The new strategy, which hopes to make Australia a world leader in cybersecurity by 2030, focuses on protecting both Australian citizens and businesses. (Image generated by AI).

More questions for Australia cybersecurity strategy  

  • Australia has unveiled a cybersecurity strategy. 
  • Tech experts feel the need for a higher level of clarity and details on how the funds are going to help achieve all the initiatives outlined in the plan.
  • Others feel the aim to make Australia a world leader is admirable – though no easy feat.

As Australia’s newly enforced cybersecurity strategy is unveiled, there have been some mixed reactions from the industry. While the general sentiment on the strategy is positive, some tech experts feel there are still some areas that could have been better planned.

The new strategy, which hopes to make Australia a world leader in cybersecurity by 2030, focuses on protecting both Australian citizens and businesses. It also has a clear focus on helping SMBs improve their cybersecurity, with an allocation towards developing the talents needed in the field.

Clare O’Neil, Australia’s Minister for Cybersecurity, outlines the new strategy.

Are there sufficient funds?

David Fairman, the chief information and security officer for APAC at Netskope.

Despite this, some tech experts feel that some areas need more details so that the strategy can be implemented better. David Fairman, the chief information and security officer for APAC at Netskope, commented that there should be a higher level of clarity and details on how the funds are going to help achieve all the initiatives outlined in the plan.

“Even though there’s AUD$600 million allocated for this strategy in addition to the AUD$2.3 billion already committed by the previous government, I think it would help everyone to understand how the funds are going to be allocated with more granularity to complement the overarching plan and answer concerns that the funding may not be high enough in some aspects.

“For example, there’s AUD$7.2 million dedicated to building a voluntary cyber-health check program for SMBs. With more than 2 million SMBs in Australia, is it really going to be enough?” questioned Fairman.

Fairman also highlighted that the strategy is light on details of how the government will track and communicate progress to the wider community. Fairman believes that strategies are only good if they’re successfully implemented, and committing to reporting deadlines or processes is a way to reassure everyone that the government will do its best to stick to its plan.

“We have to consider the financial impact of some of those measures on businesses, and the costs they will have to bear. The economy is still very much in a recovery phase, and many businesses will probably need some sort of financial support to afford cybersecurity upgrades. A cyber-health check for SMBs is great, but if most can’t afford to fill the identified cybersecurity gaps, the plan will fail,” added Fairman.

Not an easy journey for cybersecurity in Australia

Marcus Thompson, senior advisor at Macquarie Technology Group and chair of ParaFlare.

For Marcus Thompson, senior advisor at Macquarie Technology Group and chair of ParaFlare, the strategy’s emphasis on resilience and urgency is welcome, and its aim to make Australia a world leader in cybersecurity is admirable – though no easy feat.

As the strategy outlined six shields for cybersecurity, Thompson felt that one dedicated solely to citizen responsibility would have been a useful inclusion. Thompson believes that while it is a focus area of the strategy, the role and responsibility every single citizen has to protect themselves and the community cannot be overstated.

On sharing threat intelligence in the region, Thompson, who is also the former head of information warfare for the Australian Defence Force, said that the government’s strong focus on sovereign industry is something for which he and others have long campaigned.

“The nature of cybercrime and the role played by foreign threat actors means we cannot be assured in our defenses without a strong, local, sovereign base. A greater emphasis on threat sharing is something the industry has long been calling for. Regulations such as the Security of Critical Infrastructure (SOCI) Act and the Notifiable Data Breaches scheme have put the onus on industry, but now the government is committing to increase its threat sharing with industry,” commented Thompson.

A significant gap remains in providing a broader, government-endorsed rating system that encompasses all cybersecurity providers. (Image generated by AI).

Making the right choices

While Ian Yip, CEO of Avertro, was pleasantly surprised to see more attention given to the country’s ability to solve problems through innovative solutions via the newly minted Cyber Security Industry Challenge program, he also felt the only way the Australian government knows how to dish out money is via grants.

“My concern is that it devolves into a way for professional services firms to build bespoke solutions for agencies that cannot scale beyond that organization.”

Meanwhile, Jacqui Nelson, CEO of DekkoSecure, a specialist in Zero Knowledge security models used by Australian and global law enforcement and security conditions organizations, is deeply concerned about the quality of the cyber-products people are being sold without quality checks. The Australian Signals Directorate’s threat report shows that something is not adding up.

“While we commend the government’s initiative to establish a code of practice for cyber-incident response providers, this is just a stepping stone towards the comprehensive standardization we need in cybersecurity. The current plan addresses service quality and professional standards, which is positive.

“However, a significant gap remains in providing a broader, government-endorsed rating system that encompasses all cybersecurity providers. Such a system is crucial for businesses and consumers to understand and trust the security measures they rely on truly,” said Nelson.

Nelson agrees that the strategy’s proposal to create a voluntary labeling scheme for the cybersecurity of smart devices is a forward-looking initiative that recognizes the need for standards in the increasingly digital world, but feels it does not go far enough.

“We need to expand this vision to include a more inclusive and comprehensive rating system that covers the entire spectrum of cybersecurity solutions. Only then can we ensure that businesses and individuals are fully informed and protected in this rapidly evolving digital landscape,” explained Nelson.