Building a strong technology and cyber security capability for Australia
In my last blog I put forward a 5-pronged approach to cyber security. There has been much discussion this week in Washington DC at the AU-US Cyber Security Dialogue about the third element – “Building a strong technology and security capability”.
Keeping the Drawbridges Down
There is strong recognition by all that a strong cyber security capability requires a genuine public-private partnership, in part because much of a nation’s critical infrastructure and cyber capabilities reside within the private sector. The challenge is that such partnerships and open dialogues don’t come naturally to many involved.
Nations and governments come from decades of ingrained secrecy around security, and now that we need to collaborate broadly for cyber, it’s not easy. I’ve seen first hand that, despite the best intentions and top-level support, when things go wrong, the drawbridge goes up and the shutters down. Issues get resolved not in a collaborative way, but rather within a closed group that often excludes leveraging the private sector. In the same vein, dialogues often only exist under formal structures rather than in a free-flowing, natural manner, both ways.
It will take time to change this ingrained culture, but this is what we need to do if we are going to get it right. As much research would suggest, “Culture eats strategy for breakfast”. Our nation’s problem is that time is against us; we need to increase our risk taking to keep the drawbridges from going up if we are going to win.
Creating Public-Private Sector Cyber Security Exemplars
In an area that I am personally very familiar with, we do have examples of private-public partnerships that we can now turn into exemplars on how to do it right. The AU Government’s Secure Internet Gateway (SIG) policy platform is an example of a partnership which has many of the right pillars in place.
Here, the Government chose to significantly raise its own cyber security stature by consolidating the number of internet connection points across government agencies, creating minimum standards of what is acceptable security, making it clear that the entire government needed to embrace this, and leveraging the private sector to bring the skills, infrastructure and operational excellence to the table. Once implemented, this framework allowed the government to engage with a smaller number of private sector providers who would have an amplified impact both up and downstream.
This engagement was done by many arms of government and most notably by the Australian Cyber Security Centre (ACSC). It also created a platform that can be leveraged as the government seeks to invest, evolve and innovate further, at a technology, policy and collaboration level.
A Single Public Sector Approach
While this model has been successful, its real opportunity to be a national exemplar is a few steps away. One such step is that we need to get all levels of government on board. We can’t have AU States, for example, at varying levels of interest and commitment to cyber. Nor does it make sense for them to create their own approach, as if somehow cyber security is different at a state level and thus needs its own unique approach.
The AU States need to embrace, without exception, the blueprint created by the Secure Internet Gateway (SIG) policy platform, together with the adoption of the Australian Signals Directorate’s Protective Security Policy Framework (PSPF) in full if we are going to win the cyber battle, and have the right to be a leader in this domain in the region.
And, even more profoundly, it will bring us closer to removing the digital barriers that make it so hard for different agencies across different levels of government to communicate, share and collaborate.