There are many ways in which the Federal election has turned the usual assumptions on their head and this includes cyber security policy.
One of the most interesting is that the ICT sector seems to be finding it harder to answer the “what’s next” question for a returned Government than it would have been if the Opposition had won.
But the question really is more a “who’s next”. While there was reasonable confidence the Opposition’s Shadow Ministers would retain their portfolios, it is not clear who the returned Government plans to slot into the key posts.
We have no Minister.
We have no Minister for Digital Transformation (with the incumbent Michael Keenan now retired from Parliament), have had no Minister for Cyber Security since August, and it is widely rumoured the Minister for Communications, Senator Mitch Fifield, will not continue in his portfolio.
However, while we don’t know the names of incoming ministers, we will be fortunate not to be working with a completely blank canvas in terms of future actions. There are current policies that have recently been (re)confirmed.
We do have completed policy work.
New Ministers taking responsibility for digital transformation and cyber security policy will inherit at least two completed pieces of legislative work to help navigate the vexed issues of how and where government agencies should store their data, and how they should put in place the baseline cyber security hygiene to protect their environments.
The response to a House of Representatives committee inquiry into government cyber security compliance was tabled in the last week of Parliamentary sittings.
It included the review of the Consolidated Internet Gateway program conducted over several months by the DTA.
And the Hosting Strategy was released by DTA days later, again, after many months of development.
The first signals an intention to expand the cyber security controls compliance obligations – such as the Australian Signals Directorate’s Essential Eight – to many more Federal Government agencies. This reaffirms the importance of perimeter security as a part of defence in depth, and creates clearer oversight arrangements for the program.
The Hosting Strategy outlines a framework to give clarity to agencies about how much they can trust data centre ecosystems to be responsive to the sovereign interests of Australia and not another country. And, importantly, by creating a new certification and compliance program, it provides a model for how government can protect its interests and data even if those sovereign interests change.
Together, these policy initiatives mean any new Ministers can hit the ground running, implementing policy to get outcomes rather than having to reinvent wheels.
And largely bipartisan support.
Importantly, they are largely bipartisan (part of the reason they flew under the election campaign radar), so any legislative change needed to, for example, expand the coverage of cyber security obligations should not face great delay once it is drafted and presented to Parliament.