Prime Minister Scott Morrison’s decision not to allocate a dedicated cyber security minister as part of the August reshuffle suggests the Federal Government’s cyber security agenda is no longer a leading priority.
The inclusion of cyber security within the Home Affairs portfolio, under Minister Peter Dutton, marks the first time since before the 2016 election that the Federal Cabinet has lacked a dedicated cyber security minister. The shift signals a strong change of narrative for the Government, which has previously touted cyber security as a portfolio crucial to many Federal initiatives.
Following a series of cyber-attacks over the last few years, the Federal Government has made a sustained effort to improve cyber security across the board in conjunction with the overhaul of its digital agenda.
The malware attack on the Bureau of Meteorology in 2015 sparked concern over the use of insufficient security controls to protect the network. Then Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, highlighted cyber security as an area “that we as a nation have to take very seriously”.
Similar concerns were raised by the 2016 Distributed Denial of Service attack on the Bureau of Statistics’ eCensus. The negative experience for many users may have damaged citizen confidence in future attempts to digitise services, such as the My Health initiative opt-out model.
In a recent address to the National Press Club, only two months prior to the reshuffle, Minister for Digital Transformation Michael Keenan reaffirmed the importance of security frameworks, explaining the requirement for “fraud control, privacy, security and identity proofing standards” as part of his vision to digitise all government services in the next seven years.
This narrative, however, does not align with the Prime Minister’s recent removal of an explicit cyber security portfolio.
The reshuffle may be a casualty of a shift of focus from the former Government’s core digital agenda, towards Scott Morrison’s key priorities of drought and energy prices, in preparation for the upcoming election.
However, the move could be tactical, placing cyber security alongside the Australian Security Intelligence Organisation, Australian Federal Police and Australian Criminal Intelligence Commission along with a handful of other national security agencies.
Whatever the motive, strong leadership and vision will be necessary for future cyber security success.
Intermedium’s Government Cyber Security Readiness Indicator (GCRI), released in November 2017, found the Federal Government led all Australian jurisdictions in preparing for cyber-attacks, adopting a thorough security strategy, introducing governance roles and implementing frameworks.
Though the GCRI highlights the Federal Government’s preparedness at the Whole of Government level, some agencies are lagging – especially in their inability to follow the Australian Government Protective Security Policy Framework (PSPF).
The latest PSPF Compliance Report unearths insufficient compliance with procedures inside agencies, including mandatory reporting requirements. The Framework applies to all non-corporate Commonwealth entities, which must adhere to 36 security requirements and annually report on compliance, among other self-imposed security measures.
Only 34 per cent of entities fully complied with security requirements in 2016-2017. The 36 requirements are broken down into four categories: security governance, information security, physical security and personnel security.
The report acknowledges the difficulties in attaining information security outcomes. The overview of compliance with the information category explains that “information security is dynamic with challenges posed by continuous technological advancement,” and that “compliance with information security requirements has been an area of ongoing concern.”
The Cyber Security Strategy was released in April 2016 with a strong focus on improving cyber defences and collaborating with other government jurisdictions to deter cyber threats. The strategy focuses on the importance of adopting proactive security to mitigate threats.