Australia’s Cyber Security Strategy 2020: What About Privacy?

Most Australian privacy and security practitioners recognise the growing importance of data protection and the need for collaboration to support the use of data in a way that maintains stakeholder trust. However, Australia’s Cyber Security Strategy 2020 is largely silent on this issue.  Will cyber security continue to be a siloed and disconnected specialty, focusing on national security interests rather than supporting a vibrant and innovative digital economy?

Presaged by vague references to increased threat of cyber-attack from hostile foreign actors,[1] Australia’s latest Cyber Security Strategy 2020 promises an investment of an eye-watering $1.67 billion over the next ten years to bolster Australia’s cyber security posture. Dwarfing the $190m of new money allocated to the 2016 cyber security strategy, the 2020 plan includes:

  • Uplifts to various Government capabilities, such as the Australian Cyber Security Centre; Defence and the Australian Federal Police,
  • A pledge to develop frameworks and legislation to promote better cyber hygiene in small to medium enterprises;
  • Robust security requirements for critical infrastructure providers;
  • Investment in developing Australia’s cyber security skills.

It seems comprehensive and has a reasonable focus on some of the most contentious issues in security, such as the role of regulation, inconsistent control requirements across states and territories, and the scarcity of qualified security professionals ready to assume mid to senior cyber roles.

However, there are few references to privacy or data protection in the Cyber Security Strategy. While the publication’s focus is clearly on improving cyber outcomes, consideration and support of Australia’s current and future privacy needs is a worrisome omission from the strategy driving our on-line security experts.

Cyber security and national security

There is little doubt that the main focus of Australia’s 2020 cyber security strategy is building cyber defences to protect our national interests.  The strategy states this explicitly: “We work to actively prevent cyber attacks, minimise damage, and respond to malicious cyber activity directed against our national interests. We deny and deter, while balancing the risk of escalation.”

But should Australia’s cyber security focus be so much on national security?  How might Australia’s leading government centre of cyber security expertise help the Office of the Australian Information Commissioner (OAIC) administer the mandatory data breach notification scheme? What role should that centre play in working with the Australian Competition and Consumer Commission in protecting consumers from on-line scammers and misleading and deceptive practices or what about supporting the privacy and security of data to be released as part of the new Consumer Data Rights Scheme? All of these interactions might be expected of a government agency with a remit to support broader societal interests (in addition to national interests).

The strategy includes some references to broader economic and social outcomes of cybersecurity.  For example, “Cybersecurity allows families and businesses to prosper from the digital economy, just as pool fences provide peace of mind for households.”   And there are a number of measures aimed at businesses and families. For example, approximately 10% of the cybersecurity strategy funding will be used to support improved cyber security in the community including

  • Expanded efforts to raise awareness of cyber security threats and drive uptake of safe and secure online behaviours across the community;
  • A 24/7 cyber security advice hotline for families and older Australians;
  • Increased funding for victim support; and
  • Introduction of a voluntary Internet of Things Code of Practice to help consumers make informed purchasing decisions.[2]

However there is little doubt that the strategy (and the bulk of the funding funding) is directed to how to best protect Australia from threats, to keep Australians safe.

Negative vs positive cyber security

This focus on protecting Australia’s national interests is entirely consistent with the traditional view of cyber security practitioners, of cyber security as a risk-based defensive position (although more offensive activities in pursuit of protecting cyber infrastructure are now certainly on the table).  We have written before about how this is a negative view of cyber security (protecting us from attack), relying almost entirely on technological controls and operating on the basis of exclusion and inclusion. Through this lens, cyber security is centred on the need to protect assets from sophisticated, well-resourced and determined adversaries.  Military terminology is widely used so we have offensive and defensive security, strong perimeters, defence in depth, ‘kill chain’ and advanced persistent threats. “Users” are regarded as inept at best and hopelessly incompetent at worst, who need to be protected from their own stupidity and lack of care.   This narrative of negative security, where ensuring cyber security is an on-going and ever-escalating war and where distinctions are made between those who are inside the defences (who are included) and those who are outside (who are excluded) is engrained in and underpins most accepted standards based information security management practices.

Modern information security practice has its genesis in the military and defence (which focuses on ‘protection from’ rather than the ‘freedom to’) and cryptography, the domain of engineers,  scientists, mathematicians and technologists. These antecedents support the technological and process based foundations of standard information security practice.  They rely on the use of a largely command and control structure where security is a matter of policy and process, decided by management based on risk assessment outcomes, supported by largely technical controls and closely monitored as part of an on-going continuous improvement process.  From this perspective, security is best achieved via technology rather than, for example, building social networks of solidarity, examining every day practices or working on making people feel secure or empowering them to develop their own solutions. This command and control structure works for organisations that can directly control all of the people and technology that are ‘inside’.  It is a model that suits government agencies, the military and the Catholic Church. [3] It leaves little room for innovation, empowerment or individual goals and is unsuitable for most modern organisatons.

In short, it is my view that current information security practice and its supporting language, both based on a negative security, are not appropriate in the borderless, complex, inter-connected, individualised world we live in.   And yet it is the out-date negative model that we are funding to the tune of almost $2billion and that we are using to set our strategic direction for the next 10 years.

Privacy and Security: Breaking Down the Siloes

The only reference to privacy in the Cyber Security Strategy 2020 is the role of privacy, consumer and data protection laws as part of the consideration of legislative changes to set a minimum cyber security baseline across the economy.  The omission is alarming given the close relationship between privacy and security and the challenges presented for both by the digital economy.

The Australian mandatory data breach notification scheme effective in 2018 is part of the Australian Privacy Act 1988 (Cth). The scheme is administered by the Australian Office of the Information Commission (OAIC), a chronically under-funded and under-resourced government agency sitting in the Department of the Attorney General. The OAIC has arguably one of the most influential roles in terms of oversight of data breaches in Australia.  However, the role of the OAIC and the mandatory data breach notification scheme receives no attention in the Cyber Security Strategy. Similarly there is no consideration of other issues crossing the privacy/security border such as how to balance security monitoring, behavioural logging and continuous surveillance  against citizen privacy.

While privacy and security professionals are learning to play nicely with each other, to quickly respond to changing environments and respect the role each has to play in the burgeoning digital world, the lead government agencies seem bogged down in traditional siloes.  How powerful would it be if the government could show how information sharing and collaboration can work across agencies, with cyber security playing nicely with privacy, working in a supporting role where necessary and as subject matter experts where needed.

We need to work out what matters

I firmly believe that it’s time for cyber security to mature and add a new ‘social’ dimension, so we can answer in a meaningful way some of the big questions such as ‘What is it that information security enables our society, organisations and individuals to do?’;’What are the values we hold dear that information security supports?’; ‘What freedoms can we create through cyber security?.’

One of the ways to do this would be for privacy and security practitioners to work more closely together.

The absence of any reference to privacy, or  to providing a system to support the proper protection and use of individuals’ personal information is so telling. How can a strategy, one that is designed to promote the development of a digital economy, be entirely silent on one of biggest challenges facing economic development: challenges that require consideration of the values we support as a nation and how they should be balanced against competing interests (which can include national security).

While recognising the importance of protecting our nation from hostile cyber attack, could we not have also taken this opportunity as part of our new 10-year strategy to chart a new way of thinking beyond the language of war, the fables of the strong attacker and the weak user, practices based on exclusion.  We have again missed the chance to have a broad, inclusive, innovative conversation, going beyond the traditional limited horizons of national security interests, to see if we can agree on how information security can help us achieve outcomes that matters for all Australian.

 

Dr Jodie Siganto

August 2020

[1] https://www.zdnet.com/article/scott-morrison-cries-cyber-wolf-to-deniably-blame-china/

[2] https://www.itwire.com/security/australian-government-launches-new-$1-67-billion-cyber-security-strategy.html

[3] Frederic Laloux ‘Reinventing organizations’