Australia’s cybersecurity plan needs to zoom out to the big picture of how to change behaviours in a complex system, Cherry Zheng writes.
Australia’s cybersecurity strategy is already over halfway through its four-year lifespan. The $233 million package tracks across five themes, bringing in government, the private sector, the research community and international partners. But one stakeholder remains glaringly absent – the broader Australian public.
The strategy sits at the collision point between two of today’s most seismic transformations. Firstly, in a so-called Fourth Industrial Revolution, new technologies are merging cyber systems with the physical world, becoming inseparable from the way we live. Secondly, the spectre of war looms across our Asian neighbourhood at a time when the Western world is losing ascendancy.
Geographical isolation has spared Australia from the worst of direct military attacks — but not with cyber threats traversing the globe in a span of milliseconds. These realities expand the spectrum of possible harm between war and peace, even as the traditional threat of war persists.
The 2016-2020 strategy thus signals a much-needed policy shift, after years of cyber policy stagnation thanks to a chain of leadership changes. It embraces all Australians under its fifth theme of a ‘cybersmart nation’, targeting two national imperatives for our cybersecurity: developing a skilled workforce and raising awareness in the community. Activities such as the establishment of academic centres, encouraging women in cyber, and outreach to tertiary students have all made cybersecurity “mainstream dialogue”.
But are we on track with our cybersmarts, now that the strategy is well past its halfway point? The second annual update is yet to be released. The first, published over a year ago, paints a rosy picture. It reports that we are making “strong progress”, having started with our tertiary sector capacity-building and the conversation about diversity.
Dig deeper, though, and it’s not clear how much has changed. Envisioned outcomes such as “the number of cybersecurity graduates increases” simply lack the data and research to be quantifiable. Neither the strategy nor its update offers much by way of timelines, responsibilities or ways of measuring success — basic elements of smart goals. Australia’s “strong progress” consists starkly of scattershot actions packaged as results. This lets the Government get away with underperformance, but in the end, it’s self-defeating. No sustained, adaptive change occurs without critical reflection.
Part of the issue is funding. Clearly delineated plans require a measure of certainty and confidence underpinned by far more resources than have been allocated. Though committed to the idea of a cybersmart Australia, the small team at Prime Minister and Cabinet, the key coordinating agency, has received no additional funding to implement the strategy. The overall package is largely comprised of existing Defence funding.
The deeper issue, however, is that the strategy lacks engagement with what it takes to change behaviour on a society scale. The main public-facing aspect of the cyber strategy is the informational program Stay Smart Online. But awareness-raising is the easy part. Australians are already wary about online safety, especially when it comes to privacy.
The challenge is bridging the gap between knowledge and behaviour change. We can draw lessons from 50 years of environmental psychology, wherein knowledge is just one facet of internal factors that also include attitudes, values, personality traits and emotions. Then there are external factors like infrastructure, politics, and the economy. When these interact, all sorts of barriers to change can arise, from poor incentives to lack of feedback.
As a result, old habits die hard. Becoming cybersmart isn’t merely about having a will and a way: we must also create a permissive system with security built in.
So the significance of a ‘cybersmart nation’ goes beyond plugging the yawning technical skills shortage. Stakeholders across government, business, and civil society are ultimately made up of individuals from an array of backgrounds. Being agents in cyberspace, they too — not just technicians and state actors — play a role in keeping our networks secure, through a mix of precaution and innovation.
As the Online Trust Alliance reported, most cyber breaches are easily preventable — and it only takes one unwary click to endanger millions of records. We must envision a system where all Australians are along for the ride, since our actions in cyberspace can not only jeopardise ourselves, but also everyone else with whom we are networked.
As a corollary, we can do better than piecemeal efforts to boost the workforce, diversity, and awareness. The dearth of women in cyber, for instance, starts far younger than countenanced by the strategy. To genuinely engage with the factors of behavioural change, we need to start early and think in terms of removing barriers in addition to simply “attracting more talent,” as our former Prime Minister put it.
This is also an opportunity to embed a cybersecurity consciousness into the next generation, which is already growing up surrounded by the cyber-physical.
Never has Australia come under existential threat to the same extent as many of our Indo-Pacific neighbours. As such, we are slow to wake up to changing times. We insist on the “rules-based global order” and similarly the bounteous optimism of our cyber strategy betrays only one side of the story. While the human element can be a source of strength and innovation, it can also be the weakest link in the chain.
A cybersmart nation, one that is resilient and adaptive, would form the foundation of our cybersecurity. The current strategy makes a start in identifying risks and opportunities. But if we neglect the big picture of how to change behaviours in a complex system, the groundwork for a cybersmart future could degenerate into a talk shop.
In a world of increasing interconnectivity and uncertainty, the Government owes it to Australians to shape a system where we are best equipped to help ourselves, and each other.