Voluntary guidelines, cyber health checks, threat intelligence sharing and addressing the skills gap are all themes the new cyber security policy will attempt to address, but will it deliver on its promises?

iTnews has published a rundown of the Australian government’s brand-new cyber security policy, a national document that hasn’t been updated since 2009.
The current policy has been criticised as woefully outdated in today’s international threat environment, so Tony Abbott commissioned the review back in 2014.
However, the update, originally scheduled for publication in mid-2015, was seriously set back when the sands shifted in parliament and Malcolm Turnbull took the top position in government. Since then, despite rumours and indications that the revision was imminent, nothing has yet emerged.
We have now been told publication is mere weeks away, in the same week that the Australian Cyber Security Centre (ACSC) runs its second annual conference in Canberra, so the timing couldn’t be better.
The details of the policy, as reported by iTnews, show clear direction for Australian industry and state governments. The document comprises five pillars of strategic importance to the national security community, covering cyber defences, education, partnerships, research and development, and awareness.
One interesting aspect of the new policy relates to “health checks” for cyber security governance. This will introduce a scheme whereby boards and senior managers can self-assess their cyber security posture against other organisations (and hopefully a standard) to see how good their defences really are.
On the surface, this sounds very much like the Cyber Essentials scheme introduced a few years ago in the UK, which applies CESG’s government-grade security advice and assessment metrics to small and medium-sized businesses that previously would not have benefited from this kind of advice.
The base level of certification is a simple self-assessment, with a submission to a certification company that can check the submission and issue the certification.
Cyber Essentials Plus involves an independent penetration test and provides a much more rigorous audit of the business’s infrastructure, so it is seen as a fairly good benchmark that the business takes security seriously.
The scheme has been relatively successful in the UK; the Cyber Essentials Plus achievement can be used to reduce the cyber insurance premiums incurred by businesses, therefore offsetting the costs of gaining the certification.
Skills and education also feature heavily in the new policy. It’s been highlighted over the past year or so, especially during the consultation period with industry, that we need more qualified, certified individuals in security job roles and we need to find a way of identifying what skills and competencies are required to fulfil the obligations of a given job role.
The policy also commits to an increase in the number of skilled cyber security specialists within the AFP, Crime Commission and Australian Signals Directorate.
This is good news and foreshadows what we expect for the rest of industry, because an increased focus on cyber security from government will demand that suppliers up their game, pushing professional security roles into organisations that have not previously had them.
The cyber security profession until now has not had the focus or funding it needs, unless, of course, you happen to work in a federal government department or a bank.
However, funding will, as always, be the key to unlocking the success of this policy.
While there has been a hint of funds being drawn down from existing pots of cash, the indication that no new money will be directed into this area is of great concern.
To achieve the outcomes intended from this policy, investment will have to be forthcoming from somewhere. It looks like government is expecting that private industry will readily foot the majority of the bill, while government gets all the benefits, effectively for free.
We really need to see the same level of investment that we’ve seen elsewhere, such as in the UK and US. Without it the policy will drive nothing more than criticism and renewed cynicism in the government’s commitment to cyber security.