The government has made little movement on the vast majority of initiatives listed in its Australian cyber security strategy released one year ago, a review has found, with only four of the 83 outcomes achieved so far.
The four-year, $230 million plan was released in April last year. It is intended to facilitate better threat intelligence sharing between government and business, and outlines five strategic pillars covering stronger cyber defences, education, partnerships, research and development, and global awareness.
It resulted in the creation of a new ministerial role and special advisor position dedicated to cyber security - held by Dan Tehan and Alastair MacGibbon respectively - as well as a cyber ambassador role within DFAT to champion cyber security internationally, held by Tobias Feakin.
As far as specific strategy directives go, so far the ASX has delivered its cyber health check on Australia's biggest listed companies, the industry-led Cyber Security Growth Centre is up and running, and the first joint public-private threat intelligence sharing centre has been established.
Work is currently underway to relocate the Australian Cyber Security Centre out from the ASIO headquarters and into a more friendly and accessible facility.
But a review of the government's progress on the strategy's initiatives by independent think-tank the Australian Strategic Policy Institute (ASPI) found little else had been achieved in the past 12 months.
The government recently marked the one-year anniversary of the strategy, claiming it had made good headway on delivering the 83 initiatives contained in the report.
Its claims have been contradicted by the ASPI report, which found only four - as opposed to the claimed six - initiatives had been achieved.
A further 20, ASPI said, were "on track", but another 22 initiatives would need greater attention if they were to be achieved within the strategy's four-year timeframe.
Fourteen initiatives have had no work at all done to date, the report found, while there was "no way" to properly determine whether another 11 had been - or would be - achieved.
The report's authors Zoe Hawkins and Liam Nevill said the government was "working hard" to deliver the strategy but was being outpaced by the speed and scale of the cyber security problem.
They also criticised the government for failing to properly explain to the private sector - which under the strategy is expected to play a big role in its delivery - specifically what it is expected to do.
"While progress on achieving the cyber security strategy’s outcomes has been slower than hoped, more concerning is the lack of transparency about the government’s plans for specific tasks and activities they committed to in the document," the ASPI analysts wrote.
"Private sector partners, who are expected to take leadership on strategy initiatives, are in the dark on what the government’s implementation plan is, and the absence of clear timelines undermines the prospect of public-private engagement reaching its full potential."
There also hasn't been any attempt to collect data on whether the strategy has actually had a meaningful impact on cyber security in Australia, according to the report.
And the likes of the less-than-flattering national audit office report on cyber security compliance within three government agencies, alongside the 2016 eCensus bungle, have been "humbling litmus tests" for the additional work that is required on Australia's cyber security posture, ASPI said.
But the analysts said the combined media spotlight, focus within leadership ranks in government, and a "mutual desire" for public-private partnership had provided an opportunity for Australia to learn and move forward.
They attributed the delay in action to the caretaker period associated with the 2016 election and the later machinery-of-government changes, but similarly said the absence of any timelines for delivery has resulted in criticism over the government's commitment to the strategy and differing expectations of implementation speed.
The ASPI analysts suggested the government develop a "clear roadmap with timelines, milestones and deliverables" to address these concerns.
"Separate annual implementation plans for each strategy theme could be a helpful way to articulate the practical how, when and who of each initiative," they wrote.
"Releasing annual iterations will ensure that the approach evolves with the environment and that stakeholders always have an up-to-date understanding of implementation expectations."
Last year two University of NSW cyber security professors criticised the government for not putting cyber security high enough on its priority list or allocating enough money to the strategy.