Leonie Simpson, Senior Lecturer, Science and Engineering Faculty, Queensland University of Technology
ASPI recommends the government communicate more openly with the private sector, suggesting quarterly threat reporting be issued from the Australian Cyber Security Centre along with regular strategy updates to give confidence to the community.
In my view, that's an important step. The Australian Computer Crime and Security Survey series published from 2002 to 2006, for example, gave insight into cybersecurity in the Australian context. Its discontinuation, along with the lack of breach notification (until 2017), left a void in public reporting on commonly occurring cyber incidents, which is important in informing cyber risk management of both public and private organisations.
Although there have been similar reports in years since, a regular series from the Australian Cyber Security Centre (ACSC) could be highly useful.
As yet, we have not seen much progress on actions under the "Cyber Smart Nation" theme. Academic Centres of Cyber Security Excellence have not yet been established, although the process is underway.
ASPI's recommendations also do not target gender bias specifically, although it notes in the report that the government has been "proactively tackling" the issue via its 2016 Australian Cyber Security Challenge, among other initiatives.
Recommendation 9 suggests we broaden the concept of cyber skill shortages to include other disciplines, including law, psychology, communications and so on. This may indirectly assist in increasing cyber workforce diversity, but it does not address the common misconception that women or other minority groups do not hold or wish to hold technical security roles.
This is an area that may benefit from other programs, such as the Science in Australia Gender Equity (SAGE) pilot. The predicted cybersecurity workforce shortages make addressing diversity a priority.
Asif Gill, Senior Lecturer, School of Software, University of Technology Sydney
The ASPI report highlights encouraging progress and commitment from both the government and private sector to Australia's Cyber Security Strategy. Despite this interest, there are some pressing challenges in this report that warrant further analysis.
The report points to the ad hoc nature of the government's communication and expectation management with industry partners. This calls not only for a clear action plan, but also active stakeholder communication to effectively engage and enact the strategy, and quantitatively track and measure its progress.
The strategy's five interdependent themes could also be more precisely integrated, prioritised and planned in an ordered cybersecurity value chain to streamline efforts and achieve success incrementally.
For instance, core to cybersecurity is the ability to effectively and proactively defend against cyber attacks. But the report highlighted a recent Australian National Audit Office audit that found two key government departments had "insufficient protection" against external cyber attacks.