Outgoing Telstra chief Andy Penn has criticised the implementation of the former federal government’s $1.7 billion 2020 cyber strategy he helped develop, warning “insufficient progress” had been made, even as the threat landscape had become substantially worse.
Mr Penn said the federal government had failed to act as a leader on cyber resilience by hardening its own information technology, had underinvested in awareness, and was not properly evaluating the 47 programs that make up the strategy.
He also revealed the Morrison Government never responded to concerns about legislative gaps raised by its cyber advisory group in July last year.
In an address to the National Press Club on Tuesday, Mr Penn backed the new Labor government’s decision to reshape the Morrison-era cyber strategy into what it says will be a more holistic plan that builds local capability and addresses industry concerns.
Mr Penn said the update was necessary because of a worsening threat environment, increased digital adoption driven by the pandemic, a “more fractious” geopolitical environment, as well as new risks presented by emerging technologies like quantum and automation.
But he also questioned the impact of the current strategy he helped develop and implement as chair of the government’s Industry Advisory Committee on Cyber Security.
The committee on Wednesday will release its second annual report on the strategy, with Mr Penn foreshadowing that the update recognises the 2020 plan as a “solid framework” with progress made in some areas, but also significant shortcomings.
“However, notwithstanding this progress there are crucial areas where more needs to be done either because insufficient progress has been made under the strategy to date, or in response to the constantly evolving threat landscape,” Mr Penn said on Tuesday.
The report will identify several areas for acceleration, with Mr Penn highlighting six in his address, including hardening government IT.
“A lot of the work under the strategy to date has been focused on what business needs to do to improve its cyber defences, particularly critical infrastructure operators. At the same time however, it is important government makes progress to harden its own systems and cyber defences,” Mr Penn said.
“In asking Australians and Australian businesses to support the strategy, government needs to be a role model in its own operations, in adopting the Essential Eight maturity model and improving the security of increasingly digital government service delivery.”
The governance of the 2020 strategy, which includes 47 specific programs for industry, government and the public, is also “not yet sufficient for a program of this scale” leaving the government to rely on “anecdotes and commentary” to gauge progress, Mr Penn said.
He also raised concerns about adoption of the government’s threat sharing platform, consultations on critical infrastructure cyber laws, underinvestment in cyber awareness campaigns, and the best practice regulation taskforce.
The taskforce was established last year to consult with stakeholders on potential changes or clarifications to existing legislation to address cyber security issues, including the responsibility of businesses to provide goods and services with fit-for-purpose cyber security.
It reported to the Morrison government in mid-2021 after a seven-week industry consultation but never received a response, Mr Penn said.
“…given the time that has passed, government should prioritise providing industry with the conclusions from this work, including gaps in current legislation and any proposed initiatives or changes being considered.
“It has been the committee’s view that any interventions should minimise legislative change and focus on voluntary industry standards,” he said.
Mr Penn will leave his role as Telstra CEO next week after seven and a half years. He will also step down from the government’s Industry Advisory Committee on Cyber Security, which he currently chairs.
The 2020 strategy will be reshaped by new Home Affairs and Cybersecurity minister Clare O’Neil, who called for better consultations in a “whole of Australia” strategy.
Mr Penn echoed the call on Tuesday.
“Cyber security is not just an issue for government – everybody is at risk and so everybody has a role to play. Our strategy to defend ourselves from those who actively seek to do us harm has to be more than just a whole-of-government strategy, it has to be a whole-of-nation-strategy.”
Do you know more? Contact James Riley via Email.
So much of your money thrown at this and the “threat landscape” (a marketing term) only gets worse? The more we spend the more we have to spend? The world is getting worser and worser, I’m warning you. What’s “a (more?) holistic plan that builds local capability and addresses industry concerns” got to do with this? Security has something to do with that shibboleth “local” when the APS buys from IBM? When did the Commonwealth have to care about “industry” and their “concerns”? Industry votes? Industry has a Parliament? Mr Penn claims everybody is at risk and so everybody has a role to play (pay). My Grandma? We don’t just need a whole-of-government strategy, it has to be a whole-of-nation-strategy? What an insane beat-up this cyber evil nonsense is. And look at the money. It’s a river of gold. The more afraid we make you, the richer our (foreign) shareholders.