OK, Kids, I’m about to review the public submissions to Australia’s 2020 Cyber Security Strategy. homeaffairs.gov.au/reports-and-pu… I’ve put them all in a .zip at drive.google.com/open?id=1vaP78… (204.9MB). I’ll tweet random interesting bits. Follow or mute #2020Strategy as suits your mood.
Off to a good start. “Government is main responsible for trust and dignity for the citizens of Australia. Its like a father is head of family, then the government is head of citizens .” #1 #2020Strategy
“Companies should give power to provoke a person in breach of leaking data of people by suspending him and also complaining to police so they can charge him under theft act.” #1 #2020Strategy
“Stop saying stupid things.” #24 #2020Strategy
Note that I’m just powering through a first cut of these submissions. As is normal, the majority will be restating individuals’ and organisations’ positions, and are therefore not newsworthy. You may well find interesting stuff in the submissions I’m skipping. #2020Strategy
“Combine all 30+ threat-reporting bodies into one.” #27 #2020Strategy
As an aside, I’m always amused by the number of submissions that are, essentially, “The government needs to put more resources into X. By a strange coincidence, we happen to be a provider of X.” #2020Strategy
The main recommendations from Huawei’s submission. Plus stats that only 4% of telco systems failures are about the cybers. #39 #2020Strategy
There’s a LOT of detail in the Huawei submission. It’s almost as if they’ve been thinking about how to address these issues in response to... I dunno... events or something. #39 #2020Strategy
I’m 20% of the way through the skim. Lots of calls for more enforceable legislation, and lots for cybersecurity compliance ratings. Five-star cybers! My understanding is that official support for the idea in Australia has gone, however. #2020Strategy
An “Executive Summary” that doesn’t actually summarise the points made in the document, but which just waffles on about the organisation, so I end up having to skim the whole thing. #2020Strategy
Australian Payments Council says payments systems are important but they get cybered a lot so the government should focus on helping with that. But taking four pages to say it. #48 #2020Strategy
Recommendations from Australian Catholic University. #49 #2020Strategy
From REA Group, “The government needs to hold itself to the same level of account as the private sector.” #51 #2020Strategy
The REA Group submission has lots of thoughtful and focused comments and I’ll read it properly later. #51 #2020Strategy
Lots of recommendations from @ACCAN_AU, including the ol’ cyber trust rating and minimum cyber security features for connected devices, with “financial incentives”. Wink. #52 #2020Strategy
Cybersecurity and Cybercrime Advisors Network (CyAN) suggests reestablishing a separate cybersecurity portfolio within government because Home Affairs is so big. #53 #2020Strategy
Ian Falconers has done a SWOT analysis, amongst other things. Curious. #56 #2020Strategy
Yet another call for tighter standards and regulations* from the Commission for the Conservation of Antarctic Marine Living Resources (!), as well as a mention of blockchain because why not. #57 #2020Strategy

* Australians love regulations.
Some more regulations etc from Trusted Impact. MOAR REGULATIONS. #58 #2020Strategy
More interestingly, it quotes @TFeakin from before he was ambassador: “[Progress] requires a prime minister who will be prepared to champion the issue and spend some time talking about it with those that can make a difference.” #58 #2020Strategy
That @TFeakin quote is from “Cyber security: the new captain’s pick” (14 Jul 2015) aspistrategist.org.au/cyber-security… #58 #2020Strategy
Personally I think “greatest transfer of economic wealth in history”, originally by @DAlperovitch I think, is bullshit. Just look at how slavery and colonisation built the European empires. But we can argue about that later. Once he’s given the server back. ;) #58 #2020Strategy
Paul Twomey is taking a big-picture approach. Also, very national security. #59 #2020Strategy

This is very different from civil society orgs. “Civil society experts slam ‘national security’ agenda” (29 Oct) zdnet.com/article/cyber-…
From KnowBe4, some specific comments on awareness-raising. As I’ve said before, there’s a strong call in submissions for a more-focused approach here. #61 #2020Strategy
Professor John Magnussen and Samuel Baartz point out some problems with the security of medical imaging. #72 #2020Strategy
RSA is going for the cyber ratings system as well, and pushing for a Singapore-style licensing system for cybersecurity providers. #80 #2020Strategy
Palo Alto Networks is suggesting UK-style private-sector placements into the ACSC. #82 #2020Strategy
University of Sydney is among several organisations recommending an active defence approach as per UK’s NCSC. Government should handle high-volume low-danger threats at a national level. (It is working for the UK.) #86 #2020Strategy
CSIRO is pushing for more “provably secure” software, possibly because they’re world leaders in how to do this. Yet another call for cybersecurity ratings for devices. #87 #2020Strategy

Obviously much more in there too, but that’s an interesting angle.
As an aside, this question asked in the review docs, “Are there any barriers currently preventing the growth of the cyber insurance market in Australia?”, kinda assumes that this market is something that should be grown. Why are we assuming this? #2020Strategy
That’s 40% of the way through the submissions by document count. Break time. #2020Strategy
Time to return to reviewing these submissions. See attached tweet for the context of this thread. #2020Strategy
FS-ISAC says “it remains unclear which Minister has prime carriage of cyber security as that portfolio has been subsumed by the Minister of Home Affairs... The need to better inform the business community remains critical and has been lacking.” #88 #2020Strategy
Four recommendations from Standards Australia. #90 #2020Strategy
Superannuation Transaction Network (STN) wants financial networks to be declared essential services. Is STN a financial network, I wonder? Also, “unrestricted warfare”. On your super payments! #92 #2020Strategy
BSA: The Software Alliance isn’t happy with the Assistance & Access Act. #93 #2020Strategy
IBM Australia reckons the 2016 strategy focused too much on industry development rather than countering threats. They definitely don’t like the Assistance & Access Act. #96 #2020Strategy
The Jeff Bleich Centre for the US Alliance in Digital Technology, Security, and Governance wants more attention on the “socio-cognitive implications of the digital age more broadly”. #98 #2020Strategy
University of Queensland knows how to write a submission. Get to the point up front. Seven pages in total. #99 #2020Strategy
Worth noting: “Consider if an intelligence agency (ASD) the best place for the Government’s national CERT capability (ACSC)” and “Consider options for a Cyber Security "Civil Defence" capability”. #99 #2020Strategy
IT Professionals Australia reckons the government should hire more IT professionals. But with a lot more words. #100 #2020Strategy
The Australian Investment Council reckons the government should encourage more investment. But with a lot more words. #102 #2020Strategy
I’m halfway through looking at the submissions yet I still retain the will to live. I have become one of Them. #2020Strategy
The ACS doesn’t think we have a local software industry. #105 #2020Strategy
Charles Sturt University wants a Ministerial Council for Cyber Security. #111 #2020Strategy
ANU College of Law points to some shortcomings in the Security of Critical Infrastructure Act 2018. Also, tougher penalties for cybercrimes. #115 #2020Strategy
The Australian Small Business and Family Enterprise Ombudsman says there should be more focus on small businesses and family enterprises. #121 #2020Strategy
auDA is for a free and open internet, except when it isn’t. #131 #2020Strategy
The Council of Australasian University Directors of Information Technology (CAUDIT) likes the cybersecurity quality rating idea, calling it a Cyber Emblem. #132 #2020Strategy
MurdockCheng Legal Practice is quite blunt about our ability to trust the government. Solid calls for action. Also wants to allow private-sector players to “hack back”! #136 #2020Strategy
Water Corporation has suggested something I’m a fan of: Daily cyber weather reports (my term). Or like traffic reports. #144 #2020Strategy

Me: “It’s time for cyber weather and traffic bulletins” (13 Apr 2018) zdnet.com/article/its-ti…
That’s 70% of the way through. Kinda. #2020Strategy
The submission from WiseLaw’s Jonathan Lim is about the cybersecurity of space-based assets. I’ll come back to this one, because Space! homeaffairs.gov.au/reports-and-pu… (PDF) #155 #2020Strategy
PwC is another submission recommending leadership from the top and a dedicated cybersecurity minister. Also, bug bounties for government. #171 #2020Strategy
I’m zooming through the rest of these submissions now because I’ve identified my news angles for tomorrow. I’ll take a second pass through them on Monday afternoon or Tuesday, depending on the news cycle. For now, I’ll only tweet stuff that jumps out. #2020Strategy
Deakin University has some solid suggestions for improving trust in government cybers, as is their wont. #183 #2020Strategy
Accenture has a 76-page submission, FFS. I’ll come back to it, though it does have this “responsibility matrix”. They’re calling for a Cyber Council. They explore this idea at some length. #189 #2020Strategy
I’m visualising a bunch of Cybermen sitting around a conference table. #189 #2020Strategy
I’m down to the final 10% of submissions now. I’m getting a bit giddy. #2020Strategy
Hah! Cute observation by VeroGuard Systems. ;) #196 #2020Strategy
The OAIC is calling for a “mapping and clarity around the Commonwealth entities’ actual and potential engagement in combating cyber risks”. Which is a polite way of saying “Who is meant to be doing what, exactly?” #197 #2020Strategy
From NetThing: “There is an inherent conflict of interest where the government agency responsible for surveillance and national security is simultaneously responsible for cyber security.” #198 #2020Strategy

(I wrote about this on 29 Oct. zdnet.com/article/cyber-…)
A straightforward set of recommendations from the Tasmanian Government. #200 #2020Strategy
Hahaha. Microsoft has, in a very diplomatic way, suggested that the coordination of cyber policy and planning, outreach and partnership, communications, operations, and regulatory, spread across three departments is perhaps not going all that well. #203 #2020Strategy
Lockheed Martin isn’t a fan either. “A fragmented and inconsistent approach that is often contradictory, incomplete, and no cohesive.” Someone had a thesaurus! #208 #2020Strategy
That’s it for going through individual submissions for now. I may add some further observations tomorrow, but I’ll probably be more focused on writing, at least initially. #2020Strategy
Here’s that entire thread on a single page. Comments please. threadreaderapp.com/thread/1198388… #2020Strategy