Last week, Australia’s new Prime Minister Anthony Albanese announced his government’s first full ministry, with Victorian member Clare O'Neil appointed Minister for Home Affairs and Minister for Cyber Security. It’s the first time cyber security has had its own portfolio in the Australian cabinet.
Former Minister for Home Affairs Karen Andrews was in charge of most of the implementation of the previous government’s cyber security policies, and often shared these duties with former Assistant Defence Minister Andrew Hastie. No other government in the G20 has a dedicated minister for cyber security.
Albanese anticipated this move prior to the election. During an address at the Lowy Institute on March 10, he hinted his intent to appoint a dedicated cyber security role. Details on the role are yet to be defined, as is the associated budget.
O'Neil was previously Shadow Minister for Innovation, Technology and the Future of Work. With education in history, law and public policy, and a previous stint in management consulting with McKinsey & Company, she has a multifaceted background.
This puts her in a good position to promote a multidisciplinary approach to cyber security – something that has been called upon for a long time.
Her appointment is expected to strengthen Australia’s commitment to cyber security, which was first systematically set out in the 2016 Cyber Security Strategy, and re-emphasised in the 2020 strategy.
Cyber risk is only increasing
According to the Australian Cyber Security Centre, there had been a nearly 13% increase in cyber crime reports in the 2020-21 financial year, compared to the year prior.
With some 67,500 reports, that’s one incident reported nearly every eight minutes. Self-reported losses totalled more than A$33 billion, with more than a quarter of the incidents associated with critical infrastructure. Year to year, these numbers are on the rise.
The growth in cyber security budgets over the past few years has signalled how seriously Australia is taking this. Allocated funds grew from $230 million in 2016, to $1.67 billion in 2020, to $9.9 billion in this year’s budget to implement the REDSPICE program.
This has been accompanied by policy changes. Between December 2021 and April 2022, the previous government strengthened the Security of Critical Infrastructure regime in two phases. In the first phase, it expanded the definition of critical infrastructures from four to 11 sectors.
It introduced positive security obligations, such as mandatory cyber incident reporting by certain entities to the Australian Cyber Security Centre, and expanded the provision of information to the Register of Critical Infrastructure Assets. This register helps the government track ownership of key cyber infrastructure, among other important information.
Beyond this, it included government assistance to industry as a potential last resort in cyber incidents. This opens the possibility for the Secretary of Home Affairs to direct an affected entity to take certain actions in response to an incident.
In the second phase, it introduced enhanced cyber security obligations for the country’s most critical assets, or “systems of national significance” – and made it obligatory for them to have risk management programs.
The new government has yet to indicate whether new cyber security policies will be promoted, or existing ones modified. However, before his election Albanese emphasised the importance of strengthening cyber resilience, as a complement to the offensive cyber measures introduced in the previous government’s REDSPICE program.
A trailblazing move for the sector
The appointment of O'Neil as a dedicated Minister for Cyber Security sends two important signals.
First, it demonstrates cyber security has become an important matter for politicians and business leaders alike, not just for IT departments. It also has the potential to strengthen Australia’s position in the Asia-Pacific cyber context, and in response to possible threats from the Ukraine war.
Second, in line with Albanese’s efforts to increase gender balance in the cabinet, the newly appointed minister is a woman. This is a powerful signal in the cyber security world.
As of 2018, the percentage of women cyber professionals in Australia was 25%. This is higher than most countries, but still far from balanced.
There are several reasons for women’s under-representation in the cyber space. They include a 24/7 “always on” work culture, gender-based discrimination, stereotype biases, wage inequality, issues with perceived self-efficacy, and a lack of women role models.
However, recent initiatives have been taken to break the barriers. We’ve seen more dedicated university scholarships, industry mentorship programs, flexible work arrangements and “positive discrimination” (such as hiring to fill quotas). Although views on the latter remain controversial.
Regardless, the appointment of a woman to a top cyber security position could certainly go some way towards empowering other women in the space, and those wanting to join. This will hold particularly true if O'Neil decides to address Australia’s gender gap in cyber talent.
Recent forecasts show the country will need nearly 17,000 more cyber security professionals by 2026.