Published by Dan Richardson 30 November 2023
There’s a lot to like about Australia – the beaches, the weather, and even the recent form of their rugby team.
But does its new plan for cyber security hit the same heights?
The Australian government recently released its long-awaited Cyber Security Strategy for 2023-2030. While the strategy doesn’t reference New Zealand, what our only formal defence ally, second largest trading partner, and culturally similar neighbour does in terms of cyber security will impact Aotearoa immensely.
With our new coalition Government getting to work and a new Minister – Judith Collins – overseeing the GCSB and the NZSIS, New Zealand has a timely opportunity to revisit its strategic approach to cyber security.
It’s worth noting that this is Australia’s third cyber security strategy and is intended to guide the nation for the next seven years. By contrast, New Zealand’s Cyber Security Strategy was last updated in 2019 – a relative aeon in cyber security terms. The constantly evolving nature of the cyber security threat landscape means that the risks to New Zealanders are now different and will continue to change.
Our economy is intrinsically tied to the Australian economy. You only need to look at the New Zealand market share of the large Trans-Tasman banks, supermarket chains and other Australian companies that operate here. A heightened cyber security posture across these Trans-Tasman organisations will flow through the local market and help drive cyber security uplift by osmosis.
Leveraging New Zealand industry
A core theme of the new Australian Strategy is the ambition to harness the whole country to tackle cyber problems, enabled by stronger public-private partnerships. This is entirely the right direction, and New Zealand has a real opportunity to do even better than Australia.
Our relative size and agility to streamline information sharing with the government enables our industry to work more easily with it. This can be further enhanced by getting the regulatory and policy settings right to leverage New Zealand’s extensive private sector cyber security infrastructure and capability.
This public-private partnership model is particularly important for critical infrastructure protection, another area of focus in the Australian Strategy and a topic that has been on the mind of officials in Wellington throughout 2023. This is even more true during times of potential budgetary constraints.
By shifting cyber from a technical topic to a whole-of-nation endeavour, Australia is continuing to elevate the cyber security discussion to its rightful place as a national security consideration. While New Zealand has attempted to shift the dial on this via the National Security Intelligence Priorities (or NSIPs) we in New Zealand need to have an open and honest dialogue in civil society about challenges, opportunities and risks in cyber in a more meaningful and inclusive way.
As a nation, we can never match the cyber spending in Australia dollar for dollar. The Australian government says it will spend more than $AU586 million to implement the strategy, on top of the $AU2.3 billion already being spent on cyber security. These numbers dwarf the budgets of our cyber agencies. But the truth is, we don’t need to spend as much to get results. By enabling the private sector to provide cyber services more easily to New Zealand organisations as an extension of government capabilities, we can move the dial in a profound way.
Where New Zealand succeeds already
Six shields’ underpin the Australian Cyber Security Strategy, including “World-class threat sharing and blocking”, and just like the contested Pavlova, the Aussies might have taken this idea from us.
In fact, Aotearoa is probably a little ahead of Australia in this area with the success of the Malware Free Networks (MFN) project. First launched in 2018 by the National Cyber Security Centre (NCSC) and expanded several times since the MFN has offered New Zealanders a layer of cyber protection. But there is always more to do. The natural next step is a streamlined way for the industry to share more extensive cyber threat data with our cyber agencies.
The Australian Strategy makes clear that cyber security is not confined to national borders and puts a spotlight on our regional neighbourhood with the “Resilient region and global leadership” shield. This is an area where New Zealand can do even better than our Aussie friends. As the Indo-Pacific region continues to become even more geopolitically significant, Aotearoa’s already tight links to our Pacific neighbours and our ability to understand Pacific cultures enable us to take a leadership role in the region. This means developing a New Zealand sovereign capability to help and support our friends in the Pacific.
While CERT NZ’s capacity-raising efforts in the Pacific have built some great momentum, the incoming government should consider being more forward-leaning in the coming years. Alongside our efforts in the Pacific, New Zealand has a long record of upholding international law and norms of responsible state behaviour in cyberspace as part of our independent foreign policy stance.
With the release of the Australian Cyber Security Strategy, our new Government would be wise to take inspiration from across the Tasman and consider its own bold vision for New Zealand’s cyber security future.
Dan Richardson is an Executive Director at CyberCX in New Zealand. He has a 20-year career in cyber security across New Zealand, including at the National Cyber Security Centre.