In April, the government released their first annual update on implementation of the 2016 Cyber Security Strategy. We provided our assessment of that report on The Strategist shortly afterwards, and yesterday we released our own evaluation of the progress made on improving Australia’s cybersecurity over the past 12 months. ICPC’s new report, Australia’s Cyber Security Strategy: Execution & Evolution, is the product of our consultation with private sector, and academic and government stakeholders on the progress made towards the 83 outcomes listed in the Strategy. We also dug into the Budget figures to parse the true extent of government’s investment in new cybersecurity initiatives. While the progress made is a positive change, the work that remains is considerable, and greater speed and investment is required.

In the foreword to the government’s annual update, Prime Minister Malcolm Turnbull wrote that the 2016 Cyber Security Strategy has been a ‘catalyst for change’. The government has undisputedly been active, filling the leadership roles created by the Strategy, standing up the first joint cyber security centre in Brisbane, and supporting the growth of Australia’s cyber security industry. Those are clear signs that government is committed to following through with the Strategy. But we think there are several areas in which improvements could be made to assure the success of the Strategy, and achieve better cybersecurity outcomes for Australia.

Cybersecurity threats are evolving, and Australia’s approach to cybersecurity needs to evolve with it to remain effective. Adaptation of the Strategy should be driven by frequent assessment of the effectiveness of cybersecurity initiatives, and build stronger relationships between the government, the private sector and research communities to identify new issues and appropriate responses as they emerge. Such a spiral policy development and implementation process would be better able to manage the complexity of cybersecurity issues, and could adapt to challenges that arise between major updates of policy settings. The government has already committed to annual updates, but those should also include annual and forward action plans, informed by quarterly and annual meetings between government and business leaders. The plans should be both timebound and have measurable outcomes, supported by qualitative and quantitative research into the effectiveness of cybersecurity initiatives.

Annual plans would also improve the quality of communication between government and key implementation partners. That was noted as an issue during our consultation, and it requires concerted effort to ensure that stakeholders are well informed, particularly when there are delays. Established reports, such as the Australian Cyber Security Centre’s annual threat report, could become a quarterly publication. Regular updates on progress would help improve the quality of engagement between the government, key implementation partners in the private sector and the public. Open communication between implementation partners across government and the private sector is a fundamental building block of increased trust, which in turn will enhance the quality of delivery and cooperation on cybersecurity.

The government should also improve its communication with the Australian public. That shouldn’t be isolated to updates on the Strategy and improvements in cybersecurity outcomes. #Censusfail showed that a strong and coherent communications plan is critical during cyber incidents to reinforce public confidence. Similarly, incidents such as this month’s wannacry global ransomeware attack highlight the importance of mobilizing the population to protect themselves where possible… Taken together, those observations lead us to recommend that the government’s communications capacity on cybersecurity be beefed up. That’s particularly true for PM&C, if they’re to continue to be the government’s leading voice on cybersecurity.

Financial and human resources will be key to achieving the outstanding outcomes of the Cyber Security Strategy. The government announced a funding package of $233 million with the Strategy, which was provided in last year’s Budget. However most of this wasn’t “new” funding, but rather money redirected from Defence’s budget allocation. New funding for the Strategy only kicks in noticeably in 2018–19, rising to $5.4 million from just $400,000 in 2017–18. However, aggregating strategy funding with that from other related initiatives such as the National Innovation and Science Agenda paints a rosier picture, with new funding of nearly $500 million over four years to 2020. Most of that funding is directed towards supporting the growth of Australia’s cybersecurity industry and skilled personnel. That’s necessary to grow an ecosystem in which Australia has the talent and capability to secure itself against cyber threats. Unfortunately, other critical agencies such as PM&C who are responsible for implementing key aspects of the Strategy haven’t had their funding supplemented commensurately.

The 2016 Cyber Security Strategy was certainly a significant turning point for cybersecurity in Australia. The government’s efforts to implement the Strategy so far are laudable, but greater effort on communications and planning is required to fully engage the national partnership model for implementation it proposed, and more resources are needed to achieve the Strategy’s lofty objectives.

Mass gatherings protection is focused on counterterrorism and public safety. Compared to critical infrastructure protection, however, it’s been the area least amenable to national leadership.

The issue has recently been highlighted in regional NSW. Four cancelled Anzac Day marches in Katoomba, Blackheath, Springwood and Glenbrook may now go ahead after the Blue Mountains local council said it would assist with the costs of the NSW government’s new anti-terrorism requirements. After last year’s terrorist truck attack in Nice, local government imposed new security legislation designed to protect crowds, including a requirement for water-filled barriers. Demand for greater security mechanisms in public spaces will only increase after the recent deaths in Melbourne’s CBD. And that type of security, along with the NSW government’s requirements, won’t come cheap.

Governments want to keep their people safe, no matter where they are. As Malcolm Turnbull emphasised in his national security address on 23 November, working out how to best protect Australia’s public spaces is a key aspect of that goal. An ideal place to start any work in that area would be for the Australian government listen to and learn from those who undertake that job on a daily basis, rather than telling them how to do it. That will entail seeking new ways to engage Australia’s private security professionals.

The government should recognise that it isn’t as good at protective security as those who already work in the industry. Some government employees do have those skills and formal qualifications, however, but they tend to work at lower levels of the public service, where they offer in-house advice to departments. They certainly aren’t designing effective strategies to be implemented by government at a higher level, or by the corporate sector. Even fewer of those government employees are members of professional associations which provide access to a significant body of knowledge and international and cross-discipline contacts that membership provides. As far as actual experience in managing security functions at places of mass gathering, the expertise in the public sector is minimal.

But where the government does have significant expertise is in providing overarching security policy, the provision and coordination of government resources and responses, and gathering and assessing information. The National Guidelines for the Protection of Places of Mass Gatherings from Terrorism denotes that operators of ‘places of mass gathering’ (PMG) must ‘provide adequate security for their assets, based on threat and risk,’ and to ‘actively apply risk management techniques in their planning processes,’ along with other similar statements of the obvious.

The policy requires that intelligence-led advice be provided to those operators ‘when relevant’ and that the government will respond to their queries usually via an industry Business Advisory Group. It’s not clear who’s represented in this group, or indeed if professional bodies such as the Venue Management Association, Facility Management Association, ASIS International or the Australian Amusement, Leisure and Recreation Association have been engaged in this debate. The current policy assigns such industry and professional associations the role of disseminating information. But despite their expertise and experience, those groups are not being engaged to provide input on the best way to keep PMGs safe.

A primary function of the government is to provide information and analysis that’s not available through the media and industry contacts nationally and internationally to operators of PMGs. Those responsible for protecting PMGs want answers to several key questions:

• What new terrorist tactics are being employed or planned by extremist groups?
• What measures have worked or failed elsewhere to protect PMGs?
• What indicators are there that a specific tactic may be used against a venue or event?
• Is there any information that suggests their venue is being targeted right now?

Other than the final question, private security professionals can get most of that information from open-source or industry contacts.

Local government is also key in protecting PMGs. Any attack against a PMG will occur in a local government area (with the exception of the ACT and NT). However, besides scoring a brief mention in the most recent policy on PMGs, no specific role is denoted for local government. Councils organise or oversee many PMG activities, including Anzac Day, Australia Day, rural shows and community days. They often coordinate the volunteers who plan, staff and manage the events as well as those who form the volunteer response capabilities. Local government will often feel it hardest when an incident occurs, and currently, the urban-based resources that form the backbone of CT planning are either thin or non-existent outside the metropolitan domain.

The Australian Local Government Association, representing over 560 councils across the country, hasn’t been involved in counterterrorism arrangements, in spite of the key responsibilities for public safety, noted above, held by the third tier of Australia’s governance.

Three steps will be essential to improving the current state of security mechanisms at PMGs. First, policymakers need to undertake work to identify how local government could be better integrated into domestic security plans and assist with strengthening the nation’s preparedness for a mass casualty attack, while ensuring that community life can continue as normal. Second, the federal government should listen to, not just talk at, the security professionals who plan and implement protection from a wide range of threats. And third, local government should be given the opportunity to provide input on the topic.

My task as ASPI’s inaugural chairman was to give substance to the Australian government’s decision in the late 1990s to establish an institution to generate independent strategic policy advice, following in the steps of the US, the UK, and other NATO allies. While the Howard Government was well aware of, and respected, the existing Strategic and Defence Studies Centre at the ANU, it wanted another body which could be taken into a closer, more confidential relationship with the Department of Defence, and focus on particular policy choices on which the Government needed advice.

When I began Prime Minister Howard emphasised to me that he needed contestable advice in the defence field, not simply advice from a single source such as the Department of Defence, however valuable that was. The Government also wanted another dialogue partner in the public debate, not merely to agree with its positions and support them, but also to raise major issues, giving new perspectives on the basis of expert knowledge as ASPI’s director and staff members saw fit.

When the Government’s concept was explained to me in 1998–99, two years before I was due to retire from my chair at Oxford and return to Australia, this seemed to be a venture worth supporting. My dialogue with senior defence officials strengthened and on Thursday 18 November 1999, over dinner in London, Defence Minister John Moore invited me to become the first chairman of ASPI’s board. I was pleased to accept.

From then onwards, for the next two years, the initial steps of founding the Institute took much of my spare time. We had to agree on a constitution and a basic system of working which ensured that the interests of the Government were properly served, while preserving essential freedom for ASPI’s director and staff to develop new ideas and approaches, some of which might contradict aspects of official policy.

Fortunately, in addition to having served as Director and then Chairman of the Board of the International Institute for Strategic Studies in London, I had served for five years as the initial chairman of the board of the Centre for Defence Studies at King’s College, London, which was funded by the British Ministry of Defence while being a university body. I knew there would be problems but I felt confident that with the team of people we had in Australia working on the foundation of ASPI, we’d be successful in getting the job done.

Once we knew what we were trying to develop, and John Moore had invited a few leaders from the Commonwealth public service and the business community to join an initial advisory board, we were ready to start selecting ASPI’s first Director. We were fortunate in attracting a strong field of applicants, and particularly fortunate in late February 2000 to be able to nominate Hugh White, who not only had all the knowledge and experience of a Deputy Secretary of the Defence Department, but also possessed a sharp and powerful mind and a track record of independence of judgement. ASPI was off to a good start.

A notional budget was drawn up and we considered what could be achieved on the basis of annual funding of between $2 million and $3 million. The whole prospect for the new institute looked to be not only feasible but also attractive in terms of increasing Australia’s ability to deal with the kind of formidable policy choices of which I had experience over the past thirty years.

Until well into 2001, we had been operating essentially under the authority of the Minister for Defence. John Moore had been succeeded by Peter Reith in January 2001. Moore, then Reith, had the task of obtaining Cabinet approval for what had been decided upon thus far. That proved to be a slow and difficult process to navigate through, not because of the substance of the decisions but because of the high pressure of government business on ministers and their staff.

ASPI, housed in its re-furbished building in Barton, began its operating life in 2002. We moved into dealing with issues relating to Australia’s neighbourhood, especially the Solomon Islands, the structure of the Defence budget, defence industrial policy and the construction of major items of equipment in Australia. A strong staff was built up and the Institute began to acquire a high public profile.

It was both a pleasure and an honour to serve as the first chairman of ASPI’s board of directors. ASPI, I’m glad to be able to say, has gone on from strength to strength, with a larger staff, a better resource base and a higher profile in the public debate.

Severe challenges remain for Australian security policymakers, not only in the Middle East, but also in terms of relations with China and Russia, how to limit the proliferation of weapons of mass destruction, and how to cope with the problems of climate change, population growth, food and water shortages and major outflows of refugees from troubled regions. Working at ASPI will never be dull!

The case for Australia joining ASEAN will have to be embraced by both sides. Here’s the ‘Yes’ case from ASEAN’s perspective.

The first three columns in this series were Canberra-centric, establishing why Australia should seek membership of ASEAN, the dismissive view of Foreign Affairs and the Oz negatives.

Now the series will present a range of ASEAN responses.

A strong voice for the affirmative is the former head of Singapore’s Foreign Ministry, the ASEAN intellectual Kishore Mahbubani (anointed by The Economist as Asia’s Toynbee while The Washington Post sees him as Asia’s Max Weber).

Mahbubani thinks the country facing the most painful adjustment to the Asian century is undoubtedly Australia. Joining ASEAN is a smart response to the danger that ‘Australia could well be left beached, together with New Zealand, as the sole Western entity in Asia.’ He makes the ‘Yes case here, contending that Australia’s ASEAN dilemma is national ego versus long-term interests—and hard geopolitics will trump Oz cultural identity:

‘In the long run, Australia will also have no choice but to seek membership in ASEAN. Right now, any such option is unthinkable in the minds of the Australian elite. Yet this is precisely the kind of “unthinkable” option that Australia has to consider as it enters the most challenging geopolitical environment of its history. In thinking of the unthinkable, Australian leaders should also ask themselves a simple question: why is Australian membership of ASEAN unthinkable? In due course, the honest answer will come out. The main disconnect between ASEAN and Australia is in the cultural dimension. ASEAN is Asian in culture and spirit. Australia is Western in culture and spirit. The main reason why Australia will be uncomfortable as a member of ASEAN is that it will have to learn how to behave as an Asian rather than as a Western nation. In thinking about this discomfort, Australians should bear in mind a new reality for Australia. Australia will have to change course in the Asian century. It will only have painful options. There will be no painless options. The big question that Australia will have to ponder as it looks ahead at its future in the 21st century is a simple one: will it be more painful for Australia to join ASEAN (and thereby accept both its constraints and its valuable geopolitical buffer) or will it be more painful for Australia to remain beached alone as the sole Western country (with New Zealand) in a resurgent Asia of 3.5 billion people?’

No choice but to join! When I started work on this series last year, Mahbubani was my first formal interview. He says the biggest challenge Australia faces is a ‘fundamental change in mindset.’ The inevitability of the choice will be driven by the inexorable decline in the relative size of Australia’s economy compared to East Asia: ‘It’s frightening that not more Australians are saying, “It’s time to change”.’

Singapore, he says, would gladly have Australia in ASEAN and has said so privately.

As Foreign Ministry Secretary (1993-98), Mahbubani raised the idea of a community of 12 (ASEAN 10 plus Australia and New Zealand) with Australia’s Foreign Affairs Secretary, Michael Costello, during the Keating Labor government (1991-96). ‘I used to mention it when I was in ASEAN senior officials meetings—there was no outrageous reaction.’

Back then, the veto by Malaysia’s Mahathir would have been instant. Now, Mabubani thinks, Malaysia would see advantages.

Several other ASEAN thinkers believe the geopolitical veto would be from China—using Cambodia as proxy. Beijing could replay the spoiler role it attempted when Australia got membership of the East Asia Summit.

Mahbubani isn’t so sure China would object:

‘From China’s point of view, it means Australia is less pro-American and more sensitive to its Asian neighbourhood; it’s a plus for China. If you want to join ASEAN you become less pro-American and you behave more like an ASEAN state, it’s in their [China’s] interests.’

No strong ASEAN veto sentiment exists, he says, partly because the idea hasn’t come up:

‘I may be wrong, but I don’t think so. I mean, you need to lay the groundwork. You need to prepare everyone for the change. The problem is no one has ever thought about it because it wasn’t in the cards. Once it appears on the cards then they’ll start thinking and reflecting on the pros and cons.’

Doing this the ASEAN way means slow work, much talk, no public pushing. The proposition of this series is that Australia seeks half-in status—join as an ASEAN observer in 2024 on the 50th anniversary of Australia becoming ASEAN’s first national dialogue partner.

Mahbubani sees an observer bid as a good but small step.

‘Observer status is no big deal,’ he remarks.

Accepting that view, doesn’t that make it a gentle way to ease into the membership discussion?

‘I think the critical thing is to decide whether or not you think it’s in your national interest to join, and work towards that goal. Observer status is just a little subterfuge to try and get close on the way there – it should not become the end destination.’

Many elements would feed into Australia’s ASEAN shift. Mahbubani nominates:

• Asian language courses for every Australian schoolchild (not confined to ASEAN languages)
• Australia systematically signing up to ASEAN agreements
• Getting closer to the ASEAN voting stream at the United Nations

‘Your biggest challenge is domestic,’ Mahbubani says. ‘You’ve got to persuade the Australian population.’

Next week, the ‘No’ case.

ASPI’s 2015 Land Conference this week foreshadows a number of Government policy announcements that will directly or indirectly impact the Australian Army and its future operational tempo and force structure.

The Conference will be an opportunity to discuss and explore a range of issues critical to the future shape and role of the army in Australia’s national security.

Phase 2 of Land 400 (the replacement of Army’s ASLAV mounted combat reconnaissance vehicles) is the hot topic for industry, state governments, army and the commentariat. But there remains a more important issue: the continuing debate over the appropriate size and shape of the army in the coming decades.

Given Army’s operational profile over the last 15 years one would be justified in asking why. The explanation lies in the policy tension that still exists between Australia’s role as a ‘middle power’ and our perceived national security priorities. The current Government seems to favour a more expansive global role for Australia’s defence force compared with a narrow, more traditional regional focus.

Why does this matter to Army? It’s important because there is a lack of consensus amongst policy makers about future force structure options.

Operations closer to home are perceived as ‘lower risk’ and as a consequence, decisions on later phases of Land 400—including the number and type of vehicles—can be debated and acquisition timetables pushed to the right. Army’s size and its harder edge can also be ‘worked’ to create the fiscal head room for other defence capabilities and budget priorities. One would hope these important decisions are informed by a knowledgeable and transparent policy debate.

This week’s Land Conference will help frame the discussion and the road ahead. With a broad range of speakers, including the Prime Minister and military experts from around the world, we have the ingredients for a well-informed debate.

A key topic will involve discussion of defence industry policy and the options that can provide the best possible framework for the States and local industry to support the Army.

The Minister for Industry and Science will join the conference to discuss the broader industry policy issues, which will be followed by perspectives from defence, industry and state government leaders.

Hopefully the Defence Industry Plan to be announced later this year will not be simply a carefully disguised prop for local manufacturing. That would spell another policy failure. The key to an industry strategy that will support Army as well as contribute meaningfully to the broader economy is a blueprint to encourage innovation in niche technologies and systems integration skills. Army’s relative size doesn’t justify the expansion of Australia’s manufacturing capacity. There is, however, a critical need to develop the indigenous knowledge and skills to sustain, evolve and improve Army capabilities across a broad range of areas, including weapons systems, armoured vehicles, helicopters and ICT based systems.

The Australian economy isn’t large enough to sustain competition at any cost. We need government,   industry and the tertiary education sector to come together and create sustainable centres of excellence. We need policy consistency and careful investment for these goals to be realised. If we lose the capacity to innovate we risk becoming simply an ill-informed follower with a defence industry unable to respond to army’s future requirements.

The 2015 ASPI Land Conference will provide a forum to challenge the status quo and broaden our collective understanding of Army’s role as it moves into its second century of serving the nation.

For those who won’t be able to be in Canberra for the Conference, it’ll streamed live by both Sky News and the ABC. And, of course, the ASPI social media team will provide updates as the Conference progresses via #FutureForce2015.