In December 2023, the Australian government published its latest cyber strategy after a series of high-profile cyber-attacks in the country, following in the footsteps of the two other AUKUS nations, the UK and USA.
With all three countries setting out new national approaches to cyber security aligned to the AUKUS treaty – which calls for close synergy across a range of technologies – we thought it would be worth comparing the thinking from each nation on cyber issues to identify common themes and priorities, along with any areas of different emphasis when it comes to addressing today’s cyber challenges.
There are of course some fundamental differences inherent in the three nations which are, to some extent, reflected in the cyber strategies. For example, Australia’s constitutional framework is very different to that of the United States. But, when reviewing the three strategies, several shared themes emerge.
Common ground
Australia’s cyber strategy focuses on six cyber ‘shields’ and states that each shield “provides an additional layer of defence against cyber threats and places Australian citizens and businesses at its core”. The six shields are:
- Creating strong businesses and citizens who understand the cyber threat
- Enabling safe technology with cyber security built in
- World-class threat sharing between government and business and the capability to block threats
- Improved cyber security for critical infrastructure
- Building sovereign capabilities
- Building partnerships globally and undertaking co-ordinated action
Although they use slightly different wording, the UK and USA show a striking consistency of approach. For example, there’s a common focus on developing a resilient society (the UK describes a focus on “Making the UK more secure and resilient”), ensuring technology is inherently secure (as the US says, “Rebalancing the responsibility for cyber security away from end users and onto the technology companies and others that own and operate digital systems”), and showing international leadership (from a UK perspective: “Making the UK more influential and valued globally”).
Across all three nations, there’s a strong emphasis on cyber resilience through regulation. The Australian strategy sets out plans to review CNI cyber regulation to ensure its existing framework remains fit for purpose. There is a focus on the telecommunications and managed service provider sectors (reflecting close alignment with UK thinking). More broadly, Australia will look to ensure that CNI sectors are complying with their existing cyber obligations. Interestingly, Australia also highlights the need for more support for small and medium enterprises alongside the focus on larger CNI entities.
In comparison, the UK is looking at how to more effectively hold CNI to account for delivering the right cyber security standards, while the US strategy calls for tailored regulatory frameworks and use of the Federal procurement processes to demand stronger cyber security standards from suppliers.
The complex inter-dependence between government, private sector and civil society in achieving national cyber security also features prominently across the three strategies. Along with its ‘shield’ dedicated to achieving significantly enhanced threat sharing between government and private sector, Australia states it will create a new Executive Cyber Council to bring together government and industry leaders to consult over the implementation of the strategy. This is all emphasised by the line: “We are shifting cyber from a technical topic to whole-of-nation endeavour, focusing on providing better support to civilians and industry.”
Similarly, the UK has adopted the term ‘whole of society’ response to characterise the need for a collaborative and joined-up approach to cyber – with its strategy setting out the different roles and responsibilities of government, private sector and civil society – while the US emphasises measures including real-time information sharing, bringing the private sector into taskforces including on ransomware, and collaborative action to tackle cybercrime.
Countering cyber threats a differentiator
Perhaps the most notable difference between the three cyber strategies is the emphasis the US gives to disrupting and dismantling cyber threat actors. The US has been taking increasingly high-profile action against threat actors to disrupt their operations and their technical infrastructure, and even to regain money obtained from ransom payments – an approach that is reflected in the emphasis its strategy gives to this strand.
In contrast, the tone of Australia’s strategy – as well as that of the UK – simply isn’t as strong in this area. However, that’s not to say that there haven’t been positive steps taken. For example, Australia has launched a new collaboration between the Australian Federal Police (AFP) and Australian Signals Directorate to adopt what the government describes as an aggressive approach to disrupting cyber-criminal activity. It has also tackled cybercrime activity as part of the global takedown of an encrypted communications network and previously issued its first cyber sanction in relation to the Medibank hack.
Overall, any nuances in approach between the nations are generally a matter of degree only. Indeed, the consistency between the three cyber strategies is striking. A major focus on national resilience, a commitment to a whole of society response, an emphasis on regulation, and a determination to promote responsible cyber behaviour through active international engagement appear fundamental to each nation’s thinking.
Of course, there will be some tough choices and challenges to overcome. But these cyber strategies represent a coherent and highly active agenda for the future, where success will rest fundamentally on a collaborative approach between the AUKUS nations.