Evaluating Australian Cyber Policy Reform: Urgency, Coherence, and Depth

The Australian government is preparing a new cybersecurity strategy to cover the period 2023 to 2030. As part of the deliberations, it called for submissions on key issues, including an evaluation framework for the new strategy. This 2023 paper responds to that call. It offers reflections on a system of benchmarking and assessment that judges the strategy and its implementation. In doing so, the paper offers a critique of existing approaches as the country wakes from what the government has called a ‘cyber slumber’. Three factors will be central to the success of the new commitments—a sense of urgency, a commitment to coherence across policy pillars, and investment of political capital in deep reform within individual pillars. All three factors (which we can also take as indicators of performance) depend on shared leadership by governments, industry, and community actors (especially educators). Any government strategy must be judged by its results. If there is no visible reduction in cyber harms brought about by government policy, this would appear to suggest persistent shortcomings in policy. Successive cybersecurity strategies (in 2009, 2016, and 2020) have not achieved such results (reductions in cyber harms), even though the country has benefited from a visible improvement in many pillars of cybersecurity preparedness. Building off that discussion, the paper proposes eight principles for an evaluation framework. There should be a single overarching evaluation of the entire strategy (to ensure coherence between policy pillars) every four years, as well as separate evaluations of each policy pillar, every two years. The new framework for evaluation will require much-improved efforts at data collection on the progress of the strategy. The data collection will need to be informed by sophisticated criteria, sustained on a continuing basis, and managed by reputable and independent social scientists experienced in public policy.