In December 2016, RAND and the National Security College at The Australian National University partnered to facilitate a cyber security–focused 360º Discovery Exercise in Canberra.
An interdisciplinary exercise generated three overarching policy recommendations to improve cyber security in Australia: Create and enforce technology security standards, craft international agreements to address cyber security challenges, and improve risk awareness to keep users safe online.
There was broad consensus that the policy domain will continue to struggle to keep pace with technological change. Therefore, ideas and solutions deemed most desirable allowed innovation to flourish while setting standards for security and creating mechanisms for responding to attacks.
Debate among exercise participants indicated an underlying tension between risk-based approaches and compliance-based interventions to improve cyber security.
The solutions identified are not immediately executable. Future exercises could consider their secondary and tertiary effects; this type of analysis is essential before solutions can be implemented.
Future exercises could consider how policy development, including the Australian Government’s next Cyber Security Strategy, should challenge assumptions about government roles, responsibilities, and authorities and incentivise a broader range of government and non-governmental stakeholders to participate in building and implementing cyber security solutions.