The Australian government has launched its new cyber security strategy, with the headline goal of making the country a world leader in the field by 2030.
Comprising six pillars, including building sovereign and threat-blocking capabilities, protecting critical infrastructure, and driving resilience, the strategy comes at a time when Australia has been facing a growing number of cyber attacks.
Clare O’Neil, Australia’s minister for home affairs and minister for cyber security, said: “Cyber security is an urgent national problem, and we need to act now. After a decade of malaise, Australia has fallen behind. For too long, Australian citizens and businesses have been left to fend for themselves against global cyber threats.”
In the short term, the government intends to plug critical gaps in the country’s cyber defences, improve protection for the most vulnerable citizens and businesses, and work towards greater cyber maturity in the region.
Chris Vein, chief executive of the Australian Computer Society (ACS), said: “With the sector touching every corner of society, it’s critical our systems are safe and secure, so that every Australian can be confident their data is protected, and their connectivity is reliable.
“At ACS, we’re looking forward to working with the federal government and minister O’Neil on delivering the strategy’s important objectives to ensure all Australians can use technology safely and securely.”
Focus on small businesses
Alongside the strategy document, the government released an action plan setting out the measures that various agencies will take to turn these ideas into reality.
They include free cyber health checks for small and medium businesses (SMBs), free cyber resilience advice for small businesses, and an expanded cyber awareness campaign, with grants to help community organisations get the message across to the groups they serve.
Chris Sharp, Asia-Pacific CEO of Pax8, said: “There’s a path in Australia’s cyber security opportunity where the little guys aren’t left out, but the advice to market – particularly to SMBs – needs to be polished.
“The government’s ‘health check’ programme announcement is a valiant effort – the true test will be how it goes about educating the right people across an extremely diverse SMB landscape. ‘Concierge-style’ support only goes so far, particularly if it doesn’t know where to go, and businesses don’t understand why to seek it out.
“The problem is SMBs don’t know how to start conversations, nor who to turn to. Working alone makes the cost of cyber security defences untenable, but it doesn’t have to be this way. Your local florist, corner store, or even the grassroots neighbourhood startup can contribute to building Australia’s resilience; they need the education to know why and how to be government-compliant, fight increasing cyber insurance premium costs, and protect their customers’ PII [personally identifiable information] data.”
On the law enforcement side, Operation Aquila will be stepped up to target the highest-priority cyber crime threats affecting Australia, and increased global cooperation will be sought to address cyber crime, particularly through regional forums such as the Pacific Islands Law Officers’ Network and the ASEAN Senior Officials Meeting on Transnational Crime.
The government intends to address the continuing ransomware threat by working with industry to design a mandatory ransomware reporting system. Significantly, these reports will be made on a “no fault, no liability” basis. The home affairs department, in collaboration with other agencies, will create a ransomware playbook to guide businesses in preparing for, dealing with, and recovering from ransomware or other extortion attacks. Again, international collaboration is an important part of the plan.
Adrian Covich, Proofpoint’s senior director of systems engineering in Asia-Pacific and Japan, said: “The mandatory no-fault reporting system will help to collect vital information on where organisations require more support and will encourage a continued assessment of cyber security strategy. Mandatory declarations may make payments less likely and will provide government and law enforcement with more visibility.”
Sabeen Malik, vice-president of global government affairs and public policy at Rapid7, noted that ransomware reporting will not alleviate the problem but does help to bring more transparency to the problem of ransomware globally. He hopes this doesn’t lead to companies spending more on complying with a programme that should be kept light touch, and that the spend should instead go towards combating the problem globally.
To make it easier for organisations to meet reporting requirements, the department of home affairs will investigate the development of a single reporting portal for cyber incidents. Covich welcomed the move but added that further simplification of the regulatory environment would help to ensure common understanding of cyber security, privacy and data protection expectations.
The government has also foreshadowed legislation to assure organisations that the Australian Signals Directorate and the National Cyber Security Coordinator will only make specific limited use of any data provided in connection with a cyber incident, plus a code of practice for cyber incident response providers to clearly communicate the service quality and professional standards expected of them.
To help protect individuals – especially from identity theft – the Digital ID programme will be expanded to reduce the need for people to share their personal information with government and businesses before they can use online services, and support for victims of identity crime will be expanded.
International security standards for consumer smart devices will also be mandated, along with a voluntary security labelling scheme and a voluntary code of security practice for app stores and app developers.
In addition, government procurement practices will be harmonised with the Quad partners, and a framework will be developed to assess the national security risks presented by digital products used in Australia.
Macquarie Technology Group co-founder and Macquarie Government managing director Aidan Tudehope said: “Our AUKUS allies want to see confidence in Australia’s industrial base to support the partnership. Given the horizontal effect cyber security has across all industry sectors and their supply chains, getting behind the strategy and building more cyber-aware citizens and businesses will help create that confidence and showcase the incredible capabilities and talent we have in the local sector.”
The plan calls for a review to identify and ultimately secure the country’s most sensitive and critical datasets, a review of data retention requirements, and a review of the data brokerage ecosystem with particular attention to the way it can be used by malicious actors to obtain data.
Other proposed measures include embedding cyber security into work on responsible artificial intelligence (AI), setting standards for post-quantum cryptography, creating a threat intelligence network to cover the whole of the economy, and developing next-generation threat-blocking capabilities and implementing them across telcos, internet service providers and financial services firms.
Critical infrastructure received particular attention, with proposals to align standards across all entities, clarify the regulation of managed service providers, extend cyber regulation to the aviation and maritime sectors, protect critical data used in conjunction with critical infrastructure, and enhance the cyber obligations for systems of national significance.
The government wants to ensure its own house is in order, so the National Cyber Security Coordinator will oversee an improvement in cyber security across the whole government. In addition, the government will implement zero-trust controls across its networks, conduct regular reviews of the cyber maturity of Commonwealth entities, improve the public service’s cyber skills, and identify Systems of Government Significance that require higher levels of security.
Improving cyber maturity
Looking further ahead, the strategy for 2026 to 2028 aims to improve cyber maturity generally, including the development of a diverse cyber workforce. Proposed measures include aligning migration policy with cyber skill requirements, and guiding employers to target and retain diverse talent, to support the professionalisation of the cyber workforce.
Nigel Phair, professor at Monash University’s department of software systems and cyber security, said: “The strategy highlights the need for a skilled workforce to solve the cyber security problems of the future. The higher education sector is well placed and stands ready to support the government in this aim.”
In the last three years of the strategy, the government “will lead the development of emerging cyber technologies capable of adapting to new risks and opportunities across the cyber landscape”. The main measure in this area will be funding startups and SMBs developing innovative security solutions.
Congratulating O’Neil for her vision and work on the strategy and for her strong engagement with industry on its development, Tech Council of Australia CEO Kate Pounder said: “We are pleased to see a strong focus on building Australia’s cyber security skills and industry capabilities, utilising technology solutions, supporting consumers and small businesses, and ensuring our legal frameworks are fit for the digital age.”
Matthew Warren, professor at the RMIT Centre for Cyber Security Research and Innovation, noted that the government’s new cyber security strategy was a key step in helping to protect Australia in the future against the wide range of cyber threats that Australia faces.
“Unlike previous national cyber security strategies, this strategy clearly defines what success looks like and the three phases of implementation needed to get to a successful outcome,” he said.