The Australian Cyber Security Strategy (2023-2030) process started with a Discussion Paper that sought views on measures to protect and enhance Australia’s cyber resilience. It asked 21 questions and received 330 submissions including a 40-page submission from the Australian Information Security Association (AISA). The resulting Strategy presents a 64-page roadmap to realise the Government’s vision of being a world leader in cyber security by 2030 – framed as six “cyber shields”.
1. Strong businesses and citizens – Responsibility for cyber security will be shared across the community with more cyber risk allocated to those who are most capable of addressing it. Cyber crime business models will be undermined. The Government plans to:
- Summarise corporate obligations and develop a simplified principles-based framework.
- Enhance the Australian Federal Police offensive cyber capability, triple the ASD’s offensive capability and build Pacific and South-East Asian cyber-crime capabilities. They also plan to strengthen regulation of cryptocurrencies, expand the Digital ID program, and increase funding for victim support services.
- Support global adoption of the Council of Europe Budapest Convention on Cybercrime, and impose sanctions on Nation States accountable for incidents. They also plan to establish a process for reviewing incidents and sharing lessons learnt.
- Develop a ransomware playbook, and implement a no-fault, no-liability ransomware reporting obligation for businesses. They also plan to implement an industry code of practice for incident response providers.
2. Safe technology – Government mandated cyber security standards will be harmonised and aligned to international best practice. Data retention requirements will be streamlined, and guidance will be provided on emerging technologies. The Government plans to:
- Develop a framework for assessing national security risks of vendor products and services.
- Legislate a mandatory cyber security standard for IoT devices, and a voluntary labelling scheme, as well as a voluntary code of practice for app stores and app developers.
- Identify Australia’s most sensitive and critical data sets, develop a voluntary data classification model, and simplify legislative data retention requirements.
- Continue Australia’s commitment to the Bletchley Declaration at the AI Safety Summit and set standards for post-quantum cryptography.
3. World-class threat sharing and blocking – A whole-of-economy threat intelligence network will be created, and threat blocking capabilities will be scaled. The Government plans to:
- Enhance ASD’s threat sharing platform and establish a Threat Sharing Acceleration Fund starting in the health sector.
- Develop automated, near real-time at-scale threat blocking capability, and incentivise ISP and Telco threat blocking.
4. Protected critical infrastructure – The critical infrastructure regulations will be clarified and strengthened, and vulnerability identification capabilities tested. The Government plans to:
- Move all critical infrastructure regulatory obligations into the SOCI Act, strengthen aviation and maritime security, and clarify the responsibilities of managed service providers. They also plan to finalise a compliance monitoring and evaluation framework.
- Expedite implementation of the Systems of National Significance framework and establish a power to manage nationally significant incidents.
- Develop a whole of government zero-trust culture, develop cyber skills of the APS, conduct regular reviews of cyber maturity of Commonwealth entities, and designate Systems of Government Significance.
- Run a National Cyber Exercise Program across all sectors.
5. Sovereign capabilities – The national cyber workforce will be grown, and cyber industry, research and innovation will be accelerated. The Government plans to:
- Attract global cyber experts as part of the Migration Strategy, and issue cyber diversity guidance to employers to attract and retain diverse cyber professional cohorts.
- Reform the Vocational Education and Training (VET) system to keep pace with cyber security needs and establish a clear cyber skills framework.
- Invest in cyber industry growth through a Cyber Security Challenge program for start-ups, a $392m Industry Growth Program, and use of the $15b National Reconstruction Fund.
- Revitalise Australia’s National Science and Research Priorities.
6. Resilient region and global leadership – The region will be developed as a global cyber partner of choice, and Australia will work to strengthen international cyber rules. The Government plans to:
- Coordinate Pacific and Southeast Asian regional cooperation and assistance through the Ambassador for Cyber Affairs and Critical Technology, refocus capacity building regionally, and establish a regional cyber response team.
- Strengthen undersea cable systems in the Indo-Pacific and examine technology options to protect the region at scale.
- Promote robust international standards underpinning cybersecurity, strengthen internet governance, and drive development of digital trade rules.
- Uphold international law including through enhanced regional cooperation, and employ all arms of statecraft to deter and respond to malicious cyber actors.
The strategy will be delivered in three horizons – close foundational gaps in Horizon 1 (2023-2025), develop scale through investment in Horizon 2 (2026-2028) and lead globally in Horizon 3 (2028-2030).
Opinion
The government has a good vision of legislative change, regional engagement, and uplift of government cyber capacity, as well as a well thought out approach to threat intelligence sharing and incident management.
However, the strategy:
- Does a poor job of addressing the cyber skills shortage by only focussing (at a high level) on migration and vocational training, and not providing a private sector human resource development strategy.
- Does a poor job of addressing development of the Australian cyber ecosystem by only focussing on a small number of largely existing accelerator and grant programs.
- Does not provide any real strategy for Australia to be a world leader in Cyber Security by 2030 other than regional engagement and influencing international law and standards.
In addition, the Horizon 1, 2, 3 approach is badly articulated, as Horizon 1 seems to be just a restatement of all the deliverables of the strategy.
MyRISK® will continue to follow developments in this space, including ensuring our HyperGRC™ platform supports any new corporate obligations, new cyber security standards, new data classification schemes, reporting of systems, and government review processes.