Government's strategy to combat cyber risks 5 min read
The Australian Government released its 2023-2030 Australian Cyber Security Strategy, outlining its vision of a cyber secure Australia, and how we will get there. It represents the Government's wholistic strategy to combat cyber risks throughout the Australian economy, and flags a number of material new or expanded regulatory frameworks, as well as government support and assistance.
In addition, the Government released the Cyber Security Action Plan, which identified which agency would lead and contribute to the actions outlined in the plan.
While the Cyber Strategy represents a significant statement of intent from the Government, including several areas of substantive reform, there is much more work to do. The package contemplates a further Consultation Paper to be released shortly, with consultation and the opportunity to make submissions until March 2024.
In this Insight, we unpack the key takeaways from the strategy and what we can expect next.
Six cyber shields: what is the Cyber Security Strategy?
The Cyber Strategy is described as a 'whole-of-nation endeavour' that will aim to ensure—by 2030—that Australia is a hard target for cyber-attacks or, if an attack does occur, that Australians are in a stronger position to respond effectively and deal with ransom demands.
As foreshadowed prior to the Cyber Strategy's release by the Hon Clare O'Neil MP, Minister for Home Affairs and Minister for Cyber Security, it focusses on providing more robust protection to individuals and businesses through six 'cyber shields', being:
- strong businesses and citizens
- safe technology
- world-class threat sharing and blocking
- protected critical infrastructure
- sovereign capabilities
- resilient region and global leadership
Under each 'cyber shield', the Government outlined the specific initiatives and actions it would undertake to establish the relevant 'shield'. In total, there are 60 actions the Government proposes to implement across the various government initiatives.
Summary of key actions proposed in the Strategy and Action Plan
Set out below is a high-level summary of the key actions proposed to be taken (broadly categorised thematically). Many will require significant additional consultation, including amendments to existing regulation and legislation, development of entirely new regulatory frameworks and significant industry consultation and co-design.
- Work with industry to co-design options for a mandatory no fault, no liability ransomware reporting obligation.
- Create a ransomware playbook to guide businesses on preparation and responses to ransomware or cyber extortion attacks. Notably, the Government 'continues to strongly discourage businesses and individuals from paying ransoms to cybercriminals', although it has not proposed to ban payment of ransoms.
- Support small and medium businesses to strengthen their cybersecurity, including by creating cyber ‘health checks’.
- Co-design with industry options to establish a Cyber Incident Review Board to conduct no-fault incident reviews to improve cybersecurity. Lessons learned from these reviews will be shared with the business community and the wider public.
- Simplify incident reporting by considering options to develop a single reporting portal for cyber incidents to make it easier for entities affected by a cyber incident to meet their regulatory reporting obligations. This would make a material practical difference for entities responding to incidents.
- Consult industry on options to establish a legislated limited use obligation for ASD and the National Cyber Security Coordinator to encourage organisations to share information in the early stages of a cyber incident.
- Develop cybersecurity standards for IOT consumer devices by working with industry to co-design a mandatory cybersecurity standard. This would be supported by a voluntary labelling scheme and codes of practice for app stores/developers.
- Develop a framework for assessing the national security risks presented by vendor products and services to help industry manage supply chain risks.
- Telecommunication providers will be aligned with the critical infrastructure entity standards in the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
- Strengthen and clarify cybersecurity obligations and compliance for critical infrastructure, including consulting with industry on:
- introducing a consequence management power that will allow the Government to direct an entity to take specific actions to manage the consequences of a nationally significant incident; and
- clarifying the application of the SOCI Act to ensure critical infrastructure entities are protecting their data storage systems where vulnerabilities to those systems could impact the availability, integrity, reliability or confidentiality of critical infrastructure. This includes:
- clarifying the regulation of managed service providers under the SOCI Act and delegated legislation;
- enforcing risk management obligations under the SOCI Act, including the possibility of rolling out additional powers for the Government to review, and direct uplift of an entity's risk management program; and
- activating enhanced cybersecurity obligations for Systems of National Significance under the SOCI Act.
Relevantly, the proposals suggest a real focus on the scope of the 'data storage and processing' critical infrastructure sector.
- Review federal legislative data retention requirements, including through implementation of the Government’s response to the Privacy Act Review. A potentially massive task given the breadth of coverage, this is an area industry has increasingly been asking for support on, as they grapple with data retention challenges. We would anticipate this review will take a substantial amount of time to undertake and assess.
- Conduct a review to identify and develop options to protect Australia’s most sensitive and critical datasets, focussing on datasets that are crucial to national interests but not appropriately protected under existing regulations.
- Expand the Digital ID program to reduce the need for people to share sensitive personal information with government and businesses to access services online. For more information about this proposal, see this Insight.
- Launch a threat sharing acceleration fund to provide seed funding to establish or scale-up Information Sharing and Analysis Centres in low-maturity sectors. This program will start with an initial pilot in the health sector.
- Co-design a code of practice for cyber incident response providers to clearly communicate the service quality and professional standards expected.
Are ransom payments to be prohibited? What else was left on the cyber cutting-room floor?
The final version of the strategy appears to have benefited from the long period of consultation since the initial rollout. As pre-empted through various prior public statements from the Minister, some of the more debated aspects of the initial discussion paper in February 2023 appear to have been left out following feedback from industry.
In particular, the Strategy does not contemplate:
- an express prohibition on ransom payments (or, for that matter, anticipate clearing up any uncertainty about whether ransoms are illegal under various proceeds of crime or other financial crime laws);
- the implementation of a specific 'Cybersecurity Act'; or
- imposing specific duties on directors in connection with cyber risk management.
Strategy rollout
The Cyber Strategy will be delivered in three phases:
- Horizon 1 (2023–25): to address foundations by examining critical gaps in the cyber shields and to support improved cyber maturity uplift.
- Horizon 2 (2026–28): to expand the reach by addressing further investments in the broader cyber ecosystem, and continuing to scale up cyber maturity and the cyber workforce.
- Horizon 3 (2029–30): to lead globally, and to address the development of emerging cyber technologies capable of adapting to new risks and opportunities.
Next steps
The Government will shortly be releasing a Consultation Paper to help address the new initiatives, identify gaps in existing laws and specifically look at amendments to the SOCI Act to strengthen protections for critical infrastructure. Organisations impacted by the various proposals should review the Consultation paper closely, with submissions to be open until March 2024.