Wednesday, 22 November 2023
Pragmatic steps toward a bold horizon
CyberCX welcomes the Australian Government’s Cyber Security Strategy 2023-2030 and applauds its ongoing focus on cyber security as key to our national security and economic prosperity.
Launched today by Minister for Home Affairs and Cyber Security Clare O’Neil, this is the third cyber security strategy delivered by a federal government in the last seven years, and easily the most ambitious. The Strategy shows the Albanese Government is steering toward the far horizon, setting a bold vision for where we need to be by 2030, seven years from now.
Meanwhile, there’s stormy weather in the near-term outlook: the Government is operating in a fiscally-constrained environment brought about by global economic uncertainty, with increasingly complex geopolitical tensions playing out in our region and across the globe. The cyber threat landscape will almost certainly continue to deteriorate over the lifespan of the Strategy.
Against this backdrop, the Strategy reflects a coming of age for cyber security in Australia. Leveraging hard-won lessons from a year that saw the largest data breaches in Australian history, as well as major incidents that underscored the need for resilience in our critical infrastructure, the Strategy is clear-eyed about where Government will lead, and where the private sector must step up. It sets a roadmap for how the Government intends to play to its strengths, while raising the standards it expects private industry to meet, and setting the conditions for more meaningful partnership with industry.
As the Strategy moves from vision to implementation, the Government’s progress will be marked against four key themes:
- increasing visibility of the threat
- reducing the volume of cyber incidents
- improving our ability to respond to cyber incidents when they do occur, and
- enhancing our ability to bounce back from current and future cyber threats.
Increasing visibility of the threat
You can’t defend what you can’t see. For too long, we have relied on reporting mechanisms that are voluntary and often duplicative. We know that cyber incidents are systematically underreported in Australia and, too often, victims refrain from sharing timely threat intelligence with their industry peers because of legal concerns.
The Strategy outlines a suite of initiatives to improve the scope and clarity of cyber threat intelligence the Government can ingest, analyse, share and operationalise. A new no-fault, no-liability ransomware reporting obligation for businesses, and a limited use obligation for reports made to ASD and the Cyber Coordinator, will get actionable threat information where it needs to go, faster. It will also give comfort to businesses worried about the legal consequences of sharing.
The Government will also establish a new process for slower-time review of national cyber incidents, working with industry to establish a Cyber Incident Review Board. Taking inspiration from successful models in other sectors – such as transport and aviation – the intent is to share lessons learned to uplift and strengthen our cyber defences.
Reducing the volume of cyber incidents
The Government has signalled its intent to further support telcos and ISPs to block threats at scale, stopping more cyber threats from entering Australia’s digital infrastructure. To this end, the Government has established a Threat Blocking Steering Group to develop cutting-edge threat blocking capabilities, and encourage and incentivise threat blocking across the economy by those most capable of doing so.
There are also measures to help improve threat sharing within less mature sectors, with a Threat Sharing Acceleration Fund being set up to support the development of sector-specific information sharing and analysis centres (ISACs) in Australia, with an initial pilot for the health sector.
Another key plank of the Strategy is mandatory standards for internet-of-things devices – a fast-growing market of mostly poorly-secured cheap commodity devices. This measure, coupled with voluntary ‘safety’ labels for these devices, will help address a collective action challenge at the heart of cyber insecurity: the lack of incentive for technology companies to ensure their products are secure-by-design.
Improving our collective response to cyber crises
Despite our best efforts to bolster our defences, cyber incidents are inevitable. In a further indication of this Strategy’s vision for cyber maturity, the Government has signalled its intent to professionalise the cyber industry. A clear cyber skills framework will provide assurance to employers that their cyber workforce is appropriately skilled.
Further professionalisation will be achieved through the creation of an industry code of practice for incident response providers, clearly defining the service quality and professional standards expected from third-party cyber incident response providers.
Consolidating our sovereign capability to respond to cyber crises will also enable Australia to operate from a position of strength in supporting our Pacific and South East Asian neighbours to respond to serious cyber incidents.
A rising tide of resilience
Australia has a well-established and world-leading cyber regulatory scheme under the Security of Critical Infrastructure Act (SOCI). The Government intends to build on the work done under SOCI to further strengthen the resilience of our most essential systems.
These changes include moving the security regulation of the telecommunications sector from the Telecommunications Sector Security Reforms (TSSR) currently in the Telecommunications Act 1997 into the SOCI regime. The Government will also seek to clarify obligations for managed service providers which provide services to SOCI entities, as well as developing a reform agenda to strengthen the security settings for aviation, maritime and offshore facilities.
Broadening the scope beyond critical infrastructure, the Government is also introducing measures to encourage further maturity across the private sector, by clarifying corporate governance standards. This will build on and complement work already done by industry bodies such as the Australian Institute of Company Directors and the Australian Information Industry Association.
Demonstrating a willingness to ‘walk the talk’, the Strategy also outlines initiatives aimed at enhancing cyber security within the Commonwealth Government itself. This includes empowering the Cyber Coordinator to oversee whole-of-government cyber uplift, and designating ‘Systems of Government Significance’ that need to be protected with higher security standards.
The Strategy also seeks to ensure that some of the most vulnerable cohorts benefit from the opportunity to improve their cyber readiness and resilience. This includes measures targeted at the 2.5 million small businesses in Australia, such as a cyber health-check program and the establishment of a new Small Business Cyber Security Support Service.
Toward the horizon
Overall, the Strategy details some 48 different measures and initiatives the Government will act on, demonstrating a commitment to do what must be done in the near term to address the most urgent issues, while setting in motion processes that will need time to gather momentum and consensus.
Indeed, the Strategy contemplates a number of wicked problems that will require a long tail of concentrated effort as we progress toward 2030. This includes how Australia will capture the remarkable opportunities of game-changing technological advancements in artificial intelligence and quantum computing – while ensuring we do so responsibly, minimising the risks to our economy and national interest.
Achieving security-by-design and by-default in digital technologies is another area which will require sustained effort from government, and goodwill from industry, to consult and co-design a path toward a higher standard of security being baked into the software and systems that increasingly underpin our daily lives. Mandatory cyber security standards for IoT devices will be the starting position, with future outcomes flagged for more complex hardware and software in the years to come.
This Strategy has been more than a year in the making – and a key feature of its development was widespread industry consultation. The Strategy continues its focus on tapping into the knowledge and expertise of industry leaders. As the Government navigates towards the future, a new Executive Cyber Council will be a key forum to build cross-sectoral trust and drive public-private collaboration.
Seven years is certainly a long time – two more federal elections will be held before 2030 – but the reality is that the success of this Strategy will not rest solely on the Government’s shoulders, but on citizens and organisations across all sectors demonstrating the will and tenacity to see this bold vision become reality.
CyberCX Webinar
Join our Chief Strategy Officer Alastair MacGibbon and Executive Director of Cyber Intelligence Katherine Mansted as they unpack what the strategy means for Australian organisations, with measures designed to bolster defences and improve resilience across every sector of the economy – from small businesses, to private industry, government agencies and critical infrastructure.