
Budget nudges private sector closer to cyber frontline


Published by Megan Lane on

 

Every federal budget must navigate and accommodate a crippling number of competing priorities, striking the right balance between achieving its policy ambition and delivering fiscally responsible outcomes for its citizens.

The 2023-24 budget demands a particularly invidious set of trade-offs in this regard: delivering on the ambitious reform agenda of a young government; managing large and growing costs associated with essential services such as the NDIS and aged care; committing to meaningful budget repair; all in the context of a cost-of-living crisis and an uncertain global economic outlook.

Navigating this treacherous landscape of policy commitments and fiscal responsibilities, Treasurer Jim Chalmers has been clear with his colleagues and with the public: most new investments or initiatives will need to be funded by offsets and savings from other government spending.

Against this backdrop, the Albanese Government has set the scene for an ambitious undertaking regarding the future of our nation’s cyber security: make Australia the most cyber secure country in the world by 2030.

Achieving this vision will require bold and coordinated action from government at all levels, meaningful partnership with the private sector, and innovation by industry and academia.

It’s hard to imagine this is something that can be done on the cheap.

Overcoming decades of technical debt, transforming ways of working, partnerships, and norms across the public and private sectors will be extremely challenging – and expensive.

A number of cyber security investments outlined in the budget reflect announcements made in recent times by the Minister for Home Affairs and Cyber Security, Clare O’Neil, and the Attorney-General, Mark Dreyfus – including funding the reinvigorated Coordinator for Cyber Security, supporting the rollout of the SOCI program, and the establishment of a standalone Privacy Commissioner.

Such investment has been offset by savings in other areas, such as winding down the Cyber Hubs program, an initiative designed to help government improve efficiencies of scale in cyber security across the public sector.

What do these sorts of decisions tell us about the government’s intent and prioritisation when it comes to cyber security? Have these decisions set Australia on the path required to achieve its world-leading ambition to secure our businesses, government, and the broader community?

Unfortunately, we’ll have to wait and see.

Because while it is true that budgets generally set the course for the next fiscal year, if not the next three, O’Neil as the minister responsible for cyber security is concurrently in the process of revamping Australia’s national cyber security strategy.

Ahead of the strategy’s release, the government must grapple with this question: Is it possible to become the most cyber secure nation by 2030 without a significant net increase in government funding and investment in cyber programs?

If the government decides its stated ambition for cyber must be met within the existing budget envelope, that inevitably limits the number of levers at its disposal.

When contemplating what other levers may therefore be leaned on more heavily, regulation would appear to be an obvious one.

Minister O’Neil has recently spoken about her enthusiasm for “good regulation”, noting that “despite the great willingness of businesses and industry… sometimes the law is going to be necessary.”

It is understandable then that industry is starting to see the cyber road ahead is likely to involve more stick than carrot, with the burden of safeguarding Australians to be largely borne by the private sector.

There is no doubt business leaders are already alive to the acute operational, financial and reputational risks posed by cyber threats. Recent months have rightly seen cyber concerns in Australian businesses shift from the IT help desk to the boardroom table.

While industry comes to grips with the commercial implications of cyber risk being realised, should they also be preparing themselves for an onslaught of regulatory costs that may be heading their way as Australia moves further into the “cyber century”?

As the cyber security strategy moves into its final months of consultation and drafting, now is the time for government to fine-tune its engagement with industry and begin to provide more clarity on this question.

While it is vital for government to calibrate a strategy that harnesses the immense cyber strengths of the private sector, a more secure future for Australia can only be built on a meaningful partnership between business, government, and the community.

 
