Published by Katherine Mansted and Megan Lane on 4 November 2022
The Albanese government’s first Budget, handed down last week in Canberra, began to deliver on many of the of the government’s election commitments – from childcare and aged care through to housing. When it came to cyber security, the spending was modest, which will raise expectations for major cyber reforms in the lead up to the government’s next budget in May.
The October Budget outlined three key areas of cyber spending:
- a modest increase in the privacy regulator’s resources;
- a small boost to scam and fraud prevention; and
continued investment in the federal government’s own cyber resilience, in the form of the extension of the ‘Cyber Hubs’ pilot started by the previous government.
All up, the October Budget delivered just shy of $50 million in cyber security spending, but also redirected $5 million the previous government had committed to the area. Of the new funding measures, most were about responding to recent high-profile data breaches, including investments in IDCARE and the privacy regulator. For now, the government has kept its powder dry on progressing structural reform to prevent similar, inevitable cyber incidents in future.
This approach is not unexpected, with much of the government’s thinking on cyber security still under review. From the start, the government has signalled a reprioritisation of cyber, returning cyber security to cabinet under Minister Clare O’Neil.
In August, Minister O’Neil announced that she would recast the previous government’s ten-year Cyber Security Strategy, released in 2020. The 23-24 May Budget will be the Albanese Government’s opportunity to signal how it plans to reallocate, and enhance, what remains unspent from the $1.7 billion committed under the 2020 strategy. Minister O’Neil has suggested her priorities will include investing in cyber skills, the sovereign cyber industry and a revitalised ‘cleaner pipes’ initiative where ISPs must block threats at scale. All are urgent—if not overdue—reforms.
Additionally, data protection reform has been on Australia’s horizon for several years, but Attorney-General Mark Dreyfus is accelerating and broadening this process. Last Wednesday, the government introduced a bill to increase penalties for serious privacy infringements and to expand the privacy regulator’s enforcement powers. This will only be the tip of the spear of privacy reforms widely expected to land in the coming 12 months.
In this sense, it’s to be hoped that October’s Budget is simply a warm-up act to a showstopper cyber budget next May.
The government’s patience in not rushing through ‘sugar hit’ cyber measures while it consults on and finalises its broader strategic thinking on cyber is welcome.
It’s also worth remembering that this was never going to be a ‘Cyber Budget’. The government’s key objective last Tuesday night was locking in its election commitments, of which very few related to cyber safety.
In large part, this reflects the status of cyber security in Australian federal politics just five months ago. Cyber security investment wasn’t seen as an election winner. And cyber attacks, despite being one of the most foreseeable harms to Australians, weren’t seen as something that could lose elections.
The last month of high-profile breaches may have changed that. Cyber safety is now dinner table conversation for Australians, following highly-publicised data breaches affecting household brand names like Optus, Medibank and Woolworths. Consumers and the media have shown renewed appetite to hold corporations – and also the federal government – to account for cyber security failures. And organisations across Australia have been jolted into re-evaluating risk in the digital age, especially in relation to their holdings of Australians’ personal information.
Against this backdrop of heightened attention and expectation, and with the global cyber threat environment increasingly volatile, we eagerly await the necessary switch from cyber planning to investment and action by the federal government.