The Australian Federal Government has published the Australian Cyber Security Strategy 2023-2030 with a focus on protecting the country’s most vulnerable citizens and businesses. On the face of it, the strategy covers a lot of ground, and the government will need to work hard and fast to ensure that some of the proposed actions are implemented before the next big breach.
As previously reported, the cyber strategy is based on the idea of six cyber shields that provide additional layers of defense against cyber threats. These shields aim to create strong businesses and citizens, secure technology, world-class threat sharing and blocking, protected critical infrastructure, sovereign capabilities, and resilient regional and global leadership.
In addition to the $2.3 billion already spent on cybersecurity, the government has committed $586.9 million to deliver the strategy over seven years. The money will be used for the following:
- $290.8 million to support small and medium businesses, raise awareness, combat cybercrime, break the ransomware business model and make Australians’ identities more secure.
- $4.8 million to establish consumer standards for smart devices and software.
- $9.4 million to create a threat sharing platform for the healthcare sector.
- $143.6 million to strengthen the protection of critical infrastructure and improve government cybersecurity.
- Expand our sovereign cyber capabilities by investing $8.6 million to “professionalize” the country’s cyber workforce and accelerate the cyber industry.
- An investment of $129.7 million in regional cooperation, cyber capacity building programs and leadership in cyber governance forums on the international stage.
Earlier this week the federal government had also announced an $18.2 million investment to help small and medium-sized businesses improve their cybersecurity resilience and their response to cyberattacks; this investment is also part of the strategy.
Implementation of the strategy
Australia’s cybersecurity strategy covers most, if not all, aspects of cybersecurity, but there are many things to focus on and the timelines for implementing each are unclear.
The 28-page action plan details each action proposed by the strategy and the departments that will be involved, but not the date by which each should be implemented. It states only that some actions will begin immediately and that the plan will be reviewed every two years.
The strategy will be delivered in three blocks, called horizons. Horizon 1 – to be delivered through 2025 – will fill critical gaps and focus on better protection of citizens and businesses, as well as improving cyber maturity in the region. This will include work between the federal government and industry to jointly design a “landmark series of legislative reforms” aimed at strengthening the cyber shields, with options for new cybersecurity obligations, streamlined reporting processes, improved incident response and better sharing of lessons learned after a cyber incident.
Horizon 2 – which will be delivered between 2026 and 2028 – will focus on increasing cyber maturity by increasing the cyber workforce. Horizon 3 – which will be delivered between 2029 and 2030 – will focus on leading the development of emerging cyber technologies capable of adapting to new risks and opportunities in the cyber landscape.
The Government’s Cybersecurity Executive Council – part of Shield 3, Action 11 – should support the implementation of national cybersecurity priorities, including Action Plan initiatives.
“Without any programs or policies in place beforehand, and without media headlines generally focusing on attacks from ‘big business,’ many SMEs are unaware of how they can – or why they should – get involved to collectively strengthen the country’s cyber defenses,” Chris Sharp, CEO of Pax8 APAC, told CSO. “The Shield One imperative of the strategy aims to help businesses defend themselves and facilitate access to advice and support. With the cost of cybercrime being near-deadly for small and medium-sized businesses, speed in providing these tools and resources is critical. Rapid collaboration with industry is essential if we are to achieve an economy comprised of around 95% SMEs – immediate government programs are strong; they just need guidance from the industry on where to go. It is our collective duty.”
Sharp said CISOs have a responsibility to work with government and industry to help educate and support the broader economy, which often lacks knowledge or resources.
Peter Maloney, CEO of AUCloud, told CSO that some of the actions are extensions of services already available to Australians, “which will only improve their efficiency with more resources”.
Key points for the Australian Government
Cybersecurity Minister Clare O’Neil spoke at a press conference this morning about some of the government’s key concerns, such as keeping households safe by creating standards around device security.
The other major concern appears to be telecoms providers, an issue which gained even more attention after a nationwide Optus outage left all of its customers without service for around nine hours, affecting EFTPOS machines among other services.
The government expects telecom operators to share threat intelligence with it, in addition to existing threat sharing and blocking measures.
Additionally, O’Neil is concerned about critical infrastructure, including water, telecommunications and energy providers. Referring to the cyber incident at DP World that halted most of its port operations over an entire weekend, O’Neil wants to establish minimum cyber standards for these industries and ensure they meet them. “Telecommunications operators must be held to the highest standards of cybersecurity,” she said at the press conference.
Another topic of concern to the industry is the possibility of mandatory reporting following a ransomware payment, as well as a complete ban on ransomware payments. In the strategy, the government says it wants to work with industry to jointly design options for a no-fault, no-liability reporting requirement under which businesses would report ransomware-related incidents and payments. In a radio interview, O’Neil said: “The reason we haven’t gone ahead with a ban is because I think everyone I work with accepts that a ban at some point is inevitable. The problem is we just haven’t done the hard work to prepare the country to manage the consequences of a ban on ransomware.”
AUCloud’s Maloney believes that mandatory no-fault, no-liability reporting on ransomware will create more opportunities for businesses to quickly access support.
To secure identities, the government has committed to expanding the digital ID program to reduce the need for people to share sensitive personal information with government and businesses in order to access online services. Further details are yet to be provided.
Towards the cybersecurity strategy
It is undeniable that the September 2022 Optus data breach was the catalyst that pushed the current government to step up its cybersecurity efforts. After briefly blaming the telecommunications company, the government’s attitude changed when, less than a month later, Medibank revealed what would become a much more serious breach, which resulted in highly sensitive medical records of Australian residents being published on the dark web.
In December 2022, O’Neil announced the development of the cybersecurity strategy, which was then opened for consultation in late February 2023. More than 330 submissions were received, and Home Affairs also organized consultation events and roundtables with stakeholders.
In March, another major data breach was revealed, this time at the publicly traded Latitude Financial, which found that the data of 14 million people had been accessed.
In May, the government announced how it would use $200 million – funded partly from existing Home Office resources and by redirecting funds – as part of the Budget 2023-2024 to improve the country’s cyber resilience.