Digital Snapshot

by Sophia Brook

The 2023-2030 Australian Cyber Security Strategy

#13/23
1 December 2023

Global developments have highlighted that cyber-attacks are accelerating at an ever-increasing pace and that targeting critical infrastructure has become a major part of conflict operations worldwide. In Russia’s war on Ukraine, for example, malicious cyber actors have repeatedly targeted critical communications, energy, health, and transport infrastructure to disrupt systems and destroy supply chains. This included attacks on Ukraine-allied partners like the EU and the US.

As a result, in December 2022, the Australian Government announced its intention to make Australia ‘the world’s most cyber secure nation by 2030’, with a new comprehensive 2023-2030 Australian Cyber Security Strategy to be implemented the following year. The strategy was released on 22 November, a week after the Australian Signals Directorate (ASD) released its Cyber Threat Report 2022-23.

According to the ASD’s threat report, nearly 94,000 cybercrime reports were received in 2022-23, an increase of 23% on the previous year. The average cost of these attacks to small, medium, and large businesses increased by 14%.

The key security trends listed in the report are data theft and disruption of business by state actors focussed on critical infrastructure, with an increase in attacks on Australian infrastructure via interconnected systems. One in five critical vulnerabilities were reportedly exploited within 48 hours, highlighting the need for fast-response mechanisms to patch cyber security gaps.

The report further states that within the top ten reporting sectors, federal government recorded the highest incident rate at 30.7%, followed by state and local government at 12.9%.

The government’s newly released strategy aims to address these and other problem areas and anticipate future cyber security needs. According to Minister for Cyber Security Clare O’Neil, the strategy will be a game-changer for Australia’s cyber security, boldly and ambitiously offering a ‘clear vision for both domestic and international cyber security for the first time’.

To implement the strategy, the Australian government intends to spend more than $586.9 million all up. This will be in addition to the $2.3 billion already being invested in existing cyber security projects. The majority of funds will go towards the protection of businesses and citizens ($290.8m), the defence of critical infrastructure ($143.6m) and building cyber resilience in the region ($129.7m).

The strategy is built around ‘six shields’ of cybersecurity: strong businesses and citizens, safe technology, world-class threat sharing and blocking, protected critical infrastructure, sovereign capabilities, and a resilient region and global leadership.

In order to achieve these objectives, the government, among other things, intends to fund civil society cyber awareness programmes and expand its Digital-ID programme to reduce the risk to individuals online. To increase the resilience of businesses, it plans to create a ‘ransomware playbook’ for reference (rather than outright banning companies from making ransomware payments) and establish a compulsory ‘no-fault reporting scheme’.

The latter is aimed at building trust, as, despite significant breaches at major Australian companies over the last few years, the government is still ‘struggling to overcome resistance by many Australian companies facing a cyber-attack to work with the [signals] directorate to help defeat intrusions’. This is mainly due to companies’ fear of reputational damage as well as of possible fines or customer class actions. To establish trust between businesses and government agencies such as the ASD, the government proposes a ‘safe harbour’ regime. This, according to Deputy Prime Minister Richard Marles, would ‘deliver the world-class capabilities of the Australian Signals Directorate to the affected company’ as well as ‘shield companies from further legal action by the government’ as long as they complied with the regulation. To make government-industry cooperation more effective, the government further announced the release of a Consultation Paper on intended cooperation with industry to supplement the strategy. The consultation period will last until March 2024, with the paper expected to be released later that year.

Further measures outlined by the strategy include increased efforts to attract more highly skilled migrants – by means of migration reforms and a new global outreach program – and working more closely with international partners on more effective threat sharing and blocking mechanisms. This includes joint Quad initiatives. In addition to global outreach, the strategy further stresses the necessity to build up Australia’s sovereign capabilities.

Another important change mentioned is the re-classification of telecommunications as ‘critical infrastructure’. This means operators will need to report on their cyber security measures in the same way as hospitals, energy providers and ports.

The strategy will be implemented in three stages. Horizon 1, from 2023-25, will focus on the strengthening of foundations, i.e. addressing gaps, building up protection for the most vulnerable groups, and supporting a more general ‘cyber maturity uplift’. Horizon 2, from 2026-28, will focus on industry, increasing investment and growing the cyber workforce. Horizon 3, 2029-30, will focus on future resilience and ‘advancing the global frontier’. This includes the development of emerging technologies to be able to adapt to new risks.

The Home Affairs website states that the government is ‘delivering tangible action on the cyber security issues that matter most to Australian communities and businesses’, ‘shifting cyber from a technical topic to whole-of-nation endeavour’. However, in a first statement on the strategy, Shadow Cyber Security Minister James Paterson criticised it as a ‘major flop’ that contained ‘nothing radical or revolutionary […] nor anything that will substantially shift the dial on cyber security’. The Greens meanwhile released a media statement labelling the strategy as ‘disappointing’ and ‘lacking on specific actions’.

Regarding the latter criticism, it should be noted that the strategy is supplemented by the ‘Cyber Security Strategy Action Plan’, which outlines the key initiatives commencing in the Horizon 1 phase. This includes accountabilities for each measure and identifies the respective agencies in lead and supporting roles. At the same time, the strategy not being radical might mean that its objectives and targets are more achievable.

Professor Johanna Weaver, founding Director of the Tech Policy Design Centre at the Australian National University, labelled the strategy an ‘ambitious plan’ that was ‘very comprehensive and much needed’. The strategy is certainly comprehensive, but some argue that, unless legislation follows the strategy, there remains a lack of ‘mandated standards and enforcement mechanisms’. Ultimately, as with any strategy, a conclusive verdict will depend on the strategy’s implementation.