Development of the Strategy

The Australian Signals Directorate's (ASD) Annual Cyber Threat Report 2022-2023 (the Report) presented a bleak overview of Australia's cybersecurity landscape for the 2022-2023 financial year, revealing Australia experiences one reported cybercrime every six minutes, and ransomware continues to pose the most severe cyber threat to Australia. The Report highlights how critical infrastructure in Australia and overseas is increasingly targeted due to interconnected IT systems.

Following the Report and public consultation on the 2023-2030 Australian Cyber Security Strategy Discussion Paper (the Discussion Paper) in early 2023, the Australian Government released the Strategy.

The Strategy is a plan to strengthen Australia's cyber resilience through a whole nation endeavor at a multi-stakeholder level involving government departments, businesses, academia, and society. It seeks to position Australia so that it may become a world leader in cyber security by 2030.

Strategy rollout – three horizons

The Strategy will be released in three phases:

Horizon 1 – Strengthen our foundations – 2023 to 2025

Horizon 1 aims to enhance existing foundations by examining critical gaps in cyber shields and facilitating the advancement of cyber maturity. The Strategy is accompanied by the 2023-2030 Australian Cyber Security Action Plan (the Action Plan), which details initiatives to be implemented across six cyber shields. The Action Plan is to be reviewed every two years and updated to reflect changing needs.

Horizon 2 – Expand our reach – 2026 to 2028

Horizon 2 seeks to expand the reach of cyber maturity and grow the Australian cyber industry through investments and diversifying the cyber workforce.

Horizon 3 – Lead the frontier – 2029 to 2030

Horizon 3 aims for Australia to lead the cyber industry globally by focusing on emerging cyber technologies that can effectively adapt to and address new risks and opportunities.

Six cyber shields of defense

The Strategy seeks to build six cyber shields with the dual objective to make Australian individuals, businesses, and government agencies more difficult targets for cybercriminals, and ensure that Australians are better positioned to effectively respond to cyber threats. This will help position Australia as a global leader in cybersecurity.

Each shield provides an additional layer of defense against cyber threats and identifies key areas for legislative reforms and initiatives. The federal government will invest roughly $2.8 billion over the next four years towards implementing the six cyber shields as part of the Strategy. The six cyber shields are described below.

Cyber shield 1 – strong businesses and citizens

The first cyber shield includes actions to strengthen cyber resilience and provide better protection for individuals, and small and medium businesses by:

• implementing a cyber health check program and Small Business Cyber Security Resilience Service to empower citizens against cyber threats by expanding the national awareness campaign and funding tailored programs for diverse groups;
• collaborating with industry leaders to improve responses to ransomware and provide clear cyber guidance for businesses by discouraging the payment of ransoms;
• streamlining support after a cyber incident has occurred through a reporting portal and code of practice for cyber incident response providers; and
• continuing to develop the Digital ID program and National Strategy for Identity Resilience to reduce the need for sharing sensitive information with government and businesses to access services online, and work towards securing identities.

Cyber shield 2 – safe technology

The second cyber shield strives to increase the safety of technology and build trust in digital products and software by:

• adopting international security standards for consumer-grade smart devices, co-designing a voluntary labeling scheme and a cyber security code of practice for smart devices and app stores, and collaborating with Quad partners1 to harmonize software standards for government procurement;
• developing a framework for assessing national security risks;
• examining the requirements for data retention to assess potential burdens and vulnerabilities arising from entities retaining substantial volumes of data for longer than required; and
• scrutinizing the data brokerage sector, particularly the transfer of data through data markets to malicious actors.

Cyber shield 3 – world-class threat sharing and blocking

The third cyber shield aims to expand the scale of threat sharing and blocking by:

• establishing the Executive Cyber Council as an alliance of government and industry leaders to share and exchange strategic threat intelligence;
• continuing to enhance the ASD's threat-sharing platform through introducing an acceleration fund and incentives for organizations to participate in threat-sharing platforms; and
• working with the National Anti-Scam Centre to develop next-generation threat-blocking capabilities.

Cyber shield 4 – protected critical infrastructure

The fourth cyber shield aims to refine Australia's current regulations and practices surrounding critical infrastructure by:

• clarifying the scope of critical infrastructure regulation, for example, by aligning standards of telecommunication with other critical infrastructure entities;
• strengthen cyber security obligations and compliance for critical infrastructure, for example, by finalizing and implementing monitoring and evaluation frameworks for critical infrastructure entities;
• uplifting cyber security for the Commonwealth Government, beginning with enabling the National Cyber Security Coordinator to oversee the implementation and reporting of cybersecurity across the government; and
• pressure-testing critical infrastructure to identify any vulnerabilities and developing incident response playbooks to help coordinate incident responses across Commonwealth, state, territory, and industry stakeholders.

Cyber shield 5 – sovereign capabilities

The fifth cyber shield aims to develop and professionalize the nation's cybersecurity workforce by:

• providing guidance to employers on targeting and retaining diverse cyber talent and establishing a framework for the professionalization of the cyber workforce;
• accelerating investment in the local cyber industry, research, and innovation capabilities; and
• providing cyber start-ups and small-to-medium businesses with funding to develop innovative solutions to cyber security challenges through the Cyber Security Industry Challenge program.

Cyber shield 6 – resilient region and global leadership

The sixth cyber shield aims to develop regional cyber resilience and uphold international law standards by:

• strengthening collective cyber resilience in the Pacific and Southeast Asia by creating a regional cyber crisis response team;
• harnessing private sector innovations and expertise to improve regional security by testing potential solutions that utilize technology to protect the region on a large scale; and
• increasing penalty costs for malicious cyber actors.

Industry commentary – no prohibition on making ransomware payments

The Strategy benefited from a lengthy consultation period. Based on industry feedback, some of the most contemplated elements from the February 2023 Discussion Paper were omitted from the Strategy, most notably the inclusion of an explicit prohibition on ransom payments.

In Australia between January and June 2023, ransomware accounted for 31% of data breaches. Ransomware incidents are estimated to cost the Australian economy up to $2.59 billion annually. However, the Government has not prohibited making ransomware payments. Instead, the Strategy prioritizes increasing awareness of ransomware threats by building on a mandatory reporting requirement with no fault or liability attached. However, Claire O'Neil, Minister for Home Affairs and Cyber Security, has stated that a prohibition is inevitable.

In the meantime, under the first cyber shield, the Counter Ransomware Initiative will discourage ransom payments, and the government plans to create a ransomware playbook to offer businesses clear guidance on preparing for, managing, and recovering from ransom demands.

Next steps

As Australia moves forward, the Strategy's success relies on a collaborative effort involving government, industry leaders and society.

The Government has released a 2023-2030 Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper, and are accepting submissions until 5pm AEDT, March 1, 2024, to address the new initiatives, identify gaps in existing laws, and examine attitudes to the proposed amendments to the Security of Critical Infrastructure Act (the SOCI Act) for enhanced critical infrastructure.

The consultation offers a crucial opportunity for stakeholders to contribute to the Strategy's effectiveness in making Australia a global leader in cybersecurity by 2030. Organizations affected by the proposals should review the Strategy and engage in the consultation process.

Katherine Sainty Director
[email protected]
Kaelah Dowman Graduate Lawyer
[email protected]
Sarah Macken Paralegal
[email protected]
Sainty Law, Sydney