Australia’s cybersecurity strategy focuses on protecting small businesses and critical infrastructure
The Australian federal government has released the 2023-2030 Australian Cyber Security Strategy with a focus on protecting the country’s most vulnerable citizens and businesses. At first glance, the strategy covers a lot of ground, and the government will need to work hard and fast to ensure at least some of the proposed actions are in place before the next big breach.
As previously reported, the cyber strategy is based on the idea of six cyber shields to provide an additional layer of defence against cyber threats. These shields aim to create strong businesses and citizens, safe technology, world-class threat sharing and blocking, protected critical infrastructure, sovereign capabilities and resilient region and global leadership. “I don’t believe that the programs described in the first ‘shield’ (strong citizens and business) can either be operationalised, or for programs that do already exist, be scaled up to deliver within a meaningful timeframe. While I have significant general concerns regarding the wholly inadequate funding for the 2030 strategy, these concerns become particularly relevant with respect to this first ‘shield’,” KordaMentha executive director, cybersecurity Tony Vizza told CSO.
On top of $2.3 billion already being spent on cybersecurity, the government has committed $586.9 million to execute the seven-year strategy. The money will go towards the following:
- $290.8 million to provide support for small and medium businesses, build public awareness, fight cybercrime, break the ransomware business model, and strengthen the security of Australians’ identities.
- $4.8 million to establish consumer standards for smart devices and software.
- $9.4 million to build a threat-sharing platform for the health sector.
- $143.6 million to strengthen critical infrastructure protections and uplift government cyber security.
- $8.6 million to grow sovereign cyber capabilities by working to “professionalise” the country’s cyber workforce and accelerate the cyber industry.
- $129.7 million investment in regional cooperation, cyber capacity uplift programs, and leadership in cyber governance forums on the international stage.
Earlier this week, the federal government announced an $18.2 million investment to help small and medium businesses improve their cybersecurity resilience and response to cyber-attacks, which is also part of the strategy. “Given the federal government claims that there are 2.5 million small businesses operating in Australia today, this equates just more than a takeaway coffee’s worth of cyber assistance for each small business over the next seven years. It’s a pittance and it’s nowhere near enough,” Vizza said.
The delivery of the strategy
The Australian cybersecurity strategy has most, if not all, aspects of cybersecurity covered, but there are a lot of things to focus on and the timelines for the delivery of each are not clear. The 28-page action plan details each action the strategy proposes and the departments that will be involved, but not when each is expected to be in place. It only states that some will commence immediately and that the plan will be reviewed every two years.
A lack of concrete steps to deliver the strategy worries some in the industry. “The strategy aims high and aspires to meet the needs of as many stakeholders as possible. It’s often said in aiming to please all, you please none. I feel that this outcome is highly likely here and as a result, we will see a failure of this Strategy to achieve many of its stated outcomes,” Vizza said.
The strategy will be delivered in three blocks, dubbed horizons. Horizon 1 — to be delivered up to 2025 — will address critical gaps and focus on better protecting citizens and businesses, as well as supporting improved cyber maturity uplift across the region. This will include work between the federal government and industry to co-design a “suite of landmark legislative reforms” to strengthen the cyber shields, with options for new cyber obligations, streamlined reporting processes, improved incident response and better sharing of lessons learned after a cyber incident.
Horizon 2 — to be delivered between 2026 and 2028 — will focus on increasing cyber maturity by increasing the cyber workforce. Horizon 3 — to be delivered between 2029 and 2030 — will focus on leading the development of emerging cyber technologies capable of adapting to new risks and opportunities across the cyber landscape.
The Government’s Executive Cyber Council — part of shield 3, action 11 — is expected to support the delivery of national cyber security priorities, including initiatives under the Action Plan.
“Without any programs or policies previously in place, and media headlines typically focused on ‘big business’ attacks, many SMEs remain unaware of how they can – or why they should – be involved to collectively raise the nation’s cyber defences,” Chris Sharp, CEO at Pax8 APAC, told CSO. “The strategy’s Shield One imperative is set to help businesses defend themselves and make it easier to access advice and support. With the cost of cybercrime to small and medium businesses practically fatal, speed in granting these tools and resources is critical. Fast collaboration with industry is essential if we’re to reach an economy made up of about 95% SMEs – the immediate government programs are solid; they just need industry’s guidance to know where to go. That’s our collective duty.”
Sharp said CISOs have a responsibility to work with government and industry to help educate and support the broader economy, which often lacks the benefit of knowledge or resources.
AUCloud CEO Peter Maloney told CSO that some actions are expansions of services already available to Australians, “which will only improve in efficiency with more resources put behind them.”
Key focus points for the Australian government
Minister for Cyber Security Clare O’Neil spoke in a press conference this morning about some of what appear to be the government’s main concerns, such as ensuring the safety of households by creating standards around the security of devices.
The other major focus seems to be telecommunications providers, an issue that got even more attention after a country-wide Optus outage left all its customers without service for approximately nine hours, affecting EFTPOS machines among many other services.
The government expects telcos to share information with it about threats on top of existing measures of threat sharing and blocking.
Furthermore, O’Neil is concerned about critical infrastructure, including water, telco and energy providers. Referencing the cyber incident that had DP World stop most of its port activities for a whole weekend, O’Neil wants to set minimal cyber standards for these industries and make sure they follow them. “Telcos need to be subject to the highest standards of cybersecurity,” she said in the press conference.
Another topic that has been worrying the industry is the possibility of mandatory reporting following a ransomware payment, as well as a ban on ransomware payments altogether. In the strategy, the government says it wants to work with industry to co-design options for a mandatory no-fault, no-liability ransomware reporting obligation for businesses to report ransomware incidents and payments. In a radio interview, O’Neil said, “The reason that we haven’t gone ahead with a ban is because I think everyone who I work with accepts that a ban at some stage is inevitable. The problem is that we just haven’t done the hard work to prepare the country to manage what a ransomware ban would do.”
AUCloud’s Maloney believes the mandatory no-fault, no-liability ransomware reporting will bring to the surface more opportunities for businesses to access support quickly.
And in order to secure identities, the government pledged to expand the Digital ID program to reduce the need for people to share sensitive personal information with government and businesses to access services online. Further details are yet to be provided.
Leading up to the cybersecurity strategy
There is no denying that the Optus data breach of September 2022 was the catalyst, pushing the current government to step up when it came to cybersecurity. After a brief moment of blaming the telco, the government’s attitude changed when less than a month later Medibank revealed what would become a much more serious breach, which resulted in extremely sensitive medical records of Australian residents being published on the dark web.
In December 2022, O’Neil announced the development of the cybersecurity strategy, which then opened for consultation in late February 2023. More than 330 submissions were received and Home Affairs also held consultation events and stakeholder roundtables.
In March, another major data breach was revealed with publicly listed Latitude Financial finding that data from 14 million people had been accessed.
In May, the government announced how it was going to use $200 million — partially met from within the existing resources of the Department of Home Affairs and by redirecting funding — as part of the 2023-2024 budget to improve the country’s cyber resilience.