The Commonwealth Government has today released a discussion paper on the 2023-2030 Australian Cyber Security Strategy, following a succession of reports, legislation such as SOCI and the Morrison Government's Cyber Security Strategy noted elsewhere in this blog.
The paper asks the following specific questions
1. What ideas would you like to see included in the Strategy to make Australia the most cyber secure nation in the world by 2030?
2. What legislative or regulatory reforms should Government pursue to: enhance cyber resilience across the digital economy?
a. What is the appropriate mechanism for reforms to improve mandatory operational cyber security standards across the economy (e.g. legislation, regulation, or further regulatory guidance)?
b. Is further reform to the Security of Critical Infrastructure Act required? Should this extend beyond the existing definitions of ‘critical assets’ so that customer data and ‘systems’ are included in this definition?
c. Should the obligations of company directors specifically address cyber security risks and consequences?
d. Should Australia consider a Cyber Security Act, and what should this include?
e. How should Government seek to monitor the regulatory burden on businesses as a result of legal obligations to cyber security, and are there opportunities to streamline existing regulatory frameworks?
f. Should the Government prohibit the payment of ransoms and extortion demands by cyber criminals by: (a) victims of cybercrime; and/or (b) insurers? If so, under what circumstances? What impact would a strict prohibition of payment of ransoms and extortion demands by cyber criminals have on victims of cybercrime, companies and insurers?
g. Should Government clarify its position with respect to payment or non- payment of ransoms by companies, and the circumstances in which this may constitute a breach of Australian law?
3. How can Australia, working with our neighbours, build our regional cyber resilience and better respond to cyber incidents?
4. What opportunities exist for Australia to elevate its existing international bilateral and multilateral partnerships from a cyber security perspective?
5. How should Australia better contribute to international standards-setting processes in relation to cyber security, and shape laws, norms and standards that uphold responsible state behaviour in cyber space?
6. How can Commonwealth Government departments and agencies better demonstrate and deliver cyber security best practice and serve as a model for other entities?
7. What can government do to improve information sharing with industry on cyber threats?
8. During a cyber incident, would an explicit obligation of confidentiality upon the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) improve engagement with organisations that experience a cyber incident so as to allow information to be shared between the organisation and ASD/ACSC without the concern that this will be shared with regulators?
9. Would expanding the existing regime for notification of cyber security incidents (e.g. to require mandatory reporting of ransomware or extortion demands) improve the public understanding of the nature and scale of ransomware and extortion as a cybercrime type?
10. What best practice models are available for automated threat-blocking at scale?
11. Does Australia require a tailored approach to uplifting cyber skills beyond the Government’s broader STEM agenda?
12. What more can Government do to support Australia’s cyber security workforce through education, immigration, and accreditation?
13. How should the government respond to major cyber incidents (beyond existing law enforcement and operational responses) to protect Australians? a. Should government consider a single reporting portal for all cyber incidents, harmonising existing requirements to report separately to multiple regulators?
14. What would an effective post-incident review and consequence management model with industry involve?
15. How can government and industry work to improve cyber security best practice knowledge and behaviours, and support victims of cybercrime? a. What assistance do small businesses need from government to manage their cyber security risks to keep their data and their customers’ data safe?
16. What opportunities are available for government to enhance Australia’s cyber security technologies ecosystem and support the uptake of cyber security services and technologies in Australia?
17. How should we approach future proofing for cyber security technologies out to 2030?
18. Are there opportunities for government to better use procurement as a lever to support and encourage the Australian cyber security ecosystem and ensure that there is a viable path to market for Australian cyber security firms?
19. How should the Strategy evolve to address the cyber security of emerging technologies and promote security by design in new technologies?
20. How should government measure its impact in uplifting national cyber resilience?
21. What evaluation measures would support ongoing public transparency and input regarding the implementation of the Strategy?
Apart from the usual statements that Australia aspires to be the leading cyber security economy the paper states
Core policy areas to be included in the 2023-2030 Australian Cyber Security Strategy
Enhancing and harmonising regulatory frameworks
We have heard from industry that business owners often do not feel their cyber security obligations are clear or easy to follow, both from an operational perspective and as company directors. There are a range of implicit cyber security obligations placed on Australian businesses and non- government entities, including through the corporations, consumer, critical infrastructure, and privacy legislative and regulatory frameworks. However, it is clear from stakeholder feedback and the increasing frequency and severity of major cyber incidents, that more explicit specification of obligations, including some form of best practice cyber security standards, is required across the economy to increase our national cyber resilience and keep Australians and their data safe.
To be the most cyber secure nation in the world by 2030, Australians should have confidence that digital products and services sold are fit for purpose and include appropriate best practice cyber security protections.
There may also be opportunities to simplify and streamline existing regulatory frameworks. For example, stakeholders have encouraged government to streamline reporting obligations and response requirements following a major cyber incident.
It is clear that a package of regulatory reform is necessary. How this would be implemented, including the potential consideration of a new Cyber Security Act, drawing together cyber-specific legislative obligations and standards across industry and government, and the details of these reforms is something on which feedback will be welcomed. This should also consider whether further developments to the SOCI Act are warranted, such as including customer data and ‘systems’ in the definition of critical assets to ensure the powers afforded to government under the SOCI Act extend to major data breaches such as those experienced by Medibank and Optus, not just operational disruptions.
Strengthening Australia’s international strategy on cyber security
Combined with domestic uplift, strengthened international leadership will enable us to seize opportunities and address the challenges presented by the shifting cyber environment. Australia is a respected voice in addressing the challenge of making the world a safer place online. We can leverage this voice through tangible steps to shape global thinking, particularly in relation to new and emerging technologies.
Cyber resilience is also essential to unlocking economic opportunity and prosperity in our region. Investments in areas such as health, infrastructure, and education are not secure if they are not underpinned by effective cyber security.
What legislative or regulatory reforms should the Government pursue to enhance cyber resilience across the digital economy?
Assistant Minister for Foreign Affairs, the Hon. Tim Watts MP, has noted: “This is not a challenge we face alone. We all – Australia, our region and the global community – benefit from a stable and resilient cyber space. Indeed, without cyber security other gains are too easily lost. Whether it’s developing international cyber space laws and norms, holding accountable those that flout the rules, working to lift regional cyber resilience or leveraging our humanitarian response track record to respond to severe cyber attacks, working with partners is essential to a prosperous and secure cyber environment.”
There are three sets of opportunities to explore through consultation on the 2023-2030 Australian Cyber Security Strategy:
1. How Australia can elevate the existing level of engagement with international partners through concrete steps to promote cyber resilience?
2. What opportunities are there to better support the development of international technology standards, particularly in relation to cyber security?
3. How can government and industry partner to uplift cyber resilience and secure access to the digital economy, especially in Southeast Asia and the Pacific?
How can Australia, working with our neighbours, build our regional cyber resilience and better respond to cyber incidents?
What opportunities exist for Australia to elevate its existing international bilateral and multilateral partnerships from a cyber security perspective?
How should Australia better contribute to international standards- setting processes in relation to cyber security, and shape laws, norms and standards that uphold responsible state behaviour in cyber space?
Securing government systems
The Commonwealth Government controls and processes some of Australia’s most sensitive data to deliver essential public services. Australia continues to be the target of persistent cybercrime and espionage by a wide range of criminal and state actors, including foreign intelligence services, seeking information on political, diplomatic, military, and personal data.
Government should stand as an exemplar of cyber security; however the Commonwealth Cyber Security Posture in 2022 report (the Cyber Posture Report) reveals government agencies have a long way to go to properly secure government systems. Only 11% of entities in the Cyber Posture Report reached Overall Maturity Level 2 through the implementation of Essential Eight controls, and the majority of entities are yet to implement basic policies and procedures.
Public sector cyber security is comprised of both non-technical and technical elements, and it is crucial to consider both when considering how to better secure government systems. Non-technical aspects include things like governance frameworks and accountability mechanisms, cyber security culture, and risk management planning. Technical aspects include elements such as inventory management and legacy systems, variation across government systems and attack surfaces, and the nature of essential services delivered by each entity.
While acknowledging the work done under previous strategies, these have not achieved the level of progress required to meet the Government’s vision. Leadership and accountability are critical at all levels and in all organisations to deliver the Strategy. Enhancing government cyber posture will require a framework which accounts for: • best practice standards, evaluation, transparency, reporting, and aligned incentives; and • the appropriate support, accountability and leadership for individual government departments and agencies to manage their cyber security risk profile.
Areas for Potential Action by 2030
In addition to the core policy areas, where it is clear interventions will be addressed in the Strategy, there are a range of other areas where potential policy options to enhance cyber resilience could be considered in the Strategy. We are seeking views to inform advice to Government on the following potential areas for policy action: • Improving public-private mechanisms for cyber threat sharing and blocking There is a broad spectrum of options available to enhance cyber security threat sharing and blocking through public-private partnerships. This requires analysis of feasible technical approaches, which can be deployed sustainably at scale. However, improved threat sharing should also consider qualitative issues, such as government practice related to information sharing, access, declassification of intelligence, and existing regulatory frameworks such as the Privacy Act and the Surveillance Legislation Amendment (Identify and Disrupt) Act. There are a range of international approaches which Australia could also consider through the Strategy, recognising these would require further consultation to assess.
How can Commonwealth Government departments and agencies better demonstrate and deliver cyber security best practice and serve as a model for other entities?
What can Government do to improve information sharing with industry on cyber threats?
Does Australia require a tailored approach to uplifting cyber skills beyond the Government’s broader STEM agenda?
What best practice models are available for automated threat-blocking at scale?
What more can the Australian Government do to support Australia’s cyber security workforce through education, immigration, and accreditation?
Supporting Australia’s cyber security workforce and skills pipeline
There is no one single silver bullet for addressing the shortage of skilled cyber security professionals in Australia. Rather, it requires a suite of practical actions conducted under a clear strategy. The Australian Government is pursuing a broad agenda related to science, technology, engineering, and mathematics (STEM) skills, which will support the growth of our future workforce, including in cyber security.
More broadly, the Government has committed to reaching 1.2 million tech jobs by 2030.
To the extent that cyber security is embedded in STEM curricula, this agenda will improve the available pool of cyber security professionals. However, it is not yet clear whether this will be sufficient for more specialised cyber security career pathways. The purpose of the discussion paper is to determine whether there are additional steps, specific to the cyber workforce, which should be pursued through the Strategy.
National frameworks to respond to major cyber incidents
It is clear that Australians expect the Commonwealth Government to play a role in responding to major cyber incidents. We need to clarify what the community and victims of a cyber attack can expect from the Government following an incident in the context of victim support and post- incident response. Government must ensure that frameworks for incident management and coordination are fit-for- purpose, and conduct post-incident review and consequence management following major cyber incidents. It is also clear that government should share the root cause findings from investigations of major cyber incidents so that we can all benefit from these learnings. There are a range of international models which serve as useful comparisons, and the Optus and Medibank incidents exposed the gaps in Australia’s existing incident response functions.
The Strategy provides a mechanism to improve the manner in which Australia responds to major cyber incidents.
How should the Government respond to major cyber incidents (beyond existing law enforcement and operational responses) to protect Australians?
Community awareness and victim support
Despite widespread awareness of the potential risks posed by cybercrime, there is no consistent understanding of the practical steps that consumers, small and medium-sized enterprises (SMEs), and other organisations must take to enhance their cyber security. There is an opportunity through the Strategy to invest further in community awareness and skills building for cyber security, including for SMEs.
As with crimes which have devastating impacts on individuals, businesses, and communities, there is scope for Government to explore opportunities to increase support available to victims of cybercrime. While preventing cyber incidents is important, it is inevitable that major attacks will continue to occur through to 2030 and beyond, and Australia should assess its overall cyber posture by viewing remediation and victim support as a key measure of security.
Investing in the cyber security ecosystem
Protective cyber security technologies have been identified as a critical technology by the Government, and cyber security is essential to the secure development and implementation of a broad range of other critical technologies. To become the most cyber secure nation by 2030, Australia must create an environment that attracts investment in cyber security and other critical technologies. There are a range of potential measures which could be explored to promote trade and investment in this space, with clear opportunities for collaboration between federal, state, and territory governments.
How can Government and industry work to improve cyber security best practice knowledge and behaviours and support victims of cybercrime?
What would an effective post-incident review and consequence management model with industry involve?
What opportunities are available for Government to enhance Australia’s domestic cyber security technologies ecosystem and support the uptake of cyber security services and technologies in Australia?
How should the Strategy evolve to address the cyber security of emerging technologies and promote security-by-design in new technologies?
Implementation governance and ongoing evaluation
The Strategy will form the foundation of an evolving approach to cyber security into the future. Implementation will require strong governance and a transparent, meaningful evaluation framework to ensure the Australian Government’s vision is realised, and the Strategy is fit-for-purpose now and into the future.
How should we approach cyber security technologies future-proofing out to 2030?
Are there opportunities for Government to better use procurement as a lever to support the Australian cyber security technologies ecosystem and ensure that there is a viable path to market for Australian cyber security firms?
Designing and sustaining security in new technologies
There are a number of emerging technologies, such as quantum, communications technologies, the Internet of Things, and artificial intelligence which will significantly impact, and be impacted by, cyber security. Some of these technologies exist now. Others will rapidly develop from 2023 to 2030 and will disrupt the existing landscape of cyber security. The Strategy must be adaptable to account for changes in the strategic and technological environment in the coming years.