After lengthy deliberation, the Australian government has released its 2023-2030 Cyber Security Strategy, which aims to make Australia one of the most cyber-secure nations in the world by 2030. It’s a worthy goal, considering Australia was ranked as the fifth-most powerful cyber nation in a 2022 report by Harvard University’s Kennedy School.
The strategy outlines a range of ways Australia can protect its people, businesses, and organizations into the next decade. Importantly, it has come at a time when the country is reeling from a series of major cyber incidents, including the Medibank and Optus data breaches last year, a nationwide Optus blackout earlier this month, and the more recent closure of ports across the country due to a cyber breach.
Among other things, the strategy aims to protect critical infrastructure, provide businesses and organizations with tools to bolster their cyber resilience, especially against ransomware attacks, ensure businesses secure products and services to protect customers, attract skilled migrants to establish a diverse cybersecurity workforce, prioritize critical threats from the most sophisticated actors, engage international partners to share threat intelligence and develop new capabilities, and expand cyber awareness programs to educate the public.
The government has dedicated $586.9 million to achieving these goals, on top of $2.3 billion committed to existing cyber initiatives, including the REDSPICE program aimed at enhancing the intelligence and cyber capabilities of the Australian Signals Directorate.
The most significant investment of $290.8 million will go towards protecting businesses and citizens. A further $143.6 million will be invested in strengthening critical infrastructure, including major telecommunications infrastructure.
By comparison, $9.4 million will be used to build a cyber threat sharing platform for the health sector, and only $4.8 million will go to establishing consumer standards for smart devices and software.
The strategy will also expand the Digital ID program, to reduce the need for people to share sensitive personal information with the government and businesses to access services online – but details on this were scant.
The strategy notes ransomware is one of the most disruptive cyber threats in the world – and costs Australia’s economy up to $3 billion in damages each year. The government will make a ransomware playbook to help businesses respond to and bounce back from cyber extortion.
It will also work with industry to co-design a mandatory no-fault ransomware reporting scheme to encouraging reporting on ransom incidents. We know, based on past experiences with the Notifiable Data Breaches scheme, that businesses sometimes won’t report breaches for fear of public backlash. A no-liability reporting scheme could change this and provide important data that will further bolster our defenses against ransom attacks.
The strategy also strongly discourages making ransom payments. This makes sense, as these payments inevitably fuel the ransomware economy and fund criminals’ future attacks.
Controversially, however, Minister for Cyber Security Clare O’Neil has considered introducing a blanket ban on such payments at some time in the next few years.
This could have negative impacts. For instance, a business that legally can’t pay a ransom may not be able to recover stolen data, resulting in permanent data and financial loss. Attackers may also release the stolen data online out of spite. We saw this happen after last year’s Optus data breach.
There’s also a risk that announcing an impending ban could make Australia more attractive to criminals in the short term, as they may scramble to carry out as many attacks as possible before payments are made illegal. The impact of this would be lessened if businesses adopt a disciplined approach to regular data backups.
Another strategic initiative will involve working with the industry to establish a mandatory cybersecurity standard (in line with international standards) for consumer-grade smart devices sold in Australia.
The government will also introduce a voluntary cybersecurity labeling scheme for smart devices. Ideally, such a scheme would keep the public informed about the level of security on the many different devices they own. However, given it’s voluntary, it’s hard to say whether it will have a substantial impact.
Another voluntary code of practice will be introduced for app stores and app developers.
If it’s implemented well, the strategy could result in a substantial decrease in cybercrime, greater safety for the public, and a thriving cyber sector.
Currently, businesses and individuals struggle with a lack of cybersecurity awareness and skills. They don’t have the resources, nor the incentive, to invest in cybersecurity. This strategy could change that.
The greatest challenge is the complexity and diversity of cyber threats, which are constantly evolving. Today’s threats may not have crossed anyone’s mind a few years ago. This inherent unpredictability may render some of the assumptions in the strategy redundant in the coming years.
Then there are inevitable trade-offs that come with competing values such as privacy, security, innovation, and regulation. For example, a project that strongly maintains the privacy of consumers may end up sacrificing transparency. Similarly, too much transparency can lead to security risks.
We’ll need to innovate in the cybersecurity domain to stay ahead of criminals. But as we’ve seen in other areas of the tech sector, innovation that outruns regulation is often more harmful than helpful. Striking the balance is difficult.
Moreover, there’s a noticeable lack of detail in many of the initiatives outlined in the strategy. This could make it difficult to measure its progress and impact as a high-level strategic document.
Success will depend on voluntary action and cooperation from stakeholders, which may not be enough to ensure compliance and accountability from some businesses and individuals.
The Australian government’s Cyber Security Strategy aims to make the country a global leader in cybersecurity by 2030. With a dedicated investment of $586.9 million, the strategy focuses on protecting critical infrastructure, strengthening cybersecurity for businesses and citizens, attracting skilled migrants, engaging international partners, and expanding cyber awareness programs to educate the public. However, challenges remain, including the complexity of evolving cyber threats, balancing privacy and transparency, and the need for continuous innovation in the cybersecurity domain. The strategy’s success will depend on voluntary action and cooperation from stakeholders.
