Striking a balance: A review of Australia’s Cyber Security Strategy 2023-30

Anne-Louise Brown Commentary

Post Tags

Over the past several years, Australia has undergone a cyber security reckoning. Several high-profile breaches impacting millions of citizens has propelled cyber security into the public consciousness, with regional tensions heightening government fears in relation to state-based attacks on critical infrastructure. In response to these threats, in November 2023, the Australian Government released the 2023-30 Australian Cyber Security Strategy, which is unpacked in this article.

Over the past two years cyber security has assumed a prime place in Australia’s political and public discourse, torpedoed into the national consciousness through a serious of high-profile, high-impact cyber attacks that saw the personal data of millions of citizens compromised. While malicious cyber activity targeted at Australian institutions, organisations and citizens is not new, this slew of attacks gripped the public imagination. The impacted organisations – telco Optus, private health insurer Medibank, and credit service provider Latitude – were well known and well trusted in the national ecosystem. And the scale of data theft of personal information was unprecedented, like nothing Australia had seen before. Australians were angry, organisations were worried and the government was under mounting pressure to take action. Propelled by this unique momentum, there was clear impetus for the Federal Government to grasp the opportunity to review and renew Australia’s Cyber Security Strategy.

In launching strategy consultation, Australia’s Minister for Home Affairs Clare O’Neil stated: “Australians have recently suffered two of the worst data breaches in our nation’s history. We must work together to counter these threats, build partnerships and set ourselves up for success. Everyone has skin in the game when it comes to Australia’s cyber security”. Australia should aim to be the world’s most cyber secure nation by 2030. The development of the 2023-2030 Australian Cyber Security Strategy will outline the Government’s long-term vision for the future of Australian cyber security, and the concrete steps required to get there.” What followed was an extensive discussion paper and widespread public consultation. This work culminated in the release of Australia’s Cyber Security Strategy 2023-30 (the Strategy), in November last year, which at its heart is focussed on a vision of Australia becoming the world’s most cyber secure nation by 2030. In this commentary we highlight some of key aspects of the strategy, designed to drive Australia’s cyber security journey and its cyber uplift priorities over the next seven years. In particular, we will examine the key tenets of the Strategy, referred to as the ‘Six Shields’.

To provide context, the new Strategy is Australia’s third. The first, released in 2016, was focussed on uplifting government capability in relation to cyberspace, growing the domestic cyber security industry and building the nation’s cyber-related research and development capacity. It also acknowledged Australia’s offensive capability for the first time. The 2020 strategy was primarily concerned with the protection of national critical infrastructure and enhancing law enforcement capabilities in relation to countering cyber crime. The key achievement of the strategy was significant reform to Australia’s critical infrastructure security regime, which is now world leading.

Building on this foundation, the Strategy takes a whole-of-economy focus, capturing citizens, government, small business and big business. Notably, it has been developed during a period of significant and related legislative reform, with an overhaul of Australia’s Privacy Act currently underway, aimed at bringing Australia’s outdated privacy laws up to EU GDPR standard, and further refinement of the Security of Critical Infrastructure Act (SOCI Act), following the major cyber attacks of the past several years. It has also been developed against a backdrop of significant geopolitical upheaval, regional flux and the establishment of AUKUS, which is reflected in the Strategy’s focus on international cooperation, regional initiatives and strengthening of alliances.

As noted, the Strategy is built upon Six Shields:

  • Strong businesses and citizens
  • Safe technology
  • World-class threat sharing and blocking
  • Protected critical infrastructure
  • Sovereign capabilities
  • Resilient region and global leadership.

These will be achieved over three horizons – strengthening foundations; economy-wide scaling of cyber maturity; and becoming a world-leader in cyber security by 2030.

Shield One – Strong businesses and citizens, is focused on supporting Australian businesses, especially small-to-medium enterprises (SMEs), improve their cyber resilience and capacity to recover from cyber incidents. Education, increased awareness and incentivisation are highlighted as central mechanisms to achieving Shield One. Similar to EU and US approaches, the Australian government will call upon larger organisations to play a key role in strengthening the security of the wider economy by bolstering their own protections and supporting SMEs.

Shield Two – Safe technology, is aimed at ensuring the trustworthiness of digital products and services, emphasising security in technology. Central to this shield is developing secure-by-design frameworks and rating systems to provide consumers about the cyber security credentials of the digital products and software they purchase. This is in line with similar EU, UK and US strategies to stem the security risks arising through the proliferation of IoT devices. The Strategy recognises the potential systemic impact of these systems and the exposure to foreign interference, with one example being the use of IoT devices in widely deployed solar power systems. This shield is also focused on promoting the safe use of such emerging technologies – notably artificial intelligence and quantum computing – through the establishment of guardrails. This mirrors other countries’ priorities in these areas, most notably the EU’s AI Act and the Cyber Resilience Act, but without immediate regulatory instruments, relying instead on standards and codes of practice.   

Shield Three – World-class threat sharing and blocking, is focused on enhancing public-private partnerships to improve the detection and mitigation of cyber threats. The Strategy outlines an ambitious plan to develop a whole-of-economy threat sharing and blocking network, with enhanced industry-to-industry information sharing and real-time threat sharing to enable automated threat-blocking capabilities. Central to achieving this goal are telcos and internet service providers, who will be incentivised to enhance these capabilities.

Shield Four – Protected critical infrastructure, is aimed at further enhancing the SOCI Act, which regulates Australia’s critical infrastructure assets across 11 key sectors. As previously mentioned, the major achievement of the 2020 Strategy was SOCI Act reform, which saw the number of captured sectors increased from three to 11, with enhanced security obligations for so called systems of national significance (SoNS). While the SOCI Act takes an ‘all hazards’ approach to security threats, bolstering cyber security is at its core. Propelled by the large-scale data breaches of 2022-23, the government will consult with industry to clarify the application of the SOCI Act to ensure critical infrastructure entities are adequately protecting their data storage systems. This will focus on ‘business-critical’ data storage systems where vulnerabilities could impact the availability, integrity, reliability or confidentiality of critical infrastructure assets. Unlike other critical infrastructure regimes, notable the US model, the SOCI Act does not capture government, its departments or agencies. While it is unlikely the SOCI Act will be expanded to capture government entities, the Strategy stresses the government’s ambition to lead by example. This is important, as in the past criticism about significant gaps in government cyber security infrastructure have been raised.

Shield Five – Sovereign Capabilities, is focused on developing and professionalising a strong national cyber workforce, as well as fostering the domestic cyber industry, and cyber research and innovation. Like other nations, Australia is suffering from a significant cyber skills and workforce gap. The government aims to curb this trend through investment in education and training, attracting skilled migrants through immigration reform and promoting and incentivising diversity in the cyber workforce. To professionalise Australia’s workforce, skills accreditation is being considered, with a clear cyber skills framework to be developed. This is aimed at providing assurance to employers that the cyber workforce is appropriately skilled, and giving workers confidence their qualifications and relevant experience are recognised and fit for purpose.

Shield Six – Resilient region and global leadership, is about defining Australia’s role as a mature and ethical digital nation, dedicated to upholding and promoting global rules and norms. This is especially important regionally, where the government will invest heavily in uplifting the cyber defences of Australia’s Pacific family and is borne of the understanding that Australia’s security and prosperity are linked to our region, with implications of unchecked coercion and competition in our region serious. At a global level, the government has pledged to protect and strengthen the international standardisation system, promoting and upholding robust international standards in the technology that underpins cyberspace, the internet and the digital economy. To this end Australia will work with global partners to ensure technology markets are transparent and competitive, with a diversity of suppliers for products and services that are secure and safe by design. Of note, Shield Six intimates that Australia will employ its offensive capabilities through the Australian Signals Directorate (ASD), to deter and respond to malicious cyber actors, working with international partners to take action to impose costs on individuals and organisations that make cyberspace less safe and secure.

Implementation of the Strategy will be driven by the 2023-2030 Australian Cyber Security Strategy – Action Plan (the Plan). The Plan outlines three horizons for action, focussed on strengthening foundations, growing cyber maturity and establishing Australia as a world cyber leader. This approach has been taken to maintain a “flexible approach to achieving the Strategy’s vision will enable us to remain adaptive to emerging technological, economic and geopolitical trends”.

The big picture

As a liberal democracy, Australia faces similar threats and challenges as its global partners, reflected in the broad and ambitious Strategy. It is well positioned to align with the strategies of core partners and references Australia’s important global alliances, including AUKUS and the Quad. Australia also has unique challenges, with the tyranny of distance a contributor to some of the Strategy’s key measures. This is especially marked in relation to the push to enhance sovereign capabilities through building a strong cyber workforce and the promotion of homegrown innovation. Similarly, in comparison the cyber strategies of global counterparts, Australia’s has a key focus on SME cyber security and uplift, driven by the economy’s large SME base and the core supply chains that rely upon it. With seven years to achieve its aims, the Strategy sets a clear path for Australia to achieve its goal of being a cyber world leader. It recognises the opportunities presented by building a vibrant cyber security ecosystem through enhancing domestic capabilities and capacity, as well as the key regional role Australia plays as a cyber exemplar.

However, the Strategy is not without its weaknesses. For example, while commitments to maintaining Australia’s cyber-related research capabilities and investment in domestic cyber industry growth are welcomed, they are not underpinned by investment action plans or tangible funding, as is the case in the US and EU. Similarly, little detail is provided as to how the regulation and ethical use of critical and emerging technologies will develop – a pressing issue domestically, regionally and internationally. Central to the Strategy’s future success will be the ability of the government to remain agile in a dynamic global environment, where new threats and challenges continue to arise. In essence, this means the Strategy should be approached as a living document – one that is not set in stone and is malleable to change in a climate of flux. If this can be realised without losing sight of the Strategy’s broader vision, then Australia will be well placed to become one of the world’s most cyber-secure nations.

Thumbnail image: credits to @sotti on Unsplash

Image

About the Author

Anne-Louise Brown

Anne-Louise Brown is the Director of Policy at the Cyber Security Cooperative Research Centre (CSCRC). Anne-Louise specialises in articulating the intersection between public policy and cyber security, national security, governance and law in a ‘human’ way, demystifying what can be highly technical and complex areas. She has co-authored several key policy papers about ransomware, cyber insurance and IoT cyber security, and has a deep interest in cybercrime and its continuing evolution.

Authors

About the Author

Image

Helge Janicke

Professor Helge Janicke serves as the Deputy CEO and Research Director at Australia's Cyber Security Cooperative Research Centre. He has been honored in The Australian's 2024 list of top 250 scientists, marking him as a distinguished leader in the field of Computer Security and Cryptology. Prof. Janicke also holds a part-time Professorship at Edith Cowan University and a visiting professorship in Cyber Security at De Montfort University (DMU), UK. His research primarily focuses on enhancing cyber security within critical infrastructures, with special attention to cyber-physical systems, SCADA, and Industrial Control Systems. His innovative work extends to AI augmentation for cyber incident response, managing human errors in cyber incidents, and employing gamification and nudging technologies to boost cyber awareness and skills. Prof. Janicke played a pivotal role in establishing the Cyber Technology Institute at DMU, including its Airbus Centre of Excellence in SCADA Cyber Security and Forensics Research.

Share this Article