Australia’s cybersecurity strategy focuses on protecting small businesses and critical infrastructure

The Australian federal government has released the 2023-2030 Australian Cyber Security Strategy with a focus on protecting the country’s most vulnerable citizens and businesses. At a first look, the strategy covers a lot of ground, and the federal government will need to work hard and fast to ensure some of all the actions proposed are put in place before the next big breach.

As previously reported, the cyber strategy is based on the idea of six cyber shields to provide an additional layer of defence against cyber threats. These shields aim to create strong businesses and citizens, safe technology, world-class threat sharing and blocking, protected critical infrastructure, sovereign capabilities and resilient region and global leadership.

On top of $2.3 billion already being spent on cybersecurity, the government has committed $586.9 million to execute the 7-year strategy. The money will go towards the following:

  • $290.8 million to provide support for small and medium business, building public awareness, fighting cybercrime, breaking the ransomware business model, and strengthening the security of Australians’ identities.
  • $4.8 million to establish consumer standards for smart devices and software.
  • $9.4 million to build a threat sharing platform for the health sector.
  • $143.6 million to strengthen critical infrastructure protections and uplift government cyber security.
  • Growing our sovereign cyber capabilities by investing $8.6 million to “professionalise” the country’s cyber workforce and accelerate the cyber industry.
  • $129.7 million investment in regional cooperation, cyber capacity uplift programs, and leadership in cyber governance forums on the international stage.

The federal government had shared earlier this week an 18.2-million investment to help small and medium businesses to improve cybersecurity resilience and response to cyber-attacks, also part of the strategy.

The delivery of the strategy

The Australian cybersecurity strategy has most, if not all, aspects of cybersecurity covered but there are a lot of things to focus on and the timelines for the delivery of each is not clear.

The 28-page action plan details each action the strategy proposes and the departments that will be involved, but not by when each is expected to be in place. It only states some will commence immediately, and the plan will be reviewed every two years.

The strategy will be delivered in three blocks, dubbed horizons. Horizon 1 — to be delivered up to 2025 — will address critical gaps and focus on better protecting citizens and businesses as well as support improved cyber maturity uplift across the region. This will include work between federal government and industry to co-design a “suite of landmark legislative reforms” to strengthen the cyber shields, with options for new cyber obligations, streamlined reporting processes, improved incident response and better sharing of lessons learned after a cyber incident.

Horizon 2 — to be delivered between 2026-2028 — will focus on increasing cyber maturity by increasing the cyber workforce. Horizon 3 — to be delivered between 2029-30 — will focus on leading the development of emerging cyber technologies capable of adapting to new risks and opportunities across the cyber landscape.

The Government’s Executive Cyber Council — part of shield 3, action 11 — is expected to support the delivery of national cyber security priorities, including initiatives under the Action Plan.

Key focus points for the Australian government

Minister for Cyber Security Clare O’Neil spoke in a press conference this morning about some of what appears to be the government’s main concerns such as ensuring the safety of households by creating standards around the security of devices. This ties with a global guide co-created with the Australian government to ensure software developers create products both secure by design and secure by default.  

The other major focus seems to be around telecommunications providers, an issue that got even more attention after a country wide Optus outage left all its customers without service for approximately nine hours affecting EFTPOs machines among many other services. 

The government expect telcos to share information with the government around threats on top of existing measures of threat sharing and blocking. 

Furthermore, O’Neil is concerned about critical infrastructure, including water, telco and energy providers. Referencing the cyber incident that had DP World stop most of its port activities for a whole weekend, O’Neil wants to set minimal cyber standards for these industries and make sure they follow it. “Telcos need to be subject to the highest standards of cybersecurity,” she said in the press conference. 

Leading up to the cybersecurity strategy

There is no denying that the Optus data breach of September 2022 was the catalyst, pushing the current government to step up when it came to cybersecurity. After a brief moment of blaming the telco, the government’s attitude changed when less than a month later Medibank revealed what would become a much more serious breach, which resulted in extremely sensitive medical records of Australian residents being published on the dark web. 

In December 2022, O’Neil announced the development of the cybersecurity strategy, which then opened for consultation in late February 2023. More than 330 submissions were received and Home Affairs also held consultation events and stakeholder roundtables.  

In March, another major data breach was revealed with publicly listed Latitude Financial finding that data from 14 million people had been accessed. 

In May, the government announced how it was going to use $200 million — partially met from within the existing resources of the Department of Home Affairs and by redirecting funding — as part of the 2023-2024 budget to improve the country’s cyber resilience.

Critical Infrastructure, Government, Small and Medium Business

Go to Source