On 22 November 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy. The Government’s goal is to make Australia one of the most cyber-secure nations in the world and the strategy is a roadmap for how to achieve it by 2030.
One sentence summary: The strategy aims to build resilience through awareness, education, clearer industry and business guidelines and better information sharing between industry and Governments.
The strategy is split into six “shields”:
- Strong businesses and citizens
- Safe technology
- World-class threat sharing and blocking
- Protected critical infrastructure
- Sovereign capabilities
- Resilient region and global leadership
We’ve extracted a few key points below from these six.
Strong businesses and citizens
The Government acknowledges the critical role businesses and people play in cyber security. They plan to support businesses by creating free cyber health-check programs and advice on how to build their cyber security capability and resilience. And they plan to run more cyber awareness programs to encourage genuine behavioural change over the long term.
The Government wants to make it easier for Australian businesses to access advice and support after a cyber incident. If a cyber incident happens, the Government is keen for more businesses to quickly share information to improve the response. The report says that some businesses are currently reluctant to share information about incidents because it is unclear what regulators will do with it and what the potential downsides for the business could be (e.g. reputational damage).
Break the ransomware business model
Ransomware is one of the most disruptive cyber threats in the world today. The ransomware business model is fuelled by payments made to cybercriminals, with cryptocurrency transactions enabling malicious actors to anonymously profit from extortion claims. Paying a ransom does not guarantee that sensitive data will be recovered. It also makes Australia a more attractive target for criminal groups.
The Government plans to introduce no-fault, no-liability ransomware reporting for businesses, and suggests that anonymised reports could be shared with industry to improve learning. They also plan to build a ransomware playbook to guide businesses in how to respond to a ransomware attack.
Cyber guidance and governance
The report makes the point that “cyber security is not just good practice; it’s good business” and that many cyber risks could be mitigated by better corporate governance from the board down.
I think this is critical. Based on our experience achieving SOC 2 Type 2, there is minimal guidance and support for smaller businesses and a fragmented governance environment with a buffet of information security frameworks to choose from. Businesses need clarity from regulators to improve their own security posture, and also to improve trust that their suppliers are cyber secure. Supply chain attacks are common and can disrupt many businesses at the same time.
The Government plans to co-design cyber best practices with industry and to share lessons learned from cyber incidents.
Safe technology
Australians must be able to trust that our digital products and services are safe and secure. The report points out that many digital products are not secure by design, especially Internet of Things (IoT) devices (e.g. smart speakers, TVs, fridges, lights, cameras). By 2025 the average Australian home is expected to have 33 connected devices!
The Government plans to introduce international secure-by-design standards for IoT devices, and to co-design a voluntary code of practice for app stores and app developers.
Promote the safe use of emerging technology
The strategy promotes the safe and responsible use of AI, building on Australia’s commitment to the Bletchley Declaration at the AI Safety Summit in November 2023. The Bletchley Declaration is a global commitment to developing safe AI, signed by Australia, the EU and 27 countries including the US, UK and China. It’s a commitment to ensure that AI is designed, developed, deployed, and used in a manner that is safe, secure, trustworthy and responsible.
It also commits to preparing for a post-quantum world, where advances in quantum computing could leave current cryptography insecure.
World-class threat sharing and blocking
The strategy speaks to the value of public-private partnerships, such as Microsoft investing $5 billion into the Australian tech and cyber industry and partnering with the Australian Signals Directorate (ASD) to co-lead the Microsoft-ASD Cyber Shield, which detects, analyses and defends Australia from nation-state cyber threats.
The strategy also calls for better strategic threat-intelligence sharing with industry.
Grow and professionalise our national cyber workforce
The Government plans to grow and expand Australia’s skills pipeline via Jobs and Skills Australia, incorporating cyber skills into primary and secondary education and providing clear skills pathways to cyber security jobs via VET and university.