Australia's roadmap to global cyber leadership
The release of the Commonwealth Government's 2023-2030 Australian Cyber Security Strategy (the Strategy) is a decisive moment in Australia's cyber policy outlook. The much-anticipated Strategy provides a holistic assessment of Australia's cyber security and technology horizon out to 2030, and commits to extending a range of Government capabilities so that Australia remains safe and secure and is positioned to take full advantage of the many opportunities national investment in cyber security will bring. The Government's proposed approach, if executed correctly, could help make Australia a world-leading cyber power by the end of the decade.
Six 'cyber shields' form the backbone of the Strategy, under which fall several actions and supporting initiatives. The six cyber shields are:
- strong businesses and citizens,
- safe technology,
- world-class threat sharing and blocking,
- protected critical infrastructure,
- sovereign capabilities, and
- resilient region and leadership.
The contents of each shield are ambitious and, in certain respects, world-leading. Australia is uniquely positioned to follow through on its pledge to be a global leader in cyber security if the full strength of its constituent stakeholders – Government, industry, academia and civil society – can be brought to bear. As a national priority, cyber security is a mutual responsibility in which everyone must play their part. Below is our National Cyber Security Practice response to the Strategy.
Pivot to small and medium enterprise
The Strategy's first (and perhaps most important) action item is its focus on small and medium enterprise. Large organisations and critical infrastructure have consumed much of the Government's cyber security focus over the past few years, at the expense of small and medium businesses, which account for 80% of all Australian enterprise. As detailed in the Australian Signals Directorate's (ASD) Annual Cyber Threat Report, small and medium-sized enterprises continue to suffer disproportionately from cybercrime. The Government's creation of a ransomware playbook, introduction of free cyber health checks, and provision of increased support for victims of cyber attacks are intended to set a solid foundation for uplifting small and medium-sized businesses' cyber capabilities.
However, this approach is tempered by the parallel expectation on larger and more mature organisations, such as telcos and banks, to bear their share of the load in supporting industry to detect and protect against threats. This sentiment reflects global approaches to national cyber strategy in the past year, most notably that of the United States, which is seeking to 'rebalance the responsibility to defend cyberspace' to those who are best positioned to provide support. This approach is most directly reflected in the 'world-class threat sharing and blocking' shield.
Threat sharing and blocking
Cyber threats can emerge from unlikely places. Insecure and unpatched technology has been the vector of many recent cyber attacks (including in Australia). The Government is dealing with this issue head-on by promoting the implementation of security-by-design and security-by-default in the development of software and internet-of-things devices.
As discussed above, this shield also builds on international successes in cyber threat sharing and blocking. Despite being a developed, heavily interconnected economy, Australia lacks the information and intelligence sharing ecosystem enjoyed by some other nations. Public-private cyber threat intelligence exchange is essential to building a forward-looking and world-leading cyber security capability, and can provide asymmetric security at scale if combined with automated blocking capabilities. To this end, the Government will subsidise a Threat Sharing Acceleration Fund to support the development of Information Sharing and Analysis Centres (ISACs) in Australia. The health sector will be the first to receive a government-subsidised ISAC. Telcos and internet service providers will be expected to leverage their infrastructure and top-down network visibility to support threat sharing and blocking at scale, with the government committed to building on existing industry codes and reflecting international best practice.
Carrots are better than sticks
Another important acknowledgement from the Government is its recognition that positive incentives often drive better outcomes than the coercive threat of penalties. Indeed, the Government emphasises the pivotal role industry will play in driving the success of the Strategy's initiatives. However, those firms and industries that lead the nation in best practice cyber security remain in the minority. For most organisations, awareness, education, resourcing, and willpower remain too low. To improve overall maturity, the Government will prioritise nudging, advising, and educating industry towards greater cyber uplift by clarifying its expectations, issuing more accessible and principles-based guidance, and sharing lessons learned from incidents more widely. Hopefully, this will yield more faithful, consistent, and sustained cyber resilience from industry than if it were regulated into submission or given box-ticking exercises. Reflecting this approach, the Government's promotion of an anonymised, no-fault, no-liability ransomware reporting obligation will both improve industry's willingness to engage Government during incidents and assist Government and industry alike to better understand the ransomware threat landscape.
The data and privacy elephant in the room
A consistent theme throughout the Strategy is the importance of data. The governance, protection, and privacy of data are recognised as key considerations for the Government's prosecution of the Strategy's initiatives. This manifests most plainly in the Government's efforts to identify Australia's 'datasets of national significance' – the repositories of data which support Australia's national interests and thereby require enhanced protections analogous to those afforded to critical infrastructure. The Government also plans to review Commonwealth data retention requirements with a view to simplifying and minimising regulatory obligations to retain non-personal data. In addition, a voluntary data classification model will be developed to assist businesses to identify and classify their data holdings.
A key aspect of these initiatives, as recognised by the Government, is the role of the Privacy Act reforms in imposing stricter requirements for the collection, storage, use, and handling of personal information. In many ways, the Strategy is a force multiplier for the Privacy Act reforms, covering peripheral areas of information regulation that fall outside the reforms' scope. This includes, for example, the Government's intention to review the data brokerage ecosystem to assess the risks presented by modern data flows and markets that, until now, have seen limited attention beyond academia. This will hopefully give the public greater confidence that their information is being handled ethically, carefully, and lawfully. Digital ID is another area where the public will demand transparency as to how their personal information is being stewarded. The Government will also need to clearly communicate to the public the benefits of a Digital ID, including how the system works and how sensitive information will be protected. It is hoped that the Government's work-in-progress National Strategy for Identity Resilience will articulate these points.
Critical infrastructure regulatory harmonisation
The Government's acknowledgment that the Security of Critical Infrastructure (SOCI) regime could benefit from further clarification will be welcomed by many organisations, for whom the scope and extent of their current obligations remain unclear. The Government will seek to reduce duplication across the Telecommunications Act and SOCI regimes, by moving the security regulations from the former to the latter. Increased cyber security measures are also expected to be imposed on the aviation and maritime sectors.
Of particular note for the SOCI regime is the Government's focus on tightening regulations for managed service providers (MSPs). MSPs are vital nodes within modern organisations' supply chains. As we have seen recently, MSPs can be the vectors for devastating cyber attacks. The details of this initiative are not revealed in the Strategy, other than that it will align closely with the Privacy Act and support the Government's efforts to increase data protection.
Part of a bigger picture
Though the Strategy primarily focuses on Australia's cyber security, it also places importance on Australia's role as a locus of cyber security and capacity building in the Indo-Pacific. Australia cannot lead the world in cyber if it leaves its neighbours behind. Australia's Southeast Asian and Pacific partners are just as susceptible (if not more so) to cyber threat actors and the consequences of cyber attacks. Recent incidents that have targeted critical infrastructure in the Indo-Pacific highlight the region's heightened threat environment and relative vulnerability, and underscore the duty Australia upholds as a responsible regional actor to support its neighbours.
Central to sustaining cyber security in the region will be Australia's promotion of secure international technical standards. As cyberspace becomes more contested, a range of norms and interests from different actors will serve to subvert the global model of internet governance that has prevailed for over three decades. The Government is making a steadfast commitment to upholding the existing model of the internet and for the continued advancement of free and open international norms and cooperation in cyberspace.
Eye to the future
Lastly, the Strategy casts an eye to the future and considers the impacts and implications of emerging technologies such as artificial intelligence (AI) and quantum computing. The Strategy pledges to support safe and responsible AI use, building on Australia's support for the Bletchley Declaration and leveraging international cooperation, to ensure AI development and use in Australia is safe-by-design. In what may come as a disappointment to those who follow AI developments, the Strategy does not commit to any concrete measures to refine Australia's regulatory approach to AI.
Nevertheless, following the release of the Strategy, the Australian Signals Directorate (alongside 19 global partners) published its Guidelines for secure AI system development (the ASD Guidelines), which set out four guidelines aimed at ensuring AI technology is deployed in a manner that prioritises cyber security as a core focus across the lifecycle (i.e., development, deployment, operation, maintenance and retirement) of AI systems:
- secure design,
- secure development,
- secure deployment, and
- secure operation and maintenance.
In the absence of AI-specific laws, the ASD Guidelines provide some industry standards for cyber security. Specifically, AI providers (that is, individuals or organisations responsible for the development of AI systems) will need to prioritise the protection of end user data when designing, developing, deploying and operating such systems. Other key considerations addressed in the ASD Guidelines are the need for members of the AI community to share knowledge and to exercise 'radical transparency and accountability' in their ongoing dealings with AI technology.
Finally, the Strategy anticipates the potentially catastrophic consequences of quantum computing on hallmark cyber security practices, such as modern cryptographic techniques. While we are likely years away from seeing a fully-functional quantum computer, it is important to lay the groundwork now to support long-term cyber resilience. As such, the Government is committing to setting standards for post-quantum cryptography, and will update the Australian Signals Directorate's Information Security Manual in due course to reflect this.
Australia's approach to cyber security for the 2020s is ambitious, and will require a concerted whole-of-society focus in order to realise its aims. The Action Plan, which accompanied the Strategy, sets out the agencies responsible for leading and contributing to the realisation of the Government's initiatives. However, no timeframes – not even indicative forecasts – are set for the completion of each initiative. Instead, three high-level 'horizons', broken out over two-year segments, are laid out to 2030. These aim, respectively, to strengthen foundations and address core vulnerabilities, to scale cyber maturity nationally, and to pioneer global leadership on cyber security. Nevertheless, the Government has set its sights on a desired end state which acknowledges the continuing importance of cyber security to everyday Australian life.
MinterEllison will monitor the Strategy's developments closely as it is implemented over the coming months and years.
MinterEllison is a leader in cyber security, offering integrated legal, cyber risk, and technology consulting. This integrated capability enables us to advise and navigate our clients through the challenging and complex cyber security risk landscape. Should you or your organisation require any assistance with managing cyber risks, please do not hesitate to reach out to the MinterEllison National Cyber Security Consulting Practice.