After lengthy deliberation, the Australian government has released its 2023–2030 Cyber Security Strategy, which aims to make Australia one of the most cyber-secure nations in the world by 2030. It’s a worthy goal, considering Australia was ranked as the fifth-most powerful cyber nation in a 2022 report by Harvard University’s Kennedy School.
The strategy outlines a range of ways Australia can protect its people, businesses and organisations into the next decade. Importantly, it has come at a time when the country is reeling from a series of major cyber incidents, including the Medibank and Optus data breaches last year, a nationwide Optus blackout earlier this month, and the more recent closure of ports across the country due to a cyber breach.
Among other things, the strategy aims to:
- protect critical infrastructure
- provide businesses and organisations with tools to bolster their cyber resilience, especially against ransomware attacks
- ensure businesses secure products and services to protect customers
- attract skilled migrants to establish a diverse cyber security workforce
- prioritise critical threats from the most sophisticated actors
- engage international partners to share threat intelligence and develop new capabilities
- expand cyber awareness programs to educate the public.
The government has dedicated $586.9 million to achieving these goals, on top of $2.3 billion committed to existing cyber initiatives, including the REDSPICE program aimed at enhancing the intelligence and cyber capabilities of the Australian Signals Directorate.
The most significant investment of $290.8 million will go towards protecting businesses and citizens. A further $143.6 million will be invested in strengthening critical infrastructure, including major telecommunications infrastructure.
By comparison, $9.4 million will be used to build a cyber threat sharing platform for the health sector, and only $4.8 million will go to establishing consumer standards for smart devices and software.
The strategy will also expand the Digital ID program, to “reduce the need for people to share sensitive personal information with the government and businesses to access services online” – but details on this were scant.
Plans to ‘break the ransomware business model’
The strategy notes ransomware is “one of the most disruptive cyber threats” in the world – and costs Australia’s economy up to $3 billion in damages each year. The government will make a “ransomware playbook” to help businesses respond to and bounce back from cyber extortion.
It will also work with industry to co-design a mandatory no-fault ransomware reporting scheme to encouraging reporting on ransom incidents. We know, based on past experiences with the Notifiable Data Breaches scheme, that businesses sometimes won’t report breaches for fear of public backlash. A no-liability reporting scheme could change this, and provide important data that will further bolster our defences against ransom attacks.
The strategy also “strongly discourages” making ransom payments. This makes sense, as these payments inevitably fuel the ransomware economy and fund criminals’ future attacks.
Controversially, however, Minister for Cyber Security Clare O’Neil has considered introducing a blanket ban on such payments at some time in the next few years.
This could have negative impacts. For instance, a business that legally can’t pay a ransom may not be able to recover stolen data, resulting in permanent data and financial loss. Attackers may also release the stolen data online out of spite. We saw this happen after last year’s Optus data breach.
There’s also a risk that announcing an impending ban could make Australia more attractive to criminals in the short term, as they may scramble to carry out as many attacks as possible before payments are made illegal. The impact of this would be lessened if businesses adopt a disciplined approach to regular data backups.
Smart devices and apps
Another strategic initiative will involve working with industry to establish a mandatory cyber security standard (in line with international standards) for consumer-grade smart devices sold in Australia.
The government will also introduce a voluntary cyber security labelling scheme for smart devices. Ideally, such a scheme would keep the public informed about the level of security on the many different devices they own. However, given it’s voluntary, it’s hard to say whether it will have a substantial impact.
Another voluntary code of practice will be introduced for app stores and app developers.
What are the challenges?
If it’s implemented well, the strategy could result in a substantial decrease in cyber crime, greater safety for the public and a thriving cyber sector.
Currently, businesses and individuals struggle with a lack of cyber awareness and skills. They don’t have the resources, nor the incentive, to invest in cyber security. This strategy could change that.
The greatest challenge is the complexity and diversity of cyber threats, which are constantly evolving. Today’s threats may not have crossed anyone’s mind a few year ago. This inherent unpredictability may render some of the assumptions in the strategy redundant in the coming years.
Then there are inevitable trade-offs that come with competing values such as privacy, security, innovation and regulation. For example, a project that strongly maintains the privacy of consumers may end up sacrificing transparency. Similarly, too much transparency can lead to security risks.
We’ll need to innovate in the cyber security domain to stay ahead of criminals. But as we’ve seen in other areas of the tech sector, innovation that outruns regulation is often more harmful than helpful. Striking the balance is difficult.
Moreover, there’s a noticeable lack of detail in many of the initiatives outlined in the strategy. This could make it difficult to measure its progress and impact as a high-level strategic document.
Success will depend on voluntary action and cooperation from stakeholders, which may not be enough to ensure compliance and accountability from some businesses and individuals.
Any shortcomings could be managed by making the strategy inclusive and consultative. If it caters to the needs of all, it may indeed become a successful seven-year plan.