A cyber-attack on Australia’s biggest port operator, halting 40 per cent of the nation’s maritime freight, and an Optus outage that crippled the services of Australia’s second-largest telecommunications provider. These twin events in the past week highlight the need for resilient, secure networks. The imminent 2023–2030 Australian Cyber Security Strategy, intended to chart Australia’s path to becoming “the world’s most cyber secure country by 2030,” could not be more timely.
Data and cyber security vulnerabilities have been showcased by earlier data breaches at Optus, Medibank and Latitude Financial, affecting millions of Australians. Internationally, the list of challenges runs far longer, from cyber-attacks against civilian internet infrastructure during the invasion of Ukraine to the targeting of US critical infrastructure by Chinese state-sponsored actors. In the last three years, the United Kingdom and the United States have updated their cyber security strategies. A revised Australian cyber security strategy is clearly needed.
The fact that “every aspect of our lives – social, economic, and cultural – is underpinned by digital connectivity” makes the success of this strategy critical. Public concerns around privacy, as well as awareness of data breaches, cyber security vulnerabilities and social harms, have grown rapidly – and regulators globally have been trying to catch up. In the past two weeks there have been major AI announcements that include cyber security implications: the Biden administration’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of AI, the UK-hosted global AI Safety Summit and the G7 Leaders’ Statement on the Hiroshima AI Process.
We can expect the forthcoming Australian cyber security strategy to include alignment with the work of allies as well as a pivot towards a “whole-of-nation” cyber uplift. Minister for Cyber Security and Home Affairs Clare O’Neil has announced the strategy will be framed around “six shields” of cyber security. These are: an informed citizenry and business sector; safe technology; world-class threat sharing and blocking; reliable critical infrastructure; sovereign capability; and a resilient region. Alignment with partners and countries in Australia’s region will be vital in achieving these.
As O’Neil noted, “we have an urgent economic and security imperative to make a step change as a country for how we deal with cyber issues.” Ahead of the strategy’s release, there are three specific policy considerations that are obvious: establishing coordination mechanisms, providing flexible Department resourcing to implement and promote the strategy, and collaborating with industry and international partners.
We are seeing the coordination mechanisms of the Cyber Incident Management Arrangements. The Department of Home Affairs will combine domestic and international efforts on cyber security in the coming strategy, according to Deputy Secretary Hamish Hansford speaking to Technology & Security. This is a departure from the approach of Australia’s last cyber security strategy, released in 2020 under the previous government, which focused on domestic challenges, with the international components of cyber security subsequently covered by Australia’s 2021 International Cyber and Critical Technology Engagement Strategy. Integrating the domestic and international components mirrors the recent US Strategy, with one of its five “pillars” dedicated to forging “international partnerships to pursue shared goals.” It will be important to see how Australia’s international engagement will be measured and aligned between the Departments of Home Affairs and Foreign Affairs and Trade.
Negotiating the involvement of overseas providers or operators of critical infrastructure in these mechanisms and exercises will be an additional challenge. While the United States can talk easily about working with the “stewards of the digital ecosystem” that are domestically located, for Australia many of these same ‘stewards’ are headquartered on American or other shores. To achieve its ambitious vision, the strategy will need strong lines of communication across not just the whole enterprise of government, but into industry (both domestic and international, big and small) and broader society.
Achieving a strong, informed citizenry and resilient businesses is a mammoth undertaking. Enabling responsibility for individual cyber security and resilience will require significant educational resources across a wide range of technical developments. This could include promoting – and possibly funding – multi-factor authentication (MFA) and up-to-date messaging on scams as they evolve – especially with the growing use of generative AI to produce curated, targeted scams.
Country-wide education programs will need to cover various demographics and age groups, including individuals, businesses, and communities. We suggest that government embrace and nurture a wide range of options that harness community input. This could include grants funding and resource options; community, business and school-led programs; and reduced-fee TAFE and vocational education to create a rich tapestry of solutions. Developing a regime of certification or licensing for cyber security and data science professionals – such as those in accounting and financial services – could ensure a consistent standard of capability across the cyber security workforce and improve resilience across all scales of business.
Given the global challenge of cyber security, international alignment and coordination will be key to countering cyber threats that do “not respect land borders.” Multilateral institutions are important venues – as are specific alliances – to address destabilising threats. Already, Minister O’Neil has highlighted the Quad as one mechanism to address the safe technology ‘shield’ by promoting standards between the four countries.
Prioritising the expansion of rapid threat sharing and blocking to integrate international partners across industry and government will be increasingly important. Already, the government has announced the Microsoft–ASD Cyber Shield (MACS) to improve capabilities in “detecting, analysing and defending against sophisticated nation-state cyber threats” – a welcome example of building much-needed relationships between government and industry. As a starting point for integrating regional partners into its efforts, Australia could integrate allies and regional partners into other shields, such as offering other nations observer status at future critical infrastructure exercises. This would also build a more cyber-resilient region.