The imminent 2023–2030 Australian Cyber Security Strategy (the Strategy) will chart Australia’s path to becoming “the world’s most cyber secure country by 2030”, according to the Minister for Cyber Security and Home Affairs, the Hon. Clare O’Neil. As the Minister notes, the fact that “every aspect of our lives – social, economic, and cultural – is underpinned by digital connectivity” makes the success of this Strategy critical.
Since Australia’s last cyber security strategy in 2020, technology developments have moved at breakneck speed. We have seen activities and communications migrate online during the pandemic, the rise of consumer artificial intelligence (AI), which saw OpenAI’s ChatGPT reach 100 million users in two months, and the launch of human trials for Elon Musk’s brain-computer interface, known as Neuralink.
Public concern around privacy, as well as awareness of data breaches, cyber security vulnerabilities and social harms, has grown rapidly – and regulators globally have been trying to catch up. In the past two weeks there have been major AI announcements that include cyber security implications – the Biden Administration’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of AI, the UK-hosted global AI Safety Summit and the G7 Leader’s Statement on the Hiroshima AI Process.
A cyber-attack on Australia’s biggest port operator – representing 40 per cent of the nation’s maritime freight – and the recent Optus outage that crippled Australia’s second-largest telecommunications provider, all within the past week, highlight the need for resilient, secure communications networks. Data and cyber security vulnerabilities have been showcased by the earlier Optus, Medibank and Latitude Financial data breaches which affected millions of Australians, the HWL Ebsworth hack that affected 65 government agencies, cyber-attacks against civilian internet infrastructure during the invasion of Ukraine and the targeting of US critical infrastructure by Chinese state-sponsored actors. In the last three years, the United Kingdom and the United States have updated their cyber security strategies. A revised Australian cyber security strategy is clearly needed.
The stage for the forthcoming Strategy was set by the 2022 discussion paper and eminent expert advisory board in Andrew Penn, Mel Hupfeld and Rachael Falk. The discussion paper pointed to the long list of legislation, reviews and inquiries currently underway that could inform the Australian Government’s approach to cyber security – across issues of data, digital services, safety, AI, social media, security and privacy. It also set out four specific goals for the strategy,1 and saw extensive consultation with over 300 public submissions.
This analysis sets out what we can expect from the 2023–2030 Australian Cyber Security Strategy, how it aligns with the strategies of our allies and some policy considerations.
Six shields of cyber security
The Australian Minister for Cyber Security and Home Affairs, the Hon. Clare O'Neil, announced that the Strategy will be framed around “six shields” of cyber security. These are: an informed citizenry and business sector; safe technology; world-class threat sharing and blocking; reliable critical infrastructure; sovereign capability; and a resilient region.
- Creating a strong, informed citizenry and business sector that can protect themselves will require significant campaign efforts and resources. Achieving a cyber resilience uplift will be important, especially in small and medium-sized enterprises (SMEs), which represent more than 50 per cent of Australia’s GDP and 65 per cent of employment. SMEs are more likely to be targeted, and more heavily impacted by cyber-attacks, with over 60 per cent of cybercrime committed against SMEs. The government announced a $23.4 million small business Cyber Wardens program to support 15,000 SMEs in the 2023–24 Federal Budget.
- Developing safe technology and software to create “global standards for digital safety” echoes the adoption of car safety standards, such as seatbelts, and represents a deliberate, global shift to prioritise user safety in an emerging technology. The global nature of technology supply chains and software development means this will require international collaboration. Minister O’Neil suggested the Quad, with 40 per cent of global GDP, as an ideal forum to promote safe technology by preventing the sale of “wantonly unsafe” software.
- World-class threat sharing and blocking is key to ensuring threat actors who commit serious cyber-attacks are identified and stopped as soon as possible. Success will depend on managing to share threat intelligence between government and industry “at real-time machine speed” and learning from and working with regional partners and close allies to adopt best-practice approaches.
- Protecting Australia’s critical infrastructure will be a continued government priority. This builds on the Security of Critical Infrastructure (SOCI) Act, the establishment of the National Cyber Security Committee, which coordinates cyber leads across government on cross-jurisdictional cyber security incidents, and the appointment of Australia’s first Coordinator for Cyber Security Air Marshal Darren Goldie, whose role focuses on national preparedness and major cyber incident responses.
- Building sovereign capabilities – including the upskilling of all Australians, improving Australia’s cyber security workforce and building a flexible domestic sector that can accommodate shifting needs – is welcome. Cyber security has been consistently highlighted as one of the critical shortages in the Australian technology workforce. The Strategy will likely complement the Australian Signals Directorate’s (ASD) ongoing REDSPICE program, supported by $9.9 billion in government funding, to build government cyber capability.
- Developing a resilient region acknowledges that “cyber threats are genuinely global.” The joint leaders’ announcement during Prime Minister Albanese’s visit to the United States of a potential pilot initiative to upgrade data services for Pacific Island nations, including cloud-based solutions for storing government data, offers a first step towards this goal.
Global alignment
Our digital interconnectedness highlights the need to build cyber resilience globally. Alignment with partners and countries in Australia’s region will therefore be vital. While the UK also recently released its UK Government Cyber Security Strategy 2022–2030,2 the announced six shields align most closely with the US 2023 National Cybersecurity Strategy (US Strategy), with one of the American drafters of the US Strategy having spent time with the Department of Home Affairs earlier in 2023.
The Department of Home Affairs will combine domestic and international efforts of cyber security in the coming Strategy, according to Deputy Secretary Hamish Hansford speaking to Technology & Security. This is a departure from the approach of Australia’s Cyber Security Strategy 2020 which focused on domestic challenges, with the international components of cyber security covered by Australia’s 2021 International Cyber and Critical Technology Engagement Strategy. Integrating the domestic and international components mirrors the US Strategy, with one of its five ‘Pillars’ dedicated to forging “international partnerships to pursue shared goals.” It will be important to see how Australia’s international engagement will be measured and aligned between the Departments of Home Affairs and Foreign Affairs and Trade.
Minister O’Neil has led with a new “whole-of-nation” framing when it comes to sustained cyber resilience, replicating key language from the US Strategy. This contrasts with Australia’s previous sector-specific cyber security strategy, which divided responsibility along three lines: “governments protecting against sophisticated cyber threats, businesses protecting their customers, and the community making cyber-aware choices.” The ‘whole-of-nation' framing mirrors recent Australian national security material – such as the Defence Strategic Review – and highlights that ensuring security and resilience, including in the cyber realm, will require coordination across not just government, but the private sector and society writ large.
Similarly, the ‘safe technology’ shield, which will “shift responsibility to those who can actually literally change it”, echoes key language of the US Strategy, which strongly emphasises shifting the onus onto those “best-positioned” to mitigate and reduce the risks of cyber-attacks. Rather than leaving the responsibility for meeting a myriad of regulations and maintaining watertight cyber security with SMEs and individuals, the emphasis in the US Strategy is on working with the “stewards of the digital ecosystem” to ensure their systems and processes can protect the SMEs, individuals and families that use them.
Policy considerations
As Minister O’Neil noted, “we have an urgent economic and security imperative to make a step change as a country for how we deal with cyber issues.” Ahead of the Strategy’s release, there are three specific policy considerations front of mind: establishing coordination mechanisms, providing flexible Department resourcing to implement and promote the Strategy, and collaborating with industry and international partners.
Coordination mechanisms
We are seeing signs that the necessary coordination bodies, mechanisms and exercises for a ‘whole-of-nation’ effort are being put into place. The Government has created a Minister for Cyber Security and implemented a range of processes that enable coordination on cyber resilience – from the Cyber Incident Management Arrangements to the appointment of the aforementioned Coordinator for Cyber Security. The government has flagged that parts of the SOCI Act were reviewed during the drafting of the Strategy to ensure the two were in alignment, resulting in the recent designation of telecommunications providers as ‘critical infrastructure’. Enshrining these processes both within and beyond key government departments, agencies and legislation must continue.
The government has begun a series of one-day national cyber security exercises that test how specific sectors are able to handle a national cyber security attack (to date, three have taken place with the financial services, aviation and telecommunications industries). To sustain resilience, these cyber security exercises should be routinised to foster government-industry relationships at the individual, company and department levels. Hopefully, the Strategy will detail how these activities will build the muscle memory for integrated cyber security.
Negotiating the involvement of overseas providers or operators of critical infrastructure in these mechanisms and exercises will be an additional challenge. While the United States can talk easily about working with the “stewards of the digital ecosystem” that are domestically located, for Australia many of these same ‘stewards’ are headquartered on US or other shores. To achieve its ambitious vision, the Strategy will need strong lines of communication across not just the whole enterprise of government, but into industry (both domestic and international, big and small) and broader society.
Resourcing to deliver and promote the Strategy
The Strategy will need to adapt to changes in the cyber environment to 2030 – given its seven-year timespan and broadened scope (from a siloed, sector-specific focus to incorporating the entire digital landscape and combining domestic and international components). The Minister recently highlighted the Strategy’s implementation will occur in “two-year blocks.” This will require a large-scale, constantly changing lift from the Department – including commitment from the public service and industry and the resourcing necessary to evolve and refine the Strategy. This, alongside the focus on building an informed citizenry and resilient business sector as a ‘whole-of-nation’ effort, means updated public releases on the Strategy and its implementation, led by senior figures including Minister O’Neil and the Cyber Security Coordinator, will be vital to drive coordination. Partnering these communications efforts with the continued resourcing to revise and adapt the Strategy must be ensured for it – and by extension the nation’s cyber resilience – to be flexible and adaptable.
To build social licence and ‘whole-of-nation’ buy-in for the Strategy, public engagement after its release will be important – from explaining how everyday Australians and SMEs fit into the ‘six shields’ framework to what resources and support they can expect, as well as their responsibilities. The formulation of the discussion paper and Strategy included an ‘all-star’ cast of cyber security titans as part of the expert advisory board. Minister O’Neil suggested that a lot of the policy thinking for the Strategy was "driven by [the] expert advisory board." You would expect to see public engagement supported by such a board and by key ministerial advisors; however, it has since been revealed that two of the three members declined payment for their involvement and that their final report is no longer being provided.
Achieving a strong, informed citizenry and resilient SMEs is a mammoth undertaking. Enabling responsibility for individual cyber security and resilience will require significant education resources across a wide range of technical developments. This could include promoting – and possibly funding – multi-factor authentication (MFA) and up-to-date messaging on scams as they evolve – especially with the growing use of generative AI to produce curated, targeted scams. The recent announcement on mandatory ransomware reporting aims to give Government a clearer picture of the challenge being faced.
Countrywide education programs will need to cover various demographics and age groups, including individuals, businesses and communities. We suggest that government embrace and nurture a wide range of options that harness community input. This could include grants funding and resource options; community, business and school-led programs; and reduced-fee TAFE and vocational education to create a rich tapestry of solutions, rather than relying on existing regulatory and educational authorities.
Collaboration with industry and international partners
Developing a regime of certification or licensing for cyber security and data science professionals – like those in accounting and financial services – could ensure a consistent standard of capability across the cyber security workforce and improve resilience across all scales of business. Government must continue to address Australia’s cyber security workforce shortages and synchronise efforts to drive interoperability with partners, standards adoption and the migration of technology workers. Australia cannot build sovereign capability in isolation.
Given the global challenge of cyber security, international alignment and coordination will be key to countering cyber threats that do “not respect land borders”. This will be especially important with many large companies in the digital space not necessarily being Australian. Multilateral institutions are important venues – as are specific alliances – to address destabilising threats. Already Minister O’Neil has highlighted the Quad as one mechanism to address the safe technology ‘shield’ by promoting standards between the four countries.
Prioritising the expansion of the rapid threat sharing and blocking to integrate international partners across industry and government will be increasingly important between now and 2030. Already, the government has announced the Microsoft–ASD Cyber Shield (MACS) to improve capabilities in “detecting, analysing and defending against sophisticated nation-state cyber threats” – a welcome, early example of building much-needed collaborative relationships between government and industry. As a starting point for integrating regional partners into its efforts, Australia could integrate allies and regional partners into other shields, such as offering other nations observer status at future critical infrastructure exercises. This would also support the ambition of building a more cyber-resilient region.
Convening regional cyber security working groups between governments and with industry could help interlink and coordinate nations’ respective cyber security strategies and support international infrastructure providers and industry in developing their own cross-jurisdictional approaches to cyber security. This would be particularly welcome in areas like subsea cables that require international partnerships to maintain their security.
A revised strategy that responds to and remains agile in the face of technology developments and a rapidly changing cyberspace is welcome. Unsurprisingly, the devil will be in the details. The government will need to harmonise its domestic initiatives – across workforce, cyber skills, business preparedness and education – with its international coordination with industry and government, while maintaining a flexible, adaptive approach to the Strategy’s implementation. All of this will be necessary for the successful delivery of the 2023–2030 Australian Cyber Security Strategy.