Govt unveils plans for cross-industry Executive Cyber Council, & ‘no fault’ ransomware reporting

Cyber Security Strategy

The Australian Government will create a “coalition of government and industry leaders” to defend the nation’s digital assets under a new ‘Executive Cyber Council’ to be launched as part of its just-released 2023-30 Cyber Security Strategy.

Led by the Home Affairs Department, with support from the Australian Signals Directorate (ASD), the Council will be formed as an independent, cross-industry forum to support the delivery of the Government’s national cyber security priorities.

Comprising executives from across industry, the Council will be tasked with “build[ing] cross-sectoral trust and shar[ing] strategic threat intelligence” as well as driving public-private collaboration on key 2023-2030 cyber strategy priorities.

“Industry has critical responsibilities to manage and mitigate cyber risk across the economy,” the Government wrote in its Strategy.

“To help industry respond to cyber threats, the Government will work with business leaders to facilitate genuine co-leadership on cybersecurity issues, enabled by improving industry’s access to strategic threat intelligence.”

The Council will be formed under Horizon 1 (2023–25) of the new Cyber Strategy, with the Government inviting industry to co-design “a suite of landmark legislative reforms” to help strengthen its ‘Cyber Shields’ program, a six-layer set of cyber defence initiatives.

Around $600 million has been earmarked to erect the six Cyber Shields, with an overall priority to “make Australia a world leader in cyber”.

The six layers, which span defensive and offensive priorities designed to protect Australian infrastructure, public agencies and businesses, are: the use of ‘safe technology’; empowering ‘businesses and citizens’; developing ‘world-class threat sharing and blocking’ capabilities; a priority to ‘protect critical infrastructure’; ‘regional and global leadership’ in collaboration with aligned partners; and maintaining Australia’s ‘sovereign capabilities’.

These reforms include options for new cyber obligations, streamlined reporting processes, improved incident response and better sharing of lessons learned after a cyber incident.

The Council will convene twice a year and will complement other cyber governance groups, including the Data and Digital Ministers’ Meeting and the Critical Infrastructure Advisory Council, serving to “uplift Australia’s cyber ecosystem through strong leadership”.

Among its priorities, the Council will also work to develop whole-of-economy initiatives to improve cyber workforce diversity.

Cyber intelligence sharing

As part of its latest Cyber Security Strategy, the Government also outlined a range of priorities to boost the private sector’s cyber defence and resilience capabilities.

Among these, the Government will move to enhance the ASD’s existing threat-sharing platforms to boost the volume and speed of machine-to-machine exchanges of cyber threat intelligence.

“These platforms will enable a framework within which industry-to-industry and government-to-industry cyber threat intelligence can be exchanged,” the Strategy said.

Industry players “most capable of collecting and sharing threat intelligence” at scale will also be “encouraged and incentivised” to participate in the Government’s threat-sharing platforms.

The Federal Government said it will also move to pilot “next-generation threat blocking capabilities” through the creation of a National Cyber Intel Partnership, which brings together industry partners and cyber experts from academia and civil society.

“This partnership will pilot an automated, near-real-time threat blocking capability, building on – and integrated with – existing government and industry platforms.”

It has also flagged its intention to streamline and simplify cyber incident reporting through its one-stop-shop reporting hub, cyber.gov.au, which it said will make it easier for regulated entities to meet their reporting obligations.

“Our Strategy calls for a new era of collaboration on cyber in Australia,” wrote Minister for Home Affairs and Cyber Security Clare O’Neil in the document’s foreword.

“Cybersecurity requires government and big business to lead. From today, we are shifting more of the cyber risk to those who are most capable. We are holding industry to higher standards to protect our devices, our data, and our critical infrastructure.”

“For the first time, Government will hold itself to the same standard it expects of industry.”

‘No fault, no liability’ reporting

The Government will also co-design with industry a mandatory ‘no fault, no liability’ reporting obligation compelling businesses to report ransomware incidents and any payments made to ransomware criminals.

Depending on the final design, the Government said, anonymised ransomware reports and cyber extortion trends may be shared with industry and the broader community to improve national resilience against cybercrime.

A Cyber Incident Review Board will also be co-designed with industry, providing options to conduct no-fault incident reviews. Learnings from these reviews will also be shared with the public, with the aim of strengthening Australia’s collective national cyber resilience.

Alongside these measures, the Government will develop a ‘ransomware playbook’, designed to provide further guidance to businesses on how to prepare for, deal with and recover from a ransomware or cyber extortion attack.

However, the outlawing of ransom payments is not yet on the cards for the Government, O’Neil confirmed.

“We are in a situation in our country where it is clearly not the right time at this moment to ban ransoms because we haven’t done the hard work,” she said.

The proposal to ban, though, will be revisited after two years, O’Neil added.

The Government will also consult industry on options to establish a legislated ‘limited use obligation’ for the ASD and the National Cyber Security Coordinator (NCSC). Such an obligation would restrict the purposes for which information an entity reports to the ASD or the NCSC can be used, giving businesses and government agencies further “clarity and assurance” over how that information is handled. The Government added that this should encourage organisations to engage with public agencies after a breach rather than withhold details.

Data protection & classification reforms

The Government said it will work with industry to design a voluntary data classification model, providing guidance to businesses in assessing and communicating the relative value of their data holdings “in a more consistent and unified way”.

“This will enable businesses to segment information and implement proportionate operational controls, reducing enterprise risk.”

Australia’s “most sensitive and critical datasets” across the economy – particularly those that are crucial to the national interest yet are not appropriately protected under existing regulations – will also be classified.

“This will allow us to assess whether existing data protections, including storage and governance settings, are proportionate and effective. Where gaps are identified that render these datasets vulnerable, the Government will explore options to better safeguard sensitive data across the economy.”

Alongside its commitment to expand the Digital ID program, which is intended to reduce the need for individuals to share sensitive personal information with businesses in order to access online services, the Government has committed to increasing funding for victim support services to help individuals recover from identity theft.

“This funding will enable case management services to allow individual victims of identity crime to obtain specialised support – including guidance on how to recover their identity, advice on how to mitigate damage and replace identity credentials, and education on warning signs that their identities continue to be misused.”

The Government will review Commonwealth legislative data retention requirements, with a focus on non-personal data, to determine whether existing provisions are appropriately balanced.

“Complementing our response to the Privacy Act Review, which will examine laws that require retention of personal information, the review will consider any unnecessary burden and vulnerabilities that arise from entities holding significant volumes of data for longer than necessary.

“Following the outcomes of this review, the Government will explore options to minimise and simplify data retention requirements.”

Critical infrastructure regulations

More than $144 million has been committed to strengthening the digital defences of the nation’s critical infrastructure.

The Government will consult with industry to clarify the application of the Security of Critical Infrastructure Act 2018 to ensure critical infrastructure entities are able to adequately protect their data storage systems.

This consultation will focus on ‘business-critical’ data storage systems where vulnerabilities could impact the availability, integrity, reliability or confidentiality of critical infrastructure assets.

Industry input will also be sought on the introduction of a somewhat controversial ‘all-hazards consequence management power’, which would empower the Government to direct an entity to take specific actions to manage the consequences of a nationally significant incident.

“This is a last-resort power, used where no other powers are available and where it does not interfere with or impede a law enforcement action or regulatory action.”

The Government said it will also move to develop a framework for assessing the national security risks presented by vendor products and services entering and operating within the Australian economy.

SME commitments

A major investment priority for the Cyber Strategy is in protecting small and medium business, with the Government outlining a $290 million program to uplift the sector’s cyber defence and resilience – a recognition of SMEs’ longstanding concerns “over their lack of time, resources and expertise to uplift their cybersecurity”.

“As a consequence” of these limitations, the Government wrote, “small and medium businesses can take longer to recover from a cyber incident and face higher costs compared to larger businesses.”

Incidents affecting SMEs also, ultimately, impact other organisations across their supply chains, including larger, more nationally significant entities.

“An incident in a large organisation’s supply chain can cause major downstream impacts, disrupting service delivery. Or, where a small business is integrated into the networks of a large organisation, a cyber-attack on the smaller entity can unlock a ‘back door’ into the larger organisation that malicious actors can easily exploit.”

The SME-targeted initiatives include a cyber health-check program, which will provide a free, tailored assessment of cybersecurity maturity for small businesses.

“Based on international exemplars, the health-check program will provide educational tools and materials to help small and medium businesses improve their cyber security posture.”

A new Small Business Cyber Security Resilience Service will also provide SMEs with advice on how to build their cyber security capability and resilience.

“This ‘one-stop-shop’ will also help small businesses deal with the aftermath of a cyber incident and recover quickly. Staffed by professionals who understand small business, cyber security and mental health, this service will provide small businesses with assistance that is tailored to their situation, capability and level of cyber risk.”