Australia’s Cyber Security Strategy 2023-2030 signals ‘generational shift’ in response to new threats

The Australian Government has unveiled its seven-year Cyber Security Strategy, with an aim to “make every Australian citizen, business, government agency and organisation a harder target” against growing cyber threats, and an overall priority to “make Australia a world leader in cyber”.

With the Government committing almost $600 million, the strategy will build and deliver on the priorities of six Cyber Shields, announced by Minister for Cyber Security Clare O’Neil in September, and accelerate “game-changing reforms” to uplift Australia’s cybersecurity capability.

As part of the Strategy, the Government will create a “coalition of government and industry leaders” to defend the nation’s digital assets under a new ‘Executive Cyber Council’.

Led by the Home Affairs Department, with support from the Australian Signals Directorate (ASD), the Council will be formed as an independent, cross-industry forum to support the delivery of the Government’s national cyber security priorities.

Comprising executives from across industry, the Council will be tasked with “build[ing] cross-sectoral trust and shar[ing] strategic threat intelligence” as well as driving public-private collaboration on key 2023-2030 cyber strategy priorities.

“Industry has critical responsibilities to manage and mitigate cyber risk across the economy,” the Government wrote in its strategy.

“To help industry respond to cyber threats, the Government will work with business leaders to facilitate genuine co-leadership on cybersecurity issues, enabled by improving industry’s access to strategic threat intelligence.”

The Council will be formed under Horizon 1 (2023–25) of the new Cyber Strategy, with the Government extending its hand to industry to co-design “a suite of landmark legislative reforms” to help strengthen its ‘Cyber Shields’ program.

The newly announced funding comes on top of the Government’s existing $2.3 billion commitment to related initiatives, delivered by ASD out to 2030, that support the Cyber Security Strategy. It includes $143.6 million to strengthen Australia’s critical infrastructure protections and uplift government cybersecurity.

To achieve this, the Government will clarify the scope of critical infrastructure regulation and work with industry to move security regulation of the telecommunications sector from the Telecommunications Sector Security Reforms (TSSR) in the Telecommunications Act 1997 to the Security of Critical Infrastructure Act 2018 (SOCI Act).

“This will better align obligations for critical infrastructure entities that span multiple sectors, reduce regulatory duplication and complexity, and provide scalable obligations for the telecommunications sector,” the strategy reads.

The Government will also seek to clarify cyber security obligations for managed service providers, aligning closely with data protection initiatives established under Shield 2.

“Together, these initiatives will complement the protections and obligations for personal information established by the Privacy Act and action taken by the Government to strengthen individuals’ trust in the management and storage of personal data.”

It will also consult with industry to clarify the application of the SOCI Act to ensure critical infrastructure entities are adequately protecting their data storage systems. This consultation will focus on ‘business-critical’ data storage systems where vulnerabilities could impact the availability, integrity, reliability or confidentiality of critical infrastructure assets.

However, the biggest allocation from the Government’s $586.9 million commitment to the strategy will go towards protecting businesses and citizens, with a $290.8 million investment to help support small and medium businesses (SMEs), build public awareness, fight cybercrime, break the ransomware business model, and strengthen the security of Australians’ identities.

The funding is also expected to address SMEs’ longstanding concerns “over their lack of time, resources and expertise to uplift their cybersecurity”.

“As a consequence” of these limitations, the Government wrote, “small and medium businesses can take longer to recover from a cyber incident and face higher costs compared to larger businesses.”

Incidents affecting SMEs also, ultimately, impact other organisations across their supply chains, including larger, more nationally significant entities.

“An incident in a large organisation’s supply chain can cause major downstream impacts, disrupting service delivery. Or, where a small business is integrated into the networks of a large organisation, a cyber-attack on the smaller entity can unlock a ‘back door’ into the larger organisation that malicious actors can easily exploit.”

The Government also said it will work with industry to design a voluntary data classification model, providing guidance to businesses in assessing and communicating the relative value of their data holdings “in a more consistent and unified way”.

“This will enable businesses to segment information and implement proportionate operational controls, reducing enterprise risk.”

Australia’s “most sensitive and critical datasets” across its economy – particularly those that are not appropriately protected under existing regulations, yet are crucial to our national interests – will also be classified.

“This will allow us to assess whether existing data protections, including storage and governance settings, are proportionate and effective. Where gaps are identified that render these datasets vulnerable, the Government will explore options to better safeguard sensitive data across the economy.”

The remainder of the funding will be distributed across:

  • Keeping Australians safe in their homes and workplaces by investing $4.8m in establishing long-overdue consumer standards for smart devices and software
  • Uplifting the cyber security of Australia’s health system by investing $9.4m to build a threat-sharing platform for the health sector
  • Growing our sovereign cyber capabilities by investing $8.6m in professionalising our cyber workforce and accelerating the cyber industry in Australia
  • Building regional cyber resilience and global leadership by investing $129.7m in regional cooperation, cyber capacity uplift programs, and leadership in cyber governance forums on the international stage