Forward thinking: Australian Government discussion paper outlines vision for 2023-2030 cyber strategy

The constantly evolving cyber security landscape has seen governments take proactive action to ensure their countries remain cyber secure. The Australian Government aspires to be the most cyber secure country in the world by 2030. This article analyses the recently released discussion paper that maps our nation’s path towards that goal.

Last month, Cyber Security and Home Affairs Minister Claire O’Neil released the 2023-2030 Australian Cyber Security Strategy (Strategy) Discussion Paper (Discussion Paper). The Discussion Paper is currently open for submissions on a series of questions relating to the prospective areas of discussion in the soon-to-be-released Strategy. Submissions are open until 15 April 2023.

The Strategy will be headed by an Expert Advisory Board made up of Andrew Penn AO, former CEO of Telstra; Mel Hupfeld AO DSC; and Rachael Falk, CEO of the Cyber Security Cooperative Research Centre. The Strategy has also sought the expertise of Australian Foreign Minister Tim Watts, who will be leading the partnerships across government, industry and community.

Why is a Strategy needed?

Australia remains a prominent target for cyber crime as evidenced by significant cyber attacks in 2022, including unprecedented data breaches impacting both Medibank and Optus. Following these breaches, there has been a laser focus by the Government to create a cyber resilient environment for Australians to thrive in the modern world and to become more technologically literate.

Although the staggering statistics from the Australian Cyber Security Centre’s 2021-2022 threat report indicate that there is a cyber incident every seven minutes, the cyber sector offers significant opportunity for Australia’s digital economy and is an industry that the Government seeks to harness. The Discussion Paper highlights the possible revenue that can be generated from increasing Australia’s cyber resilience. Between 2020 and 2022, the cyber sector increased by 11%, with the cyber market contributing approximately $2.4 billion in gross value added in 2022. This has resulted in an increased demand for cyber professionals to assist with the development of Australia’s cyber capabilities. It has also highlighted the need for more streamlined regulatory procedures.

What will the Strategy engage?

The Expert Advisory Board has confirmed that the Strategy will engage with the following three core policy areas.

  • This will engage with the implementation of more specific company obligations, including best practice cyber security standards, as well as simplification and streamlining of existing regulatory frameworks.
  • This core policy area will engage with methods to strengthen Australia’s leadership in addressing challenges presented in the cyber environment and will also highlight the importance of cyber resilience as a method of harnessing global economic opportunities.
  • Statistics generated from the Cyber Security Posture in 2022 Report indicate that only 11% of entities have reached satisfactory cyber security standards by implementing Essential Eight controls.

How can Australians contribute to the discussion?

The Discussion Paper provides an additional seven areas that the expert panel is seeking submissions on. The additional areas of consideration are:

  • The Discussion Paper encourages consideration for qualitative issues such as existing regulatory frameworks like the Privacy Act 1988, as well as international approaches when wanting to improve threat sharing and blocking.
  • The Government intends to pursue a broad agenda into STEM skills to reach 1.2 million tech jobs by 2030.
  • Ensuring that the post-cyber incident management frameworks are fit-for-purpose.
  • The Government intends to provide guidance to small businesses, consumers and other organisations on best cyber practice and to increase support for victims of cyber crime.
  • Government investment in cyber security technologies in order to have foreign investment in Australian cyber technology.
  • There is an emphasis for the Government to be flexible and adaptable to future technological developments.
  • The Strategy will form the basis for Australian cyber security now and into the future.

In addition, the Government is seeking submissions in relation to the 21 questions that are listed at the conclusion of the Discussion Paper. The proposed questions indicate that the Government may be seeking to further review and reform the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), specifically to recognise security systems and personal data. For more information on current reforms to the SOCI Act, please see our recent article about the amendments to the legislation concerning the availability, integrity, reliability and confidentiality of assets that form part of Australia’s critical infrastructure. The Government has also proposed questions relating to the possible introduction of a new Cyber Security Act.

The Discussion Paper demonstrates that there appears to be consideration about the prohibition of ransom payments, with the Expert Advisory Board posing the question, ‘Should the Government prohibit the payment of ransoms and extortion demands by cyber criminals by: a) victims of cyber crime; and/or b) insurers? If so, under what circumstances?’

There are both positive and negative consequences for companies, victims of cyber crime and insurers if the Government does prohibit ransom/extortion payments, including:

PROS

  • Potential to slash the profitability of cyber crime in Australia.
  • Removes the pressure placed on companies who are required to make a high-stakes decision to pay a ransom.
  • Provides legal clarity on the legality of paying a ransom.
  • As companies are not likely to pay ransoms due to the prohibition, it could deter cyber criminals from choosing to launch ransomware attacks on Australian businesses or entities in the first instance.

CONS

  • In situations where cyber criminals encrypt computers and software, some businesses may be desperate and have no alternative to paying the ransom anyway (despite being in contravention of Australian laws). The victim is forced to commit a criminal offence.
  • Other, potentially more potent, alternative attacks may replace ransomware attacks.
  • It could cause additional financial losses due to business interruption if businesses are not able to take steps to obtain tools to decrypt locked systems critical to business continuity.

The Government is also seeking submissions in relation to Australia’s desire to become a leader in the international sphere by posing the following questions:

‘What opportunities exist for Australia to elevate its existing international bilateral and multilateral partnerships from a cyber safety perspective?;’ and

‘How should Australia better contribute to international standards-setting processes in relation to cyber security, and shape laws, norms and standards that uphold responsible state behaviour in cyber space?’

The Government is taking a holistic approach to the enhancement of the Australian cyber security sector. Through the implementation of more efficient regulatory processes for reporting, consideration for legislative reform, investment in the industry and enhancement of the workforce, the Government endeavours to achieve its ambitious target of being the regional and global leader in cyber resilience.

Hall & Wilcox will be following the development of the Government’s Strategy once submissions are closed. For further information and guidance, please contact our team members below to discuss.

This article was written with the assistance of Brittany Garagounis
