Securing the Future: Highlights from Australia's 2023-2030 Cyber Security Strategy

Yesterday the Australian Government (Government) released the 2023 – 2030 Australian Cyber Security Strategy (the Strategy). The Government has dedicated $587 million to fund the Strategy, which aims to make Australia a world leader in cyber security by 2030.

The Strategy comprises 6 key ‘cyber shields’ intended to help defend citizens and businesses from cyber threats. Each shield is intended to provide an additional layer of defence against cyber threats that the Australian government will build and reinforce with industry throughout the period covered by the Strategy, namely: 

• Shield 1: Strong businesses and citizens; 
• Shield 2: Safe technology; 
• Shield 3: World-class threat sharing and blocking; 
• Shield 4: Protected critical infrastructure; 
• Shield 5: Sovereign capabilities; and
• Shield 6: Resilient region and global leadership.

The Strategy will be delivered in 3 phases between 2023 and 2030:

• Horizon 1 (2023 – 2025) is intended to address critical gaps in each of the cyber shields, build better protections for more vulnerable citizens and businesses and support improved cyber maturity uplifts within the region.
   
• Horizon 2 (2026 – 2028) is intended to scale cyber maturity across the whole economy with a focus on further investments in the broader cyber ecosystem and the growth of a diverse cyber workforce.
   
• Horizon 3 (2029 – 2030) will focus on advancing the global frontier of cyber security by leading the development of emerging cyber technologies that are capable of adapting to new risks and opportunities across the cyber landscape.

The Government has also released the Cyber Security Strategy Action Plan (Action Plan) that outlines the key initiatives and deliverables for Horizon 1 (2023 – 2025) and identifies lead and supporting agencies for implementing those initiatives. As part of Horizon 1 (2023 – 2025), the Government intends to work with industry to co-design legislative reforms that will help strengthen the cyber shields. This will include options for new cyber obligations, streamlined reporting processes, improved incident response and information sharing after a cyber incident.

Horizon 1 - Action Plan for 2023 – 2025

Key initiatives the Government intends to take to build and reinforce the cyber shields are:

1. Ransomware reporting (Shield 1) 

To enhance visibility of the ransomware threat to Australia and assist businesses and citizens with responding to cyber extortion, the Government will look to legislate ‘no-fault, no-liability’ ransomware reporting obligations for businesses. Depending on industry feedback, the initiative will produce anonymised reports of ransomware and cyber extortion trends which may be shared with industry and the broader community to assist building national resilience against cybercrime.

2. Cyber Incident Review Board (Shield 1)

The Minister of Home Affairs will appoint a new Cyber Incident Review Board (the Board) which will conduct ‘no-fault incident reviews’ of major incidents. 

This ‘no-fault’ review mechanism aims to uplift collective cyber security, provide insights on best practice and help prevent similar incidents from occurring. It mimics international agencies such as the US Cyber Safety Review Board.

The lessons learned from the reviews will be shared with the business community and the wider public. Importantly, the reviews are not designed to prosecute breached organisations – they will not make findings of fault or interfere with incident response or regulatory, intelligence or law enforcement functions.

3. Streamline reporting (Shield 1)

To make it easier for impacted entities to meet their regulatory reporting obligations the Government will consider options to develop a single reporting portal for cyber incidents. This may include potential regulatory changes or a simplified notification form. 

4. Data Retention requirements (Shield 2)

The Strategy recognises that there is limited guidance for the security of commercial, sensitive or critical datasets that fall outside of the Privacy Act 1988 (Cth) (the Privacy Act) and the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act). 

As a result, the Government will review Commonwealth legislative data retention requirements, with a focus on non-personal data. The review will consider unnecessary burden and vulnerabilities that arise from organisations holding significant volumes of data for longer than necessary. The Government will then aim to minimise and simplify data retention requirements that are appropriate and proportionate. 

5. Executive Cyber Council (Shield 3)

The Government will establish the Executive Cyber Council made up of government and industry leaders to improve sharing of threat intelligence across the whole economy and to drive initiatives under the Strategy. It is intended that the Executive Cyber Council will convene twice a year. 

6. Security obligations for managed service providers (Shield 4)

The Government will seek to clarify cyber security obligations for managed service providers under the SOCI Act, with a focus on uplifting security within the data storage and processing sector. With this initiative, the Government aims to complement the protections and obligations for personal information under the Privacy Act. It will also aim to strengthen individuals’ trust in the management and storage of personal data.

7. Regulation of Telco’s (Shield 4)

The Government will move regulation of the telecommunications sector to the SOCI Act to align it with the other critical infrastructure entities.  

What’s next: Implementation by the Government

The coordination of the Strategy and Action Plan will be led by the National Cyber Security Coordinator (Cyber Coordinator) and the National Office of Cyber Security. The Cyber Coordinator will be responsible for whole-of-government coordination and collaboration with state, territory and local government. 

As foreshadowed, the Government has also established the Executive Cyber Council consisting of industry leaders to support its consultation approach as it moves to implement the initiatives under the Strategy. 

We will be covering further details regarding the legislative changes likely to be implemented under Horizon 1 (2023 – 2025) and how they are likely to impact you and your organisation. If you would like to receive our insights and updates, please sign up to our list here. 

For more information, please contact our team – John Moran, Reece Corbett-Wilkins, Richard Berkahn, Alec Christie, Stefanie Luhrs or Chris McLaughlin or look out for details on our Cyber Summit 2024 where we will be unpacking the Government’s Strategy.