On 22 November 2023 the Australian government released the 2023-2030 Australian Cyber Security Strategy (Strategy),1 with the aim of strengthening Australia's cyber defences so that citizens and businesses can prosper, withstand cyberattacks and recover quickly from them.
The ambitious Strategy sets out a roadmap intended to realise the Australian government's vision of Australia becoming a "world leader" in cyber security by 2030, only six years away.
The Strategy explained
The key focus of the Strategy is the implementation of six "cyber shields" to defend Australian citizens and businesses from cyber threats, each "shield" adding a further layer of defence to make Australia a harder target. The six shields are:
- Strong businesses and citizens
- Safe technology
- World-class threat sharing and blocking
- Protected critical infrastructure
- Sovereign capabilities
- Resilient region and global leadership.
The Strategy will be delivered across three horizons:
- Horizon 1 (2023-25): strengthening foundations by addressing critical gaps in the cyber shields, building better protections for the most vulnerable citizens and businesses, and supporting an initial cyber maturity uplift across the region. A Horizon 1 Action Plan supplements the Strategy and details the key initiatives that will commence over the first two years. The Action Plan will be reviewed every two years and updated as required.
- Horizon 2 (2026-28): expanding reach by scaling cyber maturity across the whole economy, investing in the broader cyber ecosystem, continuing to scale up the cyber industry and growing a diverse cyber workforce.
- Horizon 3 (2029-30): advancing the global frontier of cyber security, leading the development of emerging cyber technologies and adapting to new risks and opportunities across the cyber landscape.
The Australian government has committed to working with industry to implement the shields and enhance Australia's national cyber security and resilience in what it is calling a "new era of public-private co-leadership". This includes inviting industry and businesses to “co-design options” for the regulation and legislative changes proposed under the shields.
A consultation paper on legislative reforms, released by the Department of Home Affairs in December 2023, set out two areas of proposed reform flagged in the Action Plan: new cyber security legislation to urgently address gaps in existing regulatory frameworks, and amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) to better protect Australia's critical infrastructure.
1. New cyber security legislation
- Mandating secure-by-design standards for Internet of Things (IoT) devices
- Creating a mandatory no-fault, no-liability ransomware reporting obligation to improve understanding of ransomware incidents across Australia
- Creating a “limited use” obligation for information voluntarily provided to the Australian Signals Directorate and the National Cyber Security Coordinator to encourage industry to continue to collaborate with the government on incident response and consequence management
- Establishing a Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned to improve our national cyber resilience.
2. SOCI Act amendments
- Clarifying obligations for critical infrastructure entities to protect data storage systems that store business critical data, where vulnerabilities in these systems could impact the availability, integrity, reliability, or confidentiality of critical infrastructure
- Introducing a last-resort consequence management power allowing the Minister for Home Affairs to authorise directions to a critical infrastructure entity to manage the consequences of an incident that may impact the availability, integrity, reliability or confidentiality of critical infrastructure
- Simplifying information sharing to make it easier for critical infrastructure entities to respond to high-risk, time-sensitive incidents
- Providing a power for the Secretary of the Department of Home Affairs or the "relevant Commonwealth regulator" to direct a critical infrastructure entity to address deficiencies in its critical infrastructure risk management program
- Consolidating telecommunications security requirements under the SOCI Act.
The Australian government has committed A$586.9 million in new funding to the Strategy,2 on top of A$2.3 billion already committed to existing cyber security initiatives delivered by the Australian Signals Directorate that will support the Strategy through to 2030.
Much has been said and written about the Strategy since it was unveiled. Two key questions are what the Strategy's success in achieving its ambitious vision will depend on, and how it compares with the cyber security strategies of other key jurisdictions.
What will the Strategy’s success depend on?
In our view, there are three key determinants of the Strategy's success. Firstly, as a broad plan to achieve a particular outcome, the Strategy is meant to be ambitious, but it must also be realistic if it is to succeed. Whether it is realistic and successful will largely depend on:
- the Action Plan, which will need to be reviewed every two years as planned to ensure it remains current and relevant through to 2030; and
- active participation in the public-private co-leadership co-design process, which seeks to particularise the specific legislative reforms and the non-legislative cyber initiatives and partnerships needed to give effect to the Strategy.
Besides submissions on the consultation paper, the Department of Home Affairs has been running expert roundtables, town halls and deep-dive events that are central to this co-design process. Active participation by cyber security experts with the relevant expertise is key.
Secondly, the Strategy and Action Plan need to be genuinely flexible and to demonstrate measurable impact that can be reviewed independently. The government has indicated that implementation will be supported by "robust evaluation of all initiatives" and a flexible approach to delivery that adapts to the changing geopolitical landscape, threat environment and technology market. Beyond an updated Action Plan every two years, it is not clear what is planned in concrete terms, so we suggest that:
- a "robust evaluation of all initiatives" could be undertaken by an independent Strategy Review Committee, with recommendations used to inform the Action Plan and any further legislative and non-legislative reforms; and
- as legislative reforms are often slow to respond to changes to the geopolitical landscape, threat environment and trends in the technology market, non-legislative cyber initiatives and partnerships will be critical for flexibility and faster response times.
Thirdly and most importantly, if Australia is serious about bolstering its cyber defences and resilience and becoming a "world leader" in cyber security by 2030, this Strategy will need to be able to withstand political change and party politics. To achieve a greater good for the country and the region, the Strategy will need the buy-in and commitment of the Australian government for the next six years and beyond, regardless of which political party is in power.
How do we compare against the US, UK, EU, Singapore and China?
The table below sets out how Australia's 2023-30 Cyber Security Strategy compares with the following international cyber security strategies, particularly where there are similarities or potential overlaps with the six cyber shields:
- The US National Cybersecurity Strategy dated March 2023 and the US National Cybersecurity Strategy Implementation Plan dated July 20233
- The UK National Cyber Strategy 20224
- The EU's Cybersecurity Strategy for the Digital Decade, dated December 20205
- The Singapore Cybersecurity Strategy 20216
- China's National Cyberspace Security Strategy 2016.7
[Comparison table: Australia's six cyber shields against the US, UK, EU, Singapore and China strategies]
We note the following:
- The strategies are each structured around key priorities (shields, pillars, objectives or tasks) that are further broken down into initiatives. The strategies aim for cyber security to be a national effort, with a key focus on building cyber resilience from within.
- Many of the strategies are multi-year plans, with Australia and the US in particular supplementing their strategies with action plans or implementation plans that set out specific goals and timelines. Australia, the US and the UK have also set out ways to measure the success of their initiatives. In contrast, it is not clear how Singapore or China propose to measure and assess the effectiveness of theirs.
- There are many similarities in the strategies of Australia and the US, including the proposed establishment of a Cyber Incident Review Board (CIRB) in Australia and the Cyber Safety Review Board (CSRB) in the US.
- Protecting the cyber security of critical infrastructure is specifically highlighted in the strategies of Australia, the US, EU, Singapore and China. Interestingly, there is no specific pillar relevant to critical infrastructure in the UK cyber security strategy, although critical national infrastructure is mentioned under various pillars.
- Improving government threat intelligence capabilities and developing offensive cyber capabilities, alongside defensive measures, are also common themes across the strategies.
- All strategies recognise the need to attract and retain cyber talent, and to improve the quality of and expand the cyber security workforce, since uplifting cyber resilience depends on having people with the right cyber security expertise.
- International cooperation and global cyber leadership also feature prominently across all strategies, although this will likely be guided by international politics and allied relationships or partnerships. The US unsurprisingly seeks to take on the global leadership role by expanding its ability to assist allies and partners, while Australia aspires to regional leadership by supporting a cyber resilient region as the partner of choice.
By supplementing the Strategy with the concrete actions and priorities articulated in the consultation paper, co-designing reforms through public-private cooperation, articulating how success will be measured, adopting a flexible approach and ensuring alignment with the strategies of key allies, the 2023-30 Australian Cyber Security Strategy has considerable potential as a way forward in strengthening Australia's cyber defences and establishing Australia as one of the world's leading cyber security nations. That promise will only be realised if the Strategy continues to have the buy-in and commitment of the Australian government for the next six years and beyond, regardless of which political party is in power.
Access CyberSight 360 - A legal perspective on cyber security and cyber insurance for more on the key events, legislative and regulatory changes, trends and lessons from the year in cyber, and what we can expect in the year ahead.
1 https://www.homeaffairs.gov.au/cyber-security-subsite/files/2023-cyber-security-strategy.pdf
2 This includes: A$290.8 million to support small and medium business, build public awareness, fight cybercrime, break the ransomware business model, and strengthen the security of Australians’ identities; A$4.8 million to establish consumer standards for smart devices and software; A$9.4 million to build a threat sharing platform for the health sector; A$143.6 million to strengthen critical infrastructure protections and uplift government cyber security; A$8.6 million to professionalise the cyber workforce and accelerate the cyber industry in Australia; A$129.7 million to strengthen regional cooperation, cyber capacity uplift programs, and leadership in cyber governance forums on the international stage. https://www.globalaustralia.gov.au/news-and-resources/news-items/australias-strategy-become-global-cyber-leader-2030
3 https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/13/fact-sheet-biden-harrisadministration-publishes-thenational-cybersecurity-strategyimplementation-plan/; https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf; https://www.whitehouse.gov/wp-content/uploads/2023/07/National-Cybersecurity-Strategy-Implementation-Plan-WH.gov_.pdf
4 https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022
5 https://digital-strategy.ec.europa.eu/en/library/eus-cybersecurity-strategy-digital-decade-0
6 https://www.csa.gov.sg/Tips-Resource/publications/2021/singapore-cybersecurity-strategy-2021
7 https://www.cac.gov.cn/2016-12/27/c_1120195926.htm; https://chinacopyrightandmedia.wordpress.com/2016/12/27/national-cyberspace-security-strategy/
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted. Lander & Rogers is furthermore committed to providing legal advice and content that is factual, true, practical and understandable.