In November 2023, the Commonwealth Government unveiled its 2023-2030 Cyber Security Strategy, with the objective of positioning Australia as a “world leader in cyber security by 2030.”
The strategy emphasizes six “cyber shields” aimed at fortifying the nation against cyber threats. This announcement signals the government’s intention to revise existing laws to enhance cyber security, prompting a detailed examination of potential changes and recommended preparations for businesses.
The six cyber shields
Overview of the Government’s Cyber Security Strategy
Released on November 22, 2023, the Cyber Security Strategy outlines the government’s vision to bolster Australia’s cyber defences, making it a “hard target for cyber attacks.”
The strategy introduces six key “cyber shields” designed to safeguard Australians, covering areas such as strong businesses and citizens, safe technology, world-class threat sharing, protected critical infrastructure, sovereign capabilities, and a resilient region with global leadership.
The strategy is structured across three implementation horizons. The initial horizon (2023-2025) focuses on strengthening the foundations of cyber resilience, followed by a scaling of cyber maturity across the economy in the second horizon (2026-2028). The third horizon (2028-2030) aspires for Australia to attain global leadership in cyber security.
The Action Plan
The most relevant shield to people and businesses is Shield 1 – Strong businesses and citizens. In brief, this includes:
- Strengthening cyber security measures for small and medium businesses.
- Empowering Australians by assisting individuals in defending themselves against cyber threats.
- Taking actions to disrupt and deter cyber threat actors from targeting Australia.
- Combating ransomware by collaborating with industry to dismantle the ransomware business model.
- Providing clear and comprehensive cyber guidance for businesses.
- Enhancing post-incident support by simplifying access to advice and support for businesses following a cyber incident.
- Enhancing identity security and offering improved assistance to victims of identity theft.
The government plans to support the Cyber Security Strategy through an accompanying Action Plan, providing details on how strategic aims will be achieved and specifying government agencies responsible for implementation.
Key Law Reforms
The Cyber Security Strategy identifies areas for law reform to align with its goals:
No-Fault, No-Liability Reporting for Ransomware Attacks
The government proposes legislation to establish a no-fault, no-liability reporting obligation for ransomware attacks. The objective is to enhance visibility and encourage timely disclosure by businesses, addressing current reluctance.
A “ransomware playbook” will be created to assist businesses in preparing for, dealing with, and recovering from ransomware or cyber-extortion attacks.
No Specific Ban on Ransomware Payments
Although the strategy does not state this explicitly, the government is refraining from an immediate ban on ransomware payments. The possibility of a future ban will be reviewed in two years, with input from businesses and the community.
Mandatory Cyber Security Standard for IoT Devices
The government prioritizes legislation for a mandatory cyber security standard for Internet of Things (IoT) devices. A voluntary labelling scheme for consumer-grade smart devices will also be implemented.
Improving Data Governance Standards and Obligations
The government is considering Privacy Act reforms and intends to review legislative data retention requirements, especially regarding “non-personal data.” The “data brokerage ecosystem” will be assessed for potential risks associated with data transfer to malicious actors.
Extending Critical Infrastructure Regulation
Shield 4 focuses on upgrading and promoting the cyber resilience of critical infrastructure. The Security of Critical Infrastructure Act 2018 (SOCI Act) will be further revised, imposing stringent obligations on telecommunications companies regarding cyber incident reporting.
An overview of “corporate obligations” for critical infrastructure owners and operators will be published, and the Act will clarify the obligations of managed service providers.
A “consequence management power” will be introduced under the SOCI Act, allowing the government to direct entities in managing the aftermath of a “nationally significant incident.”
The Cyber Security Strategy represents a substantial step in enhancing Australia’s cyber resilience.
The proposed law reforms, particularly the introduction of a ransomware reporting obligation, underscore the government’s commitment to addressing evolving cyber threats.
Businesses in various sectors, including IoT device manufacturers, critical infrastructure operators, and managed service providers, should closely monitor these developments and prepare for potential legislative changes.
How can we help enhance cyber security?
We are here to help strengthen cyber resilience. Our cyber risk management capabilities include designing and developing a cyber risk management framework and a wide range of response plans to enhance your cyber resilience capabilities. Our cyber risk management services include:
- Vulnerability scanning
- Cyber Security Gap Analysis
- Regulation compliance advice
- Cyber Risk Governance Framework Reviews
- Cyber Risk Governance Framework Development
- Third-Party Vendor Review and Cyber Risk Analysis
- Cyber Risk Awareness Training and Internal Campaigns
- Post-Cyber Incident Review
- Email Phishing Campaigns
- Cyber Incident Response
- Crisis Team Familiarisation Training
Be more resilient to a wide range of cyber risks and get relevant insight into how to protect your systems by contacting us to discuss how we can help strengthen your cyber resilience framework.