The Australian Government released the 2023-2030 Australian Cyber Security Strategy (the Strategy) on 22 November 2023. According to the Department of Home Affairs:
“The Strategy is the roadmap that will help realise the Australian Government’s vision of becoming a world leader in cyber security by 2030. To achieve this vision, we need to protect Australians. Through the Strategy we seek to improve our cyber security, manage cyber risks and better support citizens and Australian businesses to manage the cyber environment around them. We will do this with six cyber shields.”
The six shields set out in the Strategy are:
- Strong businesses and citizens
- Safe technology
- World-class threat sharing and blocking
- Protected critical infrastructure
- Sovereign capabilities
- Resilient region and global leadership
We will be providing summaries and commentary over the next few days on each of the 6 shields starting with this, shield one.
Shield 1 – Strong business and citizens
The vision behind shield 1 is to draw on collective expertise in preparing for and responding to cyber incidents, primarily relying on expertise held by large businesses to collectively protect all businesses in Australia (including small and medium businesses (SMEs)). The Government aims to do this by:
- proving further assistance to SMEs (through further education, creating a cyber health-check program and support after incidents). SMEs will be incentivised to take advantage of this assistance, although the incentives are not yet clear
- building out law enforcement capabilities and facilitating information sharing amongst relevant agencies/entities
- facilitating increased reporting of ransomware with a no fault, no liability obligation to report ransom demands and payments
- streamlining cyber incident regulatory reporting into one central portal
- establishing a Cyber Incident Review Board to conduct no-fault incident reviews to improve cyber security and share lessons learned with the public
- designing a code of practice for incident response firms mandating professional standards, and
- further expanding on the Digital ID program to reduce the need for people to share sensitive personal information with Government and businesses.
Shield 1 brings to light some interesting and important aspects that require further consideration by Government in actioning this vision:
- More support is needed for SMEs, both in understanding their risks and responding to cyber incidents – SMEs hold sensitive data and need more support in mapping and safeguarding data. Building cyber knowledge, maturity and resilience, and ensuring regulatory compliance has a significant cost, and providing free resources and positive incentives to access these will be of significant value to SMEs.
- No fault reporting on ransom payments will provide fundamental information to assist in forming effective strategies to combat the rise of ransomware attacks on Australian businesses. Given the disparity in reporting on payment numbers at times, we welcome Government sharing information (in an anonymised format) with industry on the number of ransom demands, sizes of impacted organisations, and values of amounts being demanded and paid, so as to better inform statistics around ransomware.
- It is clear from the strategy that the banning of ransom payments is not on the agenda presently, which is a pleasing development given that taking away this last resort option for businesses could have been problematic. However, the Minister for Home Affairs and Cyber Security, Clare O’Neil, has advised that a reconsideration of this position in two years is possible.
- Single reporting streams, and clear guidance on what information is required from each regulatory body, we hope will cut down incident response times and costs for businesses, and afford business the opportunity to focus on the immediate priorities in an incident – particularly recovery, investigation, and mitigation of harm for clients and individuals at risk.
- While the establishment of a Cyber Review Board is a good thing for Australia and the economy at large in an effort to improve national cyber resilience, care will need to be given to how the post-incident review process works, particularly where it may impact the ongoing operations of the organisation recovering from an incident. Often, businesses scarred by the trauma of a cyber incident want to move on swiftly, learning their own lessons from the incident, with most such businesses swiftly making significant improvements to their cyber resilience following the incident. Identification replacement after an incident can be extremely costly and time-consuming for businesses and pose risks to individuals by creating further sets of documents that can be subject to compromise in later incidents. Reducing the need for businesses to collect identification information through the further development of a government digital identification portal or programme should significantly reduce the collection of data and retention of sensitive identification documentation by organisations of all sizes, and provide more effective measures to prevent identification fraud for individuals.
W+K supports the provision of continued education and assistance outlined in shield 1, particularly for SMEs where availability of resources can often be a problem. This increased education and support should improve incident response times and enable organisations to continue to uplift their security posture, leading to the mitigation of potential harm to members of the public. Cybercriminals continue to evolve their efforts and mechanisms to seek financial gain from businesses of all sizes, and understanding the risks posed by cybercriminals will allow organisations to adopt better cyber security measures to mitigate the risks posed by the ever-evolving threat landscape.