Back to Insights

Australia’s New Cybersecurity Strategy

Cyber security 10/10/2020 - 12:23 by Swami Nathan

Australia’s Cybersecurity Strategy for 2020

To achieve our vision of building a safer online environment for Australians, their companies and the critical services on which we all rely, the Australian Cybersecurity Strategy 2020 will invest $1.67 billion over 10 years. It will be delivered via:

  1. Action by companies to secure their goods and services from identified cyber threats and secure their customers.
  2. Government action to improve the security of Australians, companies and vital infrastructure from the most advanced threats.
  3. Community action to practise safe online behaviour and make better purchase decisions.

Although this policy is an initiative of the Australian Government, we acknowledge the vital role of the state, territory, local governments, companies, academics, international partners and the wider community in improving the cybersecurity of Australia. In the implementation of the Cybersecurity Strategy 2020, every part of the government, company and society has a role to play.

The Australian Government published the Cybersecurity Strategy 2020 on 6 August 2020, with its $1.67 billion commitment to be spent on cybersecurity over 10 years (2020 strategy).

The 2020 strategy builds on the Australian Government’s 2016 Cybersecurity Strategy to promote and safeguard Australian interests online. The 2020 Strategy was built following the consultation process of the Industry Advisory Panel (IAP), which led to the publication of its final report in July 2020. The IAP report provided the Government with 60 recommendations covering the broad spectrum of cybersecurity concerns and suggested a structured solution that was implemented in the 2020 Strategy.

Where would $1.67 billion go?

Over the next 10 years, the government is committed to investing $1.67 billion, which includes upgrades to vital infrastructure defences, based on a series of commitments to be placed on owners and operators. The major portion of the government’s investment in the Australian Cybersecurity Centre (ACSC) will fund cyber resources, with additional personnel to be recruited from the Australian Federal Police, the Australian Signals Directorate and capacity building at each of the Joint Cybersecurity Centres (JCSCs).

New forces, including methods of tackling encrypted network networks, such as those that make up the dark web infrastructure (such as TOR), will also be implemented by regulatory reforms, offering new ways for law enforcement to investigate and shut down cybercrime.

Secure Hubs for Government

With departments and agencies continuing to struggle to enforce rudimentary cybersecurity measures, the main issues are government systems and records.

The government is preparing to “centralise the management and operations of the vast number of networks” operated by agencies as a priority in an attempt to improve cyber resilience.

The strategy stated that centralising networks would allow the government to “focus its investment in Cybersecurity on a smaller number of safer networks”.

The strategy says, ‘A centralised model would be built to encourage creativity and agility while also achieving economies of scale.’

It also intends to explore the development of “secure hubs” to further decrease the number of networks that can be attacked by hostile actors, although the method does not elaborate on what this would look like.

To prevent unnecessary threats, regular cybersecurity provisions will also be incorporated into government IT contracts.

The strategy states that 35.4 per cent of the 2266 cybersecurity incidents that the ACSC responded to in the 2019-20 financial year were targeted by federal, state and territorial agencies.

Critical infrastructure suppliers in the healthcare, education, finance, water, communications, transport and energy sectors have been affected by about the same number of accidents.

To improve their ability to fight cybercrime, including $89.9 million for the Australian Federal Police, the government will also provide law enforcement agencies with $124.9 million.

The funding will sit alongside proposed legislation that will help the AFP locate people on the dark web who are involved in serious criminal activity.

A further $31.6 million will also be raised by the ACSC to strengthen its ability to fight offshore cybercrime and enable federal, state and local law enforcement to detect and disrupt cybercriminals.

As per the strategy, the Australian Government will ensure that it has sufficient powers and resources for targeting, combating and preventing cybercrime, particularly on the dark web.

Actions for Business in Australia’s New Cybersecurity Strategy

Improving the security and resilience of critical infrastructure operators in our increasingly interconnected environment is vital to the safety of Australia’s economy and national security. The government has outlined the implementation of an improved regulatory framework for protection to improve the stability of the nation and ensure that Australia can respond quickly in an emergency. In response to immediate and severe cyber-attacks on Australia’s most critical networks, the framework provides security responsibilities for critical infrastructure providers and government aid to industry. The package will also include over AU$66 million to help Australia’s major critical infrastructure providers analyse their vulnerability networks and cooperate to strengthen their posture in cybersecurity.

Small to medium-sized enterprises are also getting a shout-out, with the government noting that it will partner with large corporations and help small and medium-sized Australian businesses boost their cybersecurity and raise their knowledge of cybersecurity. For example, this can be done by offering information and resources on Cybersecurity as part of packages of protected services (such as threat blocking, antivirus and cybersecurity awareness training).

Finally, the government states the value of partnering with industry to encourage security by design, urging internet service providers to offer protected internet services and mentioning the release of a “Voluntary Internet of Things Code of Practice” to help customers recognise the security and privacy implications of the IoT products they buy.

To date, Australia has been fortunate to escape a devastating cybersecurity incident against its companies. It is generally understood that, across Australia, the loss of an important service may have catastrophic consequences. To improve protection and resilience in critical infrastructure sectors, these steps are necessary.

Establish your Cyber Resilience for Success in the Future

The Cybersecurity Strategy 2020 of the Australian Government raises a range of questions which remain unanswered. One thing is clear, however, that the government plans to spend a significant amount of money on itself. At the same time, changes within our legislative structure would force companies to improve their security posture and reinforce the controls on cybersecurity incorporated into their products and services.

Changes are coming; our advice is that by planning and engaging in creating a security roadmap that helps you comply with legislation as it is implemented, you get ahead of the curve.

The Australian Government published the Cybersecurity Strategy 2020 on 6 August 2020, with its $1.67 billion commitment to be spent on cybersecurity over 10 years (2020 strategy).