A look into the 2023 - 2030 Australian Cyber Security Strategy
Ivano Bongiovanni GAICD
General Manager @ AUSCERT | Senior Lecturer @ The University of Queensland | Cybersecurity Management | Cyber GRC | Leadership | Design Thinking | Keynote speaker
Article co-authored with Chathura Abeydeera, Director - Cyber Security and Incident Response at KPMG Australia, CREST Assessor and CREST Australasia Advisory Board Member
The 2023-2030 Australian Cyber Security Strategy is finally here. In the last week or so, in a crescendo of announcements, the government has: 1) Published the Annual Cyber Threat Report 2022; 2) Launched measures to foster cyber security in Small and Medium Businesses (SMBs); and finally, 3) Announced the brand new Australia Cyber Security Strategy 2023-2030.
Let's bring some order to the excitement and briefly review the above, focusing in particular on the Strategy and including some admittedly way-too-early discussion of it.
Guess What: Cyber Crime isn't Going Anywhere
The end of the year is usually the time for the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) to publish their report on cyber-crime for the previous fiscal year. 2023 was no exception, and last week the government presented data on FY 2021-2022. No surprise: cyber-crime is not going anywhere.
More help for Australian SMBs, the Strategy confirms
Since being named Minister for Cyber Security last year, the first such minister in the G20, Clare O'Neil has not shied away from stressing the importance of supporting SMBs in uplifting their cyber security measures. Given their limited resources, this often translates into initial conversations around cyber security and building basic cyber-hygiene. To help them do so, the government announced an $11 million programme to strengthen cyber resilience (i.e. measures to prevent, mitigate, respond to, and recover from cyber-attacks). In short, this is what it comes down to:
And now...The Strategy
As mentioned in the lead-up to the publication, the 2023-2030 Australian Cyber Security Strategy is organised around 6 shields (Figure below) which set the strategic directions in which the government wants the country to go, to achieve the bold and ambitious goal of becoming the World's Most Secure Country by 2030.
Too much strategising and not enough 'doing'? Good news: the Strategy comes with an Action Plan that delineates what practical actions will be required to achieve the objectives entailed within the 6 shields. The Action Plan also indicates which government agencies will be responsible for each action. However, neither the Strategy nor the Action Plan clarifies what Key Performance Indicators (KPIs) will be used to measure what success looks like, although one may argue that is not really the purpose of a strategic document.
There is no point in us simply synthesising what is contained in the Strategy and the Action Plan, so let's jump into highlighting some selected components of the Strategy.
Ransomware payments not banned (yet?) (Shield 1)
The elephant in the room, first. The Strategy does not mention an intention by the government to ban ransomware payments. However, Minister O'Neil has said that banning ransom payments is an inevitable move, one for which Australia is not prepared yet, but one that will happen at some stage in the future. To pave the way for this, the Strategy sets out 3 initiatives: 1) Facilitating reporting of ransomware attacks by creating a no-fault, no-liability reporting obligation for these types of attacks; 2) Building a ransomware playbook for Australian businesses; 3) Leading global, cooperative initiatives in counter-ransomware. This is a very controversial topic: when asked whether ransomware payments should be banned during the open consultation phase of the Discussion Paper to the Strategy, which concluded in April, respondents demonstrated significant opposition to the idea, with 75% of organisations and 55% of individuals saying 'No' to banning ransom payments. Whilst banning ransom payments by organisations would be a bold move, with the potential to disrupt the ransomware business model to which the Strategy often refers, it is undeniable that Australian businesses (and the government, for that matter; think of enforcement) are not ready for this to happen. Extreme caution and a step-by-step approach are warranted, should the decision be made. Moreover, the question of whether cyber-criminals would find ways around a ban anyway would still loom.
Support for SMBs is a cornerstone of the Strategy (Shield 1)
The government maintained its promise of working to uplift the cyber resilience of SMBs, placing this objective as number 1, under Shield 1. Shield 1 also receives the majority ($290.8 million) of the $586.9 million committed to realise the Strategy, on top of money already allocated by the previous government, in particular to build capabilities within ASD (around $2.3 billion). These are certainly powerful ways to signal the importance of cyber resilience for SMBs. How crucial the protection of SMBs (and citizens in general) is for this government can also be gauged by the number of actions that fall under Shield 1, and how practical they are. Some examples include the already-mentioned creation of 'cyber health checks' for SMBs, the establishment of an SMB Cyber Resilience Service, the expansion of the national cyber security awareness campaign for citizens, etc.
Cyber Threat Intelligence sharing (Shield 3)
The recognition that threat actors are becoming more sophisticated highlights the need for collaborative efforts between industry and government to share actionable, timely, and contextualised cyber threat intelligence (CTI). The path forward involves a holistic and collaborative approach to CTI sharing, ensuring a resilient cyber security ecosystem for the digital age.
Three initiatives from the Strategy stand out:
Professionalisation of cyber security will happen (Shield 5)
This set of actions has a two-fold aim.
First, addressing the intrinsic workforce gap that is affecting the cyber security industry (statistics indicate a gap of 4 million workers globally, and between 17,000 and 30,000 in Australia, depending on the source).
Second, ensuring businesses and citizens have access to reliable, high-quality cyber security services. Professionalisation will certainly involve incident response providers, but also other roles in cyber security, with a view to 'set clear standards to validate cyber skills and experience'.
Proponents of the professionalisation of cyber security point out that it would dramatically improve the quality of services in a context where, given the lack of standards and regulations and the increasing demand, self-professed cyber security experts are numerous. It would also provide much-needed clarity on pathways into, and skills required for, cyber professions. Opponents argue against the 'bureaucracy' that professionalisation would entail and cite the current skills shortage, the lack of diversity in the profession, the varied backgrounds of cyber professionals, and the ability of job markets to self-regulate as their reasons for a 'no'. Again, regardless of personal opinions, the feeling is that the professionalisation process has already started (as confirmed by the Strategy, which has allocated $8.6 million to this purpose) and that a wise, step-by-step approach will be put in place to achieve the objective of having a 'flourishing cyber industry, enabled by a diverse and professional cyber workforce'.
Final Snippets
Australia Award scholar. Cybersecurity at The University of Queensland. Police officer.
1 year ago
Regarding the ban on ransomware payments or the criminalisation of payments, some more discussion is needed.
I help executives deliver cyber security transformation programs by aligning delivery to business goals through effective program management and governance.
1 year ago
Thanks for the summary Ivano & Chathura; looks like Australia is wisely extending Shield 1 to our Pacific neighbours (https://www.abc.net.au/news/2023-11-22/australia-roving-pacific-cyber-experts-online-threats-grow/103135782). In terms of ransomware payments, while they're not specifically banned, it's no simple matter to be sure you're not breaking some other law (Australian, European or US) by making a payment (great explanation here on the Fear & Greed podcast: https://www.dhirubhai.net/posts/mcgrathnicol_interview-why-companies-are-still-paying-activity-7130366027481145344-zb5a?utm_source=share&utm_medium=member_desktop).
Channel system engineer at Fortinet | Senior solutions architect | Network, datacenter and security expert
1 year ago
Thanks Ivano!! I was waiting for it