A look into the 2023 - 2030 Australian Cyber Security Strategy

Article co-authored with Chathura Abeydeera, Director - Cyber Security and Incident Response at KPMG Australia, CREST Assessor and CREST Australasia Advisory Board Member

The 2023-2030 Australian Cyber Security Strategy is finally here. In the last week or so, in a crescendo of announcements, the government has: 1) published the Annual Cyber Threat Report 2022; 2) launched measures to foster cyber security in Small and Medium Businesses (SMBs); and finally, 3) announced the brand new Australian Cyber Security Strategy 2023-2030.

Let's put some order to the excitement and briefly review the above, focusing in particular on the Strategy and including some way-too-early discussion on it.

Guess What: Cyber Crime isn't Going Anywhere

The end of the year is usually the time for the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) to publish their report on cyber-crime for the previous financial year. 2023 was no exception: last week the government presented data for FY 2021-22. No surprise, cyber-crime is not going anywhere:

  • 76,000+ reports to the ACSC, up 13% on the previous FY, or one report every 7 minutes on average
  • Average cost per cyber-crime report: $39,000 (small businesses), $88,000 (medium businesses) and $62,000 (large businesses)
  • 29,000 brute-force attacks against Australian servers taken down.

More help for Australian SMBs, the Strategy confirms

Since being named Minister for Cyber Security last year, the first such portfolio in the G20, Clare O'Neil has not shied away from stressing the importance of supporting SMBs in uplifting their cyber security measures. Given their limited resources, this often translates into initial conversations around cyber security and building basic cyber hygiene. To help them do so, the government announced an $11 million programme to strengthen cyber resilience (that is, the ability to prevent, mitigate, respond to and recover from cyber-attacks). In short, this is what it comes down to:

  1. Cyber Wardens program: $23.4 million invested in training in-house cyber experts, delivered by the Council of Small Business Organisations Australia (COSBOA);
  2. Small Business Cloud Security Guides: guidelines based on the ACSC's Essential Eight, intended to support SMBs in protecting the cloud environments they heavily rely on;
  3. A voluntary cyber health-check program: this initiative gives businesses access to a cyber-maturity self-assessment service, inclusive of recommendations for improvement (e.g., access to free educational tools).

And now...The Strategy

As anticipated in the lead-up to the publication, the 2023-2030 Australian Cyber Security Strategy is organised around six shields (Figure below), which set the strategic directions the government wants the country to take in order to achieve the bold and ambitious goal of becoming the world's most cyber-secure country by 2030.

Australian Cyber Security Strategy - The Six Shields

Too much strategising and not enough 'doing'? Good news: the Strategy comes with an Action Plan that sets out the practical actions required to achieve the objectives under the six shields. The Action Plan also indicates which government agencies will be responsible for each action. However, neither the Strategy nor the Action Plan clarifies which Key Performance Indicators (KPIs) will be used to measure success, although one may argue that is not really the purpose of a strategic document.

There is no point in us simply synthesising what is contained in the Strategy and the Action Plan, so let's jump into highlighting some selected components of the Strategy.

Ransomware payments not banned (yet?) (Shield 1)

The elephant in the room, first. The Strategy does not mention an intention by the government to ban ransomware payments. However, Minister O'Neil has said that banning ransom payments is an inevitable move, one for which Australia is not prepared yet, but one that will happen at some stage in the future. To pave the way, the Strategy sets out three initiatives: 1) facilitating the reporting of ransomware attacks by creating a no-fault, no-liability reporting obligation for these attacks; 2) building a ransomware playbook for Australian businesses; 3) leading global, cooperative initiatives in counter-ransomware.

A very controversial topic: when asked whether ransomware payments should be banned, in the open consultation on the Discussion Paper for the Strategy (concluded in April), respondents showed significant opposition to the idea, with 75% of organisations and 55% of individuals saying 'No' to a ban. Whilst banning ransom payments by organisations would be a bold move, with the potential to disrupt the ransomware business model to which the Strategy often refers, it is undeniable that Australian businesses (and the government, for that matter, think of enforcement) are not ready for this to happen. Extreme caution and a step-by-step approach are warranted, should the decision be made. Moreover, the question of whether cyber-criminals could find ways around a ban anyway would still loom.

Support for SMBs is a cornerstone of the Strategy (Shield 1)

The government kept its promise of working to uplift the cyber resilience of SMBs, placing this objective first under Shield 1. Shield 1 also receives the largest share ($290.8 million) of the $586.9 million committed to realise the Strategy, on top of money already allocated by the previous government, in particular to build capabilities within ASD (around $2.3 billion). These are certainly powerful ways to signal the importance of cyber resilience for SMBs. How crucial the protection of SMBs (and citizens in general) is for this government can also be gauged by the number of actions that fall under Shield 1, and by how practical they are. Examples include the already-mentioned 'cyber health checks' for SMBs, the establishment of a Small Business Cyber Resilience Service, and the expansion of the national cyber security awareness campaign for citizens.

Cyber Threat Intelligence sharing (Shield 3)

The recognition that threat actors are becoming more sophisticated highlights the need for industry and government to collaborate in sharing actionable, timely and contextualised cyber threat intelligence (CTI). The path forward is a holistic, collaborative approach to CTI sharing, aimed at a resilient cyber security ecosystem for the digital age.

Three initiatives from the Strategy stand out:

  • Strategic Threat Intelligence Sharing: forming the Executive Cyber Council, with government and industry leaders, shows a commitment to building trust between sectors and sharing vital strategic threat intelligence. It acknowledges that industry leaders need timely and relevant threat information to respond effectively.
  • Sector-Specific Tactical and Operational Threat Intelligence Sharing: investment in automated solutions to maintain visibility of threat activity across the economy is a challenging initiative, but it reflects a proactive stance. The emphasis on scalability and on enhancing existing threat-sharing platforms with industry prepares for the expected growth in cyber threat intelligence in the coming years. In addition, the creation of a Threat Sharing Acceleration Fund, to support the development of sector-specific Information Sharing and Analysis Centres (ISACs) in Australia, recognises the importance of tailoring cyber security efforts to the specific needs and challenges of different industries. We are getting there! The Strategy mentions an initial pilot for the health sector, demonstrating a targeted approach to industry-specific challenges. The focus on healthcare cyber security, given the sector's unique sensitivity and lower cyber maturity, aims to strengthen its capability to identify and respond to cyber threats. It remains to be seen how an Australian Health ISAC would work alongside its US and global equivalents.
  • Scale threat-blocking capabilities: the initiative to develop next-generation threat-blocking capabilities is forward-looking. By supporting telecommunications providers and Internet Service Providers (ISPs) in blocking threats at scale, the government acknowledges the need for advanced, scalable measures, and its plan to expand the reach of threat blocking is very practical. Regulatory amendments will commit telcos to proactively block threats, a further demonstration of commitment to action. The approach does, however, place certain expectations on telcos and ISPs. Is it too much to ask? It is crucial to consider the practical feasibility for providers of taking this on board.

Professionalisation of cyber security will happen (Shield 5)

This set of actions has a two-fold aim.

First, addressing the structural workforce gap affecting the cyber security industry (statistics indicate a gap of 4 million workers globally, and between 17,000 and 30,000 in Australia, depending on the source).

Second, ensuring businesses and citizens have access to reliable, high-quality cyber security services. Professionalisation will certainly involve incident response providers, but also other roles in cyber security, with a view to 'set clear standards to validate cyber skills and experience'.

Proponents of the professionalisation of cyber security point out that it would dramatically improve the quality of services in a context where, given the lack of standards and regulation and the increasing demand, self-professed cyber security experts are numerous. It would also provide much-needed clarity on pathways into cyber professions and the skills they require. Opponents cite the 'bureaucracy' professionalisation would entail, the current skills shortage, the lack of diversity in the profession, the varied backgrounds of cyber professionals, and the ability of job markets to self-regulate as their reasons for a 'no'. Again, regardless of personal opinions, the feeling is that the professionalisation process has already started (as confirmed by the Strategy, which allocates $8.6 million to this purpose) and that a wise, step-by-step approach will be put in place to achieve the objective of a 'flourishing cyber industry, enabled by a diverse and professional cyber workforce'.

Final Snippets

  • For the first time, Data Governance (Shield 2) explicitly 'creeps' into the Cyber Security Strategy, and it does so around three of its components: data retention (with a focus on non-personal data), data brokerage, and data classification. Given the current lack of legislation in this space in Australia (and globally, the EU Data Governance Act being an exception), a stronger connection between cyber security and data governance practices is to be expected in the future.
  • The Strategy and Action Plan contain 15 references to co-design as the approach the government will use to build solutions (e.g., a code of practice, a standard, a review board) for complex cyber security challenges. This is a laudable approach; however, for effective, real co-design, end users (e.g., citizens or SMBs) must not be neglected in the problem-framing, ideation, prototyping and testing of solutions.
  • Microsoft is the only company that gets a specific mention in the Strategy, with its recently announced $5 billion investment to improve Australian cyber defences cited as an example of public-private partnership in cyber security.
  • Adding to the cyber security budget inherited from the previous government, an additional $586.9 million has been announced to support some of the initiatives in the Strategy. The breakdown is as follows: $290.8 million for support to SMBs and citizens; $143.6 million for protecting critical infrastructure; $129.7 million for regional and global cyber initiatives; $9.4 million for a cyber threat-sharing platform for the health sector; $8.6 million for professionalising the cyber profession; and $4.8 million for establishing consumer standards for smart devices and software.



junaate kawser

Australia Award scholar. Cybersecurity at The University of Queensland. Police officer.

1 year

Regarding a ban on ransomware payments or the criminalisation of payments, some more discussion is needed.

Dave Brown

I help executives deliver cyber security transformation programs by aligning delivery to business goals through effective program management and governance.

1 year

Thanks for the summary Ivano & Chathura; looks like Australia is wisely extending Shield 1 to our Pacific neighbours (https://www.abc.net.au/news/2023-11-22/australia-roving-pacific-cyber-experts-online-threats-grow/103135782). In terms of ransomware payments, while they're not specifically banned, it's no simple matter to be sure you're not breaking some other law (Australian, European or US) by making a payment (great explanation here on the Fear & Greed podcast: https://www.dhirubhai.net/posts/mcgrathnicol_interview-why-companies-are-still-paying-activity-7130366027481145344-zb5a?utm_source=share&utm_medium=member_desktop).

Alessandro Zucchini

Channel system engineer at Fortinet | Senior solutions architect | Network, datacenter and security expert

1 year

Thanks Ivano!! I was waiting for it.


More articles by Ivano Bongiovanni GAICD
