On 22 November 2023, the Federal Government released the 2023-2030 Australian Cyber Security Strategy (Strategy). The Strategy was accompanied by the 2023-2030 Australian Cyber Security Action Plan (Action Plan), which supplements the Strategy and details the key cyber security initiatives that will be delivered over the next 2 years.
Together, the Strategy and Action Plan outline significant proposed legislative reforms in respect of ransomware, data retention, critical infrastructure and cyber incident response support as well as other initiatives. These initiatives will affect cyber planning for all businesses operating in Australia.
The Strategy has been developed following public consultation earlier this year on the Strategy’s Discussion Paper – see our previous article on the discussion paper '2023-2030 Australian Cyber Security Strategy: Leading the Charge'.
Launched after 15 months of development, the Strategy directly responds to widespread concerns following the significant incidents that have occurred over the past year, including last year’s high-profile Optus and Medibank cyber incidents, in which millions of Australians had personal information stolen, the nationwide outage of Optus’ mobile and internet services on 8 November 2023, and the November 2023 ransomware attack on DP World Australia, which significantly disrupted port operations.
The Strategy and Action Plan follow the release of Australia’s Annual Cyber Threat Report 2022-23 (Report) developed by the Australian Signals Directorate (ASD), which paints a grim picture of Australia’s cyber threat landscape in FY 2022-23. According to the Report, the ASD responded to over 1,100 cyber incidents from Australian entities in this period and, on average, one cybercrime is reported every 6 minutes in Australia. The Report also identified that critical infrastructure, both in Australia and globally, was targeted through increasingly interconnected IT systems, and that ransomware remains the most destructive cybercrime threat to Australia.
Against this background, Home Affairs and Cyber Security Minister Clare O’Neil has described the Strategy as a pathway to wake Australia from its “cyber slumber”, and promised the Strategy will make individuals, businesses and government agencies more difficult targets for cybercriminals. The implementation of the Strategy and Action Plan is also intended to achieve the Albanese Government’s vision for Australia to become a world leader in cyber security by 2030.
The Strategy describes six “cyber shields”, each providing an additional layer of defence against cyber threats (as described in further detail below). The key proposed legislative reforms are:
Ransomware reporting obligation
The Strategy proposes introducing a no-fault, no-liability ransomware reporting obligation for businesses to give the Government greater visibility of ransomware threats and improve its ability to plan for and manage that threat. The Strategy contemplates that ransomware reports may be used by Government to share anonymised reports of ransomware and cyber extortion trends with industry and the broader community to help build national resilience against cybercrime. However, there are currently no further details as to what ‘no-fault, no-liability’ may actually mean in the context of the current legal regime. See our previous ransomware articles on the legality of paying a ransom and combating ransomware 'Ransomware – to pay or not to pay?' and 'What next to combat ransomware following the Optus attack?'.
Data retention requirements
The volume of data being retained by companies has been an area of concern in the past year. This was highlighted by Optus’ 2022 cyber incident, where personal information of millions of current and former Optus customers was apparently retained by Optus for longer than legally required.
Restrictions in respect of retaining data containing personal information are currently unclear under the Privacy Act 1988 (Cth) (Privacy Act), where personal information must be destroyed “where the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity” (see our previous article on data minimisation 'Why’d you ask? Reducing risk and harm through data minimisation'). In contrast, many organisations have potentially conflicting obligations to retain data, which has led to widespread practices of extensive data retention. Telecommunications providers, for example, are required to comply with specific timeframes under “know your customer” requirements to retain identification information and metadata for 2 years under the Telecommunications (Interception and Access) Act 1979 (Cth) and billing information for up to 6 years under the Telecommunications Consumer Protections Code.
The Strategy proposes amendments to data retention requirements, with a focus on non-personal data, to address the burden and risks that arise from entities holding significant volumes of data for longer than necessary.
Further amendments to the SOCI Act
The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) has already undergone significant amendment over the past 5 years. The Strategy proposes further amendments to increase Government powers, perhaps in response to a perception that it has not been fit for purpose.
Key amendments proposed to the SOCI Act include:
- subjecting telecommunications companies to tougher cyber reporting requirements by moving the security regulation of the telecommunications sector from the Telecommunications Sector Security Reforms (TSSR) in the Telecommunications Act 1997 (Cth) to the SOCI Act. This will mean telecommunications companies are subject to the more onerous cyber reporting requirements under the SOCI Act. See our previous article on the current status quo for telcos 'A case of tele-FOMO? Telecommunications sector introduces SOCI-aligned notification of cyber security incident and reporting obligations';
- clarifying the cyber obligations of managed service providers;
- imposing stronger cyber security obligations on aviation, maritime and offshore facility regulated entities, including other critical infrastructure that enables international transport and shipping routes;
- an enhanced Government review and remedy power, including the power to direct entities to uplift risk management plans if they are seriously deficient; and
- introducing a last resort all-hazards consequence management power where Government would be able to authorise specific actions to manage consequences of a nationally significant incident, including cyber-attacks or other hazards.
For further information on the development of and reforms to the SOCI Act, see our previous articles 'Security of Critical Infrastructure Act (SOCI) reforms – what your business needs to know', 'The curtain falls - Final reforms to Australia’s critical infrastructure laws', 'Critical infrastructure assets - your reporting obligations' and 'SOCI Critical infrastructure risk management program Rules now registered'.
Limiting Government sharing of cyber information
The Strategy includes plans to legislate a limited use obligation for the ASD and the National Cyber Security Coordinator (Cyber Coordinator) resulting in these bodies being more limited in sharing information on cyber incidents. This obligation would aim to limit how sensitive cyber incident information that industry shares with ASD and the Cyber Coordinator can be used by other Federal Government entities, including regulators. To further promote access to trusted support after a cyber security incident, Government also intends to introduce an industry code of practice for incident response providers which will clearly define the service quality and professional standards that are expected from third-party cyber incident response providers.
Cyber security standard for smart devices
The Strategy proposes introducing a mandatory cyber security standard for Internet of Things (IoT) devices, a voluntary labelling scheme for consumer-grade smart devices and a voluntary code of practice for app stores and app developers which will communicate expectations of cyber security in software development. The Government has committed $4.8 million to these initiatives.
The six “cyber shields”
The Strategy builds six national “cyber shields” to help defend against cyber threats. Each of these six shields will provide an additional layer of defence and is therefore intended to make Australia and Australians more difficult targets. Key planned initiatives under each of these shields are described below. Building these shields will involve collaboration across numerous Government agencies, including Home Affairs, the ASD, Treasury, the Attorney-General’s Department, the Australian Federal Police (AFP), the Department of Foreign Affairs and eSafety.
Shield 1: Strong businesses and citizens
Shield 1 focuses on support for businesses and individuals to strengthen their cyber resilience, responding to concerns from Australian small and medium businesses over their lack of time, resources and expertise to uplift their cyber security. As a consequence of those constraints, small and medium businesses can take longer to recover from a cyber incident and face higher costs compared to larger businesses. In large incidents, an incident affecting a small or medium business in a supply chain can also cause major downstream impacts.
Shield 1 aims to achieve this by:
- creating a cyber “health-check” program for small and medium businesses to access free, tailored cyber maturity assessments and guidance on how to improve their cyber security posture;
- enhancing visibility of the ransomware threat by working with industry to co-design options to legislate a no-fault, no-liability ransomware reporting obligation for businesses. Government will also create a ransomware playbook to provide clear guidance on how businesses and individuals should respond to ransomware. Consistent with the Government’s Counter Ransomware Initiative (CRI) commitment, the Federal Government continues to discourage paying ransoms to cybercriminals;
- simplifying incident reporting by exploring options to develop a single reporting portal for cyber incidents to make it easier for entities affected by a cyber incident to meet their regulatory reporting obligations;
- co-designing options to legislate a limited cyber information use obligation for the ASD and Cyber Coordinator, as described above;
- co-designing an industry code of practice for incident response providers which will clearly define the service quality and professional standards that are expected from third-party cyber incident response providers, and ensure they are delivering fit-for-purpose services consistent with public expectations; and
- developing the Digital ID program to reduce the need for people to share sensitive personal information with government and businesses to access services online. This will mean fewer records of individuals’ ID data and documents are kept by commercial and government agencies, reducing the risks and impact of identity theft and fraud. See our previous articles on the Digital ID program 'Your Digital Identity: GovPass expands to include private sector companies and biometric capabilities as project moves forward' and 'In the Government we trust: Have your say on the Trusted Digital Identity Bill'.
Shield 2: Safe technology
Shield 2 aims to improve the safety of smart technologies by:
- legislating a mandatory cyber security standard for IoT devices;
- introducing a voluntary labelling scheme to measure the cyber security of consumer-grade smart devices which is aligned to international markets, including the United States, Singapore and the United Kingdom;
- co-designing a voluntary cyber security code of practice for app stores and app developers to incentivise enhanced cyber security in consumer apps;
- harmonising software standards for government procurement;
- reviewing data retention requirements to determine whether existing provisions are appropriately balanced. This complements the Government’s response to the Privacy Act review, reforms to enable use of Digital ID, and the National Strategy for Identity Resilience. See our previous articles on the Privacy Act review 'Privacy Act Review Report: Highlights And Hot Takes' and 'Federal Government offers modest response to Privacy Act Review';
- reviewing the data brokerage ecosystem and exploring options to restrict unwanted transfer of data to malicious actors via data markets, complementing proposed Privacy Act reforms; and
- continuing to explore practical steps the Federal Government can take to support the safe development and diffusion of artificial intelligence (AI) technologies across the Australian economy, recognising the significant benefits they are already delivering, the significant future potential they offer, and the challenges they pose for cyber security. See our article on AI regulation in Australia 'AI Regulation in Australia: A centralised or decentralised approach?'.
Shield 3: World-class threat sharing and blocking
Shield 3 aims to create a whole-of-economy threat intelligence network and scale threat blocking capabilities by:
- establishing the Executive Cyber Council as a coalition of government and industry leaders to improve sharing of threat information across the whole economy;
- continuing to enhance the ASD’s existing threat sharing platforms to enable machine-to-machine exchange of cyber threat intelligence at increased volumes and speeds. These platforms will enable a framework within which industry-to-industry and government-to-industry cyber threat intelligence can be exchanged; and
- piloting an automated, near-real-time threat blocking capability, building on – and integrated with – existing government and industry platforms.
Shield 4: Protected critical infrastructure
Critical infrastructure has been a major focus for the Federal Government for years and is a major focus in the context of cyber security given the whole-of-society risks if essential services are disrupted by cyber incidents. Under Shield 4, further reform to the SOCI Act lies ahead which will bring telcos within scope of the SOCI Act, clarify the scope of the SOCI Act, give Government greater powers and impose greater cyber security obligations and compliance measures for critical infrastructure owners and operators.
Shield 4 aims to better protect Australia’s critical infrastructure by:
- amending the SOCI Act to impose stronger cyber security obligations on telecommunication companies and aviation, maritime and offshore facility regulated entities, and introducing new and enhanced powers for Government, as described above;
- activating enhanced cyber security obligations for Systems of National Significance (SoNS) under the SOCI Act - including requirements to develop cyber incident response plans, undertake cyber security exercises, conduct vulnerability assessments, and provide system information to develop and maintain a near real-time threat picture;
- expanding Australia’s National Cyber Exercise Program to proactively evaluate consequence management capabilities, identify gaps in coordination and test the effectiveness of incident response plans. Led by the Cyber Coordinator, these cyber security exercises will include participation from states and territories, as well as industry leaders, and will incorporate simulation of systemic cyber incidents; and
- developing incident response playbooks to help coordinate national incident response across Commonwealth, state, territory and industry stakeholders. Developed by the Cyber Coordinator, these playbooks will be informed by the insights gathered from national exercises.
Shield 5: Sovereign capabilities
Shield 5 aims to grow and professionalise Australia’s national cyber workforce by:
- reforming the migration system to increase Australia’s competitiveness and attract highly skilled migrants to expand the cyber security workforce;
- providing guidance to employers to target and retain diverse cyber talent, with a focus on barriers and biases that dissuade under-represented cohorts – specifically women and First Nations people – from entering and staying in the workforce; and
- providing cyber start-ups and small-to-medium enterprises with funding to develop innovative solutions to cyber security challenges through the Cyber Security Industry Challenge program.
Shield 6: Resilient region and global leadership
Shield 6 aims to build cyber resilience in the region and uphold international cyber law standards by:
- refocusing Australia’s cyber cooperation efforts across the Indo-Pacific to support enduring cyber resilience and technology security and better position regional governments to prevent cyber incidents;
- piloting options to protect the Asia Pacific region at scale by partnering with Australia’s regional neighbours and the private sector to leverage industry solutions to protect more people, systems and data from cyber threats;
- shaping and defending the development of transparent international standards in the technology underpinning cyberspace, the internet and the digital economy, including emerging technologies;
- upholding and improving the framework of responsible state behaviour in cyberspace, including how international law applies and best practice implementation of norms; and
- working with international partners to deter and respond to malicious cyber activity, including publicly attributing and imposing sanctions on those who carry out or facilitate significant cyber incidents where there is sufficient evidence and it is in Australia’s interests to do so.
The Strategy will be delivered in three phases over the next 7 years:
- Horizon 1 (2023-25): strengthening Australia’s cyber foundations by addressing critical gaps in Australia’s “cyber shields”, building better protections for Australia’s most vulnerable citizens and businesses, and supporting initial cyber maturity uplift across Australia.
- Horizon 2 (2026-28): scaling cyber maturity across the Australian economy by making further investments in the broad cyber ecosystem and continuing to scale up Australia’s cyber industry and grow a diverse cyber workforce.
- Horizon 3 (2029-30): advancing the “global frontier” of cyber security by leading the development of emerging cyber technologies and adapting to new risks and opportunities across the cyber landscape.
To ensure the Government’s actions remain focused and fit for purpose, the Government will release an updated Action Plan every two years on how the Horizons will be delivered against the ever-evolving cyber threat environment.
What’s next for the Cyber Security Strategy?
After the launch of the Strategy, the Government will start a targeted consultation process to co-design specific initiatives with industry.
To support this consultation, the Government will also establish an Executive Cyber Council comprising executives from across industry, to enable broader collaboration on national cyber security priorities. The Government has committed $586.9 million to the Strategy, which is in addition to the $2.3 billion investment made by the former Morrison Government into Australia’s cyber preparedness, Project REDSPICE (see our previous article on Project REDSPICE 'A spice up to Australia’s cyber capabilities? What we know so far about Project REDSPICE').
The Government has announced that it will shortly release a Strategy Consultation Paper to work directly with industry to inform the proposed legislative reform on new initiatives to address gaps in existing laws and the amendments to the SOCI Act to strengthen protections for critical infrastructure. For impacted and interested entities who intend to make submissions on the Strategy, the consultation period will run until March 2024.
The Strategy and proposed legislative reform in relation to cyber need to be considered in the context of other Government reviews. The most notable of these is the current review of the Privacy Act, where we expect to see substantial changes to better protect Australians’ privacy in response to shifts in technology and community expectations. The Federal Government has also been engaging with industry to inform its approach to regulating AI, to help support responsible AI practices and mitigate potential risks. Affected businesses should take the opportunity to engage with Government and pay close attention to the steps the Federal Government takes in its efforts to keep pace with a complex, diverse and rapidly evolving digital environment.
Authors: Lesley Sutton, Melissa Fai and Dal Lim