In a significant move to bolster Australia's cybersecurity posture, the Albanese Government has announced a $600 million investment and unveiled a comprehensive strategy to combat cyber threats.
The strategy, titled the 2023-2030 Australian Cyber Security Strategy, outlines a multi-pronged approach to protect businesses, citizens and critical infrastructure from evolving cyber threats.
"We need to act now to defend Australia from cyber threats," Home Affairs Minister Clare O'Neil stated.
"Australia is a wealthy country and a fast adopter of new technologies, which makes us an attractive target for cybercriminals."
With millions of Australians having their data stolen and released online in a series of high-profile cyberattacks such as those against Optus and Medibank, Minister O'Neil emphasised that the updated strategy would make every citizen, business, government agency and organisation a "harder target" and ensure those that were hit could bounce back faster.
The decade of sleepwalking on cyber ends with our government. Today I launched the Albanese Government’s 2023–2030 Australian Cyber Security Strategy with @TimWattsMP.
Cyber security is the fastest growing threat to Australia’s national security. pic.twitter.com/K4YjH6M11p
— Clare O'Neil MP (@ClareONeilMP) November 22, 2023
Six cyber shields
The new strategy calls for the creation of six 'cyber shields', which are:
- strong businesses and citizens;
- safe technology;
- world-class threat-sharing and blocking;
- protected critical infrastructure;
- sovereign capabilities; and
- resilient region and global leadership.
Today the Australian Government has released its new 2023–2030 Australian Cyber Security Strategy. The Strategy brings six cyber shields to respond to the challenges cyber security poses to the Australian community.
To learn more, visit: https://t.co/b4XkIhotVB pic.twitter.com/vFpzKFJhGH
— National Cyber Security Coordinator (@AUCyberSecCoord) November 22, 2023
Labor will boost spending on cybersecurity by $587 million between now and 2030, on top of the $2.3 billion commitment it inherited from the Morrison government.
That $2.3 billion was originally part of the $10 billion REDSPICE package for the Australian Signals Directorate.
Of Labor's funding increase, $291 million will cover support for small and medium businesses, building public awareness, fighting cybercrime, breaking the ransomware business model and strengthening identity security.
A further $146.3 million will be spent defending critical infrastructure and improving government cybersecurity, while $129.7 million will be invested in regional and global cybersecurity initiatives.
The Federal Police will get extra resources to "fight back" against cyber gangs as part of Australia's offensive cyber capabilities.
Safe harbour provisions
Amid complaints from the Australian Signals Directorate that some companies hit by a cyberattack were hindering the response by "lawyering up" because of concerns over damages claims or regulatory action, the government will introduce safe harbour provisions when disclosing incidents.
Under the new regime, to be co-designed with industry, businesses will face a no-fault, no-liability ransomware reporting obligation.
Limits will be put on how any information a business or industry shares with cyber officials can be used by other government bodies, including regulators.
"We need early warnings of ransomware attacks to enable the government to provide the right support at the right time," the strategy stated.
"We also need to build an improved picture of the ransomware threat so that we can develop appropriate responses."
Today the Australian Government launched a game-changer for Australia’s cyber security. The new 2023–2030 Australian Cyber Security Strategy will deliver tangible action on the cyber security issues that matter most to Australian communities & businesses. https://t.co/QwOhGnYKkZ pic.twitter.com/yQroHVgJSn
— Cyber and Infrastructure Security Centre (@CISC_AU) November 22, 2023
Ransomware playbook
While the government will not ban companies making ransomware payments, it will create a 'ransomware playbook' to provide clearer guidance about how businesses should respond.
"The Australian Government continues to strongly discourage businesses and individuals from paying ransoms to cybercriminals," the strategy stated.
"There is no guarantee you will regain access to your information, or prevent it from being sold or leaked online. You may also be targeted by another attack."
Cyber safety review board
The government will also set up a new process to learn lessons from cyberattacks and share that information with the community, likening it to the Australian Transport Safety Bureau and drawing on the model of the US Cyber Safety Review Board.
The proposed Cyber Incident Review Board will conduct no-fault post-incident reviews, with the aim of improving collective cybersecurity and honing preparations for responding to attacks.
"The proposed review mechanism will not make findings of fault and will not interfere with incident response or regulatory, intelligence or law enforcement functions," the strategy stated.
The government will also "encourage and incentivise" threat sharing and threat blocking by critical infrastructure providers and internet service providers and conduct more frequent national cybersecurity exercises across the economy.
With this comprehensive strategy and significant investment, the Albanese Government is taking a proactive stance to safeguard Australia's digital future and protect its citizens and businesses from the ever-increasing threat of cyberattacks.