Making sense of the Australian Cyber Security Strategy

• Australia unveils the Australian Cyber Security Strategy to protect businesses and citizens. 
• Australia aims to be a world leader in cybersecurity by 2030.
• The first phase of the Australian Cyber Security Strategy will address critical gaps in cybershields, building better protections for the most vulnerable citizens and businesses.

Cybersecurity in Australia is becoming a prerogative as the government works towards safeguarding citizens and businesses. One cybercrime is reported every six minutes in Australia, with ransomware alone causing up to AUD$3 billion in damages to the Australian economy annually.

In response to which, the Australian government has released its plans to improve cybersecurity. The 2023-2030 Australian Cyber Security Strategy is a roadmap that aims to strengthen cybersecurity, manage cyber-risks, and better support Australian citizens and businesses.

Aiming to be a world leader in cybersecurity by 2030, the roadmap will be implemented through six cybershields. Each shield provides an additional defense against cyberthreats, placing Australian citizens and businesses at its core.

“Cybersecurity requires government and big business to lead. From today, we are shifting more of the cyber risk to those who are most capable. We hold industry to higher standards to protect our devices, data, and critical infrastructure.

For the first time, the government will hold itself to the same standard it expects of industry. The strategy is bold and ambitious – and it has to be. Because one thing is abundantly clear from what’s happened to our cyber-environment in the last five years: we can’t continue as we are. We need to push harder to get in front of this problem. For the first time, Australia’s Cyber Security Strategy will help our country do just that,” said Clare O’Neil, Minister of Home Affairs and Cyber Security in Australia.

To achieve its 2030 vision, the strategy will be delivered in three phases:

• Horizon 1 (2023–25) – Australia will strengthen its foundations. This includes addressing critical gaps in cybershields, building better protections for the most vulnerable citizens and businesses, and supporting improved cybermaturity uplift across the region.
• Horizon 2 (2026–28) – The focus will be scaling cyber maturity across the economy. This includes investing further in the broader cyber-ecosystem, continuing to scale up the cyber-industry, and growing a diverse cyber-workforce.
• Horizon 3 (2029–30) – Australia will advance the global frontier of cybersecurity. The country will lead the development of emerging cyber-technologies capable of adapting to new risks and opportunities across the cyber-landscape.

Views on the Australian Cyber Security Strategy

Following the unveiling of the strategy, several tech companies reached out to Tech Wire Asia to share their views on the strategy.

Aidan Tudehope, co-founder of Macquarie

Most collaboration between government, industry, and intelligence currently happens within what could be deemed the regulatory compliance vertical, owing to the legal ramifications organizations can face when cyber-events happen. This strategy allows greater collaboration between intelligence operators within both government and enterprises – typically CISOs, CIOs, and CTOs – and their counterparts in the Australian Signals Directorate.

Our AUKUS allies want confidence in Australia’s industrial base to support the partnership. Given cybersecurity’s horizontal effect across all industry sectors and their supply chains, getting behind the Strategy and building more cyber-aware citizens and businesses will help create that confidence and showcase the incredible capabilities and talent we have in the local sector.”

The current cybersecurity and privacy legislation landscape has evolved considerably in recent years and, in the process, has become fragmented across the Commonwealth, states, and territories. Minister O’Neil’s Strategy establishes cybersecurity as a unifying nationwide endeavor, led by the Federal Government as the exemplar, but delivered in synchronicity with all tiers of government, the private sector, and the broader economy.

SMEs are exempt from Australian privacy laws and many data protection, deletion, and governance requirements. But they make up about 95% of all organizations in Australia, and many are part of government and critical infrastructure supply chains, sharing data and digitally interacting with entities crucial to the nation’s economy and national resilience.

Organizations with an immature understanding of cyber and privacy measures could inadvertently create risk for other, potentially more critical organizations, and we strongly welcome the government’s targeted support to help SMEs achieve new levels of cybersecurity and sophistication.

Tim Hartman, head of solution architecture, Australia & New Zealand, Infoblox:

Infoblox welcomes the government’s 2023-2030 Cyber Security Strategy and mainly its focus on real-time threat intelligence sharing, working in partnership with our neighbors, and raising all organizations and people’s cybersecurity posture to make the whole stronger than the sum of its parts. Organizations face new threats every day but too often don’t speak up to partners, customers, like-minded businesses, or government intelligence, which leaves others to fend for themselves. The Strategy focuses on cyberprotection as a collective effort, and greater intelligence sharing will help us subvert cybercriminals.

While there’s a journey to become the most secure nation in the world in seven years, there are some essential quick wins organizations ranging from SMEs – which will have the benefit of the new cyber-‘health checks’ the government has announced – to significant enterprises and government agencies, can achieve now.

For example, when last reported by the Australian Signals Directorate (ASD), only 11% of organizations mandated to meet the Essential Eight maturity model had completed Maturity Level 2, a level experienced cybercriminals willing to invest in their time and tools can still break through. Further, just 26% of eligible or mandated organizations leveraged AUPDNS as of December 2022. This free protective domain name system (DNS) can employ response policy zones to dynamically filter out malicious and suspicious domains, which can foil over 90% of malware attacks.

A recent report showed that Australian organizations detected more issues from email/phishing attacks than any other type, including network, application, device/endpoint, cloud, third-party/supply chain, and ransomware attacks. The greater awareness, education, collaboration, and investment in our cybersecurity and defense capabilities will help the country zero in on where the issues and vulnerabilities lie, see the adoption of readily available frameworks and services rise considerably, and help Australia towards its ambitious goal to lead the world in this area.

Anthony Stitt, regional senior director, Nozomi Networks

One of the critical issues to address is visibility over deep, widely connected networks with so many devices potentially talking to each other. All too often, IT and operational technology (OT) networks run together on the same flat network. For these organizations, many are planning segmentation projects, but they are complex and disruptive to implement, so in the meantime, organizations want to understand what’s going on in these environments.

What’s positive is that organizations are more willing than ever to get their foot in the door. They understand there’s a lot of work to do, but starting with some essential tools and monitoring capabilities can still make a huge difference, and it starts the maturation process.

There’s always something an attacked organization could have done to remain protected, but we can’t forget that cybercrime is a crime. Greater involvement and offensive capabilities from law enforcement will help to change that mindset, and it’s great that is a priority from the government through the 2023-2030 Cyber Security Strategy.

Jacqueline Jayne, security awareness advocate, KnowBe4 APAC

While the rhetoric from previous ‘strategies’ is evident, there are some standouts regarding the ultimate goal of creating a ‘slip-slop-slap’ for cybersecurity.

This goal would mean that every Australian:

1. Understands and accepts that cybersecurity is everyone’s responsibility.
2. Is aware of the cyberthreat landscape.
3. Has all the essential cyber-hygiene elements in play.
4. Knows the red flags to be on the lookout for to avoid scams and cyberattacks.
5. Is comforted by the knowledge that their kids are safe online.
6. Knows what resources and support are available should they become victims of a scam or cyberattack.
7. Organization has an ongoing, relevant, and engaging security awareness program for all their employees and volunteers.

Chris Sharp, CEO at Pax8 APAC

There’s a path in Australia’s cybersecurity opportunity where the little guys aren’t left out, but the advice to market – particularly to SMBs – needs to be polished. The government’s “health check” program announcement is a valiant effort – the actual test will be how it educates the right people across a highly diverse SMB landscape. ‘Concierge-style’ support only goes so far, particularly if it doesn’t know where to go and businesses don’t understand why to seek it out.

Despite the flurry of media headlines, many SMBs remain blissfully unaware of how or why they can and should be involved in collectively raising the nation’s cyberdefenses. But it’s not their fault. Rhetoric typically focuses on ‘big business’ attacks, leaving SMBs thinking, “We’re too small; our data doesn’t matter.”

The latest ASD report on the 2022-23 financial year, citing 94,000 registered cybercrime incidents with average financial losses of AUD$46,000 to small businesses and AUD$97,200 to medium companies, busts this myth.

The problem is that SMBs don’t know who to start conversations with, or turn to. Working alone makes the cost of cybersecurity defenses untenable, but it doesn’t have to be this way. Your local florist, corner store, or even the grassroots neighborhood start-up can contribute to building Australia’s resilience; they need the education to know why and how to be government-compliant, fight increasing cyber-insurance premium costs, and protect their customers’ PII data.

Recent events have seen an escalation in Australian cyberattack threat.

---

---

---

---