The rapidly evolving regulatory and legislative cyber environment in Australia shows no sign of slowing, with the release of the Federal Government’s Discussion Paper (the Paper) for the forthcoming 2023-2030 Australian Cyber Security Strategy (the Strategy) now out for consultation. The new Strategy will set our nation’s cyber compass for the coming seven years.
The Paper addresses the core policy areas to be included in the Strategy and other areas where feedback is being sought, with 21 main questions and 9 sub-questions being used to frame the discussion. Co-design will be a focus of the Strategy, taking into account the views of industry, academia, government and other key stakeholders.
It also coincides with the creation of a National Office for Cyber Security (the Office), led by a national coordinator for cyber security, within the Department of Home Affairs. The Office will be tasked with leading whole-of-government coordination and triage of major cyber incidents, leading policy development and hardening government’s digital systems.
The key aims of the Strategy are:
- Securing the economy and fostering a thriving cyber ecosystem
- Building resilient and secure critical infrastructure and government systems
- Enhancing and building sovereign capability and capacity to counter cyber threats
- Establishing Australia as a trusted and influential global cyber leader
- Working with regional neighbours to lift cyber security and build cyber resilience
Recognition of complex and evolving regulatory and legislative environment
The Paper recognises the complex and dynamic nature of cyber-related regulation in Australia. These divergent regimes and consultations will be considered in the development of the Strategy and include:
- the outcomes of the Attorney-General’s Department’s Review of the Privacy Act 1988
- the National Plan to Combat Cybercrime
- the ACCC’s Digital Platform Services Inquiry 2020–25
- Commonwealth Digital ID policy development and reforms
- Critical Technologies and National Quantum strategies
- investment through REDSPICE via Defence
Core policy areas to be included in the 2023-2030 Australian Cyber Security Strategy
- Enhancing and harmonising regulatory frameworks: Consideration of a new Cyber Security Act, drawing together cyber-specific legislative obligations and standards across industry and government; consideration of whether further developments to the SOCI Act are warranted, for example, including customer data and ‘systems’ in the definition of critical assets.
- Strengthening Australia’s international strategy on cyber security: Strengthened international cyber leadership, building on Australia’s International Cyber and Critical Technology Engagement Strategy; focus on uplifting cyber resilience across our region.
- Securing government systems: Development of a framework for government to follow, driven by best practice standards, evaluation, transparency, reporting and aligned incentives; enhance mechanisms for support, accountability and leadership across departments and agencies.
Areas for Potential Action by 2030
- Improving public-private mechanisms for cyber threat sharing and blocking: Enhance cyber security threat sharing and blocking through public-private partnerships; consideration of issues pertaining to information sharing, access, declassification of intelligence and existing regulatory frameworks.
- Supporting Australia’s cyber security workforce and skills pipeline: Consideration of what steps are needed to build Australia’s cyber workforce and how the Strategy can support such mechanisms.
- National frameworks to respond to major cyber incidents: Development of frameworks for incident management and coordination, post-incident review and consequence management following major cyber incidents; share learnings to help organisations be better prepared.
- Community awareness and victim support: Consideration of initiatives to support further investment in community awareness and skills building for cyber security, including for SMEs.
- Investing in the cyber security ecosystem: Explore how Australia can create an environment that attracts investment in cyber security and other critical technologies to build national capacity.
- Designing and sustaining security in new technologies: How to future-proof the Strategy for new and emerging technologies with the potential to impact cyber security, like quantum and AI/ML.