22 September 2020
By Zann Maxwell, AusPayNet Policy Analyst
The Federal Government has long recognised that digital technologies are fundamental elements of Australia’s prosperity in a global economy, and that capturing more of the opportunities that a connected world offers depends on ensuring cyber security settings are appropriate.
Australia’s first Cyber Security Strategy was released in 2016 and backed by a $230 million investment. It set out the Government’s plan to strengthen our cyber resilience and security, raising national awareness of online threats. The Strategy guided the Government’s establishment of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD) as the single point of cyber expertise for the Government. This was in addition to the establishment of Joint Cyber Security Centres (JCSC) in five capital cities.
However, in the years since its release, the cyber threat landscape has shifted and evolved dramatically.
To ensure that Australia’s response evolves in line with the increased threats, on 6 August 2020 the Government released its second Cyber Security Strategy. The Strategy will invest $1.67 billion over 10 years to work towards achieving the Government’s vision of creating ‘… a more secure online world for Australians, their businesses and the essential services upon which we all depend’.
The 2020 Strategy was informed by A Call for Views Discussion Paper, which received 215 submissions. An Industry Advisory Panel (chaired by Mr Andrew Penn, Chief Executive Officer and Managing Director of Telstra) also provided strategic advice.
The Australian Payments Council (APC) public submission highlighted a number of factors for consideration including:
Many of these are addressed in the 2020 Strategy.
The Advisory Panel Report, published on 21 July, a matter of weeks prior to the Strategy, contained 60 recommendations that the Panel believed ‘… strike the right balance between increasing our cyber defences, promoting the development of a digital economy and countering threats to our economy, safety, sovereignty and national security.’
Under the Strategy, the majority of the $1.67bn, $1.35bn, is allocated to the development of Cyber Enhanced Situational Awareness and Response (CESAR). This covers a number of deliverables including assistance to critical infrastructure providers, an enhanced cyber threat-sharing platform, a new national situational awareness capability and funding to tackle the increase in scams, which has grown during COVID-19.
The Government will also develop an enhanced regulatory framework for critical infrastructure and systems of national significance. The Government sees supporting the continuity of essential services in the face of disruptive or sophisticated attacks as ‘… a fundamental obligation for government’.
To meet this obligation, the Government says it will develop ‘new powers proportionate to the consequences of a sophisticated and catastrophic attack.’ The regulatory framework will uplift security and resilience in critical infrastructure sectors, combined with better identification and sharing of information about threats. The framework will apply to owners and operators of relevant critical infrastructure regardless of ownership arrangements and will be delivered through amendments to the Security of Critical Infrastructure Act 2018.
Of the $1.35bn, $62.3m is allocated to a ‘classified national situational awareness capability’ intended to better enable government to understand and respond to cyber threats to critical infrastructure and other high priority networks. This will be complemented by increased incident reporting and near-real-time threat information from the most essential pieces of infrastructure as part of future regulatory requirements.
The Industry Advisory Panel noted consistent feedback from stakeholders about the need to improve Australia’s situational awareness through improved threat information sharing between industry and Government. The primary concern of the Industry Advisory Panel was a perceived lack of real-time threat information sharing from the Australian Cyber Security Centre (ACSC) to industry.
To make use of all sources of threat information, through the Strategy the Government will deliver an enhanced threat-sharing platform, enabling critical infrastructure operators to share intelligence with government and other providers about malicious cyber activity at machine speed, and block emerging threats as they occur.
There is also $12.5m for the ACSC ‘… to provide Australia’s major telecommunications providers with information about known malicious websites, malware, phishing campaigns and online scams to boost providers’ ability to block threats at scale. This funding will support industry partnership, research and development of new capabilities to detect and block threats at scale, reducing the volume of cyber threats impacting Australians’.
Many of the submissions made in response to the Discussion Paper also agreed that human behaviour is almost always part of the problem, and that greater education of the general public is a necessary part of any plan to improve Australia’s cyber security.
Cyber security can be complex and confusing for many people, particularly vulnerable groups such as the elderly and people from non-English speaking backgrounds. Providing more general cyber security information to the public will be important. A good example of this is the work done by the UK’s National Cyber Security Centre.
Optus in its public submission suggested that a coordinated Government-led education campaign is required to raise awareness and increase security literacy of all Australians, ‘… particularly at the lower-resourced end of the market.’ The University of Melbourne’s submission echoed this by suggesting a cyber security equivalent of the famous and successful ‘slip, slop, slap’ government education campaign for sun-safety.
To this end, the Strategy states that the Government will ‘… invest in a new public awareness raising campaign, delivered in coordination with campaigns about online safety,’ and that ‘The Australian Government will also provide a comprehensive online cyber security training program for small businesses, older Australians and Australian families, delivered through www.cyber.gov.au’.
The IoT is also addressed in the Strategy with the Government planning on releasing a voluntary Code of Practice: Securing the Internet of Things for Consumers. This will comprise 13 principles and will be supported by guidance material by ASIC.
Submissions similarly agreed that Australia needs more trusted and skilled cyber security professionals, reflecting the concerns expressed by many of the submissions to the Select Committee on Financial Technology and Regulatory Technology. In fact, Optus pointed out in its public submission to the Discussion Paper that the demand and competition for skilled professionals from other sectors, such as fintech, are exacerbating the problem for cyber security.
This issue is likely to be amplified moving forward, with more devices flowing from the rollout of 5G, more use of the IoT, and an increase in cyber-attacks in Australia intensifying the demand for qualified cyber security professionals.
The Strategy addresses this challenge with a $50 million Cyber Security National Workforce Growth Program, which includes:
This program complements the $40m invested by the Government as part of their election commitment to grow the Defence cyber workforce and the already announced fast-tracking of training qualifications for the ICT sector to further equip Australia’s workforce with cyber security and digital skills.
The Minister for Home Affairs will have primary responsibility for delivering this Strategy, while a Cyber Security Strategy Delivery Board will be responsible for its day-to-day implementation. The Industry Advisory Panel will also be made a permanent Industry Advisory Committee and will guide the implementation of this Strategy. This Committee will make public reports about the progress of this Strategy.