On 21 April 2016, the Federal Government launched a new $230 million Cyber Security Strategy (the Strategy), aimed at combatting the increasing number of online threats and assaults. The Strategy replaces the 2009 Cyber Security Strategy, providing a four year program which draws on greater defence capabilities, private sector involvement, global coordination and public awareness to improve Australia’s cyber safety.
The Strategy has 33 initiatives, sorted under five pillars:
- Building national cyber security partnership;
- Strengthening defences;
- Exercising global leadership;
- Driving growth and innovation; and
- Creating a cyber-smart nation.
NATIONAL CYBER SECURITY PARTNERSHIPS: PRIVATE SECTOR COOPERATION AND CONSULTATION
The Strategy stresses the importance of the private sector in strengthening Australia’s cyber security. $47 million is to be spent on the development of Joint Cyber Threat Centres in key capital cities, to build online portals for businesses to share cyber security information. Several pilot centres will be built first to trial viability and effectiveness.
The private sector will be asked to consult with the Government and research community to devise national voluntary cyber security guidelines, based on the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions. Business will also be able to undergo “health checks” to compare their information security defences against similar organisations. Although voluntary, ASX 100 listed businesses will be encouraged and first have the opportunity to complete these checks, with the plan to open the program up to small public and private organisations over time.
The Prime Minister will lead an annual security meeting with business leaders. Further, the Australian Cyber Security Centre will be relocated from the Canberra ASIO building to a major capital centre to be more accessible to businesses.
2. STRENGTHENING DEFENCES: MORE FUNDING AND PERSONNEL
The 2016 Defence White Paper recognised the importance of bolstering Australia’s cyber and intelligence capabilities, committing $400 million over the next decade to the cyber security sector.
The Strategy adds to this, with the Australian Federal Police (AFP) and the Australian Crime Commission receiving an additional $20.4 million and $16 million respectively for threat detection, technical analysis and forensic assessment. Both bodies will also receive about 50 more cyber security experts between them, with another 50 new experts to be dispersed across other Government agencies. The capacity of the Computer Emergency Response Team will also be increased to coordinate with businesses providing key national services.
The policy includes enhancement of Australia’s cyber offensive capability. The new offensive capability is to be used strictly in compliance with international responsibilities. It is considered that development of offensive capability will also help improve defensive capabilities.
Three new roles have been created to ensure continued focus on cyber security. Former AFP tech crime director Alastair MacGibbon has been appointed as the new Special Advisor on Cyber Security at the Department of Prime Minister and Cabinet. There will also be a Minister Assisting the Prime Minister for cyber security to lead the dialogue between business leaders and the Government, and a Cyber Ambassador to work closely with the Foreign Minister.
3. GLOBAL LEADERSHIP IN TACKLING ONLINE ATTACKS
Recognising the global nature of the threat of cyber attacks, the Government seeks to “champion an open, free and secure internet.” Government organisations and centres of excellence will work with allied nations to devise strategies for pre-empting the moves of cyber criminals (known as “cyber raiders”). This will include developing ways of shutting down overseas “safe havens” where cyber raiders congregate to launch raids.
4. LIFTING GROWTH AND INNOVATION: BUILDING CENTRES AND A WORKFORCE
The Government plans to establish academic centres of excellence at universities to boost the numbers and quality of cyber security workers in Australia. They are also seeking to promote careers in cyber security at all levels of education, and diversify the workforce, particularly by boosting female participation.
The centres of excellence will complement the $30 million national cyber security growth centre announced by the Prime Minister in December 2015, acting as a centre of research and development. The centre is expected to hook up with existing Commonwealth and State initiatives and be operational by mid-2016.
5. CREATING A CYBER-SMART NATION: CAMPAIGNS AND GUIDELINES
A public social media campaign will be launched to strengthen the cyber safety of Australians, from households to major businesses. Individuals will be alerted to dangers of common online threats, such as opening foreign emails, clicking on untested websites, and failing to guard against malware. Business will be aided by the proposed national guidelines to improve their cyber hygiene, threat detection, monitoring of administrative privileges to avoid unauthorised disclosure and testing malware precautions.
The Prime Minister was careful to position the Strategy as an important foundation for a successful digital economy. Jennifer Westacott, Chief Executive of the Strategy of the Business Council of Australia, in her opening remarks referred to the successful implementation as a potential competitive advantage for Australia. The announcement of steps to enhance Australia’s capacity for cyber-offence, better cooperation with international law enforcement to shut down cybercriminals and improved policy co-ordination through an Australian Cyber Ambassador are actions that only government can take. Intended action on these issues appears timely and appropriate.
However, the success of the Strategy will depend on the effectiveness of implementation. Areas to watch include:
- The Special Advisor: Government has set Special Advisor, Alistair MacGibbon, the challenging task of guiding the coordination and disclosure of government agencies and programs underpinning the Strategy.
- The Cyber Ambassador and Minister Assisting the Prime Minister: the appointment and official role of the Cyber Ambassador and the Minister Assisting the Prime Minister is yet to be detailed.
- The relocation of the Australian Cyber Security Centre: The new location of the Centre is yet to be announced, and details of how it will engage in greater consultation with businesses are unclear. It is notable that no new legislation is proposed to underpin the secrecy regime necessary to facilitate sharing of threat information between members of government. It will therefore be interesting to see the framework that is proposed.
- Improving cyber security literacy: It is not clear whether and how the proposed support for the education sector will attract greater numbers and diversity into the cyber security workforce.
- Increasing cyber awareness: It appears details of how increased cyber security awareness across the community will be achieved practically are yet to be announced.
For the full report, click here.