Australia will be “the world’s most cyber-secure country by 2030” under an ambitious new plan outlined by Cyber minister Clare O’Neil in Canberra on Thursday. It includes an entirely new national strategy, new sovereign capabilities and a hardening of government systems and critical infrastructure.
The Home Affairs and Cybersecurity minister also flagged policy reforms based on more analysis of the large-scale breaches at Optus and Medibank, and a “punch back at the hackers” with new offensive cybersecurity.
In her first address to the National Press Club as minister, Ms O’Neil attacked her Coalition predecessors for leaving the nation “unnecessarily vulnerable” and outlined a new program of work.
The announcement goes well beyond Ms O’Neil’s post-election commitment to recast the national 2020 cybersecurity strategy – which had laid out a 10-year $1.6 billion plan – acknowledging it will take significant new investment by the government.
But the recent Optus and Medibank data breaches had underscored the issue and offered an opportunity for a “step change” in Australia’s cybersecurity, Ms O’Neil said.
“I want Australia to be the world’s most cyber-secure country by 2030. I believe that is possible. But we need a reset, and a pathway to get there,” she said.
In the wake of the massive private sector data breaches, the Albanese government established a 100 cyber offensive team led by the Australian Federal Police and the Australian Signals Directorate, expanded international efforts on ransomware, and significantly increased the penalties for data breaches through privacy law reform.
Ms O’Neil said the taskforce would “punch back at the hackers”, while the hefty fines are the first “proper” penalty regime for data breaches.
Work on longer term changes are now underway with a new program outlined by the minister on Thursday.
The new national strategy will “bring the whole nation into the fight” by focusing more on sovereign capabilities, strengthening critical infrastructure, government systems and international engagement.
Ms O’Neil announced the development of the new strategy will be led by former Telstra boss Andy Penn, Cyber Security Cooperative Research Centre chief Rachel Falk — who is currently reviewing the Medibank and Optus breaches for policy reform options — and former chief of Air Force Mel Hupfeld.
Mr Penn helped develop the 2020 strategy as an advisory panel member, but has been critical of its implementation and monitoring.
A global expert panel led by former UK National Cyber Security Centre chief executive and Oxford University Professor Ciaran Martin will also provide input on the new strategy. Within government, Finance Minister Katy Gallagher and Assistant Minister Tim Watts will work with Ms O’Neil on the strategy.
“We have the burning platform, we have the mandate for change, we’ve genuinely got the best minds on this problem. Now, it’s time to translate that into a more cyber-secure Australia,” Ms O’Neil said.
While the Coalition’s 2020 cyber strategy will now be scrapped, the former government’s $9.9 billion REDSPICE project will continue, with Ms O’Neil throwing her full support behind it and flagged an even greater investment in government cybersecurity.
“We’re not spending enough on cyber defence at the moment,” she said. “One of my challenges is how are we going to address that problem? One of the elements of this that is going to be expensive is securing government infrastructure.”
Australian government agencies have repeatedly been found to not meet their own minimum cybersecurity standards.
Ms O’Neil, who has been critical of the private sector firms that suffered data breaches, said the government needs to show “a bit of humility” on cybersecurity.
“Part of the cyber strategy — one of the four goals — is to establish how we are going to lift and fund the security of Australian government infrastructure, and it is going to require more money, she said”
Do you know more? Contact James Riley via Email.
Political jibes at the former liberal government who pledged $1.6bn in funding cyber security and expand police powers. The reality is this stuff has been going on for years whilst executives sleep away the risks “it’ll never happen to us, why would anyone attack us?”
Once I see proper steps taken towards legislating a decentralised identity service to replace address, phone number, passport # etc. is the day I believe the government is taking the matter seriously.
Also reviewing mandatory retention laws in line with the above so wholesale scraping of customer data is no longer possible. If there’s nothing to steal, thieves will go elsewhere.