Govt strategy underestimates Australia’s cyber challenge


Jason Murrell
Contributor

Facing rapidly escalating cyber threats, Australia’s cybersecurity landscape demands a decisive and strong response. The Australian Government’s 2023-2030 Cyber Security Strategy, while a big step forward, grossly underestimates the magnitude of the current situation.

With a phased horizon approach geared to solve urgent gaps and improve cybersecurity maturity, the strategy intends to establish Australia as a global cybersecurity leader by 2030. However, this pragmatic plan seems woefully inadequate in the face of the severe and immediate cybercrime challenges confronting the nation.

At the core of the strategy’s inadequacy is its budgetary allocation. The $2.88 billion budget is dwarfed by the overwhelming $4.2 billion in cybercrime damages reported for 2022-2023. This glaring misalignment not only signifies an underestimation of necessary resources but also highlights a strategic oversight in budgetary prioritisation.

Moreover, when compared with global leaders like the USA and Japan, Australia’s per capita cybersecurity expenditure is alarmingly low, emphasising an urgent need for increased financial commitment.

CSCAU chair Jason Murrell says there is a misalignment of budget and cybercrime realities in Australia

The Six Cyber Shields initiative, covering key cybersecurity areas, seems comprehensive in theory but falls short in practice.

Crucial sectors, especially small and medium businesses (SMBs), are left vulnerable, lacking the immediate, robust support needed to withstand the current cybercrime wave. Shield One, focusing on SMBs and introducing a ‘no-fault’ ransomware reporting scheme, takes positive steps but fails to address the broader challenges.

The scheme’s legal complexities, as well as its interaction with current regulations such as the Privacy Act, raise fundamental questions regarding its feasibility and efficacy. Again, the cyber health checks for SMBs sound nice in theory, but when done in the other aforementioned nations, it has inconsistent effectiveness. In fact, the users almost always require handholding to get secure.

Furthermore, Shield Two’s emphasis on safe technology and data retention reform, although timely, requires more than policy adjustments. A complete overhaul of the data retention regime is crucial to ensure both data protection and privacy.

The strategy’s commitment to a whole-of-economy intelligence network for threat sharing, encapsulated in Shield Three, is an innovative concept. However, its effectiveness against sophisticated and emerging cyber attacks is uncertain. To be fully effective, the optimistic position requires a firm foundation in realistic capabilities.

The focus on critical infrastructure in Shield Four is relevant and timely. However, the proposed ‘last resort’ powers raise concerns about potential government overreach and bureaucratic inefficiency.

Shield Five’s goal of developing the national cyber workforce and supporting local cyber R&D is progressive, but the cybersecurity sector’s current skills shortages and diversity challenges put doubt on its viability.

Shield Six’s focus on geopolitics and regional cyber resilience is commendable. Nevertheless, for Australia to assume a global leadership role in cybersecurity requires not just strategic alliances but also a demonstrated capability to counter and lead in the face of global cyber threats.

I had hoped for a lot more. The 2023-2030 Cyber Security Strategy, despite its comprehensive appearance, severely underestimates the current cyber threat landscape. The misaligned budget, though significant in isolation, fails to match the soaring costs and complexities of cybercrime.

For Australia to emerge as a global cybersecurity leader, it must not only meet but surpass international standards. This necessitates an urgent and substantial reassessment of the nation’s cybersecurity strategies and priorities, addressing the cybercrime challenge with the urgency and scale it demands.

Jason Murrell is the chair CSCAU (Cybersecurity Certification Australia) and former head of AustCyber.

Do you know more? Contact James Riley via Email.

Leave a Comment