The national office being stood up by the federal government to coordinate its cyber security efforts and respond to incidents will operate without any additional funding initially, the Department of Home Affairs has revealed.
Last month, Prime Minister Anthony Albanese announced the government would create a National Office for Cyber Security, led by a new coordinator for cyber security, in response to the spate of recent data breaches against companies like Optus and Medibank.
The decision followed a discussion paper drafted by the expert advisory board contributing to the refreshed cybersecurity strategy that found the government was “ill-equipped to respond” to the breaches.
The office, to form part of a new Cyber and Infrastructure Security Group within Home Affairs from May 1, will coordinate the work of the departments and agencies with policy or operational responsibilities for cyber security.
Home Affairs is the policy lead for cyber security, while the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre in Defence, and the Australian Federal Police in the Attorney-General’s Department have operational responsibilities.
At the time of the announcement, Home Affairs minister Clare O’Neil declined to put a number on the staff that the office would employ, saying it was still to be worked out and that the office would be “staffed as it’s needed”.
But in response to a question on notice from Liberal Senator Paul Scarr, Home Affairs has revealed that no additional funding has been provided by the federal government to establish the National Office for Cyber Security, as first reported by iTnews.
It is not clear whether the government is planning to provide additional funding in the federal Budget next month, but if it was to do so, the funding would arrive after the official start date for the office on May 1.
Questions on notice from Senate Estimates in February also show the office will be staffed with five full-time equivalent (FTE) staff from Home Affairs, with support to be provided from at least 50 FTE staff and potentially more in the event of a “significant incident”.
The Cyber and Infrastructure Security Centre within Home Affairs, which will become part of the Cyber and Infrastructure Security Group next month, had an average staffing level (ASL) of almost 300, as at February.
Despite being established to improve coordination, Home Affairs has also confirmed that the National Office for Cyber Security will “not have formal reporting arrangements with ASD except for the seconded officers from ASD who will have reporting obligations”.
The office and national cyber coordinator are, however, expected to “regularly engage with ASD, including formalised engagement through operational protocols that will outline roles and responsibilities, including during cyber incidents”.
On Tuesday, Minister O’Neil said Australia needed to become a “hard target” and “bounce back quickly when… hit” if it is to reach its ambitious goal of becoming the “most secure” nation in the world by 2030.
She revealed the “rollout of a national cyber exercise series” for critical infrastructure assets covered by the Security of Critical Infrastructure Act would be led by the new national cyber coordinator within Home Affairs’ Cyber and Infrastructure Security Group.
While the government has long run exercises through the Australian Cyber Security Centre, they have typically targeted specific industries and were run infrequently, unlike the “systematic” and “frequent” exercises planned.
Ms O’Neil said the exercises would be the equivalent of Australia hitting the “gym” as it wakes from its “cyber slumber”, allowing companies to “build muscle memory in how to deal with a cyber-attack – and importantly cover the types of incidents we have not yet experienced on a national scale”.
“Critically it will look at how to work with governments, including dealing with the consequences of a crisis that inevitably will not impact just one company but potentially millions of Australians,” she said on Tuesday.
“This initiative is something that has been raised with me in a number of cybersecurity consultations and, while there have been some great examples of targeted exercising, we need to move faster and in a more integrated way.”