The federal government has finally released its $1.7 billion 2020 Cyber Security Strategy, with initiatives including new laws to protect critical infrastructure, additional powers for police to target the ‘dark web’ and efforts to improve the cyber resilience of small businesses.
Prime Minister Scott Morrison and Home Affairs Minister Peter Dutton unveiled the full strategy in Canberra on Thursday morning – four months later than expected – after nearly a year of consultations and amid growing concerns over the threat of cyber-attacks to businesses and governments around the country.
Most of the funding, repurposed from the Defence budget, was announced in late June as the $1.3 billion Cyber Enhanced Situational Awareness and Response package; the strategy provides further detail on that package and adds a further $320 million. The funding is spread across the next decade.
The more significant areas of the strategy depend on legislation still to be developed and passed by Parliament, but the document provides little detail on what that legislation will contain.
The strategy is split into three key areas: protecting essential infrastructure, protecting the economy and SMEs, and protecting everyday Australians.
While much of the early media reporting and Mr Dutton’s address to the media focused on the dangers of the dark web and new laws to assist law enforcement in countering illegal activity online, the bulk of the strategy is concerned with protecting essential infrastructure from cyber-attacks, improving the resilience of businesses and lifting community awareness of cybersecurity.
As part of the strategy, new laws will be introduced to allow the government to better assist critical infrastructure providers during a cyber-attack and to impose minimum standards; large businesses will be incentivised to help SMEs improve their cybersecurity; a number of initiatives will aim to grow the cyber workforce; and a voluntary code of practice will be developed for Internet-of-Things device manufacturers.
The strategy opens by painting a picture of an ever-growing online threat landscape for governments at all levels, Australian businesses and individuals. That situation has been made more dangerous by the ongoing COVID-19 pandemic, it says.
The funding package would achieve the government’s “vision of creating a more secure online world for Australians, their businesses and the essential services upon which we all depend.”
It positions the federal government’s role as primarily protecting critical infrastructure and other essential services, as well as assisting agencies and businesses in improving their own cyber resilience.
It also places responsibility on larger businesses to assist smaller companies and everyday Australians with improving their awareness and cybersecurity capabilities.
The strategy says that a cyber-attack on an essential service such as electricity or transport would have “devastating impacts across Australia”, and that the government needs to be able to intervene directly to defend against such attacks when it is “in the national interest” and its “unique capabilities” are needed.
“Although more can be done to raise the overall security posture of critical infrastructure, some nation states or state-sponsored actors are so sophisticated that an attack may be beyond the capability of a single network owner to handle alone, irrespective of its size, expertise and best efforts,” the strategy said.
The government plans to develop new laws giving it powers “proportionate to the consequences” to actively defend these networks and to assist their operators with recovery. This assistance could include expert advice, direct hands-on support or the use of classified tools.
Amendments to the Security of Critical Infrastructure Act 2018 will clarify what owners and operators need to do to meet minimum expectations of cybersecurity, including enforceable “positive security obligations” for designated entities, enhanced cybersecurity obligations for entities most important to the nation, and how the government will assist during and after an attack.
In terms of public sector cybersecurity, the government will centralise the management and operation of government agencies’ IT, potentially through the establishment of “secure hubs”. Consolidating agency environments this way would reduce the number of targets available to hostile actors.
Basic cybersecurity clauses will now be included in government IT contracts, and stronger consequences will be considered for nation-states found to be targeting Australia, where it is in the national interest to do so.
An $8.3 million Cyber Security Connect and Protect Program will also be launched to give SMEs tailored advice, along with $12.3 million for online training and a 24/7 helpdesk. The government will encourage large businesses to bundle tools and information for SMEs, including threat-blocking, antivirus and cybersecurity awareness training, in line with a Clean Pipes approach under which malicious traffic is filtered upstream by service providers rather than by each small business itself.
“Integrating cybersecurity products into other service offerings will help protect SMEs at scale and recognise that many businesses cannot employ dedicated cyber security staff,” the strategy said.
The government will consider whether to make legislative changes to set a minimum cybersecurity baseline across the entire economy, including the role of privacy, consumer and data protection laws and the duties of company directors.
The government will also consider legislative support for businesses to implement automatic threat-blocking technology, with the Australian Cyber Security Centre receiving $12.5 million to supply the country’s major telcos with threat information on malicious websites, malware and phishing campaigns.
A voluntary code of practice will soon be launched setting out the cybersecurity level expected of internet-connected devices sold in Australia, built around 13 principles. The strategy flags that further steps will be taken if the voluntary code proves insufficient. A Cyber Security Best Practice Regulation Task Force will also be established.
The strategy also includes a $50 million Cyber Security National Workforce Growth Program, including a $26.5 million Skills Partnership Innovation Fund to encourage businesses and academia to partner together, $6.3 million for the ACSC to grow education skills, $14.9 million going towards Questacon and $2.5 million to improve data on cybersecurity skills shortages.
The AFP and other law enforcement agencies will be handed increased powers to combat crime on the dark web, which Mr Dutton referred to as the “sewer” of the internet.
This includes $90 million for the AFP to establish new teams and bolster its capability to operate on the dark web, and $31.6 million to expand the ACSC’s powers to counter cyber crime actors operating offshore.
Other new initiatives in the strategy include $118 million to improve the ASD’s data science capabilities, $20.2 million for research labs, expanded investment in the Joint Cyber Security Centres, $1.6 million to enhance the cybersecurity of universities and $10 million for an expanded National Exercise Program for cybersecurity incident planning.
The strategy includes a list of initiatives and measures for their success, but no set timeline for implementation or a breakdown of how the $1.7 billion will be allocated across the next 10 years.
The new strategy had been due for release earlier this year but was delayed by the ongoing COVID-19 pandemic. The government has been consulting on it since September last year, when a consultation paper was released and drew 215 submissions. Home Affairs officials met with more than 1400 people as part of the consultations.