Australia's Cybersecurity Plan is Arming Homegrown Solutions, Talents



Following careful consideration, the Australian government unveiled its 2023-2030 Cyber Security Strategy, aiming to position the country as one of the world's most cyber-resilient nations by 2030. The strategy outlines a number of ways in which Australia can safeguard its citizens, companies, and other entities from cyber threats in the decade to come.

Crucially, it arrives at a time when the nation is still in shock from a series of significant cyber incidents, such as the data breaches at Optus and Medibank from last year, the statewide Optus blackout that occurred earlier this month, and the more recent closure of ports across the nation as a result of a cyber attack. Given that Australia was listed as the fifth-most powerful cyber nation in a 2022 assessment by Harvard University's Kennedy School, the strategy's aim is a commendable one.

Clare Ellen O'Neil, Minister of Home Affairs and Cybersecurity, unveiled the draft, which was centered on ways to strengthen Australia's critical infrastructure resilience, networking options, and related coordinating techniques to safeguard citizens and small companies across the country.

The strategy aims to achieve a balance by encouraging strong industry-government commitment while simultaneously taking firm action against companies that are not prepared for the digital age. At present, no economy-wide cyber regulations have been brought about despite a number of legislative improvements, such as those to the Security of Critical Infrastructure Act 2018 (SOCI Act), being recommended.

Improving Communication between Public, Private and Economic Organizations

With regard to cybercrime solutions and other related advancements, the first two years will improve communication between the public and private sectors as well as significant economic organizations. Creating new guidelines for communication providers that will separate the effects of hacking will be part of this phase.

In the next few years, new models "that will encourage the rest of the economy to work" will be created, and the public's awareness of the dangers in the nation's digital space will grow even more.

O'Neil stated that as part of the endeavor, the government will add to the prior investment made by the previous administration through 2030 by spending an additional 587 million Australian dollars ($385 million) over a four-year period.

In addition to the $2.3 billion committed to ongoing cyber projects, including the REDSPICE program, which aims to improve the intelligence and cyber capabilities of the Australian Signals Directorate, the government has allocated $586.9 million to accomplish these goals.

The largest allocation of $290.8 million will be used to safeguard residents and companies. An additional $143.6 million will be allocated towards fortifying vital infrastructure, encompassing significant telecommunications networks.

In order to "reduce the need for people to share sensitive personal information with the government and businesses to access services online," the policy will also expand the Digital ID initiative. However, few details were provided about this.

Mitigating Ransomware

According to the strategy, ransomware is ‘one of the most disruptive cyber threats’ in the world and can cause damage to Australia's economy of up to $3 billion annually. A "ransomware playbook" will be created by the government to assist companies in defending against and recovering from cyber-extortion.

"In an effort to encourage the reporting of ransom occurrences, it will also collaborate with the industry to co-design a mandated no-fault ransomware reporting program."

Additionally, the plan ‘strongly discourages’ paying the ransom. This makes sense because the ransomware industry and future attacks by criminals are inexorably fueled by these payments.

A Risky Move

In a controversial move, however, Minister of Cybersecurity Clare O'Neil has considered outlawing these kinds of payments altogether at some point in the upcoming years. This could have unfavorable effects. A company that is legally unable to pay a ransom, for example, might not be able to retrieve stolen data, leading to irreversible data loss and monetary loss. In retaliation, attackers might also post the stolen information online.

A further risk is that, in the short term, criminals may find Australia more alluring if a prohibition is announced since they may rush to carry out as many attacks as they can before payments are declared unlawful. This would have less of an effect if companies used a structured strategy for routine data backups.

A Cybersecurity Standard for Consumer Electronic Goods

Working with the industry to create a mandated cyber security standard (compliant with international norms) for consumer-grade smart devices sold in Australia is another key aim.

Additionally, an optional cyber security labeling program for smart gadgets will be introduced by the government. An effective program will advise people on the security settings of the many gadgets they own. That being said, it's difficult to predict if it will have a significant effect because it's voluntary. App developers and app stores will be subject to yet another voluntary code of conduct.

Challenges to the Strategy; What are the Odds?

If successfully executed, the plan may lead to a significant drop in cybercrime, increased public safety, and a booming cyber industry. The complexity and diversity of cyberthreats, which are always changing, present the biggest obstacle. Perhaps a few years ago, no one would have considered the threats of today. Some of the strategy's underlying presumptions might become obsolete in the upcoming years due to this inherent uncertainty.

Then, with conflicting ideals like privacy, security, innovation, and regulation, there are inevitably trade-offs.

Furthermore, several of the initiatives listed in the strategy are conspicuously vague. This might make assessing its effectiveness as a high-level strategic document and tracking its development challenging.

Stakeholder participation and voluntary action are necessary for success, but they might not be sufficient to guarantee accountability and compliance from certain companies and people.