A new age? How the new government is looking to transform Australian cybersecurity

Cybercrime in Australia continues to rise at an alarming rate.

Australian Cyber Security Centre (ACSC) figures show that the country experiences a cyber attack every eight minutes, with self-reported losses in 2021 reaching $33 billion.

Australia’s cyber policy is scrambling to keep up

The ACSC, part of the Australian Signals Directorate (ASD), has led the government’s response to cybersecurity since 2014, when it replaced the Cyber Security Operations Centre. But there have been two major policy shifts since its inauguration – with another to come.

In 2016, Liberal Prime Minister Malcolm Turnbull launched a Cyber Security Strategy that trumpeted the benefits of “an open, free and secure internet”, and underlined cyber’s role in driving confidence and economic growth. In 2020, under Scott Morrison’s leadership, a new strategy was introduced, with an emphasis on online safety via the education of the public and the strengthening of both the ASD and ACSC.

Recent cybersecurity incidents are spurring action

The fact the telecommunications giant Optus made the news for all the wrong reasons is creating more momentum for change. The new government has already introduced two major updates, namely:

1. The ability for telecom operators to share information with APRA-regulated financial institutions to get ahead of potential fraud

2. Changes to the Privacy Act pertaining to the collection and storage of PII data

The Minister for Communications, the Hon Michelle Rowland MP, commented: "The Albanese Government takes seriously the protection of personal information. The proposed regulations have been carefully designed with strong privacy and security safeguards to ensure that only limited information can be made available for designated purposes. This will enable Optus, the financial services sector and relevant agencies to work together more effectively, to implement enhanced monitoring and safeguards to protect customers affected by the breach."

Cybersecurity now has a seat at the highest levels of government

2020’s Cyber Security Strategy was intended to last a decade, but the Labor party’s May election victory means change is coming fast. Within two weeks of his election, Prime Minister Anthony Albanese announced the appointment of Clare O'Neil as Minister for Home Affairs and Minister for Cyber Security – the first time cybersecurity has had its own cabinet portfolio.

It’s a welcome recognition of the sector’s importance. Cyber spending has soared in recent years, from $230 million in 2016 to $1.67 billion in 2020, with $9.9 billion allocated in 2022’s budget to implement the Resilience, Effects, Defense, Space, Intelligence, Cyber and Enablers (REDSPICE) program. With a dedicated ministry, it’s hoped that spending can be focused and proactive measures put in place. The fact that O’Neil is a woman, meanwhile, is also good news for an industry that has often struggled with a lack of diversity.

Recent measures have taken aim at ransomware

While the indications coming from the new government are promising, change will take time. Organisations are still adjusting to Morrison government’s cybersecurity measures:

• 2021’s Ransomware Action Plan made the reporting of attacks mandatory for organisations with a turnover of more than $10 million, established a dedicated anti-ransomware taskforce and brought in stricter sentences for cyber crime
• In March 2022, $9.9 billion was allocated to expand the ASD and ACSC
• Mindful of the danger posed by attacks on essential industries, the Critical Infrastructure Act was amended in April so that organisations across numerous “critical asset classes” – which now includes sectors such as education, broadcasting, food and transport – must report serious incidents within 12 hours of discovery or risk a minimum $11,100 fine
• Legislation also requires that “systems of national significance” now have risk management programs in place, and government assistance has been made available as a potential last resort in cyber incidents

The government aims for sovereign capability

The plan to “tear up” existing strategy and start with a clean slate suggests that there may be some radical changes on the horizon. O’Neil said future strategy would be “grounded in sovereign capability, with a plan for the future workforce and growth of the cyber security sector, including Australian cyber-SMEs.”

What does that mean in practice? Despite the media spotlight, too many businesses still see cybersecurity as an afterthought, rather than an integral part of their infrastructure. To drive its message home, the government may even seek to consolidate cybersecurity across a single framework that sets national standards and has the power to impose strong penalties, along the lines of the European Union’s General Data Protection Regulation (GDPR).

The government may also revisit anti-ransomware plans, such as mandating that all companies must inform the ACSC before making any ransomware payments.

Changes may mean more cyber workers and more collaboration

Previous governments have banked on being able to recruit more highly skilled cybersecurity workers, but there are already a big cyber skills gap in the Australian job market, with resources stretched thin and wages often higher in the private sector. Tackling this shortage is clearly a priority, and it’s likely to involve placing a greater emphasis on cybersecurity education in schools and universities. O’Neil has also noted the importance of migration in helping Australia build a “thriving, diverse cyber-skilled workforce”.

Building bridges across the cybersecurity sector is also crucial, with ministers considering an initiative like the UK’s Industry 100 (i100) project, in which professionals from commercial organisations come together in “good faith” with government staff to collaborate on national security.

State-backed actors threaten the nation

These are early days for the new government and many questions remain. O’Brien has promised to “build resiliency, with real engagement and industry ­alliances to deal with cyber shocks in an assured, not anxious way,” but until these words are backed with concrete policy, it’s hard to predict exactly how the change in government will affect individual organisations.

In 2021, Australia joined the AUKUS pact, promising ever-closer cybersecurity collaboration with the US and UK – as threats from state-backed actors soar – the government is yet to state how this key relationship will evolve in the years to come. But what we can expect, given the global reach of state-backed attackers, is that cybersecurity policies across different country will cover a lot of common ground, making mutual cooperation and collaboration a lot easier.

Cybercrime is getting the attention it deserves

There is no doubt that Australia’s cybersecurity strategy is in urgent need of a review, and by giving the industry its own cabinet role the government has underlined its commitment to change.

For now, the impacts of existing legislation such as the Ransomware Action Plan are still playing out, but the next few years could see major steps taken in terms of legislation, education and collaboration across different industries and with nations around the world. The jury is still out – but CISOs should take comfort from the fact that cybercrime is firmly in the crosshairs of the government, and they are likely to have more support – and responsibilities – going forward.