Australian Cyber Security Strategy works on developing cybersecurity measures while improving cyber resilience

Australia released on Monday a discussion paper seeking views on how the government can achieve its vision under the 2023-2030 Australian Cyber Security Strategy. The paper calls for recommendations as to what it should consider when developing cyber security measures to better protect and enhance collective cyber resilience, both in Australia and in the region. Interested stakeholders have until Apr. 15 to submit their views and opinions.

The paper identifies the need for the unified effort of government, industry, and the community. “Together, we can equip our community to reduce the number and impact of cyber incidents through improved cyber hygiene and provide clear advice on how to respond confidently when they occur.”

The discussion paper seeks to enable the government to develop cyber security policies and initiatives to deliver a secure economy and thriving cyber ecosystem, provide secure and resilient critical infrastructure and government sector, and offer the sovereign and assured capability to counter cyber threats. Australia is a trusted and influential global cyber leader, working in partnership with its neighbors to lift cyber security and build a cyber-resilient region.

“I have appointed an Expert Advisory Board to assist and advise the Government on the development of the 2023-2030 Australian Cyber Security Strategy. The Board is chaired by former Telstra CEO Andrew Penn AO, who is joined by Mel Hupfeld AO DSC and Rachael Falk,” Clare O’Neil, Australia’s Minister for Home Affairs and Minister for Cyber Security, wrote in the discussion paper. “The Board is working closely with industry, civil society, and academia to advise the Australian Government on the steps we need to take to make Australia the most cyber secure nation in the world by 2030.” 

The Assistant Foreign Minister, the Hon. Tim Watts MP, is also closely involved in the development of the 2023-2030 Australian Cyber Security Strategy, leading Australia’s approach to how Australia can work in partnership with the region to lift collective cyber security, according to O’Neil. “Setting Australia up for success in the digital age begins with meaningful engagement and transformative partnerships across all levels of government, industry, and the community. To achieve this goal, the Government is developing the 2023-2030 Australian Cyber Security Strategy, and we want you to be a part of the discussion,” she added. 

Core policy areas to be included in the 2023-2030 Australian Cyber Security Strategy include enhancing and harmonizing regulatory frameworks, strengthening Australia’s international strategy on cyber security, securing government systems, and supporting Australia’s cyber security workforce and skills pipeline. The strategy also looks at developing national frameworks to respond to major cyber incidents, bringing about community awareness and victim support, investing in the cyber security ecosystem, and designing and sustaining security in new technologies, while also implementing governance and ongoing evaluation. 

Australia’s cyber landscape has evolved significantly since Australia’s Cyber Security Strategy 2020 was released. “COVID-19 highlighted our critical dependence on cyber for our productivity, prosperity, and national security as Australians spent more time online than ever before. The Russia-Ukraine conflict demonstrated that cyber-attacks by both nation states and criminal groups can rapidly spill across borders and affect critical infrastructure and essential services around the world,” the discussion paper identified. “The Optus and Medibank incidents also represented two of the most significant data breaches in Australia’s history.”

Collectively, these events underscore an urgent need to deliver a national cyber security strategy that takes lessons learned from previous stakeholder consultations and major incidents to inform current policy responses. The strategy also sets out the priorities for Australia’s cyber security uplift from 2023-2030 and seizes opportunities to get ahead of changes in the risk environment, harness new technologies, and position Australia as a global leader in cyber.

The discussion paper identified that to be the most cyber secure nation in the world by 2030, Australians should have confidence that digital products and services sold are fit for purpose and include appropriate best practice cyber security protections. There may also be opportunities to simplify and streamline existing regulatory frameworks. 

“Combined with domestic uplift, strengthened international leadership will enable us to seize opportunities and address the challenges presented by the shifting cyber environment. Australia is a respected voice in addressing the challenge of making the world a safer place online,” the discussion paper said. “We can leverage this voice through tangible steps to shape global thinking, particularly in relation to new and emerging technologies. Cyber resilience is also essential to unlocking economic opportunity and prosperity in our region. Investments in areas such as health, infrastructure, and education are not secure if they are not underpinned by effective cyber security.”

The paper also outlines three sets of opportunities to explore through consultation on the 2023-2030 Australian Cyber Security Strategy. They include how Australia can elevate the existing level of engagement with international partners through concrete steps to promote cyber resilience; what opportunities there are to better support the development of international technology standards, particularly in relation to cyber security; and how government and industry can partner to uplift cyber resilience and secure access to the digital economy, especially in Southeast Asia and the Pacific.

Public sector cyber security is composed of both non-technical and technical elements, and it is crucial to consider both when working out how to better secure government systems. Non-technical aspects include things like governance frameworks and accountability mechanisms, cyber security culture, and risk management planning. Technical aspects include elements such as inventory management and legacy systems, variation across government systems and attack surfaces, and the nature of essential services delivered by each entity.

“Enhancing government cyber posture will require a framework which accounts for best practice standards, evaluation, transparency, reporting, and aligned incentives; and the appropriate support, accountability and leadership for individual government departments and agencies to manage their cyber security risk profile,” the discussion paper revealed. “In addition to the core policy areas, where it is clear interventions will be addressed in the Strategy, there are a range of other areas where potential policy options to enhance cyber resilience could be considered in the Strategy.”

The Australian Government is pursuing a broad agenda related to science, technology, engineering, and mathematics (STEM) skills, which will support the growth of the future workforce, including in cyber security. “More broadly, the Government has committed to reaching 1.2 million tech jobs by 2030. To the extent that cyber security is embedded in STEM curricula, this agenda will improve the available pool of cyber security professionals. However, it is not yet clear whether this will be sufficient for more specialised cyber security career pathways,” the paper said.  

Close on the heels of the announcement about CI-ISAC’s Academic R&D Engagement Group, CI-ISAC Australia and the Australasian Higher Education Cybersecurity Service (AHECS) signed a comprehensive memorandum of understanding (MOU) to share cyber threat intelligence collected by this ‘brains trust’ – Australia’s research and higher education institutes – and Australian industry. The two-way sharing that is unlocked by the alliance through CI-ISAC Australia’s threat intelligence platform and community network will enhance the cyber defense of Australian industry and critical infrastructure.

The discussion paper also said the government must ensure that frameworks for incident management and coordination are fit-for-purpose, and conduct post-incident review and consequence management following major cyber incidents. “It is also clear that the government should share the root cause findings from investigations of major cyber incidents so that we can all benefit from these learnings,” it added. 

The recent Optus and Medibank incidents exposed the gaps in Australia’s existing incident response functions.

“To become the most cyber secure nation by 2030, Australia must create an environment that attracts investment in cyber security and other critical technologies,” the discussion paper said. “There are a range of potential measures which could be explored to promote trade and investment in this space, with clear opportunities for collaboration between federal, state, and territory governments.”

It also disclosed that there are a number of emerging technologies, such as quantum, communications technologies, the Internet of Things, and artificial intelligence which will significantly impact, and be impacted by, cyber security. “Some of these technologies exist now. Others will rapidly develop from 2023 to 2030 and will disrupt the existing landscape of cyber security. The Strategy must be adaptable to account for changes in the strategic and technological environment in the coming years,” it added.

“The Strategy will form the foundation of an evolving approach to cyber security into the future,” the discussion paper said. “Implementation will require strong governance and a transparent, meaningful evaluation framework to ensure the Australian Government’s vision is realised, and the Strategy is fit-for-purpose now and into the future.”

Last week, the Australian government published a 2023 Critical Infrastructure Resilience Strategy that provides a national framework to guide Australia to enhance critical infrastructure security and resilience. The document provides a framework for how industry, state and territory governments, and the Australian government will work together to mature the security and resilience of critical infrastructure, and to anticipate, prevent, prepare for, respond to, and recover from all-hazards. It builds upon the 2015 Critical Infrastructure Resilience Strategy.

Accompanying the 2023 Critical Infrastructure Resilience Strategy is a 2023 Critical Infrastructure Resilience Plan that sets out how the Strategy’s objectives will be delivered. 
