New Cyber Security Strategy released

The federal government has released the 2023-2030 Australian Cyber Security Strategy. Here we unpack the key elements of the strategy, which aims to make Australia a more cyber-secure nation.

The 2023-2030 Australian Cyber Security Strategy was released by the Minister for Home Affairs and Cyber Security, Clare O’Neil on 22 November 2023. The strategy outlines the government’s vision to make Australia the most cyber-secure nation by 2030. An accompanying Action Plan details initiatives for implementing the strategy, which will be supported by $586.9 million in additional funding, on top of Australia’s existing $2.3 billion cyber security budget.

The AICD has welcomed the release of the strategy as a key milestone. We also provided an extensive submission in response to the consultation paper in April 2023, available here and engaged with both the Minister and Expert Advisory Board (Andy Penn AO, Rachael Falk MAICD, and Air Marshal (ret’d) Mel Hupfeld AO DSC) during the consultation period.

Key elements of the Strategy

To achieve its 2030 vision, the government has committed to 20 strategic initiatives, with 60 specific actions associated with these initiatives. The strategy is not limited to regulatory change with a clear focus on collaboration with industry, including enhanced threat sharing, uplifting the cyber security workforce and support for small and medium sized enterprises.

We welcome the strategy not proposing a cyber-focused director duty or mandatory governance standard, in recognition of the flexibility of existing laws. We also support the absence of a prohibition on ransomware payments, recognising the complexities which entities can face in such scenarios.

Key actions include:

• Establishment of a mandatory ransomware reporting regime, co-designed with industry - under the proposed regime, large businesses will be required to report a ransomware event. Unlike other mandatory reporting regimes, the proposed model will operate on a ‘no-fault and no liability’ basis.
• Introduction of a ‘limited use’ provision for information shared by entities with the Australian Signals Directorate (ASD) and National Cyber Security Coordinator – the intention of this measure is to promote greater information-sharing during a critical incident and address legal concerns that such information might be provided to regulators for enforcement purposes.
• Amendments to the Security of Critical Infrastructure Act 2018 - to expand application to ‘business critical data’, enhanced obligations on Systems of National Significance, transfer security regulation of telecommunications providers from the Telecommunications Act 1997 and the provision of additional ministerial directions powers.
• Simplified incident reporting – via a single reporting portal (Cyber.gov.au) and further work to examine options for harmonising reporting obligations.

The government has acknowledged the critical need for further guidance to assist business understand their cyber obligations and best practice, and has signalled several support mechanisms and guidance materials are in the pipeline, including:

• An overview of corporate obligations for critical infrastructure owners and operators;
• Release of best-practice principles to guide good cyber governance, to be developed in consultation with industry, drawing on existing guidance including from the AICD;
• A ransomware playbook, to assist businesses and individuals prepare and bounce back from ransom attacks;
• A playbook for incident response, to be developed by the National Security Coordinator; and
• Creation of further information and threat sharing mechanisms, including the establishment of a Cyber Incident Review Board to complete no-fault reviews and educate the wider community and business on ‘lessons learnt’.

Next steps for strategy implementation

Delivery of the strategy will occur over three phases, with the first (2023-25) focused on addressing critical gaps, better protecting citizens and business and improving regional cyber maturity. In the next few weeks, consultation will commence on legislative reforms, including proposed amendments to the SOCI Act and the establishment of a ransomware reporting regime.

AICD resources and upcoming webinars

The AICD membership is strongly engaged on cyber security, with the AICD Director Sentiment Index consistently finding the topic is the number one ‘issue’ keeping directors awake at night.

Directors seeking practical guidance on building cyber resilience can access the Cyber Security Governance Principles developed by AICD and the Cyber Security Cooperative Research Centre here. The principles, endorsed by Minister O’Neil, have quickly become a benchmark for boards, receiving over 20,000 downloads since their release last year.

We are also supporting members via two upcoming webinars. On 5 December, a webinar will feature the Head of the Australian Cyber Security Centre, Ms Abigail Bradshaw CSC, discussing the current cyber threat environment. On 12 December, an expert panel will discuss the broader cyber and digital regulatory landscape, including the Strategy and developments in artificial intelligence.

You can register at the following links:

• 5 December - Australia's Cyber Threat Environment: Insights from the Australian Signals Directorate
• 12 December - Navigating the digital regulatory changes in Australia 2023

The AICD will keep members updated on the implementation of the Strategy. Any feedback can be sent to policy@aicd.com.au