A very rough year of cyber attacks prompted quick and dramatic legislative action in Australia, and the latest development is the announcement of a new national cybersecurity plan to be funded with A$587 million.
In addition to increasing funding for law enforcement, the cybersecurity plan establishes “health checks” for the country’s small businesses and makes incident reporting rules more strict. The government also intends to pursue foreign talent to fill open roles in the cybersecurity workforce, and to limit the amount and length of time of personal data storage.
Ambitious cybersecurity plan puts a special focus on smaller businesses, critical infrastructure
The headline items that have driven Australia’s cyber defense upgrades are the 2022 breaches of telco Optus and health insurer Medibank, each involving over nine million leaked records containing sensitive personal information, and the much more recent weekend shutdown of four ports operated by DP World Australia. But there has also been a more sustained and general uptick in cyber crime, with the Australian Cyber Security Centre recently reporting an increase of nearly 25% in reports from residents and the average cost to victims increasing by 14%.
The new cybersecurity plan is meant to play out over seven years, with a commentary period open and some terms subject to change before everything is finalized. It is divided into three “horizon” periods of two to three years each, with the first of these beginning immediately and ending as 2025 closes. One of the near-term objectives is the establishment of a “cyber health check plan” for the country’s small and medium businesses. This program will be free to qualifying businesses and will tie in with the existing Cyber Wardens initiative, a $23 million program announced in May that offers free training in cyber resilience improvement.
Small businesses that experience an attack will also receive victim support by way of the Small Business Cyber Security Resilience Service, meant to be a “one-stop-shop” to be consulted in the wake of incidents.
Horizon 1 of the cybersecurity plan also looks to establish education and awareness training for the whole of the country via a national cyber awareness campaign, and a new grant program for community organizations serving vulnerable populations in rural areas or in cohorts that would be better served by a tailored approach.
One of the highlight items of the initial phase of the cybersecurity plan is improvement of law enforcement capability. The government will expand the existing Operation Aquila, an aggressive hack-back program meant to disrupt and disable high-priority cyber criminal activity. The Project REDSpice program, meant to develop new cyber capabilities and offensive tools for pursuing criminal groups online, will also get a financial boost. The cybersecurity plan also proposes building regional law enforcement capability via the Pacific Islands Law Officers’ Network and ASEAN Senior Officials Meeting on Transnational Crime.
The government is also looking to encourage businesses to report cyber incidents, and to make it easier to report in a timely manner. To that end the cybersecurity plan calls for talks with stakeholders in forming a no-fault no-liability ransomware reporting obligation, and a promise to publish clear guidance for private industry via the existing Counter Ransomware Initiative (CRI). This latter effort will take the form of a “ransomware playbook” meant to help both businesses and individuals that have been on the receiving end of an attack. The former will be funneled through a new Cyber Incident Review Board that gets involved after major breaches. Businesses will also benefit from a single reporting portal established at cyber.gov.au.
Critical infrastructure subject to new legislation
Another important note in the cybersecurity plan is that industries in critical infrastructure sectors will be moving from being regulated by the Telecommunications Act to the Security of Critical Infrastructure Act. This bill, which went into force December 2021, governs 11 sectors and 22 categories of critical infrastructure assets.
The longer-term objectives of the cybersecurity plan include beefing up the country’s IT workforce, something slated for the 2026-2028 “Horizon 2” phase. The final phase is much more general, calling for the country to become a world leader in cyber defense and a primary developer of related technologies.
It is not yet clear at what point this will be implemented or exactly what form it will take, but the cybersecurity plan also calls for the country’s businesses to get serious about minimizing data. The scope of the Optus and Medibank breaches was in part caused by the companies holding onto customer data for a very long time, most likely longer than is really necessary for any useful purpose. Going forward, Australia’s businesses will likely face some sort of new restrictions on how long they can hold onto old data for and the purposes that they can use to justify holding it for extended periods.