Professional Documents
Culture Documents
-
2030
AUSTRALIAN
CYBER
SECURITY
STRATEGY
DISCUSSION
PAPER
Expert Advisory Board
Andrew Penn AO (Chair)
Air Marshal (ret’d) Mel Hupfeld AO DSC
Rachael Falk
We acknowledge the Traditional Custodians
throughout Australia and their continuing
connection to land, sea and community.
We acknowledge the Ngunnawal people,
the Traditional Custodians of the land on which this
paper was prepared, and we pay our respects
to their Elders, past, present and emerging.
INISTER’S
OREWORD
3
Minister’s
Foreword
As Australia’s first Cabinet Minister for Cyber I have appointed an Expert Advisory Board
Security I am focused on creating a digital to assist and advise the Government on the
environment that is safe, trusted and secure. development of the 2023-2030 Australian
As a nation we have a unique opportunity to Cyber Security Strategy. The Board is chaired
move cyber security beyond a niche technical by former Telstra CEO Andrew Penn AO,
field to a strategic national security capability who is joined by Mel Hupfeld AO DSC and
that underpins our future prosperity. Rachael Falk. The Board is working closely
with industry, civil society and academia
The case for change is clear. Australia has
to advise the Australian Government on
a patchwork of policies, laws and frameworks
the steps we need to take to make Australia
that are not keeping up with the challenges
the most cyber secure nation in the world
presented by the digital age. Voluntary
by 2030. The Assistant Foreign Minister, the
measures and poorly executed plans will
Hon. Tim Watts MP, is also closely involved in
not get Australia where we need to be to
the development of the 2023-2030 Australian
thrive in the contested environment of 2030.
Cyber Security Strategy, leading our approach
The digital age presents enormous to how Australia can work in partnership with
opportunities. To achieve our vision of our region to lift our collective cyber security.
being the world’s most cyber secure country
Setting Australia up for success in the digital
by 2030, we need the unified effort of
age begins with meaningful engagement and
government, industry and the community.
transformative partnerships across all levels
Together, we can equip our community to
of government, industry and the community.
reduce the number and impact of cyber
To achieve this goal, the Government is
incidents through improved cyber hygiene
developing the 2023-2030 Australian Cyber
and provide clear advice on how to respond
Security Strategy, and we want you to be
confidently when they occur.
a part of the discussion.
This discussion paper is an opportunity
to provide your views on how we can work
together to make Australia a world-leader
in cyber security by 2030. This means:
The Hon Clare O’Neil MP
Minister for Home Affairs
• Australia has a secure economy Minister for Cyber Security
and thriving cyber ecosystem;
• our critical infrastructure and
government systems are resilient
and secure;
• we have a sovereign and assured
capability to counter cyber threats;
and
• Australia is a trusted and influential
global cyber leader, working in
partnership with our neighbours
to lift cyber security and build
a cyber resilient region.
5
Introduction
from the Expert
Advisory Board
While this is a discussion paper for the Our national resilience, economic success,
2023-2030 Australian Cyber Security Strategy and security rely on us getting our cyber
(the ‘Strategy’), when we refer to ‘cyber’ we settings right. Importantly, 99% of Australians
mean the conduit by which all Australians can now have access to the internet.1 During
engage in a wide range of activity digitally the COVID 19 pandemic, classrooms and
such as shopping, banking, work, education, workplaces moved entirely online, which
and healthcare. However, we also note that contributed to the rapid acceleration of living
‘cyber’ provides a conduit for crime, foreign in a digitally connected world. The adoption
interference, espionage, disinformation and of digital technologies by some organisations
misinformation. Cyber security is the means was sped up by three to seven years in
by which the cyber foundations of the digital just months.2
world are secured. We are seeking your
Uplifting Australia’s cyber resilience would
views to inform our recommendations to
also provide a significant boost to the
Government as to what it should consider
domestic digital economy. The Australian
when developing cyber security measures
cyber market contributed approximately
to better protect and enhance our collective
$2.4 billion in Gross Value Added (GVA)
cyber resilience, both in Australia and in
in 2022, and the sector’s GVA grew by
the region.
11% from 2020 to 2022.3
1 www.acma.gov.au/publications/2022-12/report/communications-and-media-australia-how-we-use-internet
2 www.mckinsey.com/~/media/mckinsey/business%20functions/mckinsey%20digital/our%20insights/the%20new%20digital%20edge%20
rethinking%20strategy%20for%20the%20postpandemic%20era/the-new-digital-edge-rethinking-strategy-for-the-postpandemic-era.pdf
3 AustCyber Sector Competitiveness Plan (2022)
4 CSIRO Futures, Cyber Security A Roadmap to enable growth opportunities for Australia (2018)
5 www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022
6 www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022
Andrew Penn AO
Mel Hupfeld AO DSC
Rachael Falk
effort, building on our history The Expert Advisory Board has commenced
consultation on the Strategy through a series
of collaborative cyber resilience. of roundtables focussed on the core policy
themes identified in this discussion paper.
Australia is uniquely placed to define and Consultation will continue through to the
adopt world-leading policies in cyber security. drafting and publication of the final Strategy
Since Defence 2000: Our Future Defence before the end of 2023.
Force, Australia has been alert to the need The Expert Advisory Board and the
to consider cyber security as a matter of Department of Home Affairs will lead
national security. consultations on domestic components
Australia’s Cyber Security Strategy 2016 of the Strategy, and partner with the
introduced cyber security as a risk to a Department of Foreign Affairs and Trade
broad audience at the foundational level, to lead international-themed consultations
and Australia’s Cyber Security Strategy 2020 to ensure that the Strategy accounts for
then recommended action across three pillars: global perspectives and partnerships.
governments protecting against sophisticated The Minister for Home Affairs and Cyber
cyber threats, businesses protecting their Security and the Expert Advisory Board are
customers, and the community making also being advised on global best practice
cyber-aware choices. by a Global Advisory Panel comprising the
Australia’s Cyber Security Strategy 2020 was best minds from our closest allies. The Global
complemented by Australia’s 2021 International Advisory Panel is chaired by Ciaran Martin CB,
Cyber and Critical Technology Engagement former CEO of the United Kingdom’s National
Strategy, which set out Australia’s vision Cyber Security Centre.
for a safe, secure and prosperous Australia,
Indo-Pacific region and world, enabled by
cyberspace and critical technology. Moving
forward, domestic and international cyber
security policy considerations will be
combined into a whole-of-nation effort
under the Strategy.
13
The 2023-2030
Australian Cyber
Security Strategy
Australia’s cyber landscape has evolved There are a range of other important
significantly since Australia’s Cyber Security Government priorities which will significantly
Strategy 2020 was released. COVID-19 enhance Australia’s digital security and which
highlighted our critical dependence on will progress in parallel with the Strategy.
cyber for our productivity, prosperity, and These include:
national security as Australians spent more
• the outcomes of the Attorney-General
time online than ever before. The Russia-
Department’s Review of the Privacy
Ukraine conflict demonstrated that cyber
Act 1988;
attacks by both nation states and criminal
groups can rapidly spill across borders and • the National Plan to Combat Cybercrime;
affect critical infrastructure and essential
• the Australian Competition and
services around the world.7 The Optus and
Consumer Commission Digital Platform
Medibank incidents also represented two
Services Inquiry 2020–25;
of the most significant data breaches
in Australia’s history. • Commonwealth Digital ID policy
development and reforms;
Collectively, these events underscore
an urgent need to deliver a national cyber • measures enhancing the growth
security strategy which: of critical technology industries
and resilience of supply chains led
• takes lessons learned from previous
by the Minister for Industry and Science,
stakeholder consultations and major
including the National Quantum Strategy;
incidents to inform current policy
and
responses;
• investment through the REDSPICE
• sets out the priorities for Australia’s
(Resilience, Effects, Defence, Space,
cyber security uplift from 2023-2030;
Intelligence, Cyber, Enablers) package
and
administered by the Minister for Defence.
• seizes opportunities to get ahead of
The Privacy Act Review Report was publicly
changes in the risk environment, harness
released on 16 February 2023 for consultation
new technologies, and position Australia
on the development of the Government
as a global leader on cyber.
response to the report. Public consultation
will remain open until 31 March 2023.
The feedback received will also contribute
to the development of the Strategy.
7 https://www.cyber.gov.au/acsc/view-all-content/advisories/russian-state-sponsored-and-criminal-cyber-threats-critical-infrastructure
8 www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022
This attachment consolidates the questions for security, and are there opportunities
consultation in the 2023-2030 Australian Cyber to streamline existing regulatory
Security Strategy Discussion Paper and includes frameworks?
further specific detail. f. S
hould the Government prohibit the
Respondents may make a submission regarding payment of ransoms and extortion
the entire discussion paper and full list of demands by cyber criminals by:
questions, or select only those questions (a) victims of cybercrime; and/or
which are most relevant. (b) insurers? If so, under
what circumstances?
1. What ideas would you like to see included i. W
hat impact would a strict
in the Strategy to make Australia the most prohibition of payment of ransoms
cyber secure nation in the world by 2030? and extortion demands by cyber
criminals have on victims of
2. What legislative or regulatory reforms
cybercrime, companies and
should Government pursue to: enhance
insurers?
cyber resilience across the digital
economy? g. S
hould Government clarify its position
with respect to payment or non-
a. W
hat is the appropriate mechanism
payment of ransoms by companies, and
for reforms to improve mandatory
the circumstances in which this may
operational cyber security standards
constitute a breach of Australian law?
across the economy (e.g. legislation,
regulation, or further regulatory 3. How can Australia, working with our
guidance)? neighbours, build our regional cyber
resilience and better respond to
b. I s further reform to the Security of
cyber incidents?
Critical Infrastructure Act required?
Should this extend beyond the existing 4. What opportunities exist for Australia
definitions of ‘critical assets’ so that to elevate its existing international
customer data and ‘systems’ bilateral and multilateral partnerships
are included in this definition? from a cyber security perspective?
c. Should the obligations of company 5. How should Australia better contribute
directors specifically address cyber to international standards-setting
security risks and consequences? processes in relation to cyber security,
and shape laws, norms and standards
d. S
hould Australia consider a Cyber
that uphold responsible state behaviour
Security Act, and what should
in cyber space?
this include?
6. How can Commonwealth Government
e. How should Government seek to monitor
departments and agencies better
the regulatory burden on businesses
demonstrate and deliver cyber security
as a result of legal obligations to cyber
best practice and serve as a model for
other entities?