A ransomware playbook for businesses and attracting migrants with cyber expertise are some of the ways Australia will look to bolster its cybersecurity, according to a new federal government plan.
Key points:
- The 2023-2030 Australian Cyber Security Strategy outlines how the government would try to better protect itself, individuals and businesses from cyber criminals
- As part of the $586 million plan, the government has committed to better-protected infrastructure
- The government has also vowed to work with international partners to help deter malicious cyber activity
The 2023-2030 Australian Cyber Security Strategy has outlined ways the Australian government and its agencies would try to better protect themselves, individuals and businesses from cyber criminals – a year after millions of Optus and Medibank customers had their personal data leaked in high-profile cyber attacks.
The report also comes a week after the nation’s digital spy agency revealed reports of cybercrime were up 23 per cent on the year before and were now being made to law enforcement agencies every six minutes.
Cyber Security and Home Affairs Minister Clare O’Neil pointed the finger at the previous government for leaving Australia in a “cyber slumber,” but promised the plan would make businesses, government agencies and individuals more difficult targets for cybercriminals.
Ms O’Neil also noted that while the cyber threat is growing, cybersecurity provided an opportunity for jobs and product development.
Ransomware playbook for businesses
As part of the $586 million plan, the government has committed to better-protected infrastructure, while also funding cyber awareness programs to better educate the population.
It will also look to expand its Digital ID program – which is a way to verify yourself online without handing over personal data – to limit how much sensitive information people need to share with businesses and government services online. But it did not outline exactly what the expansion would look like.
The plan has put a focus on businesses too, promising to create a “ransomware playbook” to guide businesses on how to prepare for and respond to a cyber attack.
After receiving hundreds of submissions from business and stakeholders, the government said it would also consider developing a single reporting portal to make it easier for businesses to report cyber incidents.
The government also wants to establish a mandatory no-fault reporting scheme so businesses report ransomware attacks and payments, after concerns some businesses were withholding information about the scale and scope of hacks out of fear customers and regulators would use that against them.
The federal government confirmed last week it was considering legislation, similar to what is in place for agencies in the United States, which would create a “legal safe harbour” and ensure information provided to intelligence agencies in such circumstances could not be used for other purposes.
Smart devices could also be measured for how cyber safe they are, but the plan showed this would be a voluntary scheme, designed with industry.
Attracting migrants to grow cyber workforce
Following last year’s Optus attack – and in changes flagged by Ms O’Neil earlier this month – telecommunications companies will be classified as “critical infrastructure,” requiring them to report to government on their cybersecurity strategies in the same way as energy providers, hospitals and ports.
During a national cyber crisis, the government also wants to be able to direct businesses to take specific actions when responding to the hack, to ensure any secondary consequences are managed, but outlined this would only be used as a last resort.
The plan showed Australia would look abroad to boost its cyber defences, by seeking to attract highly skilled migrants to grow the cyber security workforce.
The government has also vowed to work with international partners to help deter malicious cyber activity by publicly imposing sanctions on those who take part in major cyber attacks.
All up, the government said it would spend more than $586 million to implement the strategy, on top of the $2.3 billion already being spent on cybersecurity.