Cyber security in Australia: Policies, funding and initiatives for the digital economy

Digital Economy Strategy

The Digital Economy Strategy was released on 6 May 2021 and discusses a number of actions the government will take to grow Australia's future as a leading digital economy, including cyber security measures. Its goal is that by 2030, "Australia leads the world in smart regulation and initiatives to ensure Australia has the safest and most cyber secure environment for Australians living and working online, building trust in the digital economy and opening up new economic opportunities." Measures of success in the strategy include:

• 95 per cent of SMEs use e-commerce and cyber security tools, opening them up to new markets and improved productivity and resilience
• the security of critical infrastructure and essential services like water, telecommunications and energy is enhanced
• high levels of cyber security across Australian Government systems to protect national security and personal information.

Strengthening Australia’s cyber security regulations and incentives

On 13 July 2021, the Australian Government opened consultation on "options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia's digital economy". It is intended that the progression of recommendations will build on current reforms for critical infrastructure by uplifting cyber security requirements of all digitally enabled businesses.

The government sought feedback on three areas:

• Setting clear cyber security expectations through cyber security standards for corporate governance, personal information and internet of things devices
• Increasing transparency through cyber security labelling for smart devices, software vulnerability disclosure policies and health checks for small businesses
• Protecting consumer rights through appropriate legal remedies for victims

Written submissions closed on 27 August 2021. As of 20 October 2021, the Department had received 143 submissions in response to the discussion paper.

Ransomware Action Plan

In October 2020, the government released the Ransomware Action Plan, outlining a plan to introduce tougher penalties for ransomware criminals, in line with its position that "Australia takes a zero tolerance approach to ransomware."

Legislative reforms will see a standalone aggravated offence created for cyber criminals who target critical infrastructure. The government also supported the introduction of a mandatory reporting scheme for ransomware incidents. It is intended that these new measures will be developed through the introduction of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently being considered by Parliament.

Further legislative measures will also be taken, including the criminalisation of buying and selling of malware for the purposes of undertaking computer crimes as well as the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties.

The Plan also outlines current initiatives already being undertaken to improve general cyber security including strengthening capabilities to counter cyber crime with a $164.9 million investment, providing the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) with additional powers, as introduced by the previously discussed Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 and providing technical advice to businesses.

Finally, the Plan firmly sets out the Commonwealth's policy position regarding ransomware payments. The Plan states that it does not condone ransom payments and that any payment fuels the ransomware business model, putting other Australians at risk.

Cyber Security Cooperative Research Centre policy paper

On 12 October 2021, the Cyber Security Cooperative Research Centre (CSCRC) published its policy paper titled "Underwritten or oversold? How cyber insurance can hinder (or help) cyber security in Australia". The paper argued that whilst cyber insurance can play a positive role in uplifting cyber security in Australia, it is problematic.

The CSCRC identified extortion payment cover as the main area of concern, stating that it feeds the criminal enterprise of ransomware gangs, especially those that prey on insured organisations. The paper concluded by recommending that cyber insurers should be banned from offering cover to pay ransoms. It also identified two other problems with cyber insurance - namely, that in the event of a cyber attack, the insurer's role in the complete management of a cyber incident may result in the insurer potentially being in the position of a shadow director; and that cyber insurance engenders complacency.

However, a direction not to pay the ransom is easier said than done. It assumes an organisation's ability to recover and survive without paying a ransom to recover its data. A ban on extortion cover will also not stop ransom payment. Our analysis of this policy paper can be found here.

State government policies

NSW Cyber Security Policy

The 2021 NSW Cyber Security Strategy builds on the previous NSW Cyber Security Strategy and the 2018 NSW Cyber Security Industry Development Strategy and creates one overarching strategy.

The Policy's principles include that the government leads by example in cyber resilience. To do so, government agencies will have increased accountability for adhering to the mandatory Cyber Security Policy requirements and there will be an emphasis on preparedness through incident and emergency plans and business continuity plans. The NSW Government also committed to establishing a mandatory notifiable data breach scheme for government agencies.

Victoria's Cyber Strategy 2021

In September 2021, the Victorian Government released its cyber security strategy for the next five years. Actions to take under the Plan by the end of 2022 include:

• deploying a monitoring program to protect the public sector against attacks to improve risk governance of government agencies' IT assets and ensure high cyber resilience. Suppliers to government will also need to be aware of this program
• collaborating with critical infrastructure sectors to support the continuous review of Victoria's cyber emergency management arrangements and ensuring consistent cyber standards. This will also include intelligence sharing between these sectors and the government
• boosting police capability to prevent, detect, disrupt and prosecute cybercrime
• establishing an Expert Advisory Panel to provide insight on current and future risks and offer mitigation strategies, as well as feedback on cybercrime education programs and possible legislative reform
• enhancing cyber skills pathways by establishing internship opportunities and continuing to support cyber skill-based education courses.

Digital Strategy for the Western Australian Government 2021-2025

The WA Government plans to improve cyber security resilience, expand the delivery of secure online government services, and improve transparency and accountability about how the government manages personal data. Initiatives include:

• establishing the Cyber Security Incident Reporting Portal to assist government agencies
• building public sector capability by hiring cyber security professionals
• utilising the Cyber Security Operations Centre to improve visibility of cyber threats and to detect and respond to incidents
• progressing privacy and responsible information sharing legislation
• introducing cyber security controls outlining safety standards that must be implemented by government agencies.

Northern Territory Government Joint Cyber Security Service (JCSS)

On 26 June 2021, the Northern Territory Government, in partnership with the Australian Government, launched the Darwin Joint Cyber Security Service. The NT's JCSS is the sixth to launch in Australia since 2018 and is a collaborative hub between the state and federal governments delivered as part of the Australian Cyber Security Centre's wider Partnership Program. The JCSS will offer cybersecurity advice and expertise to the local industry, with a main focus on guiding SMEs.

Funding

Cyber Security Skills Partnership Innovation Fund

On 25 October 2021, the Australian Government announced an additional $43.8 million in funding to grow Australia's cyber security workforce through the Cyber Security Skills Partnership Innovation Fund. The fund will provide grants between $250,000 and $3 million to support innovative projects that boost Australia's cyber security workforce.

Eligible activities include developing and delivering specialist cyber security courses for professionals, retraining programs, professional development, apprenticeships, establishing new internships, cadetships, work experience and staff exchanges, and establishing cyber labs and training facilities.

Cyber Security Assessment Tool

In 2021, the Department of Industry, Science, Energy and Resources launched its Cyber Security Assessment Tool for small to medium-sized businesses. The tool asks a series of questions about how cyber security is currently managed within an organisation and assists businesses in:

• identifying cyber security strengths
• understanding areas for improvement
• providing recommendations on how to improve cyber security and where to find assistance.

Hardening Government IT (HGIT) Initiative

In July 2021, three Cyber Hub Pilots were established by the Department of Home Affairs, Department of Defence and Services Australia to provide cyber services for those government agencies who cannot match their breadth and depth of skills. The three departments are responsible for their own design and implementation of their hubs, which should provide services and an operating model to improve their own and other agencies' defences.

This initiative, however, has been problematic, with the Department of Home Affairs outsourcing work on its hub to Ernst & Young for nearly $2.5million as it does not have staff with the necessary specialist skills.