Australia’s New Cyber Security Strategy: Call for submissions

On 8 December 2022, the Minister for Cyber Security, the Hon. Clare O’Neil MP, announced an ambition to develop the 2023-2030 Australian Cyber Security Strategy with a view to Australia becoming the most cyber secure nation by 2030. An Expert Advisory Board was appointed to oversee the development of the strategy and, on 27 February 2023, the board released a discussion paper inviting the public to make submissions. It now seems, though, that a lot has happened in the cyber security space since 27 February 2023!

Background to Australia’s New Cyber Security Strategy

The background to all of this is a well-trodden path littered with the compromised personal data of some of Australia’s largest companies and institutions, Medibank, Optus and QUT to name the most prominent. The Discussion Paper acknowledges that relatively regional and contained conflicts such as the Russia-Ukraine conflict might spill across borders and impact essential services on the other side of the world and, in this context, acknowledges that existing regulatory frameworks need to be enhanced and harmonised.

All of this, of course, seems to have developed an even more painful sting and greater urgency in light of the Pentagon leaks that saw top secret data on military activities, including deployments of U.S. drone spy planes and use of ammunition by Ukrainian forces, published on social media.

Australia’s New Cyber Security Strategy: Call for legislative or regulatory reforms

Acknowledging that the outcomes of the Attorney-General’s Department’s Review of the Privacy Act 1988 will significantly enhance Australia’s digital security, as will the National Plan to Combat Cybercrime and the Australian Competition and Consumer Commission Digital Platform Services Inquiry 2020–25, the discussion paper calls for suggestions about what legislative or regulatory reforms could be pursued to enhance cyber resilience across the digital economy.

The discussion paper also asks for input about how Australia might elevate engagement with international partners, what opportunities there are to better support the development of international technology standards, particularly in relation to cyber security, and how government and industry could partner to uplift cyber resilience and secure access to the digital economy, especially in South East Asia and the Pacific. It also asks for input on building cyber skills through enhancements to the Government’s broader STEM agenda and existing education, immigration and accreditation frameworks.

If any of this sounds familiar, it might be worth re-reading the 2020 Cyber Security Strategy and its core themes. We covered the current strategy in our post from 2020.

Australia’s Cyber Security Strategy 2020: What About Privacy?

Australia’s New Cyber Security Strategy: Back to basics?

All of this and it looks like the Pentagon data breach is probably more attributable to poor document control and management than to anything that might require a bleeding-edge cybersecurity posture. Now that’s a ringing endorsement of the OAIC’s Privacy Awareness Week 2023 mantra of Privacy 101 – Back to Basics. It looks like some of the leaked documents were photocopies.

And then, just after the release of the Discussion Paper, MIT Technology Review released its benchmark of the digital security preparedness of enterprises across the threat landscapes of the world’s top economies (CDIreport.pdf) and declared Australia in first place, showing the greatest progress in, and commitment to, progressing cyber security. It ranked Australia first in 3 of 4 assessment criteria, being critical infrastructure, organisational capacity and policy commitment. The only gong that Australia missed out on was cybersecurity resources (being technological and legal enforcement including data privacy and protection legislation).

While that might come as a surprise to those of us who have been lining up for new driver’s licences, it is perhaps even more bewildering that the MIT Technology Review assesses Germany’s economy as ‘lacking digital savvy’, being the lowest-ranked EU member in the CDI with a low uptake of modern cloud-native approaches to technology, hampered by a lack of appropriately skilled workforce talent.

It is also no doubt a surprise for those of us who have watched previous iterations of grandiose Cyber Security Strategies which, while aspirational, have had limited actual impact on the ground in terms of turning up the dial on cyber security capabilities in Australia. This is notwithstanding the findings of the MIT Technology Review.

So watch this space …


Australia’s New Cyber Security Strategy: Call for submissions

The Discussion Paper calls for submissions to be made by 15 April 2023 to

Privacy, software design and technology. Ian is a privacy, IT and software contracts lawyer with over 30 years of experience as a lawyer and over 20 years of experience advising on the legal aspects of data management and processing.