The landscape of cyber security in Australia is undergoing significant shifts, with the unveiling of the Australian Government Cyber Security Strategy 2023-2030, updates to the Essential Eight, and the Government's response to the Privacy Act Review. For Australian business professionals keen on staying abreast of these changes, we present an overview of the changes and how these developments may impact your operations.

Australian Government Cyber Security Strategy 2023-2030

The newly introduced strategy outlines the government's commitment to strengthen cyber security nationwide, safeguarding Australia and its citizens from cyber threats while seizing opportunities to emerge as a leader in the cyber technology sector. The strategy employs a holistic approach by establishing six defensive "shields" which distribute cyber responsibilities across the community, from individuals securing personal information to businesses fortifying systems, and collaborations between the government and critical infrastructure providers.

From a business standpoint, key considerations include:

  • Supporting small and medium businesses in enhancing cyber security
  • Collaborating with industries to counteract the ransomware business model
  • Offering clear guidance for businesses
  • Establishing a comprehensive threat intelligence network for the entire economy
  • Strengthening law enforcement and global cooperation to combat cybercrime

Key points and topics affecting businesses are:

Small and Medium Business Support

To assist small and medium-sized businesses in fortifying their cyber security, the government will provide free, tailored assessments through a cyber health check program. This initiative aims to enhance the cyber posture of businesses by offering educational tools and materials. Additionally, a new Small Business Cyber Security Resilience service will provide victim support services to help businesses respond to and recover from cyber incidents.

Ransomware

As ransomware attacks escalate, the government is collaborating with industry to design a no-fault, no-liability ransomware reporting obligation. This mandatory reporting, coupled with a no-fault principle, ensures that reporting incidents will not result in blame allocation. The gathered data will contribute to the development of a ransomware playbook, offering clear guidance on preparing for, dealing with, and recovering from ransomware attacks.

Clear Guidance

Recognizing the need for clear guidance on cyber security, the government plans to collaborate with industry to design best practice principles for good cyber governance. A Cyber Incident Review Board will be established to review incidents, share lessons learned, and uplift cyber resilience nationally. To improve access to advice and support post-cyber incidents, a single reporting portal will be introduced on cyber.gov.au.

Threat Intelligence

In partnership with industry, the government aims to establish a threat-sharing network for rapid information exchange across industries. Enhancements to the Australian Signals Directorate's threat sharing platforms, developed collaboratively with industry, will facilitate the generation and sharing of threat intelligence across sectors.

Enforcement

Acknowledging the need for international collaboration, the government aims to defend and strengthen international standards in cyberspace. Australia will align with industry-led standards and advocate for high-quality trade rules to support a reliable and interoperable environment for digital trade. The government will deter and respond to malicious cyber attacks, holding those who breach international law accountable.

Essential Eight Update

The Australian Signals Directorate has released its annual update to the Essential Eight Maturity Model. These changes are based on cyber threat intelligence, feedback from both government and industry, and uplift activities.

The key areas which have been a focus for this update are:

  • Balancing patching timeframes, to prioritise and emphasise the patching of high-risk applications and vulnerabilities, and updating the timeframes for all patching to reflect those priorities.
  • Strengthening Multi-Factor Authentication (MFA) by requiring it for web portals that store sensitive data (e.g. personal, health and identity documentation), tightening the use of stronger forms of MFA, and increasing adoption of phishing-resistant MFA (e.g. smart cards, security keys or Windows Hello for Business).
  • Enhancing administrative privilege controls to explicitly identify, and strictly limit, the access and duties that accounts require. Requirements have also been added to ensure consistency with governance processes for granting, controlling and rescinding privileged access to systems and applications.
  • Other adjustments to the requirements around application control and application hardening, in particular according to maturity level.

For more detailed information on the changes to the different maturity levels of the Essential Eight, visit here. Other information on the Essential Eight can be found here.

Government response to the Privacy Act Review

Following on from public consultation to the Privacy Act Review Report released in February 2023, the Government has released its formal response, which can be found here.

This will drive the reform of the Privacy Act under the following 5 focus areas.

  1. Bringing the Privacy Act into the digital age – by recognising the need to protect privacy and determining how best to apply the Act to a broader range of information and entities that handle personal information online.
  2. Uplift protections – by requiring entities to be accountable for handling individuals’ information and enhancing requirements to keep information secure and to destroy it when it is no longer needed.
  3. Increase clarity and simplicity for entities and individuals – by providing greater clarity on how to protect people’s privacy and simplifying the obligations that apply when handling personal information. This aims to improve coherence across different legal frameworks, simplify requirements and reduce inconsistencies.
  4. Improve control and transparency for individuals over their personal information – by improving consent and notice mechanisms, exploring individuals’ rights in relation to personal information, and increasing avenues to seek redress for interferences with privacy.
  5. Strengthen enforcement – by increasing OAIC enforcement powers and expanding the scope of orders a court may make in civil penalty proceedings.

There are still many steps before the Privacy Act reforms are implemented, including the development of legislative proposals, engagement with entities to determine how the proposals could be implemented, and detailed impact analysis. Transition periods will also need to be considered to give industry time to make any changes the reforms require.

Conclusion

The Government is responding to the rapidly evolving landscape of cyber security and developing a cohesive strategy to respond in the future. These initiatives underscore the government's commitment to bolstering cyber resilience across the nation. For businesses, this translates to enhanced support for small and medium enterprises, collaborative efforts to combat ransomware, and clearer guidance on cyber security measures. The focus on threat intelligence sharing, enforcement of international standards, and updates to the Essential Eight further emphasise the government's proactive stance. As Australia navigates these advancements, businesses can anticipate a more secure and privacy-focused digital environment, driving growth and innovation with confidence.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
