Australia is ranked as the world’s fifth most powerful cybernation, with a cybersecurity market that is estimated to be worth US$5.99 billion as of 2023 and is expected to reach US$13.95 billion by 2028. Yet every 7 minutes, a cybercrime is reported in Australia. In the 2021–2022 fiscal year, 76,000 cybercrimes were reported in Australia. This is a 13 percent increase from the previous year. Clearly, the scale and sophistication of cyberattacks are increasing.
To combat this, in early 2023, the Australian government announced the development of the 2023-2030 Australian Cybersecurity Strategy. The objective of the strategy is to make Australia the most cybersecure nation in the world by 2030. The Australian government plans to lead a nationally coordinated approach to build Australia’s cybersecurity and resilience. To accomplish this, the Australian government also released a discussion paper for review and consultation. The discussion paper outlines the core policy areas that are addressed in the strategy and a series of potential actions to take by 2030. Other regions around the world can learn valuable lessons about cybersecurity from this effort, and as such, it is worth exploring each topic in more detail.
Core Policy Areas
The cyberstrategy highlights three guiding policies:
- Enhance and harmonize regulatory frameworks—One of the challenges facing enterprises in Australia today is a lack of clarity in terms of cybersecurity obligations, both from an operational perspective and as organizational directors. Though there are a range of implicit cybersecurity obligations designated to Australian enterprises and nongovernment entities, it is the need of the hour to have more explicitly stated obligations to increase national cyberresilience.There are also opportunities to simplify and streamline existing regulatory frameworks to ensure easy adoption of those frameworks and cybersecurity obligations. It is being debated whether there is a need to develop a new cybersecurity act and whether further development to the existing Australian Security of Critical Infrastructure (SOCI) Act is necessary to ensure that the powers afforded to the government under the act extend to major data breaches.
- Strengthen Australia’s international cybersecurity strategy—Another important aspect of the upcoming Australian Cybersecurity Strategy is to strengthen international cyberleaders to enable them to seize opportunities and address challenges presented by the shifting cyberenvironment. To keep up with new and emerging technologies, this cybersecurity strategy aims to take tangible steps to shape global thinking about cybersecurity.
- Secure government systems—Only 11% of government entities and agencies reached Overall Maturity Level 2 through the implementation of the Essentials 8 controls, and the majority of the entities have yet to implement basic policies and procedures. Enhancing governmental cyberposture requires a framework that accounts for best practice standards, evaluation, transparency, reporting and aligned incentives. Sufficient support, accountability and leadership for individual government departments and agencies are necessary to manage their cybersecurity risk profiles.
Areas for Potential Action by 2030
Multiple action items have been outlined to support Australia’s desired cybersecurity strategy, including:
- Improving public-private mechanisms for cyberthreat sharing and blocking—It is a goal to enhance cybersecurity threat sharing and blocking through public-private partnerships, including consideration of issues pertaining to information sharing, access, declassification of intelligence and existing regulatory frameworks.
- Supporting Australia’s cybersecurity workforce and skills pipeline—The Australian government is pursuing a broad agenda related to science, technology, engineering, and mathematics (STEM) skills, which support the growth of the future workforce, including those in the field of cybersecurity.
- National frameworks to respond to major cyberincidents—The strategy aims to provide a mechanism to improve the manner in which Australia responds to major cyberincidents. The Australian government must ensure that frameworks for incident management and coordination are fit-for-purpose and conduct post-incident reviews and consequence management procedures following major cyberincidents. The Australian government should also share the root cause findings from investigations of major cyberincidents to further secure systems and take proactive steps to minimize such incidents in the future.
- Community awareness and victim support—The strategy also aims to invest further in cybersecurity community awareness and skills building. The Australian government must explore opportunities to increase support available to victims of cybercrime.
- Investing in the cybersecurity ecosystem—To become the most cybersecure nation by 2030, Australia must create an environment that attracts investment in cybersecurity and other critical technologies. There is a range of potential measures that could be explored to promote trade and investment in this space, with clear opportunities for collaboration between federal, state and territory governments.
- Designing and sustaining security in new technologies—Another potential action item of the strategy is to investigate and be accountable for changes in the strategic and technological environment in the coming years. The strategy must address the cybersecurity landscape with consideration for new technologies such as quantum, communication technologies, the Internet of Things (IoT), artificial intelligence (AI) and machine learning (ML).
- Implementation governance and ongoing evaluation—The cybersecurity strategy will form a solid foundation for an evolving approach to Australia’s cybersecurity lasting into the future. This requires strong governance and a transparent, meaningful evaluation framework to ensure that the Australian government’s vision is realized and that the strategy is fit-for-purpose now and into the future.
Reshaping the Cybersecurity Landscape
The discussion paper and the upcoming Australian Cybersecurity Strategy demonstrate the Australian government’s commitment to reforming and reshaping its existing cybersecurity landscape. The Australian government has made clear that it wants to be at the forefront of leading Australia’s cybersecurity reform and working with enterprises to create a nationally cohesive cybersecurity framework. It will be interesting to see what steps the Australian government takes next toward its goal of making Australia the most cybersecure nation by 2030.
Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, GDPR-CDPO is an analytical thinker, writer, certified trainer, global mentor, and advisor in the areas of information and communications technology (ICT) governance, cybersecurity, business continuity and organizational resilience, data privacy and protection, risk management, enterprise excellence and innovation, and digital and strategic transformation. He is a certified data protection officer and was awarded Chief Information Security Officer (CISO) of the Year awards in 2021 and 2022, granted by GCC Security Symposium Middle East and Cyber Sentinels Middle East, respectively. He was also named a 2022 Certified Trainer of the Year by the Professional Evaluation and Certification Board (PECB). He is a public speaker and conducts regular training, workshops, and webinars on the latest trends and technologies in the fields of digital transformation, cybersecurity, and data privacy. He volunteers at the global level of ISACA® in different working groups and forums. He can be contacted through email at hafiz.ahmed@azaanbiservices.com.