Australia’s new cybersecurity strategy tackles the tough issues

The cybersecurity strategy released last week by the Albanese government is about collaboration and communication, not about conjuring our worst national-security nightmares. It’s focused on industry and consumers.

The government, industry and citizens must work together with trust for Australia to make real changes in our cybersecurity, and this strategy recognises that. One of Cyber Security Minister Clare O’Neil’s objectives seems to be humanising cyber and making it appealing and accessible to everyday Australians.

Of the six ‘cyber shields’ in the strategy, ‘strong businesses and citizens’ is number one. The first actions out of the gate are directly helping small and medium-sized businesses with free cyber health checks and establishing a small business cybersecurity resilience service to give advice. Arguably, these are things the Australian Cyber Security Centre should be doing already, but the $7.2 million health checks and $11 million advice program have been welcomed by industry groups.

The government is also inviting business to ‘co-design options’ for regulation or legislative changes that affect industry. These include a ransomware reporting obligation, a new cyber incident review board, a code of practice for cyber incident response providers, mandatory standards for smart devices, a voluntary labelling scheme for smart devices and a code of practice for software development.

It’s great that the government is including industry in the conversation, but open-ended ‘co-design’ risks delaying real action. These phases must be strictly controlled with defined end dates.

More broadly, the strategy isn’t revolutionary. On a generous assessment, perhaps eight of the 48 prescribed actions are new initiatives. The rest Australia has tried before, or has already introduced.

This shows that, even in a constantly moving cybersecurity landscape, there are enduring problems. It also shows that the government is willing to build on what has been done before rather than wipe the slate clean for the sake of politics.

The two most important enduring problems that frustrate Australia’s cybersecurity are information-sharing and cyber workforce shortages, and each has a ‘cyber shield’ dedicated to it.

Information asymmetries between consumers, companies and governments make stopping threats and responding to incidents slow, ineffective and expensive. The strategy seeks to improve information-sharing by creating better motivations and opportunities to share.

Share-price drops, reputation risks and legal ramifications are among the reasons companies avoid reporting cyber incidents to the government. Sometimes it’s honest confusion about when and how to report. The strategy proposes a range of actions to create the right environment to motivate information-sharing.

The ‘no fault, no liability’ ransomware reporting proposal and a proposed ‘limited use obligation’ that clarifies how the Australian Signals Directorate and the cybersecurity coordinator may use cyber incident reporting will give companies greater peace of mind. Clarifying the cybersecurity reporting obligations for owners and operators of critical infrastructure will remove ambiguity about how and when to report.

The strategy also creates opportunities and platforms to foster industry–government threat intelligence sharing through a cyber executive council, streamlining ASD’s reporting portal and establishing or scaling up Information Sharing and Analysis Centres—a model that has worked fairly effectively in the United States for 20 years.

The co-led Microsoft–ASD Cyber Shield, or MACS—although currently opaque—should also enhance national threat intelligence sharing and capabilities. It will focus on detecting, analysing and defending against sophisticated nation-state cyber threats.

Australia’s cyber workforce, however, is the fly in the ointment. Our workforce shortage has been around for decades and is only getting bigger. The problem is even more acute in government, where below-market salaries and onerous security requirements are additional barriers to an adequate cyber workforce.

The strategy refers to building the local cyber skills pipeline through better workforce analysis, vocational training, changes to the primary and secondary curriculum, and additional higher education Commonwealth-supported places. These are good but existing policies. The strategy’s only real new action is increasing skilled migration. In the same breath, questions of detail are shifted to the government’s upcoming migration strategy to answer.

Australia isn’t alone in the global struggle to attract talent, and skilled migration settings are difficult to get right. It also raises complex questions about other major policy areas, not least of which are housing, infrastructure and the cost of living.

There’s a sense that increasing migration is an easy answer to what should be a more expensive and difficult conversation on how to build on the existing policies. One moonshot would be to redirect some of the $15 billion National Reconstruction Fund into subsidising education to get tens of thousands of young Australians into cyber training and careers.

As with all strategies, implementation is essential. An action plan naming lead agencies offers welcome accountability. The strategy’s two-year ‘horizons’ also create a realistic runway with what should be built-in evaluation and pivot points.

And we should expect to pivot, given the degrading security environment and the rate of development of transformational technologies like artificial intelligence. On these, the strategy’s actions are unlikely to put Australia ahead of the curve, being limited to ‘embedding’ cybersecurity into ongoing work and updating the Information Security Manual.

In many ways, the Department of Home Affairs and the broader Australian government are well placed to move forward on cybersecurity. As the strategy itself states, we have robust regulation in the recent Security of Critical Infrastructure Act and strong offensive and defensive capabilities with ASD’s REDSPICE funding of $9.9 billion over 10 years. Australia is a trusted partner sitting within a powerful set of multilateral arrangements, including the Five Eyes, AUKUS, the Quad and the Pacific Islands Forum.

Home Affairs has also established the new cybersecurity coordinator’s office, a separate team to manage the strategy’s implementation, and a detailed action plan to execute. On the other hand, the department is still reeling from the departures of secretary Mike Pezzullo in September and cybersecurity coordinator Darren Goldie last week, after only four months in the job.

Dennis Richardson’s scathing review of Home Affairs’ handling of offshore detention was leaked around the same time Goldie’s recall was announced. One of the unspoken actions of this strategy’s first horizon out to 2025 will be navigating Home Affairs’ leadership uncertainty, fiscal constraint and external scrutiny.