The federal government has begun consulting on the development of Australia’s next cyber security strategy to best position the nation to respond to a changing threat environment.
Home Affairs minister Peter Dutton on Friday released a discussion paper seeking views to shape the country’s 2020 cyber security strategy.
The strategy will replace the 2016 cyber security strategy, which was the first update to Australia’s national cyber security policy since 2009 and was accompanied by $230 million.
But with the threat environment fast evolving, the discussion paper points to the need to reconsider the role that governments, businesses and the community play in responding to threats.
“Cyber security has always been a shared responsibility, but it is worth asking whether the balance of responsibilities among these groups is right,” the discussion paper states.
As part of this, the discussion paper also asks “whether government’s role should change to offer greater assistance to Australian businesses to defend against highly sophisticated malicious actors”.
“The Government currently uses its cyber security capabilities within a legislative framework that was established before the internet became a foundational element of our economy, and without a modern perspective on how malicious cyber activity crosses traditional geographical borders,” the paper states.
“Maintaining the confidence of the Australian community is the first priority when considering how and when Government should use its cyber security capabilities.”
The government is particularly concerned about critical infrastructure such as energy, water, telecommunications and transport.
It has already moved to shore up these industries through new legislation last year aimed at securing around 165 “highest-risk critical infrastructure assets”.
The new strategy, which Dutton said would build on the foundations established through the 2016 strategy, will be developed with input from industry, research partners and community groups.
“Strong collaboration and partnerships are vital to ensure this strategy is well positioned to tackle the cyber security challenges we face as a nation,” he said.
He said a panel of cyber security experts would also be appointed in the “coming weeks” to guide the development and implementation of the strategy.
Submissions to the discussion paper will close November 1.
Progress on 2016 strategy
With only one annual update of the 2016 cyber security strategy released to date, the government also used the discussion paper to provide its second annual progress report.
The progress update reveals that 25 of the 33 goals set in the 2016 strategy are now complete, with eight ongoing or having been updated.
Only six goals had been completed at the time of the only other annual update, which was released in April 2017.
Dutton described the latest progress against the goals as “strong” in the discussion paper’s foreword, but said the government needed to adapt its approach in light of the changing threat environment.
Much of the progress relates to the reorganisation of Australia’s cyber operations, including co-locating the government’s cyber security functions in the Australian Cyber Security Centre, and building capacity within the law enforcement agencies.
Other completed actions include creating Joint Cyber Security Centres in Sydney, Brisbane, Melbourne, Perth and Adelaide, as well as establishing the Cyber Security Growth Network.
While the majority of the five incomplete goals relate to ongoing partnerships with other governments, businesses and education providers, one reveals that annual cyber security leaders’ meetings have not been held since 2017.
The three “updated approach” actions relate to improving the cyber security of government agencies through a “rolling program of independent assessments” and take into account funding at the last federal budget for sprint teams.
“ASD is using new technology solutions to improve agency cyber hygiene at scale. This includes automated scanning tools to identify vulnerabilities in external facing systems across government,” the paper states.
“Dedicated technical ‘Sprint Teams’ have also been created to uplift cyber security for select Australian Government agencies.
“In addition to improving cyber hygiene these Sprint Teams will create a situational awareness of the maturity across these agencies of their implementation of the Essential Eight Maturity Model.”