The federal government will knuckle down on its cyber security strategy, with browser-level threat blocking, vulnerability research, a potential intervention on cyber insurance, and a frank discussion of whether regulations help or hinder cyber maturity, all now on the table.

Home Affairs late yesterday kicked off the transition from horizon one to horizon two under the 2023-2030 cyber security strategy.
This comes with a cache of documents, including a report card [pdf] on its horizon one initiatives; a priority list [pdf] for horizon two, which spans 2026 to 2028; and a new “evaluation model” intended to benchmark its progress.
The cyber strategy is arranged around six overlapping ‘shields’ that, together, are intended to create a multi-layered defensive architecture for Australia.
The big interest will be in the specific initiatives proposed to run under the six shields.
The list is not exhaustive, but at a high level the highlights include:
Potential cyber insurance industry intervention
The government is weighing an intervention in the cyber insurance market to make it easier for small and not-for-profit organisations to access these products.
The insurance industry is credited with “facilitating faster response and recovery from cyber attacks” - for those that are covered.
But policies generally require certain systems and controls to be in place before an organisation will even be considered for coverage.
“We have heard many Australian businesses have difficulty accessing cyber insurance, or see it as too expensive,” Home Affairs wrote.
“The complexities or technical requirements of insurers could also be a deterrent, particularly to SMBs, where they may be unable to meet the cyber security standards applied to larger enterprises.”
Home Affairs notes the cyber insurance market in Australia is “evolving” and that “any interventions from the government need to be carefully considered to not distort the market or inadvertently affect pricing.”
“However, there is a potential role for the government to better support availability of cyber insurance products, particularly for SMBs,” it added.
A frank discussion about cyber regulation
The government is inviting a discussion about whether regulatory or compliance requirements around cyber security - especially imposed by multiple pieces of legislation - have “negatively impacted the cyber maturity of organisations”.
It has foreshadowed further changes to potentially harmonise cyber security laws or obligations, although it notes a delicate balance must be struck.
Data in motion
The government will use the next period to build its understanding of critical data in motion or in transit.
It wants to get a better handle on “data access and transfer across the economy”, particularly to understand data flows in and out of AI models.
“Significant advancements in AI - its ability to ingest and analyse large volumes of data at scale - will enhance risks to Australian industry and communities,” it said.
“To keep pace, we need to enhance our data security.”
Vulnerability research
The government sees security vulnerability researchers as “a valuable, and often free resource” to build resilience, and is finally opening the door to giving them greater protections.
This was a key request in the early days of scoping the cyber security strategy, with UNSW - among others - calling out the legal limbo that researchers face in their line of work.
Horizon two is where the government now looks set to act.
“From a policy perspective, more needs to be done to understand the barriers to vulnerability researchers operating in Australia, the incentives required to encourage them to operate in Australia, and incentives for industry to adopt vulnerability disclosure policies and utilise vulnerability researchers,” it wrote.
“How could [the] government better incentivise businesses to adopt vulnerability disclosure policies?
“Does Australia need a vulnerability disclosure program to provide security researchers with a mechanism for safely reporting vulnerabilities?”
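The standard mechanism for giving researchers a safe reporting channel, and the usual first step in “adopting a vulnerability disclosure policy”, is a security.txt file published at /.well-known/security.txt as defined in RFC 9116. The Python checker below is an added illustration for this page, not part of the Home Affairs documents: it enforces the RFC's core rules (Contact present and given as a URI, Expires present exactly once, timezone-aware and not stale) and flags a missing Policy link. The example.com addresses in the constructed sample files are placeholders.

```python
"""Check a security.txt file against the core rules of RFC 9116.

Added example for this page, not Home Affairs material. The field rules
(Contact must be present as a URI; Expires must appear exactly once and
should be less than a year out) come from RFC 9116; the example.com
addresses below are placeholders in constructed sample files.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return field name -> list of values; comments and blank lines are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (expected 'name: value'): {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    for name in ("Contact", "Expires"):
        if name not in fields:
            problems.append(f"missing required field {name}")

    # RFC 9116: Contact values are URIs; e-mail addresses use the mailto: scheme
    # and web addresses must be https.
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:, tel: or https: URI: {contact}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires must carry a timezone offset (or Z)")
            elif when <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif when > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")

    # Policy is optional in the RFC, but without it a researcher cannot find the
    # disclosure policy the file is supposed to point them at.
    if "Policy" not in fields:
        problems.append("no Policy field: the vulnerability disclosure policy is not linked")
    return problems


# Fixed clock so the sample results are reproducible.
FIXED_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

# Constructed sample files (example.com is a placeholder).
GOOD_SECURITY_TXT = """\
# Constructed sample
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:00Z
Policy: https://example.com/security/policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

BAD_SECURITY_TXT = """\
Contact: security@example.com
Policy: http://example.com/security
"""

EXPIRED_SECURITY_TXT = """\
Contact: mailto:security@example.com
Expires: 2020-01-01T00:00:00Z
Policy: https://example.com/security/policy
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT),
                          ("expired", EXPIRED_SECURITY_TXT)):
        print(label, check_security_txt(sample, now=FIXED_NOW) or "OK")
```

The checker reads a file that is already in hand; fetching it over HTTPS from /.well-known/security.txt and verifying the OpenPGP signature the RFC recommends are left out to keep the example offline.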
Security and scam-blocking at the browser level
A key change between horizons is the move to a more granular level of threat and scam blocking - from industry-level to browser-level models.
“The focus of horizon one has been on the entities that can block and share at scale (ISPs, telcos and financial services) to ensure malicious threats are blocked before they reach end users,” Home Affairs wrote.
“To complement this, under horizon two we want to explore the layers of threat blocking capabilities that exist across our economy and promote the benefits of these to increase uptake (for example enterprise browser security, users increasing security on browsers).”
The government specifically asks how “the use of safe browsing and deceptive warning pages [could] be amplified?”
Not-for-profit protections
The government will use horizon two to put specific focus on not-for-profits and their ability to safeguard sensitive information.
This follows incidents that have hit charities either directly, through their own systems, or through third-party dependencies.
“NFP workforces are highly reliant on volunteers. This can limit their ability to embed a strong security culture through ongoing training and awareness raising initiatives,” Home Affairs wrote.
“The sector concurrently faces pressures to reduce spending on non-mission focused operations including administration and cyber security.
“Public trust is a necessity for NFPs to continue delivering critical services while also encouraging financial, resource and time contributions from the community.
“Ongoing cyber security uplift and resilience is essential to ensure NFPs maintain public confidence in the security of both their sensitive data holdings, as well as donor information.”