The federal government has finally unveiled its delayed cyber security strategy but left much of the detail to forthcoming legislation that is yet to be put before parliament.
The 52-page strategy [pdf], released on Thursday, will see $1.67 billion invested in a number of already-known initiatives aimed at enhancing Australia's cyber security over the next decade.
Much of the funding is from the previously announced $1.35 billion cyber enhanced situational awareness and response (CESAR) package.
The strategy’s key elements include proposed laws and an “enhanced regulatory framework” to secure critical infrastructure, deemed the “best way to protect Australians at scale”.
The new framework will outline the government’s minimum expectation, including an “enforceable positive security obligation for designated critical infrastructure entities”.
“These powers will ensure the Australian Government can actively defend networks and help the private sector recover in the event of a cyber attack,” the strategy states.
“The nature of this assistance will depend on the circumstances, but could include expert advice, direct assistance or the use of classified tools.
“This will reduce the potential down-time of essential services and the impact of cyber attacks on Australians.”
The framework, which will be delivered through amendments to the Security of Critical Infrastructure Act, is also expected to extend to systems of national significance.
While much of the focus on critical infrastructure is ensuring assets are properly defended during a cyber attack, the government will also assist operators to "enhance their cyber security posture".
It will do this by using the proposed $62.3 million "classified national situational awareness capability", funded in the CESAR package, to response to threats against critical infrastructure.
Critical infrastructure operators will similarly be able to share intelligence about malicious cyber activity through the government's $35 million cyber threat-sharing platform, which has been on the cards for several years.
Further afield, the government is also considering additional “legislative changes that set a minimum cyber security baseline across the economy”.
It will also expand the cyber security incident exercise program run by the Australian Cyber Security Centre to improve how government and businesses prepare for incidents.
Secure government hubs
With departments and agencies continuing to struggle to implement rudimentary cyber security controls, government systems and data are key concerns.
In a bid to uplift cyber resilience, the government is planning to “centralise the management and operations of the large number of networks” run by agencies as a priority.
The strategy said that centralising networks would allow the government to “focus its cyber security investment on a smaller number of more secure networks”.
“A centralised model will be designed to promote innovation and agility while still achieving economies of scale,” the strategy states.
It also plans to explore the creation of “secure hubs” to reduce the number of networks that hostile actors can target even further, though the strategy does not elaborate on what this might look like.
Standard cyber security clauses will also be introduced into government IT contracts to avoid unnecessary risks.
The strategy notes that federal, state and territory agencies were the target of 35.4 percent of the 2266 cyber security incidents that the ACSC responded to in the 2019-20 financial year.
Around the same number of incidents impacted critical infrastructure providers in the healthcare, education, banking, water, communications, transport and energy sectors.
The government will also provide law enforcement agencies with $124.9 million to strengthen their ability to counter cyber crime, including $89.9 million for the Australian Federal Police.
The funding will sit alongside planned legislation that will assist the AFP to identify individuals engaging in serious criminal activity on the dark web.
The ACSC will also receive a further $31.6 million to improve its ability to counter cyber crime offshore and assist federal, state and territory law enforcement to identify and disrupt cyber criminals.
"The Australian Government will ensure it has fit-for-purpose powers and capabilities to discover target, investigate and disrupt cyber crime, including on the dark web," the strategy states.
The strategy also outlines the government's $63.4 million plan to assist small and medium enterprises (SMEs) to uplift their cyber security capabilities with the help of large businesses.
One such initiative will see large businesses and service provider provide SMEs with ‘bundles’ of secure services such as threat blocking and antivirus, as well as other awareness training.
“Integrating cyber security products into other service offerings will help protect SMEs at scale and recognises that many businesses cannot employ dedicated cyber security staff,” the strategy states.
The government also plans to "provide online training and a 24/7 helpdesk for SMEs that needs cyber security advice or assistance".