The federal government has finally unveiled its delayed cyber security strategy but left much of the detail to forthcoming legislation that is yet to be put before parliament.

The 52-page strategy, released on Thursday, will see $1.67 billion invested in a number of already-known initiatives aimed at enhancing Australia's cyber security over the next decade.

Much of the funding is from the previously announced $1.35 billion cyber enhanced situational awareness and response package.

The strategy’s key elements include proposed laws and an “enhanced regulatory framework” to secure critical infrastructure, deemed the “best way to protect Australians at scale”.

The new powers will outline the government’s minimum expectation, including an “enforceable positive security obligation for designated critical infrastructure entities”.

“These powers will ensure the Australian Government can actively defend networks and help the private sector recover in the event of a cyber attack,” the strategy states.

“The nature of this assistance will depend on the circumstances, but could include expert advice, direct assistance or the use of classified tools.

“This will reduce the potential down-time of essential services and the impact of cyber attacks on Australians.”

The framework, which will be delivered through amendments to the Security of Critical Infrastructure Act, is also expected to extend to systems of national significance.

Further afield, the government is also considering “legislative changes that set a minimum cyber security baseline across the economy”.

While securing critical infrastructure is a major focus of the strategy, the government also plans to assist SMEs to uplift their cyber security capabilities with the help of large businesses.

One such capability could provide SMEs with ‘bundles’ of secure services such as threat blocking and antivirus, as well as cyber security awareness training.

“Integrating cyber security products into other service offerings will help protect SMEs at scale and recognises that many businesses cannot employ dedicated cyber security staff,” the strategy states.

Secure government hubs

With departments and agencies continuing to struggle to implement rudimentary cyber security controls, government systems and data are key concerns.

In a bid to address them, the government is planning to “centralise the management and operations of the large number of networks” run by agencies as a priority.

The strategy said that centralising networks would allow the government to “focus its cyber security investment on a smaller number of more secure networks”.

“A centralised model will be designed to promote innovation and agility while still achieving economies of scale,” the strategy states.

It also plans to explore the establishment of “secure hubs” to reduce the number of networks that hostile actors can target even further, though the strategy does not elaborate on what this might look like.

The government also plans to expand its cyber security incident exercise program run by the Australian Cyber Security Centre to improve how government and businesses prepare for incidents.

