The federal government will lean heavily on the private sector to help it deliver its long-awaited national cyber security policy and initiatives like voluntary infosec health checks for businesses and joint threat sharing centres in capital cities.
iTnews can exclusively reveal the policy, which is expected to be released in the coming weeks, will contain five key pillars intended to help Australia grow by embracing disruptive technologies from a secure footing in all areas of the economy.
The 46-page strategy, sighted by iTnews, is the first update to Australia's national cyber security policy since 2009.
Businesses and government agencies have been awaiting the updated document since late 2014, when then-PM Tony Abbott announced a review of the ageing strategy.
It had initially been planned for delivery in mid-2015 but failed to materialise, and was subject to further delays following Malcolm Turnbull's ascension to the prime ministership.
iTnews understands several minor tweaks have been made to the version of the document iTnews sighted in the lead up to its launch, expected within the next fortnight.
While the document makes no mention of funding, several well-placed sources told iTnews the policy is expected to be allocated several hundred million dollars from existing coffers.
It is understood there will be no new funding for the policy in the upcoming federal budget.
A spokesperson for the Department of Prime Minister and Cabinet said the policy's funding allocation would be announced when the strategy is released in a few weeks' time.
They said the strategy had yet to be finalised.
Leaning on the private sector
The document outlines five key areas: strengthening cyber defences, education, partnerships, research and development, and awareness, containing a total of around 19 specific initiatives.
Much of the policy relies on assistance from the private sector, which the government will lean on to help deliver the majority of its points of action.
To harden Australia's networks and systems to compromise and make them resilient to attack, joint public-private sector threat centres will be established in "key" capital cities to share information on threats quickly, the policy states.
The initiative will include a real-time, online information sharing portal for organisations on cyber security threats.
Businesses, government agencies from around the country, and researchers will be co-located and help produce data and advice for organisations to help improve their security posture.
The government will fund a pilot of the threat centres before rolling out nationally to assess the viability of the approach.
The private sector will also be asked to help design voluntary cyber security guidelines that outline good practice, alongside "health checks" for cyber security governance that boards and senior management can use to compare their infosec defences to others.
The guidelines will be based on the Australian Signals Directorate's 'strategies to mitigate targeted cyber intrusion'.
The health checks will initially be limited to ASX 100 organisations and will become available to others over time, according to the policy.
Guidance will also be developed for government agencies to help them manage supply chain risks for IT equipment and services, and rolling independent assessments will be funded to ensure agencies are properly implementing the ASD’s 'strategies to mitigate targeted cyber intrusions'.
As announced in Turnbull's December 2015 innovation statement. the government plans to create a 'cyber security growth centre' that will facilitate research and development in the field to ensure Australia is "open for business".
It also intends to promote the export of Australian cyber security services, particularly to the Indo-Pacific region, through things like expanding its 'enterpreneurs and innovation' program to support cyber security.
The region is a specific focus of the policy, which reveals the government wants to build out cyber security capability in the Indo-Pacific through public-private partnerships as part of its goal to prevent and stop "malicious cyber activity" in the region.
The strategy pledges to partner with international law enforcement agencies to "shut down safe havens" for cyber criminals.
Skills and education
The document acknowledges a cyber security skills "crisis" and pledges to establish "academic centres of excellence" in universities to help increase the quality and amount of skilled IT security professionals.
The standard for accreditation in the centres will be "high", according to the strategy, without offering further detail.
All centres will offer under- and post-graduate cyber security courses, and, in limited centres, executives will have the opportunity to upskill.
The policy identifies the tertiary sector as requiring the most urgent attention. Within schools, the government said it would work with businesses and researchers to "ensure more children at school study relevant subjects".
The government also plans to partner with the private sector and state governments to create cyber security apprenticeships in TAFEs.
Boosting cyber skills in government
The government promised to increase the size of the national Computer Emergency Response Team (CERT Australia), which serves as the main port of call within government for infosec issues affecting businesses, by an undisclosed number.
It similarly pledged to increase the number of skilled cyber security specialists within the AFP, Crime Commission and Australian Signals Directorate.
Internally, the government intends to streamline its cyber security structures. At the moment, cyber capability and expertise exists in pieces across a myriad of agencies including the Department of Premier and Cabinet, the AGD, ASD and others.
More broadly, Turnbull will hold annual cyber security summits with business leaders to "set the strategic cyber security agenda" and "drive the delivery of key initiatives", according to the document.
Awareness campaigns will be undertaken to alert the general public to cyber security risks.
The government also plans to quantify the cost of cyber attacks to the Australian economy, with the help of the private sector. The figure most often quoted is Symantec's estimate of $1 billion a year.
It has pledged to update the document's action plans every 12 months and review and modernise the strategy every three years.
Is it enough?
Early reactions to the strategy by security industry insiders indicate the long wait for its arrival may not have been worth it.
"This is hardly pushing the boundaries," one infosec specialist said, requesting anonymity due to employment sensitivities.
"The initiatives mirror those overseas, it's hardly new."
"This is about Australia playing catch up with the rest of the world," another high-ranking industry insider said.
Specifically, several cyber security specialists questioned the need for another set of voluntary guidelines given the existence and use of the ISO and NIST standards.
The Australian Securities and Investments Commission last year endorsed the US NIST framework as part of its cyber security resilience health check [pdf].
"NIST is becomingly widely adopted. How is this Australian standard different to ISO and NIST, and what is the overhead to business? You don't want NIST plus ISO plus an Australian standard," the first infosec specialist said.
Questions were also raised about the undetailed funding attached to the policy given the amount of money poured into cyber security by the US and UK governments.
In February, US President Barack Obama proposed a US$5 billion (A$6.62 billion) hike in cyber security funding for the fiscal 2017 budget to US$19 billion, while the UK government last year announced plans for a £1.9 billion (A$3.5 billion) investment in cyber security.
It is understood the Australian government will reallocate several hundreds of millions in funding to the policy without providing any new money in the next federal budget.
"Whether or not it will be effective depends on the funding," the first industry insider said.
"If it's well funded and implemented well, that makes all the difference. If not, what's the point."
A spokesperson for the Department of Prime Minister and Cabinet said the agency had consulted with over 190 public and private sector organisations both locally and overseas to develop the strategy.
They said feedback from the private sector indicated a necessity for partnerships between government, industry and researchers.
"The private sector owns and operates much of the nation's critical infrastructure and they rely on the internet to innovate in their business models and deliver products and services online," the spokesperson said.
"They have overwhelmingly supported the government's intention to update its cyber security strategy.
"Companies and academic institutions have indicated they are keen to align their work with the government's strategy, including co-design and co-investment in initiatives to strengthen Australia's capacity to tackle the threats and maximise the economic opportunities of a secure and trusted cyberspace."