On 22 November 2023, the Australian Government committed to investing $586.9 million into its 2023-2030 Australian Cyber Security Strategy (the Strategy) over the next seven years,[1] and delivering key initiatives under three major phases (Horizons).
| Phase | Period | Description |
| --- | --- | --- |
| Horizon 1 | 2023-2025 | ‘strengthen foundations’ by addressing critical gaps in Australia’s ‘cyber shields’, building better protections for vulnerable individuals/businesses, and supporting initial cyber maturity uplift across the region. |
| Horizon 2 | 2026-2028 | ‘expand its reach’ via the Government’s further investments into the broader cyber ecosystem and growing a diverse cyber workforce. |
| Horizon 3 | 2029-2030 | ‘lead the frontier’, through the development of emerging cyber technologies to adapt to new risks and opportunities across the cyber landscape. |
The Strategy is supported by a Cyber Security Action Plan (Plan), which identifies the actions, and the Government agencies accountable for delivering them, under Horizon 1 of the Strategy.
A new Executive Cyber Council will facilitate the delivery of the Plan, which is structured around six ‘Cyber Shields’. The Plan will be reviewed every two years. In this article, we outline the key initiatives businesses need to be aware of as they prepare to adapt to the Strategy through to 2030.
The Government has foreshadowed the release of a Consultation Paper to work with industry to inform the proposed legislative reforms on new initiatives to address gaps in existing laws and the amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act).
Public consultation is now open in relation to the Cyber Security legislative reforms discussed in the Consultation Paper, with submissions open until 5pm AEDT, Friday 1 March 2024 (see here).
Please do not hesitate to reach out to us if your business requires assistance in making a submission during this consultation period.
Previous submissions during the public consultation on the Strategy (between 27 February 2023 to 15 April 2023) can be found here.
What reforms does your business need to prepare for?
The Plan provides a roadmap for the following key proposed legislative reforms, which may impact organisations doing business in Australia over the next two years. These include, notably:
Subject to industry input on design, the Government has proposed that anonymised reports of ransomware and cyber extortion trends be shared publicly with industry and the broader community.
Whilst Australia currently does not explicitly prohibit the payment of a ransomware demand, there are regulatory considerations businesses need to consider, such as the Criminal Code Act 1995 (Cth), Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), with the Australian Cyber Security Centre (ACSC) recommending that victims do not pay a ransom.
There has been no indication of the repercussions for businesses that fail to report, or of the protections for businesses that do report, ransomware incidents.
Mandatory reporting was previously considered by and withdrawn from Parliament in the Ransomware Payments Bill 2021 (Cth). We discussed the implications of that bill here.
The Government has also foreshadowed the co-design of a code of practice for cyber incident response providers, which will define service quality and expected professional standards, to give businesses greater confidence when engaging cyber security professionals.
Following a review of the data brokerage system, the Government may minimise and simplify data retention requirements to restrict unwanted transfer of data to malicious actors via data markets and to complement proposed Privacy Act reforms. The Government also looks to develop a voluntary data classification model to reduce enterprise risk and ensure organisations hold data in a consistent and unified way.
This includes autonomous vehicles and distributed energy devices without built-in security, which may present vulnerabilities that malicious actors can exploit. Further details of this mandatory standard are yet to be provided.
The Government also looks to develop a voluntary labelling scheme for consumer-grade smart devices to align Australia with international markets, including the United States, Singapore and the United Kingdom.
See our previous discussions on SOCI Act reforms here and here.
Separate but related to the Strategy, on 27 November 2023 the Attorney General Hon Mark Dreyfus KC MP announced the appointment of standalone Privacy and Freedom of Information (FOI) Commissioners in addition to the Information Commissioner, fully restoring the Office of the Australian Information Commissioner (OAIC) to its original three Commissioner model enacted by Parliament in 2015.
Ms Elizabeth Tydd has been appointed as the FOI Commissioner for a five-year term, commencing 19 February 2024.
Ms Angelene Falk, who will retain the role of Information Commissioner, has stated that this three-Commissioner model is a ‘significant and welcome step for the OAIC and the Australian community’.
Ms Falk will remain as Privacy Commissioner until Ms Carly Kind (previously inaugural Director of the London-based Ada Lovelace Institute since 2019) commences her role as Privacy Commissioner on 26 February 2024.
[1] This is in addition to the Australian Government’s 2022 national security investment into REDSPICE (here) which sought to increase the offensive capabilities of the Australian Signals Directorate (ASD), bringing the total investment into cybersecurity to approx. $2.8 billion.