Australia updates cyber security strategy but offers little new

The nation’s latest cyber security strategy includes centralised management of networks and a voluntary code of practice for deploying internet-connected devices, among other areas

The federal government has announced Australia’s next cyber security strategy just weeks after prime minister Scott Morrison informed the nation of a major attack being executed by an unnamed nation state.

The updated strategy focuses on protecting essential information and services, the economy and people from the dark web, which home affairs minister Peter Dutton described as “the sewer of the internet”.

While the latest policy boasts an impressive budget of A$1.67bn, delving into the details reveals that less than 20%, or $320m, is new expenditure added to the initial strategy.

That additional expenditure is spread over 10 years and will likely be used to support hiring, training and ongoing retention of a new force of 100 “cyber detectives”.

The release of the strategy was delayed for some months because of the Covid-19 pandemic. But the changing landscape created by the pandemic was noted in the strategy – although this was a simple note that “everyone – governments, businesses and the community – has a role to play in creating a more cyber secure Australia”.

Nigel Phair, University of New South Wales Canberra’s cyber director, said: “I am encouraged to see the government make a commitment to tackling these issues head-on and providing a path forward to ensure we are as prepared as we can be.”

The strategy is built around actions by government, business and the community. Each has a part to play, with government providing resources to support the other groups and protecting key systems and infrastructure. The strategy puts the onus on businesses and consumers to take responsibility for securing their own systems and assets.

One of the biggest challenges facing businesses and consumers is the proliferation of internet of things (IoT) devices – small and inexpensive equipment that often lacks strong security controls. Part of the strategy is to create a voluntary code of practice to set out the Australian government’s security expectations for IoT consumer devices Australians use every day.

With the number of attacks being reported to the Australian Cyber Security Centre now averaging about six per day, it is clear businesses are being significantly impacted. According to the home affairs department, the average cost of a cyber incident is in excess of A$275,000, and such incidents cost the country as much as A$29bn per year, or almost 2% of GDP.

The most controversial areas of the Australian government’s cyber security strategy and policy fall in the area of privacy.

Dutton, a former police officer, repeatedly referred to paedophiles as one of the key groups of offenders the strategy targeted and focused much of his rhetoric on the dangers of the dark web and encryption.

He specifically mentioned negotiations with Facebook during the media briefing at the strategy release, but the strategy also noted that the government would be looking at the role of privacy, consumer and data protection laws.

As part of the strategy, the government plans to lead by example and centralise the management and operation of the many networks used by government agencies.

“Centralisation could reduce the number of targets available to hostile actors such as nation states or state-sponsored adversaries and allow the Australian government to focus its cyber security investment on a smaller number of more secure networks,” it said.

Other areas in the strategy continue from the previous strategy, with a focus on cyber security skills development, continued investment in cyber security centres in each state and continuing to support programmes such as Stay Smart Online for consumers and businesses.

The strategy includes an action plan, although none of the actions have specific deadlines, making it difficult to assess progress. The government did note how it would measure success – just not when success is expected.
