Industry responds to the 2023–2030 Australian Cyber Security Strategy

To achieve the goals of the strategy, the government has dedicated $587 million in funding, which will build upon the current $2.3 billion that it spends every year.

While this is a major step in the right direction, which has been applauded by industry leaders, who have said it highlights the key areas that need to be addressed to create a cyber secure Australia, the new plan is not without its critics.

Here is what industry leaders are saying.

Sadiq Iqbal
Evangelist, Office of the CTO, and manager, Check Point Software Technologies

I am very encouraged by the proposed strategy that includes a number of reforms such as creating a zero-trust culture by which all government agencies will need to abide by, along with the ASD Essential Eight, effectively mirroring the approach by the White House for US government entities.

Another welcome addition is pressure-testing the preparedness of critical infrastructure after a plan to further strengthen their cyber obligations, which is still quite lacking despite the SOCI reforms as evidenced most recently by DP World.

Many of the proposed reforms are in line with Check Point’s methodology, with a much stronger focus on threat-intelligence sharing between entities but also on blocking of threats, both in real time and at scale.

We would, however, like to see a more diverse grouping of cyber organisations involved. There is also an increased focus on cyber resiliency and the need to have incident response plans in place, and provided playbooks to recover from a ransomware attack.

VIEW ALL

A number of “free” initiatives have been proposed for small businesses, [which] have become one of the most targeted areas of late due to their lack of investment in cyber defences. This is great if it can actually be delivered, and we will be keen to see how the government delivers on its promise to provide free cyber assessments and support to over 2 million SMBs.

The cyber strategy does correctly recognise that the uplift to most organisations’ maturity levels, which will consist of substantial cost and effort, will start and stop at the boardroom, and overall, it is good to see a number of measures to address this.

Marcus Thompson
Former ADF Information Warfare chief, senior adviser at Macquarie Technology Group, and chair of ParaFlare

The strategy’s emphasis on resilience and urgency is welcome, and its aim to make Australia a world leader is admirable, though no easy feat. Overall, the six shields outlined speak to the changes needed and what the industry has been calling for, but perhaps one dedicated solely to citizen responsibility would have been a useful inclusion.

While it is a focus area of the strategy, the role and responsibility every single citizen has to protect themselves and the community cannot be understated.

The government’s strong focus on sovereign industry is something for which I and others have long campaigned; the nature of cyber crime and the role played by foreign threat actors means we cannot be assured in our defences without a strong, local, sovereign base.

A greater emphasis on threat sharing is something the industry has long been calling for. Regulations such as the Security of Critical Infrastructure (SOCI) Act and the Notifiable Data Breaches scheme have put the onus on industry, but now, the government is committing to increase its threat sharing with industry.

Initiatives to professionalise the domestic cyber security workforce are long overdue. Professions such as law, medicine and engineering have national bodies that accredit courses and certify skills. But in the cyber industry, employers have to make their own individual assessments.

The attributes of cyber security as an industry and its role in keeping the economy going fully justify the same professionalisation in this industry.

David Fairman
Chief information and security officer APAC, Netskope

Fundamentally, I think the strategy is focusing on the relevant issues that need to be addressed now, with a time frame and objectives that make sense for the next seven years. Having participated in some of the conversations that led to the strategy, I can tell that the government has listened to the perspectives and recommendations given by industry partners.

But there are a few areas to address, starting with a higher level of clarity and details on how the funds are going to help achieve all the initiatives outlined in the plan.

Even though there’s $600 million allocated for this strategy in addition to the $2.3 billion already committed by the previous government, I think it would help everyone to understand how the funds are going to be allocated with more granularity to complement the overarching plan, and answer concerns that the funding may not be high enough in some aspects. For example, there’s $7.2 million dedicated to building a voluntary cyber health check program for SMBs. With more than 2 million SMBs in Australia, is it really going to be enough?

The strategy is also light on how the government will track and communicate progress to the wider community. Strategies are only good if they’re successfully implemented, and committing to reporting deadlines or processes is a way to reassure everyone that you will do your best to stick to the plan.

Finally, we have to consider the financial impact of some of those measures on businesses and the costs they will have to bear. The economy is still very much in a recovery phase, and many businesses will probably need some sort of financial support to afford cyber security upgrades. A cyber health check for SMBs is great, but if most can’t afford to fill the identified cyber security gaps, the plan will fail.

Kurt Hansen
Chief executive officer, Tesserent

Tesserent works closely with the federal government and made a submission to the recent consultation to inform the new Cyber Security Strategy for Australia.

We commend the federal government for championing the bolstering of Australian cyber security defences, increasing industry awareness and working cooperatively with the private sector.

We are all on the same team when it comes to combating the escalation of cyber attacks and strengthening our national defences against criminals and other groups intent on stealing data and disrupting the lives of Australians and compromising Australian businesses and organisations.

Tesserent has over 190 team members [who] hold Australian government security clearance. Thales Australia and Tesserent’s combined team of more than 550 of Australia’s leading cyber security professionals are at the forefront of protecting Australia’s digital assets.

Tesserent, through Thales Australia, now has the most in-depth global threat intelligence on offer in the Australian market.

We are committed to partnering with all levels of government and private enterprises in Australia to drive change and promote solid cyber security practices. We are confident that through collaboration and engagement, we will play a leading role in making Australia and New Zealand the most cyber secure countries in the world by 2030.

Professor Matthew Warren
Director, RMIT Centre for Cyber Security Research and Innovation

Over 10 years ago, Australia introduced its first National Security Strategy. Since then, the scale and scope of the problems it was designed to address have increased, but we have seen subsequent Australian governments deal with this very complex problem.

The new national Cyber Security Strategy highlights several key changes and investments that aim to:

• Support small and medium businesses to deal with cyber incidents.
• Strengthen critical infrastructure and enhance government cyber security.
• Activate regional and global cyber resilience initiatives.
• Protect and respond against ransomware attacks.

The strategy demonstrates the government recognises the importance of protecting all of Australia, from critical infrastructure to small businesses and citizens.

It’s great they have acknowledged the key role that universities have in contributing to sovereign capability development and innovation, especially through research.

We are living in the new cyber normal. This strategy is a key step in helping to protect Australia in the future against the wide range of cyber threats that Australia faces.

Unlike previous national cyber security strategies, this strategy clearly defines what success looks like and the three phases of implementation needed to get to a successful outcome.

Professor Nigel Phair
Department of software systems and cyber security, faculty of information technology, Monash University

The strategy highlights the need for a skilled workforce to solve the cyber security problems of the future. The higher education sector is well placed and stands ready to support the government in this aim.

Partnerships between academia, business and government will be critical to meeting the goals of the strategy. A joined-up approach where all three sectors work together is efficient and effective.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.