News reaction: Australia announces strengthening of cyber rules in new 2023-2030 Cyber Security Strategy

23 November 2023

In December 2022, Australia’s Minister for Cyber Security, the Hon. Clare O’Neil MP, announced the development of the 2023-2030 Australian Cyber Security Strategy to help the Government achieve its vision of making Australia the most cyber secure nation in the world by 2030.

The Expert Advisory Board appointed to oversee the development of the Strategy released a discussion paper seeking views on how the Australian Government could achieve the vision set out in the Strategy, to which NCC Group responded earlier this year. After a period of consultation, the Australian Government has this week published its 2023-2030 Australian Cyber Security Strategy and Action Plan.

Under the Strategy, the Government is building six ‘cyber shields’ to help defend citizens and businesses from cyber threats: strong businesses and citizens, safe technology, world-class threat sharing and blocking, protected critical infrastructure, sovereign capabilities, and resilient region and global initiatives.

The Government has signalled its intention to continue strengthening the cyber rules applied to technology developers and others across the economy. This includes the introduction of a mandatory no-fault, no-liability ransomware reporting obligation, the mandating of cyber security requirements for consumer IoT devices, and the use of procurement and Codes of Practice to drive up software and app store security standards.

Critical infrastructure providers will also face enhanced and clarified regulations. The SOCI Act (as announced last week) will be extended to include telecoms providers, there will be new cyber rules for maritime and aviation, and “Systems of National Significance” will face additional cyber security obligations such as requirements to develop cyber incident response plans, undertake cyber security exercises and conduct vulnerability assessments.

Following its release, Charles Spencer, Regional Managing Director for NCC Group in Asia Pacific, highlights how the final strategy compares to NCC Group’s recommendations put to the Government earlier this year.

“Australia is, in many ways, at the forefront of cyber resilience and we support the Government’s focus and drive to establish cyber security as a strategic national capability. We are pleased to see several of our practical considerations and recommendations we put forward adopted as core components of the Strategy, including:

  • Extending ‘secure by default’ principles to emerging tech like AI, and introducing a security labelling scheme for consumer IoT devices;
  • Mandating cyber security assurance testing for the most high-risk parts of Australia’s critical infrastructure;
  • Enhancing information sharing to build a fuller picture of the cyber threat landscape;
  • Utilising statecraft to disincentivise ransomware actors, prioritising collaboration and alignment with global security partners; and,
  • Driving up cyber literacy across Australia, so that everyone has the cyber skills they need to thrive in the digital age.”

What’s next?

The Government will deliver the strategy in three phases up to 2030, focussing initially on Australia’s foundations, before scaling cyber maturity across the whole economy and finally advancing the global frontier of cyber security:

  • Horizon 1 (2023–25): Strengthen Australia’s foundations
  • Horizon 2 (2026–28): Scale cyber maturity across the whole economy
  • Horizon 3 (2029–30): Advance the global frontier of cyber security

NCC Group will continue to support the Australian Government with practical considerations and recommendations for protecting citizens, the public sector and industry, enabling Australian communities and the economy to thrive in the digital age.

Contact

NCC Group Press Office

All media enquiries relating to NCC Group plc.

press@nccgroup.com

+44 7721577574