Key considerations for Australia’s forthcoming Cyber Security Strategy

In December 2022, Australia’s Minister for Cyber Security, the Hon. Clare O’Neil MP announced the development of the 2023-2030 Australian Cyber Security Strategy to help the Government achieve its vision of making Australia the most cyber secure nation in the world by 2030.

The Expert Advisory Board appointed to oversee the development of the Strategy released a discussion paper to seek views on how the Australian Government could go about achieving the vision set out in the Strategy and ensure:

• A secure economy and thriving cyber ecosystem
• A secure and resilient critical infrastructure and government sector
• A sovereign and assured capability to counter cyber threats
• Australia as a trusted and influential global cyber leader, working in partnership with our neighbours to lift cyber security and build a cyber resilient region

Following the closure of submissions last week (15 April 2023), Charles Spencer, Regional Managing Director for NCC Group in Asia Pacific outlines our key considerations and recommendations:

We are pleased that the Government is taking the time to review its approach through to 2030, and we are keen to support the development of a new Cyber Security Strategy by sharing our expertise and insights from experience operating in Australia since 2006.

In our submission to the call for views on the Strategy, we have put forward practical considerations and recommendations for protecting citizens, the public sector and industry, enabling Australian communities and the economy to thrive in the digital age.

Principally, we advocate for a National Cyber Security Strategy that:

• Establishes the evidence-base needed to make informed decisions on cyber security policies and investment, through the formation of a Bureau for National Cyber Statistics. A centrally coordinated institution that will bring together existing and new datasets to build a comprehensive picture of the threat landscape. This perspective would enable the Government to accurately analyse and effectively communicate the realistic threat to the public, prioritise investment, task resources and measure the success of enablement and intervention.

• Through the new Cyber Security Act, embeds a consistent, proportionate and risk-based ‘secure by default’ approach across all parts of the economy. At an industry level, we welcome the Government’s ambitions for Australian-made products to set the international benchmark for safety and security, while balancing consumer rights and economic competitiveness. We support theintroduction of a new Cyber Security Act. We hope this Act will introduce a consistent, proportionate and risk-based ‘secure by default’ approach across all parts of the economy that for the most high-risk sectors, mandating the adoption of realistic, intelligence-driven cyber security assurance testing and, also implementing a security labelling scheme for consumer IoT devices.

• Encourages public and private sector collaboration, including industry secondment schemes like the Industry100 programme delivered by the UK National Cyber Security Centre. As participants in the Industry100 programme since its inception, we would be delighted to support the Australian Cyber Security Centre (ACSC) to establish an equivalent scheme. A close partnership between Government and industry is essential to delivering a reliable and resilient cyberspace.
  
• Promotes close cooperation and collaboration with global allies, particularly the ‘Five Eyes’ strengthening global cooperation and coordination against opportunistic and persistent threats. Close international cooperation is critical to ensuring a resilient and trusted global supply chain for Australia’s economy.
  
• Improves cyber literacyso that all levels of society, age groups and professions can use technology securely. At a public level, empowering individuals and users to make informed decisions about their personal security should be a core part of the Government’s approach. We believe a step change is needed further to embed cyber awareness and incentives into everyday conversations, to make it an integral part of the national psyche.

It is vital that the Government uses all its levers to prioritise and manage cyber threats, in partnership with the private sector, driven by a culture of information sharing and open dialogue.

Australia is, in many ways, at the forefront of cyber resilience and we support the Government’s focus and drive to establish cyber security as a strategic national capability.

The final Strategy is due to be announced before the end of 2023.