Cybersecurity minister Clare O’Neil has released the Australian government’s long-anticipated cybersecurity strategy, a seven-year plan to make Australia “a world leader in cyber security” by 2030.
The plan includes $587 million in additional funding over the forward estimates committed to initiatives to boost cyber capability.
Among “six cyber ‘shields’” outlined in the 2023-2030 Australian Cyber Security Strategy is a commitment to building cyber sovereign capability. This is backed by $8.6 million toward professionalising the cyber workforce and supporting the local cyber industry.
In the strategy, the government said the quality of Australia’s research and development institutions would “allow Australia to become a global leader in cyber innovation”.
However, shadow cybersecurity minister and Senator James Paterson said the “underwhelming cyber strategy [was] too little too late”.
Minister for Cybersecurity minister Clare O’Neil.
A commitment to safe technology is also one of the strategy’s shields and will include a mandatory safety standard for internet-of-things products. This scheme will reportedly be based on the standard developed by the European Telecommunications Standards Institute.
The government has committed $4.8 million to the establishment of the standards. It will also develop a voluntary labelling scheme that denotes whether consumer-grade smart devices meet the mandatory standard.
The other four cyber shields are for strong businesses and citizens, world-class threat sharing and blocking, protected critical infrastructure, and resilient region and global leadership.
The largest funding commitment of $290.8 million is committed to protecting businesses and citizens from cyberattacks, including a $75 million funding boost for the Australian Federal Police and Australian Signals Directorate’s (ASD) ‘hack the hackers’ initiative. This includes the previously announced $20 million for an SME cyberhealth-check program, and to provide one-on-one assistance to help SMEs address cyber challenges.
Other large funding packages include $129.7 million to building regional cyber resilience and global leadership and $143.6 million to strengthening our critical infrastructure protections and uplifting government cyber security.
The remaining $9.4 million is being invested in the development of a threat sharing platform for the health sector.
During the development of the strategy, multinational consultancy McKinsey was contracted for $950,000 for project management work on the strategy, but this later blew out to $2.4 million.
Initiatives outlined under the sovereign capability shield strategy include new TAFE training initiatives, using the government’s purchasing power to support the local sector in line with the Buy Australia Plan, and the establishment of a Cyber Security Challenge through an existing Business Research and Innovation Initiative (BRII) run by the Industry department.
The BRII is a competitive grants program to help startups and small to medium sized enterprises to undertake feasibility tests in response to a government proposed initiative.
An initial $100,000 grant is awarded in the first stage, with a subsequent competitive $1 million grant for the development of a proof of concept also available. After completion of the prototype or proof of concept the government will have an opportunity to buy the solution, although participating businesses can still look for other commercial opportunities.
An impact evaluation completed by consultancy Nous Group at the end of August 2021, estimated that the first round of the program delivered a $1.64 return to the economy per dollar of government money invested.
The strategy also includes a commitment to the development of a mandatory ransomware reporting scheme, which was announced last week. Security regulation of the Telecommunications sector will also be moved from the Telecommunications Act 1997 to the Security of Critical Infrastructure Act.
Commenting on the relatively small amount of funding committed to building cyber skills, about $2.8 million, Ms O’Neil told InnovationAus.com that during consultation it became clear that “it’s actually not a lack of funding, and it’s not a lack of programs that is driving our cyber skills problem here in Australia, it’s actually the fact that we don’t have enough people who are hungry to try to study cyber”.
“One of our solutions to this initiative is to push harder on bringing cyber into the whole school curriculum so that we’ve got young people around this country thinking about this as a career pathway and getting interested in this,” Ms O’Neil said.
“The big piece of feedback we got that was specific to cyber from a skills point of view is that today, the cyber training environment isn’t properly structured. And what I mean by that is you can get a bachelor’s degree from one university and a bachelor’s degree from another university and those two students are being taught entirely different things.”
Shadow cybersecurity minister and Senator James Paterson said the strategy was not worth the more than one year of development time and “millions spent on high-priced consultants”.
“With only $587 million of investment, it pales in comparison to the $1.67 billion from the 2020 Cyber Security Strategy and the $9.9 billion injection into the Australian Signals Directorate under the REDSPICE program under the former government,” Mr Paterson said.
“After announcing in August 2022 that she was going to ‘tear up’ the existing cyber security strategy to make Australia the most cyber secure country in the world by 2030, Home Affairs and Cyber Security Minister Clare O’Neil has now unveiled a series of minor tweaks and logical extensions of the previous government’s policies.
“There is nothing radical or revolutionary in the Strategy, nor anything that will substantially shift the dial on cyber security. Rhetoric does not equate to action, and it is striking just how far the Strategy falls short of the Minister’s self-stated ambition to make Australia the most cyber secure nation in the world by 2030.”
