On 6 August 2020, The Australian Government released its new Cyber Security Strategy 2020 (the Strategy). The Strategy will invest $1.67 billion over the next 10 years to achieve its vision of creating a more secure online world for Australians, their businesses and essential services.
The Strategy builds on the previous 2016 Cyber Security Strategy which, in comparison, invested $230 million.
Actions by the Australian Government
As part of the Strategy, the Australian Government has committed to the following actions:
- Development of new government powers (accompanied safeguards and oversight mechanisms) to enable it to defend networks from cyber attack and assist the private sector in recovering from any such incidents. Assistance would likely take the form of expert advice, direct assistance and the use of classified tools.
- Consultation with business to consider the legislative reforms:
- duties for company directors and other business entities; and
- placing obligations on manufacturers of internet connected devices.
- The Australian Signals Directorate will be recruiting 500 extra intelligence and cyber personnel to identify and respond to cyber security threats.
- $89.9 million will be invested in the Australian Federal Police (AFP) to increase their ability to investigate and prosecute cyber criminals.
- Expanding the cyber security incident exercise program run by the Australian Cyber Security Centre– this program is designed to ensure that business’ and governments are well practiced in their incident responses.
- $62 million investment in a national situational awareness capacity, complimented by more incident reporting and near-real-time threat information.
The Telecommunications Sector Security Reforms and Security of Critical Infrastructure Act 2018 (Cth) (the Act) will be amended to bring additional ‘critical’ sectors under the regulatory framework established by the Act. The framework will apply to owners and operators of relevant critical infrastructure, notwithstanding the particulars of ownership structures. The framework will include a combination of:
- Enforceable positive security obligations for critical infrastructure entities;
- Enhanced cyber security obligations;
- Government assistance for business after significant cyber attacks through directions and direct action; and
- A range of voluntary measures.
Additional details are not yet available, however businesses should monitor government announcements on the following new initiatives;
- Creation of a Voluntary Code of Practice: Securing the Internet of Things for Consumers;
- Establishment of a Cyber Security Best Practice Regulation Task Force to make sure that cyber security is built into digital products, services and supply chains; and
- Complimenting the cyber security skills pipeline through a new Cyber Security National Workforce Growth Program and related Cyber Skills Partnerships Innovations Fund.
All of these initiatives are a reminder that cyber risks are risks that must be managed by all businesses. The obligation is a mainstream governance and risk management issue for all businesses. It will become mainstream for businesses to be able to demonstrate that they are cyber secure to win work and to keep customers.
With more employees settling into the WFH environment, and struggling to navigate the digital society COVID is bringing us ever closer to, the Strategy is a reminder that organisations and individuals must take the importance of cyber security seriously.
As the strategy notes at , the economic consequence are stark:
According to one expert analysis, cyber incidents targeting small, medium and large Australian businesses can cost the economy up to $29 billion per year, or 1.9% of Australia’s gross domestic product (GDP).1 Further, it is estimated that a four week interruption to digital infrastructures resulting from a significant cyber incident would cost the economy $30 billion (1.5% of Australia’s Gross Domestic Product) and around 163,000 jobs.2
If you have any questions in relation to the Strategy, or would like advice on how the Strategy will impact you or your business, please do not hesitate to contact Iain Freeman or Lorraine Madden.
Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.