Commonwealth to establish an agency to fight cyber attacks; a cyber security office and national co ordinator

February 27, 2023 |

When confronted with a difficult issue, either establish an inquiry or create a governmental office. The Government, conftonting the reality of significant data breaches has opted for the bureaurocratic option, establish a cyber tsar.  And of course, a discussion paper.

The rationale is set out in an interview between Clare O’Neil, the Minister for Home Affairs, on AM this morning.  It provides:

SPEAKER: First this half hour, months after millions of people had their personal data hacked during the Optus and Medibank cyber-attacks, the Federal Government setting up a new agency to tackle the problem, there will be a new senior official called a Coordinator For Cyber Security, who will lead a National Office for Cyber Security, and that’s within the Federal Government’s Department of Home Affairs, and along with a round table of business security and tech leaders the Prime Minister is releasing a discussion paper about a new cyber security strategy.

The Home Affairs Minister is Clare O’Neil, she’s spoken with the ABC this morning, saying the Government’s taking an important step forward.

CLARE O’NEIL: We arrived in Government confronting a real mess with cyber security, so what we saw was different parts of Government and the private sector doing important things, but kind of all rowing in different directions, and what was clearly needed here was political leadership, and we’ve got that from the personal investment of the PM, and he today has decided to appoint a coordinator to ensure that there is spine and strategy for the work being done throughout Government, and also an office within my department that will support the coordination work.

SABRA LANE: So practically what will that person do, and when will this office be in place? 

CLARE O’NEIL: So two really important tasks for this person. The first will be, as I said, to try to provide some strategy and structure and spine to the work being done across Government. So it will mean things like making sure that the billions of dollars that we are investing in cyber security each year are being spent in a way that’s strategic and appropriate, that we’ve got different parts of Government communicating with each other and working together on helping with cyber security protections across the country.

But Sabra, the other really important part of this person’s job will be to help manage cyber incidents in a proper, seamless strategic way across the Australian Government. That is something that has been missing due to the negligence of the former Government in managing this critical area of national security, and today the PM has moved to fix that problem.

SABRA LANE: When will it be in place? 

CLARE O’NEIL: We’re in the process of advertising for that role, so we’re looking at something over the next month.

SABRA LANE: A discussion paper is also going to be released today on a new cyber security strategy that the Government wants in place from next year. Is it going to set minimum cyber security arrangements for businesses and companies? 

CLARE O’NEIL: Sabra, the Australian Government is coordinating a huge cyber uplift that’s been occurring now for eight months. We want Australia to be the most cyber secure country in the world by 2030, and the cyber strategy is the main mechanism that will get us there.

So today the discussion paper was released, which asks a bunch of questions about how we can be the most cyber secure country in the world by 2030, and one of those is about how we can work with business to make sure that they are lifting cyber security standards in partnership with Government.

So I can actually already set minimum cyber security standards, which I have done across eight major sectors of the Australian economy, and the question posed by the cyber strategy is, is that enough, and do we need to lift standards higher for more businesses across Australia.

SABRA LANE: Therefore, do you also envisage widening the definition perhaps of what a critical asset is, and therefore, what entities and businesses have to do to better protect consumer data and themselves? 

CLARE O’NEIL: Yep. It’s a really important question, Sabra. We went through Optus and Medibank to the bigger cyber-attacks that Australia has experienced last year, and in those events we were meant to have at our disposal a piece of law that was passed by the former Government, to help us engage with companies under cyber-attack, and that law was bloody useless, like not worth being printed on the paper when it came to actually using it in a cyber incident, it was poorly drafted, and the discussion paper asked a bunch of questions about how it is that we could redraft those laws so they’re actually useful to us. They’re not fit for purpose at the moment, and I do think they need reform.

SABRA LANE: All right. You talked about Optus and Medibank. Had this coordinator in office been in place when those hacks happened, what difference would they have made? 

CLARE O’NEIL: It would have made a huge difference, Sabra. When Optus hit, much to my shock as Cyber Security Minister, there was no cyber emergency response function in the Australian Government. I am really angry about that. Those events were completely foreseeable events that were completely not foreseen by the previous Government.

Now, we dealt with those incidents well, but that is in spite of Government structures, not because of them. Literally Cabinet ministers stepped in and managed the incident in a way that is not sustainable when we are under basically relentless cyber-attack.

So what we will have now is an individual in the Public Service who is going to coordinate the response across Government and make sure that not only are we deterring and preventing cyber-attacks, but when this occur, which they will continue to occur, Sabra, we are not going to reduce cyber risk to zero, but Australians can get up off that quickly; get services restored, get their data protected, get their identity numbers changed. These are the sort of core things that this person would have been able to do much more seamlessly.

SABRA LANE: Is there merit in having a public discussion about whether ransom should be paid to get back sensitive data that’s stolen? 

CLARE O’NEIL: Yeah, I do think it’s an important public discussion, Sabra, and that’s why I haven’t shut it down and said that it’s something that we won’t consider. Today the PM is hosting a round table in Sydney with cyber experts from around Australia, and this is just the sort of subject that we’ll be talking about. But the key question is, we know cyber-attacks are relentless, and they’re growing over time, how do we set ourselves up for a safe future in the context of a really dangerous geopolitical environment that wear heading into. So this is a core national security risk, and the PM is very actively and personally involved in it.

SPEAKER: That is Clare O’Neil, she’s the Home Affairs Minister speaking with AM’s Sabra Lane on the ABC this morning.

The ABC reports on this development in Government announces cyber security office and national coordinator.The Australian reports in Anthony Albanese to set up agency to fight cyber attacks

Anthony Albanese will set up a new agency to lead Australia’s fight against mass cyber attacks by state-sponsored hackers and criminal gangs, under a seven-year strategy to strengthen defences and end blame-shifting inside government and across the ­private sector.

The overhaul of Scott Morrison’s $1.7bn 10-year national cyber security strategy comes amid fears Australia’s legislative, government and private sector cyber defences are not keeping pace with fast-moving technological and geostrategic threats.

The appointment of a new co-ordinator for cyber security, who will lead the National Office for Cyber Security within the Department of Home Affairs, follows Joe Biden’s establishment of a US ­Office of the National Cyber ­Director in 2021.

Tasked with leading whole-of-government co-ordination and triage of major cyber incidents, similar to last year’s Optus and Medibank hacks, the cyber security chief will lead policy development and harden commonwealth digital systems.

The Prime Minister, who is hosting a roundtable with business, security and tech leaders in Sydney on Monday, will launch consultation on the new strategy led by former Telstra chief executive Andy Penn.

As the Albanese government increases co-operation with Quad and AUKUS partners on critical technologies, quantum and critical minerals, there is also a shared focus on aligning cyber defences to thwart rapidly evolving threats emanating from Russia and China.

The Australian Cyber Security Centre last year reported significant surges in cybercrime, which is now estimated to cost the country more than $33bn annually.

Following last year’s federal election, The Australian revealed Home Affairs and Cyber Security Minister Clare O’Neil had ­ordered – as a top priority – an ­urgent review of the Morrison government’s 2020 cyber security strategy.

Ms O’Neil’s expert advisory panel, consisting of Mr Penn, former air force chief Mel Hupfeld and Cyber Security Co-operative Research Centre chief executive Rachael Falk, has provided the government with a 15-page discussion paper outlining how Australia can better protect households, businesses and governments from cyber attacks.

The paper outlines priorities and core policies for the updated cyber strategy, which will be finalised in the second half of the year and is expected to include 2030 targets that establish Australia as a world-leading cyber security force.

The Australian understands it focuses on a new cyber security act and what that should include, strengthening critical infrastructure legislation to set baseline cyber security requirements for companies and governments, boosting regional cyber resilience and building a frontline cyber workforce.

Other suggestions include ­establishing a cyber review board to examine incidents and inform future responses, ensuring the commonwealth sets the standards for best practice in managing data and providing better awareness and victim support.

As revealed by The Australian last week, rules imposed by the ­Albanese government will hold boards and directors of critical ­infrastructure more accountable to protect Australians from cyber and physical attacks.

The regulatory costs for businesses and governments of beefing up infrastructure defences is expected to be about $11.5bn over 10 years. Ms O’Neil said Australia’s “patchwork of policies, laws and frameworks … are not keeping up with the challenges presented by the digital age”.

The Cyber Security Minister said the case for change was clear because “voluntary measures and poorly executed plans will not get Australia where we need to be to thrive in the contested environment of 2030”.

“To achieve our vision of being the world’s most cyber-­secure country by 2030, we need the unified effort of government, industry and the community,” she said. “Together, we can equip our community to reduce the number and impact of cyber incidents through improved cyber hygiene and provide clear advice on how to respond confidently.”

While responsibility for cyber security and critical infrastructure policy is led by the Department of Home Affairs, the Australian Signals Directorate and Australian Cyber Security Centre fall under Defence, the Australian Federal Police ­reports to the Attorney-General’s Department and the ­eSafety Commissioner is part of the Department of Communications.

The private sector has repeatedly raised concerns about cyber security being straddled across four departments and the spiralling costs for business to bolster their cyber defences.

The Morrison government’s strategy, which was considered by some in industry and the ­bureaucracy to have been rushed-out during Covid, will be refocused on boosting sovereign capability and workforce to combat threats from malicious state-based actors and criminal gangs.

Mr Penn, who also led the 2020 cyber security strategy ­advisory panel, warned that “our national resilience, economic success, and security rely on us getting our cyber settings right”.

“If we are to lift and sustain cyber resilience and security, it must be an integrated whole-of-nation endeavour,” Mr Penn said. “We believe that the development of a new forward-looking strategy … is a unique opportunity for us to be ambitious and innovative.”

In response to rising cyber ­attacks linked to China, Russia, eastern Europe, Iran and North Korea, the Morrison government announced a $9.9bn package in its pre-election budget last year for the ASD and ACSC.

The cyber security agencies, which were tasked with recruiting more than 1900 staff, are facing a skills shortage that the government is seeking to remedy by attracting more skilled migrants and upskilling Australians faster.

Cyber security is now front and centre a political issue with the Government attacking its predecessor for having poor cyber security laws, as reported by the Australian with ‘Absolutely bloody useless’: Minister slams cyber laws and the opposition critisizing the Government for shifting responsibility to a cyber security minister rather than the Home Affairs Minister.  The reality is that Governments of both persuasions presided over poor quality privacy legislation, inadequate funding of the Privacy Commissioner now Information Commissioner and contentment that the regulator would be timid.  In doing so the loyal opposition at any time was relatively muted and focused on other matters.  After the Optus and Medibank data breaches a policy backwater has been put to the forefront.

Some of the issues covered by the discussion paper include:

  • the three issues for consideration are:
    • How Australia can elevate the existing level of engagement with international partners through concrete steps to
      promote cyber resilience?
    • What opportunities are there to better support the development of international technology standards, particularly in
      relation to cyber security?
    • How can government and industry partner to uplift cyber resilience and secure access to the digital economy, especially in Southeast Asia and the Pacific?
  • the Commonwealth Cyber Security Posture in 2022 report  reveals:
    • government agencies have a long way to go to properly secure government systems. Only 11% of entities in the Cyber Posture Report reached Overall Maturity Level 2 through the implementation of Essential Eight controls,
    • the majority of entities are yet to implement basic policies and procedures.
  • Public sector cyber security is comprised of  both non-technical and technical elements,
    • Non-technical aspects include things like governance frameworks and accountability mechanisms, cyber security culture, and risk management planning.
    • Technical aspects include elements such as inventory management and legacy systems, variation across government systems and attack surfaces, and the nature of essential services delivered by each entity.
  • Enhancing government cyber posture will require a framework which accounts for:
    • best practice standards, evaluation, transparency, reporting, and aligned incentives; and
    • the appropriate support, accountability and leadership for individual government departments and agencies to manage
      their cyber security risk profile.

Areas for action include:

  • Improving public-private mechanisms for cyber threat sharing and blocking.  This involves:
    •  enhance cyber security threat sharing and blocking through public-private partnerships through an  analysis of
      feasible technical approaches, which can be deployed sustainably at scale.
    • qualitative issues, such as government practice related to information sharing, access, declassification of intelligence,
      and existing regulatory frameworks such as the Privacy Act and the Surveillance Legislation Amendment (Identify and Disrupt) Act.
    • international approaches which Australia could also consider through the Strategy, recognising these would require further consultation
  • Supporting Australia’s cyber security workforce and skills pipeline through:
    • the Government committing  to reach 1.2 million tech jobs by 2030.
    •  cyber security is embedded in STEM curricula,
  • National frameworks to respond to major cyber incidents by
    • clarifyimg what the community and victims of a cyber attack can expect from the Government following an incident in the context of victim support and post incident response. Government must ensure that frameworks for incident
      management and coordination are fit-forpurpose, and conduct post-incident review and consequence management following major cyber incidents.
    • sharimg the root cause findings from investigations of major cyber incidents so that we can all benefit from these learnings.
  • Community awareness and victim support.  There is no consistent understanding of the practical steps that consumers, small and medium-sized enterprises (SMEs), and other organisations must take to enhance their cyber security. There is a need to invest further in community awareness and skills building for cyber security
  • Investing in the cyber security ecosystem Protective cyber security technologies have been identified as a critical technology
    by the Government, and cyber security is essential to the secure development and implementation of a broad range of
    other critical technologies.
  • Designing and sustaining security in new technologies such as quantum, communications technologies, the Internet of Things, and artificial intelligence which will significantly impact, and be impacted by, cyber security.
  • Implementation governance and ongoing evaluation.  The Strategy will form the foundation of an evolving approach to cyber security into the future. Implementation will require strong governance and a transparent, meaningful evaluation framework to ensure the Australian Government’s vision is realised, and the Strategy is fit-for-purpose now and into the future

The Questions the Paper asks are:

1. What ideas would you like to see included in the Strategy to make Australia the most cyber secure nation in the world by 2030?
2. What legislative or regulatory reforms should Government pursue to: enhance cyber resilience across the digital

a. What is the appropriate mechanism for reforms to improve mandatory operational cyber security standards
across the economy (e.g. legislation, regulation, or further regulatory guidance)?
b. Is further reform to the Security of Critical Infrastructure Act required? Should this extend beyond the existing
definitions of ‘critical assets’ so that customer data and ‘systems’ are included in this definition?
c. Should the obligations of company directors specifically address cyber security risks and consequences?
d. Should Australia consider a Cyber Security Act, and what should this include?
e. How should Government seek to monitor the regulatory burden on businesses as a result of legal obligations to cyber security, and are there opportunities to streamline existing regulatory frameworks?
f. Should the Government prohibit the payment of ransoms and extortion demands by cyber criminals by:
(a) victims of cybercrime; and/or
(b) insurers?

If so, under what circumstances?
i. What impact would a strict prohibition of payment of ransoms and extortion demands by cyber criminals have on victims of cybercrime, companies and insurers?
g. Should Government clarify its position with respect to payment or nonpayment of ransoms by companies, and the circumstances in which this may constitute a breach of Australian law?

3. How can Australia, working with our neighbours, build our regional cyber resilience and better respond to cyber incidents?
4. What opportunities exist for Australia to elevate its existing international bilateral and multilateral partnerships from a cyber security perspective?
5. How should Australia better contribute to international standards-setting processes in relation to cyber security, and shape laws, norms and standards that uphold responsible state behaviour in cyber space?
6. How can Commonwealth Government departments and agencies better demonstrate and deliver cyber security best practice and serve as a model for other entities?

7. What can government do to improve information sharing with industry on cyber threats?
8. During a cyber incident, would an explicit obligation of confidentiality upon the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) improve engagement with organisations that experience a cyber incident so as to allow information to be shared between the organisation and ASD/ACSC without the concern that this will be shared with regulators?
9. Would expanding the existing regime for notification of cyber security incidents (e.g. to require mandatory reporting of
ransomware or extortion demands) improve the public understanding of the nature and scale of ransomware and extortion
as a cybercrime type?
10. What best practice models are available for automated threat-blocking at scale?
11. Does Australia require a tailored approach to uplifting cyber skills beyond the Government’s broader STEM agenda?
12. What more can Government do to support Australia’s cyber security workforce through education, immigration,
and accreditation?
13. How should the government respond to major cyber incidents (beyond existing law enforcement and operational responses) to protect Australians? a. Should government consider a single reporting portal for all cyber incidents, harmonising existing requirements to report separately to multiple regulators?
14. What would an effective post-incident review and consequence management model with industry involve?
15. How can government and industry work to improve cyber security best practice knowledge and behaviours, and support
victims of cybercrime?
a. What assistance do small businesses need from government to manage their cyber security risks to keep their data
and their customers’ data safe?
16. What opportunities are available for government to enhance Australia’s cyber security technologies ecosystem and
support the uptake of cyber security services and technologies in Australia?

17. How should we approach future proofing for cyber security technologies out to 2030?
18. Are there opportunities for government to better use procurement as a lever to support and encourage the Australian cyber security ecosystem and ensure that there is a viable path to market for Australian cyber security firms?
19. How should the Strategy evolve to address the cyber security of emerging technologies and promote security by design in new technologies?
20. How should government measure its impact in uplifting national cyber resilience?
21. What evaluation measures would support ongoing public transparency and input regarding the implementation of the Strategy

Leave a Reply

Verified by MonsterInsights