The whole country is “unnecessarily vulnerable” to cyber attacks and we all need to rethink the way we secure our networks and data, Home Affairs Minister Clare O’Neil has warned.

In a speech to the National Press Club last week, O’Neil – who has dealt with the fallout of Australia’s two most significant data breaches in recent memory since coming into office – said her government would use the opportunity those incidents created to shift the national conversation when it comes to information security.

“Optus and Medibank were terrible events,” O’Neil said. “I felt them deeply, my family was caught up in both.

“It’s now my job to turn this set of disasters into a permanent step change in cyber security for the country.”

O’Neil talked up actions her government has already undertaken, including the 100-person strong team comprising members of the Australian Federal Police and the Australian Signals Directorate who are tasked with “hunting down people seeking to hack our systems, and hacking back”.

She also noted the Privacy Act changes which increase penalties for companies who suffer significant data breaches from $2.5 million to the greater of $50 million, three times the value of any benefit obtained through a data breach, or 30 percent of the organisation’s adjusted turnover for the financial year.

Privacy advocates have pointed out that this was a bandage fix to a serious and rife data security problem and that the government must follow through with its commitment to completely overhaul the Privacy Act if Australia is to have meaningful deterrents for clumsy data gathering and storage.

O’Neil said she wanted Australia to be “the world’s most cyber-secure country by 2030” and announced the next step to achieving this: a new strategy.

Time to strategise

“Better cyber security for Australia means all businesses and citizens changing how they engage with the internet,” she said.

“We need to prepare for more major cyber-attacks over the coming years as we undertake this important work. The truth is, we are unnecessarily vulnerable.”

In response to a question about diversity, O’Neil said improving the diversity of Australia’s cyber security workforce would be a “critical part” of the strategy’s goals.

“I spend a lot of time with the Australian Signals Directorate and the Australian Cyber Security Centre,” she said.

“Their organisations, and indeed their equivalents around the world, are really pushing on this because we know if we only have cyber experts that look a particular way, we’re missing huge skills and capabilities across the rest of the population.”

Women are notoriously underrepresented in the cyber security industry, by some figures making up just 24 per cent of the workforce.

The previous government released its delayed cyber security strategy in 2020, which included controversial changes to the Critical Infrastructure Act, along with a familiar-sounding 100-person strong team of “cyber detectives” to hunt down “criminal syndicates”.

Exactly what the government’s next cyber security strategy will entail is up to the people who will develop it, including former Telstra CEO Andy Penn, Information Commissioner Rachel Falk, and former Air Force Chief Mel Hupfield.

The cyber security industry has responded favourably to greater attention being paid to its domain.

Adrian Covich, regional director with cyber security company Proofpoint, called the updated strategy “a positive step forward” but said there must be “collaboration between government, enterprises, industry partners and educational institutions” to upskill the nation.

“With the government’s new strategy, we hope Australia can work toward adopting a clear, unified approach to anticipating and overcoming future cyber security challenges,” he said.

Aaron Bugal, regional engineer with security company Sophos, said the government can, realistically, only take Australia’s cyber resilience so far.

“As recent high-profile data breaches have shown, Australian businesses need to step up and work hand-in-hand with the government towards this goal,” he said.

“Internal initiatives must be taken to ensure companies are educated about the current threat landscape, how to respond efficiently and how to conduct strong cyber hygiene. Everyone must play their part for Australia to become the most cyber-secure nation by 2030.”