The federal government has stopped short of banning ransom payments but will provide a ransomware “playbook” for Australian businesses and require the reporting of attacks as part of its long-awaited $586 million Cyber Security Strategy.

Home Affairs Minister Clare O’Neil unveiled the 2023-2030 Cyber Security Strategy on Wednesday morning, after a year of consultations and development following the high-profile cyber attacks on Optus and Medibank.

New policies in the strategy include a ransomware “playbook” for Australian businesses, increased efforts to attract skilled cyber workers from overseas, stronger reporting requirements for telcos, mandatory reporting of ransomware attacks and a review of current data retention laws.

O’Neil blamed the previous Coalition government for a “cyber slumber” and said the new strategy will make Australia a “harder target”.

“This is going to be a game-changing strategy for cybersecurity in Australia, which is without a question our fastest-growing national security challenge,” O’Neil told ABC RN Breakfast.

“The cyber strategy the government is releasing today is not just a big vision document about what the world may look like in 2030, it is a very specific set of tangible things the government will do to change the game for our country.”

The government has opted not to make ransom payments by businesses to attackers illegal, with O’Neil saying the “hard work” has not yet been done on what the impact of such a ban would be.

“This is a really big problem for the country and we do need to move towards a position where we implement a complete ban on paying ransoms,” she said.

The government will also work with industry to develop legislation introducing a “no-fault, no-liability” ransomware reporting obligation for business, which will involve anonymised reports of ransomware and cyber extortion trends shared with industry and the broader community.

It’s an initiative aiming to address concerns that businesses are not reporting cyber incidents due to fears of recriminations from authorities and regulators.

The strategy is split into six “cyber shields”: strong businesses and citizens, safe technology, world-class threat sharing and blocking, protected critical infrastructure, sovereign capabilities, and resilient region and global leadership.

Phase one of the new strategy will run until 2025 and is based on “building out strong foundations” by addressing serious gaps in national cyber security.

It includes $586.9 million in new funding for a range of initiatives, on top of the $2.3 billion already allocated to cyber by the federal government.

Metadata retention review

As part of the strategy, the Commonwealth will review legislative data retention requirements to look at whether these measures are appropriately balanced and if there are “any unnecessary burden and vulnerabilities that arise from entities holding significant volumes of data for longer than necessary”.

Following the review, the government will then explore options to “minimise and simplify data retention requirements”.

This could lead to significant changes to the controversial metadata retention scheme, which requires telecommunication firms to keep data on the time and type of communications of users for at least two years.

For small and medium businesses, $290.8 million will go towards building awareness, combating cyber crime and assistance in the event of a hack. This includes a cyber health check program, where businesses can receive a free and tailored assessment of their cyber maturity, and the Small Business Cyber Security Resilience Service, which will provide advice and assistance following a security incident.

The strategy also includes the establishment of a new Cyber Incident Review Board, providing a no-fault post-incident review mechanism, and plans to legislate a limited use obligation for the Australian Signals Directorate and the Cyber Coordinator, meaning the bodies will be limited in sharing information on cyber attacks with regulators.

Telecommunications companies will also be included in the government’s critical infrastructure regime under the new strategy.

“This will better align obligations for critical infrastructure entities that span multiple sectors, reduce regulatory duplication and complexity and provide scalable obligations for the telecommunications sector,” the strategy said.

The strategy includes $129.7 million for regional cooperation, cyber capacity uplift programs and leadership in cyber governance forums on the international stage, and $143.6 million for critical infrastructure strengthening.

The new strategy was designed with the help of consulting giant McKinsey, which was paid a total of $2.1 million over three months to work on it.