Cyber Security Strategy – Australian Discussion Paper
This week, a discussion paper was released on the Australian Government’s Australian Cyber Security Strategy 2023-2030. The discussion paper mentions the ambitious goal of making Australia the most cyber-secure country by 2030.
The discussion paper admits the Australian government was ‘unprepared’ to respond to major data breaches in 2022 (Medibank and Optus), emphasizing the importance of protecting customer data and ensuring critical services remain accessible to Australians in the event of a cyber attack.
One of the key policy areas addressed in this strategy is ‘strengthening and harmonizing the regulatory framework’. Several options are being explored to enable this, including:
- Developing best practices for cybersecurity standards.
- New legislation, such as the Cyber Security Act, to more clearly define cyber security obligations.
- Extension of existing critical infrastructure protection laws to include customer data and systems within the definition of critical assets. The proposal is particularly controversial given that Australia’s Signal Authority is empowered to “intervene” and control critical assets as a last resort under its legislation; and
- A single reporting portal for all cyber incidents to harmonize existing requirements for separate reporting to multiple regulators.
Additional policy areas identified for further consideration in the discussion paper include:
- Developing a national framework for responding to major incidents, including developing a fit-for-purpose approach to incident management and coordination, conducting post-mortem reviews of major incidents, and sharing root cause findings.
- Designing and maintaining security in emerging technologies such as quantum computing, IoT, and AI. Each of these can have a significant impact on and be affected by cybersecurity issues.
- Supporting Australia’s cybersecurity workforce and skills pipeline.
The strategy is expected to be finalized by the end of 2023. An expert advisory panel has been established to help develop the strategy and is seeking consultation on the areas outlined in the discussion paper until 15 April 2023.
Appointment of a cyber security coordinator to support coordinated responses to cyber attacks
Since the publication of the discussion paper, the federal government has announced its intention to establish a national cybersecurity coordinator.
The Coordinator forms part of the broader National Cybersecurity Office and is responsible for ensuring a “centrally coordinated approach” to cybersecurity, including coordination of major incidents.
Latest data breach statistics show data breaches are on the rise
The release of the discussion paper on cybersecurity coincides with the release of the latest statistics on the notifiable data breach regime by the Australian Information Commissioner’s Office.
These statistics support the common view that data breaches are on the rise in Australia.
The number of data breaches reported in the six months from July to December 2022 increased by 26% compared to the previous six months. For breaches caused by criminals or malicious attacks, the increase was 46% over the same period. Healthcare and financial services continue to be the two most reported sectors.
Importantly, there were five breaches that affected more than 1 million Australians and one that affected more than 10 million. High-profile incidents affecting Optus and Medibank account for two of these incidents, but these statistics highlight that there are several major unreported data breaches in Australia.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – delta-compliance.com