Cyber Security Strategy

Budget Review 2020–21 Index

Cat Barker

The Government released Australia’s Cyber Security Strategy 2020 (the Strategy) on 6 August 2020. The Strategy, which was delayed due to the COVID-19 pandemic, replaces the 2016 Cyber Security Strategy. The release of the Strategy was informed by extensive public consultation following the release of a discussion paper in September 2019, and an Industry Advisory Panel that reported in July 2020. The Strategy outlines what the Government sees as the responsibilities of government, business and the community, and actions in relation to each, with the Australian Government to ‘focus on critical threats and the most sophisticated actors, while ensuring a baseline of cyber resilience across the economy’.

Key spending measures

The Strategy involves $1.7 billion in funding over ten years. Most of that funding was already committed ahead of the Strategy’s release, under the Cyber Enhanced Situational Awareness and Response (CESAR) package announced in June 2020, and included in the July Economic and Fiscal Update.

The CESAR package redirected $1.4 billion of existing funding from within the Defence portfolio for the Australian Signals Directorate (ASD), the Australian Cyber Security Centre, and the Department of Defence to ‘identify cyber threats, disrupt foreign cyber criminals and increase partnerships with industry and other governments’. As the funding was redirected within the portfolio, the spread of funding across ASD and Defence was not stated. However, it appears that the bulk of the funding, which spans ten years, will go to ASD. Among the most significant funding measures included under the CESAR package and since incorporated into the Strategy were:

  • $470 million to expand the cybersecurity workforce by creating over 500 new jobs within ASD
  • over $118 million for ASD to expand its data science and intelligence capabilities
  • over $62 million for a national situational awareness capability in ASD to better understand and respond to ‘cyber threats on a national scale’
  • over $35 million to deliver a new cyberthreat sharing platform so that government and industry can ‘share intelligence about malicious cyber activity and block emerging threats in near real-time’ and
  • over $31 million to enhance ASD’s ability to disrupt cybercrime offshore and assist Australian law enforcement agencies. This follows the ASD being given an explicit legislative mandate to prevent and disrupt cybercrime undertaken by people or organisations outside Australia when it was established as a statutory agency in 2018.

On top of the CESAR package, the Strategy committed $164.9 million to strengthen capabilities to counter cybercrime, $90.2 million to grow Australia’s cybersecurity skills, $63.4 million to support small and medium enterprises and vulnerable Australians, and $1.6 million to enhance cybersecurity at universities (a detailed list of measures is at Appendix A to the Strategy).

To implement these commitments, the Budget Measures: Budget Paper No. 2: 2020–21 includes a cross-portfolio measure of $201.5 million over four years, and commits to $40.5 million per year in ongoing funding. Some of this funding will be offset by redirecting existing resources from within ASD and the Department of Home Affairs (DoHA). The Australian Federal Police (AFP) will receive the largest component of that funding ($89.9 million), with the remainder spread across DoHA, the Department of Industry, Science, Energy and Resources (DISER), and the Australian Transaction Reports and Analysis Centre (AUSTRAC). The funding comprises:

  • $128.1 million for the AFP, AUSTRAC and DoHA to enhance their capabilities to counter cybercrime
  • $37.7 million for DISER to work with industry and academia on ‘innovative approaches to improve cyber security skills and long-term workforce planning’, redirected from funds allocated to ASD in the Mid-Year Economic and Fiscal Outlook 2019–20 (under the Cyber Security Resilience and Workforce Package)
  • $19.1 million for DoHA to undertake various measures relating to outreach and awareness-raising, and support services for victims of identity theft and cybercrime, partially offset from within existing resources and
  • $8.3 million each for DISER and DoHA to improve the cybersecurity resilience of small and medium enterprises and to strengthen the protection of critical infrastructure assets respectively.

Reaction to the Strategy and associated funding

Some aspects of the Strategy were welcomed, including its focus on protecting critical infrastructure and its clear message to business to take the issue seriously, while other aspects were questioned or criticised. A key criticism of the Strategy and the Government’s communications about it has been the focus on the ‘pointy end’ of cybersecurity, with much of the associated funding and messaging focused on improving intelligence and law enforcement agency capabilities. While the Strategy also includes measures aimed at improving the cybersecurity resilience of smaller businesses and building the cybersecurity workforce, those aspects were seen as less prominent and received less government funding. The Strategy was also criticised for lacking clear timeframes, measurable outcomes, and support for the local cybersecurity sector, and for leaving responsibility for cybersecurity with the Minister for Home Affairs instead of a dedicated minister, as had existed from 2016 to 2018. Commentators also noted that the funding, while significantly higher than the $230 million allocated under the 2016 strategy, is spread over ten years and may not be adequate for the task.

Proposed legislative reforms

Some of the measures outlined in the Strategy will require legislation.

As recommended by the Industry Advisory Panel, the Strategy includes a focus on increasing the cyber resilience of Australia’s critical infrastructure. Among the related measures proposed in the Strategy are amendments to the Security of Critical Infrastructure Act 2018 (SCI Act) to establish an enhanced regulatory framework for critical infrastructure.

The Government released a consultation paper on the proposed framework in August 2020 (submissions closed on 16 September). The proposed regulatory framework comprises three key components:

  • positive security obligations for critical infrastructure entities (including, but not limited to, cybersecurity; the framework will take an ‘all-hazards’ approach) supported by sector-specific standards
  • enhanced cybersecurity obligations for systems of national significance (the subset of entities assessed as being of highest criticality) and
  • assistance for entities targeted by cyber attacks, including the ability for the Government to issue directions to entities and in limited circumstances to ‘take direct action to protect a critical infrastructure entity or system in the national interest’ (the latter has been categorised as a power for ASD to ‘hack back’).

The SCI Act currently imposes regulatory obligations on certain entities in the electricity, gas, water and maritime ports sectors, and the telecommunications sector has obligations under similar sector-specific legislation. The proposed reforms will impose security obligations on a broader range of sectors, including banking and finance, industry for defence, food and grocery, health, and transport.

The Strategy also stated that the Government would ‘work to ensure law enforcement has the powers and capabilities to investigate and disrupt cyber crime, including on the dark web’. The Government has yet to release full details of this proposal. Based on comments by the Minister for Home Affairs at a press conference and various media reports (including in the Australian, Sydney Morning Herald and Guardian), it appears that the Government intends to allow the AFP and the Australian Criminal Intelligence Commission to obtain court-issued warrants under which they can identify and disrupt online criminal activity, supported by ASD’s advice on technical capability.

 

All online articles accessed October 2020

For copyright reasons some linked items are only available to members of Parliament.


© Commonwealth of Australia

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

This work has been prepared to support the work of the Australian Parliament using information available at the time of production. The views expressed do not reflect an official position of the Parliamentary Library, nor do they constitute professional legal opinion.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.