Budget Review 2020–21 Index
The Government released Australia’s
Cyber Security Strategy 2020 (the Strategy) on 6 August 2020. The
Strategy, which was delayed
due to the COVID-19 pandemic, replaces the 2016 Cyber
Security Strategy. The release of the Strategy was informed by
consultation following the release of a discussion
paper in September 2019, and an Industry
Advisory Panel that reported in July 2020. The Strategy outlines what the
Government sees as the responsibilities of government, business and the
community, and actions in relation to each, with the Australian Government to
‘focus on critical threats and the most sophisticated actors, while ensuring a
baseline of cyber resilience across the economy’.
Key spending measures
The Strategy involves $1.7
billion in funding over ten years. Most of that funding was already committed
ahead of the Strategy’s release, under the Cyber
Enhanced Situational Awareness and Response (CESAR) package announced in June
2020, and included in the July Economic and
The CESAR package redirected $1.4
billion of existing funding from within the Defence portfolio for the
Australian Signals Directorate (ASD), the Australian
Cyber Security Centre, and the Department of Defence to ‘identify cyber
threats, disrupt foreign cyber criminals and increase partnerships with
industry and other governments’. As the funding was redirected within the
portfolio, the spread of funding across ASD and Defence was not stated.
However, it appears that the bulk of the funding, which spans ten years, will
go to ASD. Among the most significant funding measures included
under the CESAR package and since incorporated into the Strategy were:
- $470 million to expand the cybersecurity workforce by
creating over 500 new jobs within ASD
- over $118 million for ASD to expand its data science and
- over $62 million for a national situational awareness
capability in ASD to better understand and respond to ‘cyber threats on a
- over $35 million to deliver a new cyberthreat sharing
platform so that government and industry can ‘share intelligence about
malicious cyber activity and block emerging threats in near real-time’ and
- over $31 million to enhance ASD’s ability to disrupt
cybercrime offshore and assist Australian law enforcement agencies. This
follows the ASD being given an explicit legislative
mandate to prevent
and disrupt cybercrime undertaken by people or organisations outside
Australia when it was established as a statutory agency in 2018.
On top of the CESAR
package, the Strategy committed $164.9 million to strengthen capabilities
to counter cybercrime, $90.2 million to grow Australia’s cybersecurity
skills, $63.4 million to support small and medium enterprises and
vulnerable Australians, and $1.6 million to enhance cybersecurity at
universities (a detailed list of measures is at Appendix A to the Strategy).
To implement these commitments, the Budget Measures:
Budget Paper No. 2: 2020–21 includes a
cross-portfolio measure of $201.5 million over four years, and commits to
$40.5 million per year in ongoing funding. Some of this funding will be
offset by redirecting existing resources from within ASD and the Department of
Home Affairs (DoHA). The Australian Federal Police (AFP) will receive the
largest component of that funding ($89.9 million), with the remainder
spread across DoHA, the Department of Industry, Science, Energy and Resources
(DISER), and the Australian Transaction Reports and Analysis Centre (AUSTRAC).
The funding comprises:
- $128.1 million for the AFP, AUSTRAC and DoHA to enhance
their capabilities to counter cybercrime
- $37.7 million for DISER to work with industry and academia
on ‘innovative approaches to improve cyber security skills and long-term
workforce planning’, redirected from funds allocated to ASD in the Mid-Year
Economic and Fiscal Outlook 2019–20 (under the Cyber Security
Resilience and Workforce Package)
- $19.1 million for DoHA to undertake various measures
relating to outreach and awareness-raising, and support services for victims of
identity theft and cybercrime, partially offset from within existing resources
- $8.3 million each for DISER and DoHA to improve the cybersecurity
resilience of small and medium enterprises and to strengthen the protection of
critical infrastructure assets respectively.
Reaction to the Strategy and
aspects of the Strategy were welcomed, including its focus on protecting
critical infrastructure and its clear message to business to take the issue
seriously, while other aspects were questioned or criticised. A key criticism
of the Strategy and the Government’s communications about it has been the
focus on the ‘pointy end’ of cybersecurity, with much of the associated
funding and messaging focused on improving
intelligence and law enforcement agency capabilities. While the Strategy
also includes measures aimed at improving
the cybersecurity resilience of smaller businesses and building the cybersecurity
workforce, those aspects were seen
as less prominent and received less government funding. The Strategy was
also criticised for lacking clear
outcomes, and support
for the local cybersecurity sector, and for leaving
responsibility for cybersecurity with the Minister for Home Affairs instead
of a dedicated
minister, as had existed from 2016 to 2018. Commentators also noted that
the funding, while significantly
higher than the $230 million
allocated under the 2016 strategy, is spread
years and may
not be adequate for the task.
Proposed legislative reforms
Some of the measures outlined in the Strategy will require
by the Industry Advisory Panel, the Strategy includes a focus on increasing
the cyber resilience of Australia’s critical infrastructure. Among the related measures
proposed in the Strategy are amendments to the Security of
Critical Infrastructure Act 2018 (SCI Act) to establish an enhanced
regulatory framework for critical infrastructure.
The Government released a consultation
paper on the proposed framework in August 2020 (submissions
closed on 16 September). The proposed
regulatory framework comprises three key components:
- positive security obligations for critical infrastructure
entities (including, but not limited to, cybersecurity; the framework will take
an ‘all-hazards’ approach) supported by sector-specific standards
- enhanced cybersecurity obligations for systems of national
significance (the subset of entities assessed as being of highest criticality)
- assistance for entities targeted by cyber attacks, including the
ability for the Government to issue directions to entities and in limited
circumstances to ‘take direct action to protect a critical infrastructure
entity or system in the national interest’ (the latter has been categorised as
for ASD to ‘hack back’).
The SCI Act currently imposes regulatory obligations
on certain entities in the electricity, gas, water and maritime ports sectors,
and the telecommunications sector has obligations under similar
sector-specific legislation. The proposed reforms will impose security
obligations on a broader range of sectors, including banking and finance, industry
for defence, food and grocery, health, and transport.
The Strategy also stated that the Government would ‘work to
ensure law enforcement has the powers and capabilities to investigate and
disrupt cyber crime, including on the dark web’. The Government has yet to
release full details of this proposal. Based on comments
by the Minister for Home Affairs at a press conference and various media
reports (including in the Australian,
Morning Herald and Guardian),
it appears that the Government intends to allow the AFP and the Australian
Criminal Intelligence Commission to obtain court-issued warrants under which
they can identify and disrupt online criminal activity, supported by ASD’s
advice on technical capability.
All online articles accessed October 2020
© Commonwealth of Australia