
Action Plan

Overview

This Action Plan complements the Strategy by outlining the actions the Government will take to achieve Australia’s cyber security goals by 2020:

  • Governments, business and the research community together advance Australia’s cyber security through a national cyber partnership.
  • Australia’s networks and systems are hard to compromise and resilient to cyber attacks.
  • Australia promotes an open, free and secure cyberspace by taking global responsibility and exercising international influence.
  • Australian businesses grow and prosper through cyber security innovation.
  • Australians have the cyber security skills and knowledge to thrive in the digital age.

Recognising that cyberspace constantly changes, the Government will evaluate its progress and update this Action Plan annually.

Action

In partnership with the private sector, establish a layered approach to cyber threat information sharing through:

  • partnerships between businesses and the Government within the Australian Cyber Security Centre;
  • co-designed joint cyber threat sharing centres (initially as a pilot) in key capital cities; and
  • a co-designed online information sharing portal.

Outcome

Partnerships between the Australian Cyber Security Centre and the private sector are increased and proven valuable for both parties.

 

An operating model for the joint cyber threat sharing centres is developed, successfully piloted and reviewed.

 

Based on the outcomes of the pilot, a national rollout of joint cyber threat sharing centres improves co-location of businesses and the research community together with State, Territory and Government agencies, to share:

• timely and actionable information on cyber security threats and risks;
• knowledge about new/evolving actors and intrusion methods; and
• expertise to solve problems and learn lessons from ‘near misses’ and compromises.

 

Cyber security information is delivered to a wider range of organisations through the online information sharing portal.

Action

Increase the Computer Emergency Response Team (CERT) Australia’s capacity.

Outcome

CERT Australia’s services are expanded for a wider group of businesses, with improved technical capability.

 

CERT Australia increases its international partnerships, focusing on prevention and shutting down malicious cyber activity.

Action

Boost the Government’s capacity to fight cybercrime in the Australian Crime Commission.

Outcome

The Australian Crime Commission increases its capacity and capability to detect and analyse cybercrime.

Action

Boost the Government’s capacity to fight cybercrime in the Australian Federal Police.

Outcome

The Australian Federal Police increases its capacity and capability to investigate cybercrime.

Action

Collaborate with Australian governments to ensure law enforcement officers receive the training they need to fight cybercrime across the nation.

Outcome

Skills needs for law enforcement officers, including specialist roles, to fight cybercrime are identified.

 

A specialist training strategy is developed and implemented.

Action

Increase the Australian Signals Directorate’s capacity to identify new and emerging cyber threats to our security and improve intrusion analysis capabilities.

Outcome

The Australian Signals Directorate increases its capacity and capability to identify cyber threats and develops responses to an increasingly complex digital environment.

 

The Australian Signals Directorate expands the number of cyber security services it offers to a wider range of organisations.

Action

Strengthen Defence’s cyber security capacity and capability, through initiatives in the 2016 Defence White Paper.

Outcome

Defence strengthens its cyber capabilities to protect itself and other critical Australian Government systems from malicious cyber intrusion and disruption.

 

Defence enhances the resilience of networks, including networks used by deployed forces, and the capability of the Australian Cyber Security Centre and its cyber workforce, including new military and APS positions and training programs.

Action

Expand the nation’s cyber incident management arrangements and exercising program.

Outcome

The Government’s cyber incident management arrangements respond to the evolving cyber threat landscape.

 

Australian governments understand how their respective cyber and incident response teams would operate together in a cyber crisis.

 

The Government and private sector establish a program of joint cyber exercises.

 

Australia works with international partners on developing policies for incident response as a confidence building measure.

Action

Co-design voluntary guidelines on good cyber security practice.

Outcome

The Government and private sector co-design and publish baseline guidance for Australian cyber security that provides a benchmark for good practice, informs cyber security insurance and meets corporate obligations.

 

Australia’s good practice guidelines are an economic and security asset—they provide a commercial advantage and ensure cyber risks to critical services are risk assessed and managed.

 

Australian businesses, small and large, have improved understanding of good cyber security practices.

Governments, critical services and high risk sectors demonstrate good cyber security practices.

Action

Continue to regularly update the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions.

Outcome

The Strategies to Mitigate Cyber Intrusions remain world-leading, publicly available advice on how to best protect against targeted malicious cyber activity.

Action

Co-design voluntary cyber security ‘health checks’ for ASX100 listed businesses.

Outcome

Executives and boards in the ASX100 better understand cyber security strengths and opportunities for their business.

 

Decision makers in the ASX100 receive tailored information on the impact of cyber risks to their companies.

 

Australia’s highest performing businesses lead a national effort towards best practice cyber security.

 

Increased cyber resilience in Australia’s largest companies.

Action

Support the Council of Registered Ethical Security Testers (CREST) Australia New Zealand to expand its range of cyber security services.

Outcome

CREST Australia New Zealand grows its current pool of accredited companies to meet the demand of businesses accessing their services.

 

CREST Australia New Zealand diversifies the services it accredits. Types of assessment might include penetration testing, vulnerability analysis and assessment against best practice standards.

Action

Support small businesses to have their cyber security tested by CREST Australia New Zealand accredited providers.

Outcome

Australian small businesses have access to accredited experts to assess their cyber security, helping them to take responsibility for the security of their own networks.

 

Australian small businesses understand their potential cyber security vulnerabilities and where to find trusted cyber security advice.

 

Australian small businesses are empowered with the knowledge they need to make considered cyber security investments to protect their business long term.

 

Large and small businesses increase trust in the connections they have with each other.

Action

Improve Government agencies’ cyber security through a rolling program of independent assessments of agencies’ implementation of the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions.

Outcome

Government agency cyber security practices are the exemplar for public and private sector organisations in Australia.

 

Government agencies are empowered to maintain a high level of cyber security and are equipped to improve their cyber security capability.

 

Non-Government information stored on Government networks is resilient to malicious cyber activity.

Action

Improve Government agencies’ cyber security through independent cyber security assessments for agencies at higher risk of malicious cyber activity that also help those agencies address the findings.

Outcome

Government agency cyber security practices are the exemplar for public and private sector organisations in Australia.

 

Government agencies are empowered to maintain a high level of cyber security and are equipped to improve their cyber security capability.

 

Non-Government information stored on Government networks is resilient to malicious cyber activity.

Action

Improve Government agencies’ cyber security through increasing the Australian Signals Directorate’s capacity to assess Government agencies’ vulnerability, provide technical security advice and investigate emerging technologies.

Outcome

Government agency cyber security practices are the exemplar for public and private sector organisations in Australia.

 

Government agencies are empowered to maintain a high level of cyber security and are equipped to improve their cyber security capability.

 

Non-Government information stored on Government networks is resilient to malicious cyber activity.

Action

Develop guidance for Government agencies to consistently manage supply chain security risks for ICT equipment and services.

Outcome

Government agencies have clear guidance on identifying and managing cyber security risks when procuring ICT equipment and services.