Goal

Australia’s networks and systems are hard to compromise and resilient to cyber attacks.

By strengthening our cyber defences, we build resilience and derive trust and confidence. Cyber security incidents also offer an opportunity to learn. We continue to share and collaborate between the public and private sectors, but we need to change the parameters and be more forward leaning: getting Joint Cyber Security Centres up and running is just the beginning.

Delivering the Strategy

  • The pilot Joint Cyber Security Centre was opened in Brisbane on 24 February 2017. More than 20 organisations are represented from the energy, water, finance, transport and mining sectors, as well as Queensland Government, CERT Australia, the Australian Federal Police and the Australian Criminal Intelligence Commission. Priorities for the Centre are automated information sharing and targeted analysis of specific cybercrime threats against Australian industry networks.
  • CERT Australia has commenced scoping the Cyber Security Information Sharing Portal, building on their existing industry portal and the Australian Signals Directorate’s OnSecure service for government agencies.
  • Government’s cyber security agencies have been recruiting: CERT Australia has expanded its capability to provide specialised security advice to Australia’s critical infrastructure companies on industrial control systems; the Australian Criminal Intelligence Commission has boosted its capacity to link online cybercrime personas with real world identities, pinpointing a group that specialise in targeting Australians.
  • The Australian Federal Police has commenced a comprehensive program to up-skill staff to tackle contemporary cybercrime. Programs for cyber investigators are also open to participation by state and territory police.
  • The Office of the Cyber Security Special Adviser has comprehensively revised the Government’s Cyber Incident Management Arrangements which outline roles and responsibilities for response to malicious cyber incidents. The arrangements are being tested with the private sector in April 2017.

“Crisis incident response remains a key challenge across government and business given the uncertainty and intangible nature of cyber incidents compared to other incidents such as natural disasters and terrorism. A joint program between government and the private sector is important so that capability and best practices can be shared”.

Steve Jackson, Head of Security, Qantas
  • CERT Australia has drafted national cyber security exercise program guidelines and an evaluation framework, which will be socialised with Commonwealth, state and territory governments and private sector partners. Two discussion exercises have been held and a program is being developed to test a range of cyber readiness and resilience scenarios.
  • The Australian Signals Directorate’s Strategies to Mitigate Cyber Security Intrusions has been comprehensively updated. A new Essential Eight sets a contemporary global cyber security standard, with practical steps organisations can implement to make their networks and data more secure.
  • A public-private co-design process, led by CERT Australia, kick-started the development of Voluntary Cyber Security Guidelines in late 2016.
  • The Department of Defence has commenced recruitment and capability planning for the cyber security initiatives to be delivered through the Defence White Paper 2016.
  • The ASX 100 Health Check has brought cyber security into our top boardrooms, with an April launch of the industry-led survey report on cyber security governance in our top companies.
  • The Australian Signals Directorate conducted surveys of commonwealth agencies’ cyber security postures based on their implementation of the ‘Top 4’ Strategies to Mitigate Targeted Cyber Intrusions (from 2017, this will extend to the ‘Essential Eight’). This effort allows the Commonwealth to focus security efforts on high risk agencies and systems of national importance.

Building on the Strategy

The #Censusfail of 2016 afforded Government an opportunity to look introspectively at how cyber security is implemented. From system design to contract management, there were lessons for all government agencies. As a result, we will see greater awareness of cyber security at the executive level, increased understanding and uptake of cloud services, and the security of online systems being assessed with more rigour – ensuring the Australian public trust the government to deliver securely online.

Following the declaration of Australia’s offensive cyber capability in the Cyber Security Strategy¸ the Prime Minister announced in November 2016 that offensive cyber capabilities are being employed in support of Australian Defence Force operations against Islamic State. This contributes to our national deterrence posture, and promoted mature discussion about the application of such capabilities under international law.

The Australian Cyber Security Centre 2016 Threat Report - the most forward leaning yet in describing government’s understanding of the cyber security landscape - was welcomed by the private sector for its content and practical guidance on cyber security mitigation. Delivering on the Prime Minister’s intent to be more open about acknowledging, explaining and analysing the problem, the Government is committed to continuing to publish material in this vein, such as the April 2017 advice on the global targeting of enterprises via malicious compromise of managed service providers.

Next Steps

Australians and their businesses are at the front line of cybercrime and they expect government to act. The Government is committed to working with states and territories to enhance our national response, including through a proposal to develop a new ‘National Plan to Combat Cybercrime’. Working with industry, government will also explore a policy framework to identify measures to protect Australians from cybercrime: more than merely logging and monitoring malicious activity, to take proactive steps to reduce the threat.

The new Critical Infrastructure Centre in the Attorney-General’s Department – in cooperation with the Australian Cyber Security Centre – will work closely with our national critical infrastructure companies to identify cyber vulnerabilities, develop risk assessments and risk management strategies.

The Joint Cyber Security Centre program will be accelerated to meet demand with further centres to open in Melbourne, Sydney and Perth in 2017. This will be followed by Adelaide in the first half of 2018 and this will ensure that we have more on the ground exchange of information and expertise, more quickly.

Strong Defenses
Strong Cyber Defenses

It has become clear since the launch of the Cyber Security Strategy that more needs to be done to support the cyber security capacity of Australia’s small and medium businesses. Consultation has commenced with both small and large businesses and industry associations about developing a targeted approach.

Initiatives will take account of the reality of the environment in which these businesses operate, where time and resources are not readily available to tackle what can seem to be an insurmountable problem. This will complement the Cyber Security Strategy commitment to expand the services of the Council of Registered Ethical Security and Testers Australia and New Zealand and provide grants to small business to access these services, which will commence in 2018.

Work will commence on scoping a policy approach to ICT supply chain security risks to government systems and services. Government will also collaborate with industry to identify practical measures to improve the security of Internet of Things devices.

“The Strategy has helped raise the profile of the risks of cyber attack for the 3 million small to medium enterprises in Australia but more needs to be done. Many small businesses don’t understand customer databases are valuable and ransomware can bring most businesses to a standstill. The challenge for the next 12 months is to show all businesses that they are easy targets if they have not adopted simple and inexpensive procedures to protect their data and systems.”

Kate Carnell, Australian Small Business and Family Enterprise Ombudsman