The Commonwealth Government's 2023 Cyber Security Strategy outlines six 'cyber shields' to make Australia a cybersecurity leader by 2030. Read more at 2023-2030 Australian Cyber Security Strategy.
The 'cyber shields' include strong businesses and citizens, safe technology, threat sharing, protected critical infrastructure, sovereign capabilities, and global leadership. The strategy supports small businesses in handling cyber incidents and promotes safer technology to protect assets and ensure trust. It emphasises Australia’s role in international cyber law and regional support.
The Government proposed amending the Security of Critical Infrastructure Act 2018 (Cth) ("SOCI Act") to address gaps from recent cyber incidents (see Security of Critical Infrastructure). Amendments include clarifying data protection obligations, introducing a last-resort power for the Minister, simplifying information sharing, and consolidating telecommunications security under the SOCI Act.
In 2022-23, the MCIR regime reported 188 significant cyber incidents. The Government committed to minimal regulatory burdens while supporting industry, aligning with the Privacy Act 1988 (Cth) (for more information, see the Privacy Law page).
2023-2030 Australian Cyber Security Strategy: Legislative Reforms Consultation Paper
The Consultation Paper covered new cyber security laws and SOCI Act amendments. It did not address “co-design” initiatives or the Privacy Act Review.
Submissions were sought on Internet of Things security standards. The voluntary Code of Practice: Securing the Internet of Things for Consumers was introduced in 2020. Proposals included a no-fault ransomware reporting obligation, modeled after the US CISA Act. Other proposals included a ‘limited use’ obligation for Australian Signals Directorate ("ASD") information, under the Intelligence Services Act 2001 (Cth). Establishing a Cyber Incident Review Board ("CIRB") for no-fault reviews was also proposed, modeled after the US Cyber Safety Review Board.
Amendments to the SOCI Act
The Government considered SOCI Act reforms due to gaps from recent cyber incidents. Amendments included clarifying data protection obligations, introducing a last-resort power for the Minister, simplifying information sharing, allowing the Secretary to direct entities to fix deficiencies, and consolidating telecommunications security under the SOCI Act.
Proposed changes to the SOCI Act included expanding the definition of "asset" to include 'business-critical data', updating rules to classify risks, allowing directions to prevent incident consequences, and authorizing information sharing (see page 45 of the Consultation Paper).
Importance of Protecting Critical Infrastructure
Critical infrastructure is vital for daily life and national security. Cyber threats, like the 2021–2022 Optus and Medibank cyber incidents, have highlighted the impact of breaches (for more on this, see Litigation).