A powerful partner for the UK: Insight into Australia’s 2023-2030 Cyber security strategy
To maintain our global defence in cyber security, we rely on the standing of the UK and our partners. Joined to us by the long-standing Five Eyes alliance and, since 2021, the AUKUS partnership, Australia is a key partner for the UK. While we’re separated geographically by a large distance, that distance proves insignificant in the cyber domain.
The Australian government recently released its 2023-2030 Cyber Security Strategy and accompanying Action Plan, with the goal of becoming a world leader over the next seven years. Given that only three years ago Australia was ranked #10 and is now #5 as the Most Comprehensive Cyber Power according to a Harvard study, we’re intrigued by Australia’s perspective and approach to progress.
To reach its vision, Australia lays out a three-phase approach across six shields or defence layers:
- Strong businesses and citizens
- Safe technology
- World-class threat sharing and blocking
- Protected critical infrastructure
- Sovereign capabilities
- Resilient region and global leadership
The first phase (2023-2025) will address gaps and raise cyber maturity across the region. The second phase (2026-2028) will scale cyber maturity, and the third phase (2029-2030) sees Australia advancing cyber security technologies and shaping global standards.
In this article, we identify several key areas in Australia’s cyber strategy, relate them to the UK’s own initiatives, recommend where the UK should follow suit, and share how Australia’s plans could impact the UK and the international community.
Arming businesses with knowledge
Small and medium businesses (SMBs) are increasingly a target for cyber criminals deterred by the defences of large corporations. Australia aims to strengthen SMBs and diverse organisations through free cyber maturity assessments and resources online, initiatives which the UK currently has in place. The UK’s National Cyber Security Centre (NCSC) publishes online resources for small businesses and maintains a certification program called Cyber Essentials (CE), where business owners self-assess against government-backed standards of protection against cyber threats. For further reassurance, businesses can opt for independent verification via Cyber Essentials Plus, as we’ve done. A secondary goal of CE is to collect threat intelligence; in the certification program, businesses are asked if they’re comfortable with IASME, a delivery partner of NCSC, contacting them in the event of a breach to gather and use their data to plot threat actor movements and targets.
Zero Trust: A welcome change
The security model of zero trust means that no user is trusted by default: users must be authenticated, authorised, and verified regardless of where they are on the network, and they’re given only the access they need. In effect, a system administrator can track every device on the network and revoke a device’s access immediately. Australia is shifting to a zero-trust culture for the entire government, which is a big improvement for any country considering the challenges of legacy systems and the sheer size of a governmental organisation. We have yet to see this level of commitment from the UK government, although the government does encourage zero trust and publishes guidance on it.
Expanding digital ID
To minimise the sharing of personal information as a means of authentication, Australia plans to expand its Digital ID program. This initiative is aligned with a global effort that has been underway for a few years, as outlined in a report by the World Economic Forum. The need to verify COVID-19 status during the pandemic proved the viability of cryptographically backed, decentralised Digital ID, and that experience became the basis for a wider Digital ID program intended to change the identity landscape completely.
Fortifying critical infrastructure, MSPs included
Strengthening Australia’s foundations goes beyond strengthening individual businesses and authenticating individual accounts. In its strategy, Australia declares it will also hold telecom providers to the same standards as all other critical infrastructure. Similarly, the UK government set out to accomplish this with the Telecommunications Security Act 2021. Before the government stepped in, telecom providers set their own standards but had little incentive to do so. By requiring standards across the country, in both Australia and the UK, the telephone and internet equipment we all depend on will be less vulnerable to cyber criminals and nation state actors.
Australia also specifies that managed service providers (MSPs) are in scope: if an MSP handles critical infrastructure, that MSP must abide by the relevant regulations and obligations as well. After a public consultation in 2022, the UK government concluded the same; one pending update is to bring MSPs under the scope of the Network and Information Systems (NIS) Regulations 2018. Ensuring MSPs meet the same standards makes complete sense, as the focus should be on what is being protected (i.e., critical infrastructure) rather than on who is performing the work.
Raising the stakes to fight ransomware
The Australian government plans to require businesses to report ransomware attempts (and successes) through a “mandatory no fault, no liability ransomware reporting obligation.” We think Australia’s push is much needed: when businesses are transparent, their collective data can strengthen our defences and reduce risk across the board. As for where the UK stands, “mandatory” is the key word here; the UK encourages reporting but doesn’t require it. We’d like to see the UK government prioritise its response to ransomware and require participation as Australia envisions. Given a December 2023 parliamentary committee report that concludes there is “a high risk that the Government will face a catastrophic ransomware attack at any moment and that its planning will be found lacking,” we’re not alone.
Threat intelligence via industry partnerships
To “create a whole-of-economy threat intelligence network,” Australia will scale its existing threat intelligence platform so industry and government can exchange high volumes of intelligence at speed. This initiative is familiar to the UK; since 2013, NCSC has hosted the Cyber Security Information Sharing Partnership (CiSP), a platform for organisations to share threat information securely in a confidential environment. To scale threat blocking, as Australia also plans to do, the UK partners with industry (recently, BAE Systems) for its National Cyber Force, which counters and disrupts threats in cyberspace. Information is power, and as Australia is part of our Five Eyes signals intelligence alliance, improvements on their end will enhance the UK’s knowledge as well.
The power and capability to respond to crisis
Complementing threat intelligence is the ability to respond when incidents happen. To position itself as the partner of choice for its neighbours in the Pacific and Southeast Asia, Australia is building a cyber crisis response team and piloting technologies to deploy cyber protection at scale. Strength in this region supports the UK’s interests through AUKUS as well, which includes cyber capabilities in artificial intelligence (AI) and quantum cryptography, both of which NCSC has recently published guidance on.
Australia will introduce a last-resort power that allows the government to direct entities through incidents that significantly affect the nation. The UK has laws that give regulators powers to instruct organisations on their security response and to impose fines if necessary. As an aside, the UK’s intention is not simply to instruct but also to support: the NCSC Incident Management team partners with industry to respond to serious incidents nationwide, performing analysis and post-incident clean-up, all free of charge.
No-fault cyber incident reviews
With industry, Australia will establish a Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned with the public. Currently, in the UK, the Information Commissioner’s Office (ICO) is our source of truth for data breaches fined under the GDPR, whether the companies self-reported or were reported by others. We believe the ideal solution would be an international, widely adopted Cyber Incident Review Board built on the “no-fault, no-liability” principle Australia proposes. More companies would be willing to admit when incidents occur rather than stay silent for fear of potentially hefty GDPR fines imposed by the ICO. We have more to gain by learning from each other than by keeping incidents under wraps.
As part of the envisioned cyber incident review board, Australia will build a reporting portal as a central location for data analysis. If an international board comes to fruition, Australia’s portal could be used by the international community as well. Investigators could collate and map data to identify the entire attack surface, minimise this surface, and recommend next steps for companies to take, such as meeting NCSC’s baselines outlined in Cyber Essentials.
World leaders as partners
Australia lays out an ambitious strategy to position itself as a world leader in cyber security over the next seven years. While Australia walks the same path the UK has in areas such as aligning critical infrastructure security and scaling threat intelligence networks, Australia forges ahead by committing to zero trust, mandating ransomware reporting by businesses, and establishing a culture of transparency with a no-fault cyber incident review board. We look forward to seeing how Australia progresses toward its vision, and perhaps the UK will soon follow suit. Either way, a stronger Australia means a more robust alliance for our national security and a safer cyber domain for all.