Australia: Cyber security round-up – new Cyber Security Strategy, data breach stats and more

By Magda Zmorka on March 3, 2023

Cyber Security Strategy discussion paper launched

This week saw the launch of a discussion paper for the Australian Government’s 2023-2030 Australian Cyber Security Strategy. The discussion paper refers to the lofty aim of making Australia the most cyber secure nation by 2030.

The discussion paper, which acknowledges that the Australian Government was “ill-equipped” to respond to the large scale data breaches which occurred in 2022 (namely Medibank and Optus), emphasises the importance of protecting customer data and enduring that Australians can continue to access critical services in the event of a cyber-attack.

One of the core policy areas that will be addressed in the Strategy is the “enhancement and harmonisation of regulatory frameworks”. Several options are being considered to give effect to this, including:

Development of best practice cyber security standards.
New laws, such as a Cyber Security Act, to provide a more explicit specification of cyber security obligations;
Expansion of the existing Security of Critical Infrastructure Act to include customer data and systems within the definition of critical assets. This proposal is particularly controversial given the power for the Australian Signals Directorate to “step-in” and control critical assets as a measure of last resort under that Act; and
A single reporting portal for all cyber incidents, to harmonise the existing requirements to report separately to multiple regulators.

Additional policy areas identified for further consideration in the discussion paper include:

Developing national frameworks to respond to major incidents, including the development of fit-for-purpose approaches to incident management and coordination and ensuring that post-incident reviews of major incidents are conducted and root cause findings shared.
Designing and sustaining security in new technologies, such as quantum computing, IoT and AI, each of which have the potential to significantly impact, and be impacted by, cyber security issues.
Supporting Australia’s cyber security workforce and skills pipeline.

The Strategy is expected to be finalised by the end of 2023. An Expert Advisory Board has been established to assist with development of the Strategy, and is inviting consultations on the areas outlined in the discussion paper until 15 April 2023.

Establishment of Cyber Security Coordinator to assist with coordinated responses to cyber attacks

Since the release of the discussion paper, the Federal Government has announced its intent to establish a national Coordinator for Cyber Security.

The Coordinator will form part of a broader National Office for Cyber Security and will be responsible for ensuring a “centrally coordinated approach” to cyber security, including coordination of major incidents.

Latest data breach statistics show that data breaches are on the rise

The launch of the cyber security discussion paper coincides the with publication of the Office of the Australian Information Commissioner’s latest statistics on the notifiable data breach regime.

These statistics confirm the commonly held view that data breaches are on the rise in Australia.

The 6 month period from July – December 2022 saw a 26% increase in the number of data breaches reported against the previous 6 month period. For breaches caused by criminal or malicious attacks, the increase was 46% for the same period. Health care and financial services remain the two highest reporting sectors.

Significantly there were five breaches which impacted more than 1 million Australians –with one impacting more than 10 million. Whilst the high-profile incidents affecting Optus and Medibank account for two of these incidents, these statistics highlight that several major data breaches have gone unreported in Australia.