Cyber security plan will centralise government networks
Prime Minister Scott Morrison has promised stronger defences for government networks and data as he released the long-awaited 2020 cybersecurity strategy.
The $1.67 billion, 10-year strategy includes proposals for a centralised government cyber security system and the creation of secure hubs, as well as measures to build the cyber security workforce, protect critical infrastructure and beef up law enforcement agency powers against cybercrime.
“There are three key things we’re seeking to do here,” Mr Morrison said.
“We need to protect essential infrastructure and services. We need to protect our economy … and we need to protect you from those who would seek to take advantage of the most vulnerable in our community.”
The report says governments have a responsibility to lead by example.
“Shifting more government services online is making the lives of Australians easier but citizens need to have confidence that their data is safe, underscoring the need for government systems and data to be secure,” the strategy says.
“This strategy will drive long-term work by the Australian government to strengthen the defences of Commonwealth public sector networks.”
Government agencies targeted
The strategy says federal, state and territory government entities were targeted in 35.4 per cent of all incidents the Australian Cyber Security Centre responded to in the year to 30 June 2020.
Around 35 per cent of incidents affected critical infrastructure providers delivering essential services like healthcare, education, banking, water, communications, transport and energy.
It says this is part of worldwide trend, with attacks in recent years against power facilities in Ukraine, Saudi petrochemical facilities, and financial, transport and healthcare services across the globe.
“Highly sophisticated nation states and state-sponsored actors continue to target governments and critical infrastructure providers,” the strategy says.
Mr Morrison also announced in June that all levels of government across the country had been attacked by “a sophisticated state-based cyber actor”.
A centralised system
The strategy says centralising the management and operation of government networks will reduce targets for cyber criminals, focus cyber security investment, promote innovation and achieve economies of scale.
“This centralisation seeks to reduce opportunities for malicious actors to target smaller agencies with less secure IT, and will increase opportunities to focus the Australian government’s cyber security investment,” it says.
Standard cyber security clauses will be in government IT contracts and government agencies will be required to renew their focus on policies and procedures to manage cyber security risks.
The strategy also invests $66.5 million to help critical infrastructure providers to assess vulnerabilities and enhance cyber security, and delivers an enhanced threat-sharing platform where critical infrastructure operators can share intelligence.
“The Government will work with owners and operators of critical infrastructure to update legislation to ensure that critical infrastructure sectors deliver their essential services with security front of mind,” home affairs minister Peter Dutton told reporters.
The plan includes a $50 million program to grow the cyber security workforce and $118 million to expand data science capabilities at the national cyber spy agency, the Australian Signals Directorate.
The ASD will recruit 500 additional intelligence and cyber security personnel at a cost of $469.7 million over 10 years.
Meanwhile $385.4 million will go towards enhancing intelligence capabilities and the government will introduce legislation to bolster the powers of the AFP and Australian Criminal Intelligence Commission (ACIC) to identify criminals operating on the dark web.
CEO of cyber security company Avertro, Ian Yip, welcomed initiatives to protect critical infrastructure, but said there were some missed opportunities in the strategy as well as gaps in the “how” and “what”.
He also questioned the way in which the budget had been allocated, saying almost all of it would go directly to government agencies responsible for national cyber defences, with less than a third of total funding likely to flow to the wider ecosystem.
“Using this financial lens, the strategy looks to be primarily about bolstering our nation’s front-line cyber capabilities,” he said in a statement.
“While this is great for national security, the need for more collaboration, which the government has also been promoting, requires a more balanced allocation of funds.”