Australia’s cybersecurity strategy focuses on protecting small businesses and critical infrastructure

The Australian federal government has released the 2023-2030 Australian Cyber Security Strategy with a focus on protecting the country’s most vulnerable citizens and businesses. At first glance, the strategy covers a lot of ground, and the government will need to work hard and fast to ensure at least some of the proposed actions are in place before the next big breach.

As previously reported, the cyber strategy is based on the idea of six cyber shields to provide an additional layer of defence against cyber threats. These shields aim to create strong businesses and citizens, safe technology, world-class threat sharing and blocking, protected critical infrastructure, sovereign capabilities and resilient region and global leadership. “I don’t believe that the programs described in the first ‘shield’ (strong citizens and business) can either be operationalised, or for programs that do already exist, be scaled up to deliver within a meaningful timeframe. While I have significant general concerns regarding the wholly inadequate funding for the 2030 strategy, these concerns become particularly relevant with respect to this first ‘shield’,” KordaMentha executive director, cybersecurity Tony Vizza told CSO.

On top of $2.3 billion already being spent on cybersecurity, the government has committed $586.9 million to execute the seven-year strategy. The money will go towards the following:

  • $290.8 million to provide support for small and medium businesses, build public awareness, fight cybercrime, break the ransomware business model, and strengthen the security of Australians’ identities.
  • $4.8 million to establish consumer standards for smart devices and software.
  • $9.4 million to build a threat-sharing platform for the health sector.
  • $143.6 million to strengthen critical infrastructure protections and uplift government cyber security.
  • $8.6 million to “professionalise” the country’s cyber workforce and accelerate the cyber industry, growing sovereign cyber capabilities.
  • $129.7 million investment in regional cooperation, cyber capacity uplift programs, and leadership in cyber governance forums on the international stage.

Earlier this week, the federal government had shared an $18.2 million investment to help small and medium businesses improve their cybersecurity resilience and response to cyber-attacks, which is also part of the strategy. “Given the federal government claims that there are 2.5 million small businesses operating in Australia today, this equates just more than a takeaway coffee’s worth of cyber assistance for each small business over the next seven years. It’s a pittance and it’s nowhere near enough,” Vizza said.

The delivery of the strategy

The Australian cybersecurity strategy has most, if not all, aspects of cybersecurity covered, but there are a lot of things to focus on and the timeline for the delivery of each is not clear. The 28-page action plan details each action the strategy proposes and the departments that will be involved, but not when each is expected to be in place. It only states that some will commence immediately and that the plan will be reviewed every two years.

A lack of concrete steps to deliver the strategy worries some in the industry. “The strategy aims high and aspires to meet the needs of as many stakeholders as possible. It’s often said in aiming to please all, you please none. I feel that this outcome is highly likely here and as a result, we will see a failure of this Strategy to achieve many of its stated outcomes,” Vizza said.