This morning before I got on with some more dull affairs of business, I saw the following:
2023-2030 Australian Cyber Security Strategy Discussion Paper
How we (humanity) and people (including governments etc.) respond to the changing digital landscape and cyber threats that affect society and humanity as a whole is really important. It’s great to see the Australian government using an advisory board and panel structure as they look to review/renew their national cyber security strategy. I’m posting this to raise awareness as I think these things are ever so important that people in the community, industry, academia etc. give their inputs, help and support to the people charged with the incredibly complex task of developing and implementing cyber strategies at country scale! A task not so simple, hence they are calling for inputs as part of a general consultation request from people and organizations.
Key Themes
- The key themes outlined in the document appear to be around these areas:
- Improving public-private mechanisms for cyber threat sharing and blocking
- Supporting Australia’s cyber security workforce and skills pipeline
- National frameworks to respond to major cyber incidents
- Community awareness and victim support
- Investing in the cyber security ecosystem
- Designing and sustaining security in new technologies
- Implementation governance and ongoing evaluation
Questions Raised by the Australian Cyber Security Strategy Discussion Document
In the document the following questions are raised through the discussion document:
- What legislative or regulatory reforms should the Government pursue to enhance cyber resilience across the digital economy?
- How can Australia, working with our neighbours, build our regional cyber resilience and better respond to cyber incidents?
- What opportunities exist for Australia to elevate its existing international bilateral and multilateral partnerships from a cyber security perspective?
- How should Australia better contribute to international standards[1]setting processes in relation to cyber security, and shape laws, norms and standards that uphold responsible state behaviour in cyber space?
- How can Commonwealth Government departments and agencies better demonstrate and deliver cyber security best practice and serve as a model for other entities?
- What can Government do to improve information sharing with industry on cyber threats?
- What best practice models are available for automated threat-blocking at scale?
- Does Australia require a tailored approach to uplifting cyber skills beyond the Government’s broader STEM agenda?
- What more can the Australian Government do to support Australia’s cyber security workforce through education, immigration, and accreditation?
- How should the Government respond to major cyber incidents (beyond existing law enforcement and operational responses) to protect Australians?
- What would an effective post-incident review and consequence management model with industry involve?
- How can Government and industry work to improve cyber security best practice knowledge and behaviours and support victims of cybercrime?
- What opportunities are available for Government to enhance Australia’s domestic cyber security technologies ecosystem and support the uptake of cyber security services and technologies in Australia?
- How should we approach cyber security technologies future-proofing out to 2030?
- Are there opportunities for Government to better use procurement as a lever to support the Australian cyber security technologies ecosystem and ensure that there is a viable path to market for Australian cyber security firms?
- How should the Strategy evolve to address the cyber security of emerging technologies and promote security-by-design in new technologies?
- How should Government measure its impact in uplifting national cyber resilience?
- What evaluation measures would support ongoing public transparency and input regarding the implementation of the Strategy?
Questions
In Appendix A there are the following questions (I have not done a comparison between the two):
(Please note this was extracted from a converted PDF so there may be some typos/formatting issues)
- What ideas would you like to see included in the Strategy to make Australia the most cyber secure nation in the world by 2030?
- What legislative or regulatory reforms should Government pursue to: enhance cyber resilience across the digital economy?
- What is the appropriate mechanism for reforms to improve mandatory operational cyber security standards across the economy (e.g. legislation, regulation, or further regulatory guidance)?
- Is further reform to the Security of
Critical Infrastructure Act required? Should this extend beyond the existing definitions of ‘critical assets’ so that customer data and ‘systems’ are included in this definition?
- Should the obligations of company directors specifically address cyber security risks and consequences?
- Should Australia consider a Cyber Security Act, and what should this include?
- How should Government seek to monitor the regulatory burden on businesses as a result of legal obligations to cyber
security, and are there opportunities to streamline existing regulatory frameworks?
- Should the Government prohibit the payment of ransoms and extortion demands by cyber criminals by: (a) victims of cybercrime; and/or
(b) insurers? If so, under what circumstances?
i. What impact would a strict prohibition of payment of ransoms and extortion demands by cyber criminals have on victims of cybercrime, companies and insurers?
- Should Government clarify its position with respect to payment or nonpayment of ransoms by companies, and the circumstances in which this may constitute a breach of Australian law?
- How can Australia, working with our neighbours, build our regional cyber resilience and better respond to cyber incidents?
- What opportunities exist for Australia to elevate its existing international bilateral and multilateral partnerships from a cyber security perspective?
- How should Australia better contribute to international standards-setting processes in relation to cyber security, and shape laws, norms and standards that uphold responsible state behaviour in cyber space?
- How can Commonwealth Government departments and agencies better demonstrate and deliver cyber security best practice and serve as a model for other entities?
- What can government do to improve information sharing with industry on cyber threats?
- During a cyber incident, would an explicit obligation of confidentiality upon the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) improve engagement with organisations that experience a cyber incident so as to allow information to be shared between the organisation and ASD/ACSC without the concern that this will be shared with regulators?
- Would expanding the existing regime for notification of cyber security incidents (e.g. to require mandatory reporting of ransomware or extortion demands) improve the public understanding of the nature and scale of ransomware and extortion as a cybercrime type?
- What best practice models are available for automated threat-blocking at scale?
- Does Australia require a tailored approach to uplifting cyber skills beyond the
Government’s broader STEM agenda?
- What more can Government do to support Australia’s cyber security workforce through education, immigration, and accreditation?
- How should the government respond to major cyber incidents (beyond existing law enforcement and operational responses) to protect Australians?
- Should government consider a single reporting portal for all cyber incidents, harmonising existing requirements to report separately to multiple regulators?
- What would an effective post-incident review and consequence management model with industry involve?
- How can government and industry work to improve cyber security best practice knowledge and behaviours, and support victims of cybercrime?
- What assistance do small businesses need from government to manage their cyber security risks to keep their data and their customers’ data safe?
- What opportunities are available for government to enhance Australia’s cyber security technologies ecosystem and support the uptake of cyber security services and technologies in Australia?
- How should we approach future proofing for cyber security technologies out to 2030?
- Are there opportunities for government to better use procurement as a lever to support and encourage the Australian cyber security ecosystem and ensure that there is a viable path to market for Australian cyber security firms?
- How should the Strategy evolve to address the cyber security of emerging technologies and promote security by design in new technologies?
- How should government measure its impact in uplifting national cyber resilience?
- What evaluation measures would support ongoing public transparency and input regarding the implementation of the Strategy?
They ask people respond:
Please provide responses to [email protected] by COB 15 April 2023.
The official document is here:
There is also a webform for responses: