{"id":50459,"date":"2019-09-10T11:18:34","date_gmt":"2019-09-10T01:18:34","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=50459"},"modified":"2019-12-06T15:37:30","modified_gmt":"2019-12-06T04:37:30","slug":"australias-cyber-strategy-version-2-0","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/","title":{"rendered":"Australia\u2019s cyber strategy, version 2.0"},"content":{"rendered":"<figure><img loading=\"lazy\" decoding=\"async\" width=\"724\" height=\"483\" class=\"alignnone size-full wp-image-50461\" src=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg\" srcset=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg 724w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886-205x137.jpg 205w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886-332x221.jpg 332w\" sizes=\"(max-width: 724px) 100vw, 724px\" \/><\/figure>\n<p>Back in 2016, Australia launched a new <a href=\"https:\/\/cybersecuritystrategy.homeaffairs.gov.au\/AssetLibrary\/dist\/assets\/images\/PMC-Cyber-Strategy.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">national cybersecurity strategy<\/a>.* The strategy covers a four-year period to 2020, and given the changes in the security environment, an update is now clearly warranted. To that end, the government has just released a <a href=\"https:\/\/www.homeaffairs.gov.au\/reports-and-publications\/submissions-and-discussion-papers\/cyber-security-strategy-2020\" target=\"_blank\" rel=\"noopener noreferrer\">discussion paper<\/a> to kick off the public consultation. The closing date for submissions on the discussion paper is 1 November.<\/p>\n<p>To complement the public submission process, ASPI\u2019s International Cyber Policy Centre is initiating a public debate on what should be included in the next cybersecurity strategy. Contributions will be compiled into a report that we will deliver to the Department of Home Affairs to inform the strategy\u2019s development.<\/p>\n<p>The overarching themes are what the strategy should focus on and how the government can achieve maximum impact in a resource-constrained environment.<\/p>\n<p>The last strategy had 33 initiatives and a funding package of $230 million for four years. That was a huge number of initiatives and a pretty modest budget given what was proposed. The next strategy needs to be a lot more focused, given significantly greater resourcing seems unlikely.<\/p>\n<p>There are, of course, lots of things that could be included in the strategy, and the government\u2019s discussion paper poses plenty of questions for contributors to explore. But to kick things off, I wanted to propose three areas of focus.<\/p>\n<p>The first is the safety of physical systems as we connect more and more of them to the internet. We\u2019re rapidly shifting from a world that connected things that couldn\u2019t physically hurt us if compromised (like phones, laptops and PCs) to a world where we\u2019re connecting lots of things that could seriously injure or kill us if compromised (cars, machinery, aeroplanes). We\u2019ve <a href=\"https:\/\/www.wired.com\/2015\/01\/german-steel-mill-hack-destruction\/\" target=\"_blank\" rel=\"noopener noreferrer\">already seen<\/a> several <a href=\"https:\/\/www.wired.com\/2015\/01\/german-steel-mill-hack-destruction\/\" target=\"_blank\" rel=\"noopener noreferrer\">near misses<\/a> at <a href=\"https:\/\/www.nytimes.com\/2018\/03\/15\/technology\/saudi-arabia-hacks-cyberattacks.html\" target=\"_blank\" rel=\"noopener noreferrer\">factories<\/a> and <a href=\"https:\/\/www.theguardian.com\/technology\/2018\/mar\/19\/uber-self-driving-car-kills-woman-arizona-tempe\" target=\"_blank\" rel=\"noopener noreferrer\">fatal crashes<\/a> involving driverless cars (although not yet due to a malicious cyber compromise).<\/p>\n<p>Injuries and deaths from cyberattacks will dramatically increase political attention. But in the case of social media companies, we\u2019ve seen how problematic it can be to retrospectively regulate in a hurry, especially when it involves writing <a href=\"https:\/\/www.nytimes.com\/2019\/04\/03\/world\/australia\/social-media-law.html\" target=\"_blank\" rel=\"noopener noreferrer\">new legislation<\/a> over the weekend. A top priority for the strategy has to be narrowing down the types of systems that pose a real risk of causing injury and\/or death and ensuring a high level of cybersecurity for those connected devices (noting the many <a href=\"https:\/\/www.aspistrategist.ru\/report\/InternetOfInsecureThings\" target=\"_blank\" rel=\"noopener noreferrer\">pitfalls of regulation<\/a>).<\/p>\n<p>The second proposal is to make greater use of the government\u2019s procuring power to drive improved standards within government and for firms that sell to government. There are several ways the government could do this. It could, for example, mandate minimum cybersecurity standards in its tender documents (at present, it mostly doesn\u2019t do this)\u2014for example, when purchasing new hardware and software for the public service.<\/p>\n<p>It could also mandate that contractors that sell to government meet minimum cybersecurity standards themselves. At present, there\u2019s lots of potential for contractors to handle government data using less secure systems. The Department of Human Services has done some good work leveraging its purchasing power to extend the secure supply chain, and the Australian Prudential Regulation Authority\u2019s <a href=\"https:\/\/www.apra.gov.au\/file\/3531\" target=\"_blank\" rel=\"noopener noreferrer\">draft standard on information security<\/a> looks at extending obligations on regulated entities to third parties.<\/p>\n<p>The third proposal is to expand the scope of the rules for mandatory reporting of data breaches. There are two key aspects to this. First, the law needs to be expanded beyond personal data to breaches in general. At present, a company could lose all of its intellectual property without any obligation on it to disclose what in reality would be a major breach. Companies also don\u2019t need to disclose a breach that affects their customers (for example, in the case of <a href=\"https:\/\/www.reuters.com\/investigates\/special-report\/china-cyber-cloudhopper\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cloud Hopper<\/a>, it seems that at least some managed service providers did not notify their clients that they had been compromised).<\/p>\n<p>One argument commonly used against compulsory disclosure is that notification laws could perversely discourage companies from searching for breaches. But that\u2019s the situation that exists already\u2014compromises are rife, security is poor, and it\u2019s past time for overlapping direct measures that ensure all organisations take security seriously.<\/p>\n<p>The second change to the law that\u2019s needed is the imposition of fines. At present, there\u2019s no incentive for some sectors to respond to the current \u2018name and shame\u2019 tactics. Without fail, every quarter, the health sector is the <a href=\"https:\/\/www.oaic.gov.au\/privacy\/notifiable-data-breaches\/notifiable-data-breaches-statistics\/\" target=\"_blank\" rel=\"noopener noreferrer\">worst offender <\/a>under Australia\u2019s notifiable data breach scheme. Even though data on people\u2019s health is the most sensitive information anyone holds, the sector has no incentive to improve because consumers have no choice but to go to their doctors and hospitals and there is no single brand on which consumers can target their frustration. So bad behaviour persists. Fines would help sharpen the focus on dealing with this current failure.<\/p>\n<p>That is by no means an exhaustive list. The government\u2019s paper poses <a href=\"https:\/\/www.homeaffairs.gov.au\/reports-and-pubs\/files\/cyber-security-strategy-2020-discussion-paper.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">26 questions<\/a> to start the discussion. Over the coming weeks, we look forward to hearing a wide range of views. Please send your contribution to ASPI\u2019s International Cyber Policy Centre at <a href=\"mailto:icpc@aspistrategist.ru\" target=\"_blank\" rel=\"noopener noreferrer\">icpc@aspistrategist.ru<\/a>.<\/p>\n<p><em>* An earlier version of this post referred to the 2016 cybersecurity strategy as the first one for Australia. The <a href=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/AG-Cyber-Security-Strategy-2009-for-website.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">inaugural cybersecurity strategy<\/a> was <a href=\"https:\/\/webarchive.nla.gov.au\/awa\/20140802123050\/https:\/\/www.ag.gov.au\/RightsAndProtections\/CyberSecurity\/Pages\/default.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">released in 2009<\/a> by the Attorney-General\u2019s Department. Many thanks to the reader who brought this error to our attention.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Back in 2016, Australia launched a new national cybersecurity strategy.* The strategy covers a four-year period to 2020, and given the changes in the security environment, an update is now clearly warranted. To that end, &#8230;<\/p>\n","protected":false},"author":685,"featured_media":50461,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[17,1597,2138,1966],"class_list":["post-50459","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-australia","tag-cyber-strategy","tag-cybersecurity","tag-home-affairs","dinkus-cybersecurity-strategy"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Australia\u2019s cyber strategy, version 2.0 | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Australia\u2019s cyber strategy, version 2.0 | The Strategist\" \/>\n<meta property=\"og:description\" content=\"Back in 2016, Australia launched a new national cybersecurity strategy.* The strategy covers a four-year period to 2020, and given the changes in the security environment, an update is now clearly warranted. To that end, ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2019-09-10T01:18:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-12-06T04:37:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"724\" \/>\n\t<meta property=\"og:image:height\" content=\"483\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Fergus Hanson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fergus Hanson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI&#039;s analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg\",\"width\":724,\"height\":483,\"caption\":\"Business, technology, internet and networking concept. Young businesswoman working on his laptop in the office, select the icon security on the virtual display.\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/\",\"name\":\"Australia\u2019s cyber strategy, version 2.0 | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/#primaryimage\"},\"datePublished\":\"2019-09-10T01:18:34+00:00\",\"dateModified\":\"2019-12-06T04:37:30+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Australia\u2019s cyber strategy, version 2.0\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f\",\"name\":\"Fergus Hanson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g\",\"caption\":\"Fergus Hanson\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/fergus-hanson\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Australia\u2019s cyber strategy, version 2.0 | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/","og_locale":"en_US","og_type":"article","og_title":"Australia\u2019s cyber strategy, version 2.0 | The Strategist","og_description":"Back in 2016, Australia launched a new national cybersecurity strategy.* The strategy covers a four-year period to 2020, and given the changes in the security environment, an update is now clearly warranted. To that end, ...","og_url":"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2019-09-10T01:18:34+00:00","article_modified_time":"2019-12-06T04:37:30+00:00","og_image":[{"width":724,"height":483,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg","type":"image\/jpeg"}],"author":"Fergus Hanson","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Fergus Hanson","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI&#039;s analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/09\/GettyImages-1016968886.jpg","width":724,"height":483,"caption":"Business, technology, internet and networking concept. Young businesswoman working on his laptop in the office, select the icon security on the virtual display."},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/","url":"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/","name":"Australia\u2019s cyber strategy, version 2.0 | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/#primaryimage"},"datePublished":"2019-09-10T01:18:34+00:00","dateModified":"2019-12-06T04:37:30+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/australias-cyber-strategy-version-2-0\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Australia\u2019s cyber strategy, version 2.0"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f","name":"Fergus Hanson","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g","caption":"Fergus Hanson"},"url":"https:\/\/www.aspistrategist.ru\/author\/fergus-hanson\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/50459"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/685"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=50459"}],"version-history":[{"count":7,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/50459\/revisions"}],"predecessor-version":[{"id":52398,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/50459\/revisions\/52398"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/50461"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=50459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=50459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=50459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}