The government has released its long awaited 2020 Cyber Security Strategy, which plans to strengthen the defences of federal public sector networks and expand the powers of law enforcement agencies.
Prime Minister Scott Morrison and Home Affairs minister Peter Dutton on Thursday said the document would allow the government to protect critical infrastructure, as well as help families and businesses protect themselves.
The strategy encourages collaboration across agencies, jurisdictions, and nations.
“To hold cyber criminals to account and prevent cyber crime, law enforcement agencies across Australia will need to work together,” it states.
“Building on the success of approaches to counter terrorism and child exploitation, this strategy will encourage even greater cooperation across Australia and with international partners. The Australian government will work with state and territory governments to prioritise our efforts and equip agencies with the capabilities to make a difference.”
Law enforcement agencies will receive greater powers and technical capabilities to “detect, target, investigate and disrupt cybercrime, including on the dark web” through new legislation.
Under the proposed laws, the Australian Federal Police and the Australian Criminal Intelligence Commission will be able to identify cyber criminals and their networks on the dark web, allowing “law enforcement to take the fight to the digital front door of those using anonymising technology for evil purposes”.
The government will also invest $89.9 million to allow the AFP to establish target development teams with partners, build technical cyber capabilities and enhance operational capacity.
Meanwhile, the Australian Transaction Reports and Analysis Centre’s “financial intelligence expertise” will be harnessed to target the profits of cyber criminals, and the ACSC’s ability to counter cyber crime actors offshore will be expanded.
The strategy notes that the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act, introduced in 2018, has “helped Australia’s law enforcement and security agencies, working with industry, tackle online criminal and terrorist threats”.
“Through this strategy, the Australian government will ensure law enforcement agencies have appropriate legislative powers and technical capabilities to deter, disrupt and defeat the criminal exploitation of anonymising technology and the dark web,” it says.
The strategy aims to strengthen the defences of federal public sector networks with a number of measures.
“The first priority is to centralise the management and operations of the large number of networks run by Australian government agencies, including considering secure hubs,” the document says.
“Centralisation could reduce the number of targets available to hostile actors such as nation states or state-sponsored adversaries, and allow the Australian government to focus its cyber security investment on a smaller number of more secure networks. A centralised model will be designed to promote innovation and agility while still achieving economies of scale.”
Agencies should implement the ACSC’s Essential Eight mitigation strategies, the document said. Agencies “will also put a renewed focus on policies and procedures to manage cyber security risks”, and standard cyber security clauses will be included in federal government IT contracts.
As previously reported, the Australian Signals Directorate will recruit 500 additional intelligence and cyber security personnel at a cost of $469.7 million over 10 years. The government will also invest $385.4 million in “enabling and enhancing intelligence capabilities”.
Under the strategy, the government will invest $1.67 billion over 10 years to achieve the vision of “a more secure online world” for Australians, their businesses and essential services, by:
- Protecting and “actively defending” critical infrastructure,
- Using new ways to investigate and shut down cyber crime,
- Strengthening defences for government networks and data,
- Increasing collaboration to build Australia’s cyber skills pipeline,
- Increasing situational awareness and improved sharing of threat information,
- Strengthening partnerships with industry through the Joint Cyber Security Centre program,
- Providing advice to small and medium businesses to increase their cyber resilience,
- Creating clear guidance for businesses and consumers about securing Internet of Things devices,
- Having a 24/7 cyber security advice hotline for SMEs and families,
- Improving community awareness of cyber security threats.
A security framework is being introduced to “bolster the nation’s resilience” and quicken its response time in an emergency. The framework includes security obligations for critical infrastructure providers and government assistance to industry in response to immediate and serious cyber attacks on Australia’s most critical systems.
The strategy has been informed by community consultation and advice from the government’s industry advisory panel, chaired by Telstra CEO Andy Penn.