Australia aiming to become ‘most cyber-secure country’ by 2030

Australia is assembling an offensive cyber team with a view towards becoming the world's "most cyber-secure country" by the end of the decade, a government minister has revealed.

The announcement of the strategy comes on the heels of the Optus and Medibank Private cyber attacks, which Claire O’Neil, the country’s home affairs minister, described as “the worst in Australian history”. The two attacks occurred within three weeks of each other in September and October 2022.

In response to these attacks - and an overall increase in cyber-security incidents across the globe - the Australian government has launched a programme to develop a new cyber-security strategy that will replace the one designed in 2020. 

Speaking at the National Press Club, O’Neil said the strategy will be led by cyber-security cooperative research centre CEO Rachael Falk, former Telstra CEO Andy Penn, and former chief of the Air Force Mel Hupfeld.

There will also be an expert panel drawn from around the world, led by former UK National Cyber Security Centre CEO and Oxford University professor Ciaran Martin.

“I want Australia to be the world’s most cyber-secure country by 2030," O'Neil said in her address. "I believe that is possible. But we need a reset and a pathway to get there.”

O’Neil listed four ways that the government plans to achieve this goal: bringing the nation into the fight to protect citizens and the economy; strengthening international engagements so that Australia can be a global cyber leader; strengthening critical infrastructure and government networks; and building sovereign cyber-security capabilities.

“What I am most worried about is cascading disasters,” she added. “Imagine a future January, where we see a Black Saturday-size bushfire in the south-east, a major flood in the north, then overlay a cyber attack on a major hospital system in the west.

“Our country would be fully absorbed in the management of domestic crises. Then consider how capable we would be of engaging with a security issue in our region.”

According to O’Neil, Australia has been in a “cyber slumber”, as evidenced by former prime minister Scott Morrison’s decision to abolish the cyber-security ministry when he came to office. However, she described the recent Optus and Medibank breaches as a wake-up call.

The minister highlighted the changes that the Australian government had already implemented in light of those breaches, including bringing in new penalties under the Privacy Law.

Once enacted, this will see new maximum penalties for businesses, which will change from $2.22m (£1.2m) to a new maximum of either $50m (£27m) - three times the value of any benefit obtained through the misuse of information - or 30 per cent of a company's adjusted turnover in the relevant period, whichever is the highest amount. 

However, O'Neil stressed that realising Australia's cyber-security goals will require time and money, admitting that the country is "not spending enough on cyber defence".

“This will be a 100-person team, permanently focused on hunting down people seeking to hack our systems and hacking back,” said O’Neil. “It will take some time to get this singing, but when it does, it will change the game for cyber in Australia.”

The announcement was welcomed by at least some parts of the IT industry.

“The federal government’s announcement of a new cyber-security strategy for a cyber-secure Australia is a timely and necessary development that we hope will play a critical role in bolstering Australia’s cyber resilience,” said Adrian Covich, Proofpoint’s senior director in Asia-Pacific and Japan.

“With the government’s new strategy, we hope Australia can work toward adopting a clear, unified approach to anticipating and overcoming future cyber security challenges.”

In its latest report, the Australian Cyber Security Centre (ACSC) said the company received 76,000 cyber-crime reports last financial year, up 13 per cent from the previous period, resulting in costs of around A$39,000 for a small business and A$62,000 for a large business.

As a result, the ACSC warned that cyber space “has become a battleground” and is “increasingly the domain of warfare”.

Over the past year, organisations across the world, from the UK’s NHS to Apple in the US and even the Albanian government, have suffered severe cyber attacks that have disrupted their services and put their users’ personal information at risk. 

In the last two months alone, Australia experienced the two worst cyber attacks in its history, within three weeks of each other. The first was the Medibank hack, which affected 9.7 million current and former customers; the second was the Optus hack, a data breach of 10 million customer accounts.

The National Australian Bank also revealed two months ago that Australians are subject to 50 million attempted cyber attacks each month, while the Australian Taxation Office said the figure was around three million.