Government mulls greater role protecting private sector from cyber threats

Prepares for 2020 refresh of cyber security strategy

The government is seeking feedback as to whether its role in fighting cyber crime should change in order to offer “greater assistance to Australian businesses to defend against highly sophisticated malicious actors”.

“State actors target Australian businesses for a range of reasons, including access to intellectual property and espionage. In these situations, it might not be possible for businesses to fully defend themselves given the skills and expertise of those targeting them,” a government discussion paper released today states.

“The Government is most concerned about threats to Australian businesses that provide essential services, such as energy, water, telecommunications and transport.”

The discussion paper and accompanying consultation process are intended to inform an update to Australia’s National Cyber Security Strategy, which was originally launched in 2016 and updated in 2017.

The current legislative framework governing use of Canberra’s cyber security capabilities “was established before the internet became a foundational element of our economy, and without a modern perspective on how malicious cyber activity crosses traditional geographical borders,” the paper states.

Federal, state and territory governments have thus far been limited to “protecting government networks, enforcing the law and offering advice,” the paper notes. There is also no legislative requirement for businesses to report “significant incidents” that have potential national security implications, unless it involves Australia’s Notifiable Data Breaches scheme.

The largest concentration of government defensive and offensive cyber capabilities is the Australian Signals Directorate (which leads the Australian Cyber Security Centre). The ASD in 2017 was authorised to use its capabilities to take on “organised offshore cyber criminal networks”.

In June this year a journalist was raided by the Australian Federal Police after reporting details of government discussions about a potential on-shore role for the ASD. Home Affairs minister Peter Dutton has said there should be a “sensible discussion” about a domestic role for the agency.

The discussion paper doesn’t explicitly contemplate giving the ASD a greater role in protecting private sector networks.

“Maintaining the confidence of the Australian community is the first priority when considering how and when Government should use its cyber security capabilities,” the paper states. “With this in mind, we are seeking your views on whether Government’s role could evolve to better meet your expectations of security while maintaining your trust.”

“Key to this is whether you think Government could do more to confront cybercrime and protect the networks that underpin our way of life, or whether you think the current arrangements are right,” it adds.

Dutton said that he intends to appoint a panel of cyber security experts to guide development and implementation of the refreshed strategy.

“Strong collaboration and partnerships are vital to ensure this strategy is well positioned to tackle the cyber security challenges we face as a nation,” Dutton said.

“The government's 2016 Cyber Security Strategy has strengthened Australia's national cyber security footing, deepened our engagement with industry, and positioned Australia as a prominent regional leader in cyber security,” the minister said.

The discussion paper is available online. Submissions are being accepted until 1 November.