A new three-stage cybersecurity plan from the Australian government promises gradual but major changes over the next seven years, with some elements to take place in the very near future.
One main near-term focus of the new plan is incident reporting, which will have tighter time limits for companies but also a more streamlined process that promises less punitive action for those making good-faith attempts to comply. Law enforcement and small-to-medium businesses can also expect substantial new financial support from the A$587 million set aside for the plan, and residents can expect less of their personal data to be held by companies for extended periods.
Australia responds to recent breaches, spikes in cyber crime claims
Unsurprisingly, one of the central points of focus for the cybersecurity plan is the protection of critical infrastructure; the country is only weeks removed from a ransomware attack that shut down four ports for several days. Critical infrastructure companies will move to being regulated in the online world by the Security of Critical Infrastructure Act rather than the Telecommunications Act (which the country is in the midst of a very long process of updating).
The cybersecurity plan is divided into three phases: one for 2023 to 2025, another for 2026 to 2028, and a final phase in 2029 and 2030. In terms of first-phase near-term developments, one of the points of focus seems to be to get Australian companies on board with data minimization as regards stored customer information. Concrete details of this have yet to shape up, but it is likely that companies will not be able to hold personal data for years indiscriminately and will have to provide stronger justifications for retaining it for extended periods.
The massive Medibank and Optus breaches, involving nearly 10 million records each and prompting many Australians to get identification re-issued, were an obvious source of motivation for this and other new regulations that have been rapidly put into place. The country has seen a sustained increase in attacks on businesses and scam or phishing attempts against individuals during this time, however, and the average cost of an incident is also beginning to climb.
Cybersecurity plan offers financial assistance to small and rural businesses
Small businesses may see the biggest benefit from the money set aside for the cybersecurity plan, particularly those that serve rural and underprivileged communities. “Cyber health checks” for small businesses are likely to come online in the very near future: a free program aimed at providing a training and resilience boost to companies that may struggle to keep up with IT needs. A Small Business Cyber Security Resilience Service will also be offered, aimed at making it much simpler for smaller victims of cyber attacks to make reports and receive support.
All residents of the country can expect security awareness and education training as part of the cybersecurity plan. Community organizations that serve a wide variety of vulnerable groups will also be eligible for grant money in this area, so that they can tailor delivery programs that are better suited to their unique populations.
Money is also set aside to promote regional law enforcement cooperation via groups such as the ASEAN Senior Officials Meeting on Transnational Crime, and the existing offensive cyber programs that pursue criminal hackers will also see improved funding under the first segment of the cybersecurity plan.
Organizations are likely to see stricter reporting requirements, but also an easier path to getting reports in and one that may expose them to less liability, provided they are acting in good faith. A new no-fault, no-liability system of reporting is set to be discussed with stakeholders, and a new Cyber Incident Review Board is being formed that will handle the fallout of “major” data breaches in the country.