2023-2030 Australian Cyber Security Strategy
Overview and Background
- The 2023–2030 Australian Cyber Security Strategy outlines the Australian Government's plan to make Australia a world leader in cybersecurity by 2030. The Strategy is structured around six "cyber shields," which represent layers of defence for the nation. This page provides an overview of the shields and details the key legislative and policy actions taken to implement them.
- The Strategy was developed following extensive consultation with an Expert Advisory Board and industry. It defines a whole-of-nation effort to strengthen Australia's cyber defences and resilience, supported by significant new legislation passed in late 2024.
- The imperative for the Strategy was a rapidly deteriorating cyber threat landscape. A 2023 report from the Australian Signals Directorate (ASD) noted that a cybercrime is reported every six minutes, with ransomware attacks costing the Australian economy up to $3 billion annually. The increasing connectivity of the 'Internet of Things' (IoT) and the rise of Artificial Intelligence (AI) are expected to expand the attack surface for malicious actors, making coordinated national action essential.
- The delivery of the Strategy is structured across three phases:
  - Horizon 1 (2023-2025): Focuses on strengthening foundations and addressing critical gaps. The major legislative reforms of late 2024, including the Cyber Security Act 2024 (Cth) and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (ERP Act), were key deliverables of this horizon.
  - Horizon 2 (2026-2028): Aims to scale up cyber maturity across the entire economy, with a focus on growing the cyber industry and workforce.
  - Horizon 3 (2029-2030): Intends to position Australia as a global leader in developing and adopting emerging cyber technologies.
- The Strategy is accompanied by a public Action Plan that outlines the specific initiatives for Horizon 1 and designates lead and support agencies for each action. This Action Plan is intended to be updated every two years to adapt to the changing threat landscape.
The Six Cyber Shields: Strategy and Implementation
As noted above, the Strategy is built around a central metaphor of six national "cyber shields" working together to provide layered protection. The shields are: (1) Strong businesses and citizens; (2) Safe technology; (3) World-class threat sharing and blocking; (4) Protected critical infrastructure; (5) Sovereign capabilities; and (6) Resilient region and global leadership. The core principle is to shift more of the cybersecurity burden from individuals and small businesses to those better equipped to manage it, including government and large corporations. Many of the initiatives proposed under these shields have now been enacted into law.
Shield 1: Strong businesses and citizens
Stated Goal: To better protect citizens and businesses from cyber threats and enable them to recover quickly from attacks. This includes providing clearer guidance, supporting small and medium businesses, and disrupting cybercrime.
- To break the ransomware business model, Part 3 of the Cyber Security Act 2024 (Cth) introduced a mandatory, no-fault ransomware payment reporting obligation for businesses with an annual turnover of over $3 million. This is designed to enhance visibility of the ransomware threat and inform government and law enforcement responses.
- The Strategy proposed a "ransomware playbook" to provide clear guidance to businesses on how to respond to ransom demands. This is being supported by the practical information gathered through the mandatory reporting scheme.
- The Strategy committed to expanding the AFP and ASD's joint standing operation (Operation Aquila) to disrupt criminal syndicates using offensive cyber capabilities.
- The Strategy includes increased funding for victim support services to help individuals recover from identity theft.
Shield 2: Safe technology
Stated Goal: To ensure Australians can trust that their digital products and software are safe, secure, and fit for purpose, with security built-in by design and default. This includes protecting valuable datasets and promoting the safe use of emerging technologies like AI.
- Security Standards for Smart Devices: Part 2 of the Cyber Security Act 2024 (Cth) creates a framework for mandatory security standards for IoT and other 'smart' devices. This addresses the Strategy's specific proposal to legislate in this area. The Act requires manufacturers and suppliers to issue statements of compliance for products sold in Australia.
- Protecting Datasets: The Strategy proposed a review of data retention requirements and the development of a voluntary data classification model to help industry protect critical data.
- AI Safety: The Strategy supports the development of AI ethics principles and guardrails for the safe and responsible use of AI.
Shield 3: World-class threat sharing and blocking
Stated Goal: To build a whole-of-economy threat intelligence network that facilitates real-time, machine-speed data sharing and enables automated threat blocking at scale.
- Limited Use Obligations: To encourage industry to share threat information, a key initiative of the Strategy was to co-design a "limited use" obligation. This was enacted via:
  - Part 4 of the Cyber Security Act 2024 (Cth), which allows entities to voluntarily share information about significant cyber incidents with the National Cyber Security Coordinator, with protections on how that information can be used by other government agencies.
  - The Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth), which provides similar protections for information shared with the ASD.
Shield 4: Protected critical infrastructure
Stated Goal: To ensure Australia's critical infrastructure and essential government systems can withstand and bounce back from cyber-attacks and other hazards. This involves clarifying and strengthening obligations under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
- The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (ERP Act) directly implemented the key reforms proposed under this shield, including:
  - Clarifying the scope of the SOCI Act to cover data storage systems holding business-critical data (ERP Act, Schedule 1).
  - Expanding government assistance powers to cover 'all-hazards' incidents, not just cyber incidents (ERP Act, Schedule 2).
  - Creating a new power for regulators to direct entities to remedy 'seriously deficient' risk management programs (ERP Act, Schedule 4).
  - Consolidating telecommunications security obligations from the Telecommunications Act 1997 (Cth) into the SOCI Act to streamline regulation (ERP Act, Schedule 5).
Shield 5: Sovereign capabilities
Stated Goal: To grow a flourishing Australian cyber industry and a diverse, professional cyber workforce.
Shield 6: Resilient region and global leadership
Stated Goal: To support a more cyber-resilient region and to uphold and shape international cyber rules, norms, and standards.
Regulatory & Policy Framework
- Cyber Incident Review Board: As proposed in the Strategy, Part 5 of the Cyber Security Act 2024 (Cth) establishes a no-fault Cyber Incident Review Board to conduct post-incident reviews of significant cyber incidents and share lessons learned with industry.
- National Cyber Security Coordinator: The Strategy formalised the role of the Cyber Coordinator to lead whole-of-government incident response. The Coordinator's functions and powers are now established in Part 4 of the Cyber Security Act 2024 (Cth). The Coordinator is supported by an Executive Cyber Council, which includes leaders from industry and government, to enable co-design and collaboration on national cyber security priorities.