Businesses will be required to comply with minimum standards of cyber security under a federal government plan to harden the nation’s defences of vulnerable computer networks against foreign adversaries and cyber criminals.
Firms will also need to ramp up their spending on cyber security, including potentially contributing to the cost of the national agencies as part of an updated cyber security strategy.
Prime Minister Scott Morrison has confirmed the strategy will also see Canberra lift its spending following revelations a “sophisticated state-based actor” had attempted to hack into Australian networks on an industrial scale.
China is being blamed for unleashing the attacks, which began about 18 months ago when Australia rejected Huawei’s participation in the rollout of the 5G network.
The attacks have escalated in recent months after the Morrison government angered Beijing over its advocacy of an inquiry into the origins of the coronavirus pandemic.
The attacks have targeted all levels of government plus the private sector, most notably firms in the financial services, defence and healthcare industries, but there has been no major data breach identified.
The updated cyber security strategy was due to be released in the run-up to the postponed May federal budget but was delayed because of the pandemic.
Industry sources said the strategy was expected to require firms to comply with a minimum level of cyber security set by the federal government, with those in the critical infrastructure field such as banks, healthcare and utilities expected to be the top priority.
The government would be responsible for setting an industry-by-industry standard to apply to all firms in that sector. The standards would be applied through a code of conduct, potentially with a regulator to ensure compliance.
The Home Affairs Department, which is preparing the strategy, believes that while there are already mature cyber security requirements in industries such as telecommunications, there are minimal or highly variable requirements in other sectors and different standards of enforcement.
In particular, the department has identified gaps when services are provided across different levels of government, or by smaller organisations, such as local councils which oversee water and sewerage services.
“Often the government encourages the private sector to set their own rules but there is no one to set standards,” a source said.
A discussion paper on the strategy also flagged the government could seek to recover the cost of providing services to owners of critical systems through direct charges or other alternative funding models rather than relying on tax revenue.
The head of the Australian Strategic Policy Institute’s International Cyber Policy Centre Fergus Hanson said hardware and software vendors and internet service providers would likely have to shoulder the direct cost of increased cyber security requirements, but these would flow through to businesses and eventually their customers.
Mr Hanson said Telstra’s “Cleaner Pipes” project, which gathers reams of data to block malicious websites, could be a model for other ISPs to follow.
Defence Minister Linda Reynolds said the government had committed $386 million on cyber security since 2013 to strengthen defences, develop innovation and grow the workforce.
“It is very clear that state and non-state actors are increasing their ‘grey zone’ attacks on Australia’s cyber networks,” she said.
“However, the federal government cannot do this alone. It is imperative that state and local governments, companies and institutions all take action to protect themselves.”
She said following Friday’s announcement that a state actor had been attacking Australian institutions, almost 500 companies had sought advice on how to partner with the Australian Cyber Security Centre to boost their cyber protection.
There was also a six-fold increase in traffic to cyber.gov.au, with 150,000 page views of advice on how to mitigate attacks.
While Mr Morrison did not identify the culprit behind the cyber attacks, China’s Foreign Ministry late on Friday denied involvement and said it was a “staunch guardian” of cyber security.
Beijing attacked the Australian Strategic Policy Institute for “slandering” China by claiming it was responsible for the cyber attacks, saying the think-tank lacked credibility because the US government and arms dealers funded it.