The federal government has unveiled its delayed cyber security strategy, leaving key details to upcoming legislation that has yet to reach parliament.
The 52-page strategy, released Thursday, allocates $1.67 billion to improve Australia’s cyber security over the next decade. Most of this funding comes from the previously announced $1.35 billion CESAR (Cyber Enhanced Situational Awareness and Response) package.
Key elements include new laws and an “enhanced regulatory framework” to protect critical infrastructure, described as the “best way to protect Australians at scale.”
The framework will set minimum standards, including an “enforceable positive security obligation” for designated critical infrastructure entities.
“These powers let the Australian Government actively defend networks and support the private sector during cyber attacks,” the strategy states. Support may include expert advice, direct intervention, or the use of classified tools.
This approach aims to reduce downtime for essential services and limit the impact of cyber attacks on Australians.
The framework will be implemented through amendments to the Security of Critical Infrastructure Act and will extend to systems of national significance.
Beyond defending assets during attacks, the government will help operators strengthen their cyber security. The $62.3 million “classified national situational awareness capability” will support responses to threats.
Critical infrastructure operators can also share intelligence through the government’s $35 million cyber threat-sharing platform.
The government is considering further legislation to set a minimum cyber security standard across the economy. It will expand the Australian Cyber Security Centre’s incident exercise program to help businesses and government prepare for attacks.
Government networks and secure hubs
Many agencies still fail to implement basic security controls, making government systems a priority. The government plans to centralise the management of agency networks to strengthen resilience.
Centralisation will allow investment in fewer, more secure networks and promote innovation and efficiency. The government may also create “secure hubs” to reduce attack surfaces, though details remain vague.
Standard cyber security clauses will be added to government IT contracts to minimise risks.
Federal, state, and territory agencies accounted for 35.4% of the 2,266 cyber security incidents handled by the ACSC in 2019-20. Critical infrastructure in sectors like healthcare, banking, water, and energy saw similar attack levels.
Boosting law enforcement
The government will provide $124.9 million to law enforcement to fight cyber crime, including $89.9 million for the Australian Federal Police. Planned legislation will help the AFP identify criminals operating on the dark web.
The ACSC will receive $31.6 million to combat cyber crime internationally and assist domestic law enforcement in disrupting cyber criminals.
“The Australian Government will develop the tools to discover, target, investigate, and disrupt cyber crime, including on the dark web,” the strategy states.
Supporting SMEs
The strategy includes $63.4 million to help small and medium enterprises (SMEs) improve cyber security. Large businesses will partner with SMEs to offer “bundles” of secure services, such as threat blocking, antivirus, and awareness training.
“Integrating cyber security into other service offerings helps protect SMEs at scale. Many cannot hire dedicated cyber security staff,” the strategy notes.
The government will also provide online training and a 24/7 cyber security helpdesk for SMEs.