Cyber Engineering Community

  • 1.  Submission for 2023 - 2030 Australian Cyber Security Strategy Discussion Paper

    Posted 29-03-2023 08:19 AM
    Hi Everyone,
    On 8 December 2022, the Minister for Cyber Security, the Hon. Clare O'Neil MP, announced the development of the 2023-2030 Australian Cyber Security Strategy (the Strategy).

    The Strategy Expert Advisory Board has released a discussion paper seeking views on how Government can achieve these goals.

    Engineers Australia is considering a submission to the 2023 – 2030 Australian Cyber Security Strategy discussion paper and we are seeking your help to understand if we would have anything significant to add from an engineering point of view to the questions listed in Attachment A of the discussion paper (they are given at the end of this post for easy reference).
    In particular, is there anything new to add from Engineers Australia's previous submission on the National Data Security Action Plan submitted last year?
    We would welcome feedback in this discussion thread or contact me directly if you prefer. Submissions close 15 April 2023, so if you could provide your feedback as soon as possible, that will allow your feedback to be collated into the Engineers Australia response.

    I also invite those who are interested in Cyber Security to join the Cyber Engineering Community on EA Xchange. There you will find the latest discussion in the area of Cyber Engineering.
    Thank you and looking forward to hearing your feedback and seeing you in the Cyber Engineering Community.
    Kind Regards,
    Questions from Attachment A of the discussion paper
    1. What ideas would you like to see included in the Strategy to make Australia the most cyber secure nation in the world by 2030?
    2. What legislative or regulatory reforms should Government pursue to enhance cyber resilience across the digital economy?
      1. What is the appropriate mechanism for reforms to improve mandatory operational cyber security standards across the economy (e.g. legislation, regulation, or further regulatory guidance)?
      2. Is further reform to the Security of Critical Infrastructure Act required? Should this extend beyond the existing definitions of 'critical assets' so that customer data and 'systems' are included in this definition?
      3. Should the obligations of company directors specifically address cyber security risks and consequences?
      4. Should Australia consider a Cyber Security Act, and what should this include?
      5. How should Government seek to monitor the regulatory burden on businesses as a result of legal obligations to cyber security, and are there opportunities to streamline existing regulatory frameworks?
      6. Should the Government prohibit the payment of ransoms and extortion demands by cyber criminals by: (a) victims of cybercrime; and/or (b) insurers? If so, under what circumstances?
        1. What impact would a strict prohibition of payment of ransoms and extortion demands by cyber criminals have on victims of cybercrime, companies and insurers?
        2. Should Government clarify its position with respect to payment or non-payment of ransoms by companies, and the circumstances in which this may constitute a breach of Australian law?
    3. How can Australia, working with our neighbours, build our regional cyber resilience and better respond to cyber incidents?
    4. What opportunities exist for Australia to elevate its existing international bilateral and multilateral partnerships from a cyber security perspective?
    5. How should Australia better contribute to international standards-setting processes in relation to cyber security, and shape laws, norms and standards that uphold responsible state behaviour in cyber space?
    6. How can Commonwealth Government departments and agencies better demonstrate and deliver cyber security best practice and serve as a model for other entities?
    7. What can government do to improve information sharing with industry on cyber threats?
    8. During a cyber incident, would an explicit obligation of confidentiality upon the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) improve engagement with organisations that experience a cyber incident so as to allow information to be shared between the organisation and ASD/ACSC without the concern that this will be shared with regulators?
    9. Would expanding the existing regime for notification of cyber security incidents (e.g. to require mandatory reporting of ransomware or extortion demands) improve the public understanding of the nature and scale of ransomware and extortion as a cybercrime type?
    10. What best practice models are available for automated threat-blocking at scale?
    11. Does Australia require a tailored approach to uplifting cyber skills beyond the Government's broader STEM agenda?
    12. What more can Government do to support Australia's cyber security workforce through education, immigration, and accreditation?
    13. How should the government respond to major cyber incidents (beyond existing law enforcement and operational responses) to protect Australians?
      1. Should government consider a single reporting portal for all cyber incidents, harmonising existing requirements to report separately to multiple regulators?
    14. What would an effective post-incident review and consequence management model with industry involve?
    15. How can government and industry work to improve cyber security best practice knowledge and behaviours, and support victims of cybercrime?
      1. What assistance do small businesses need from government to manage their cyber security risks to keep their data and their customers' data safe?
    16. What opportunities are available for government to enhance Australia's cyber security technologies ecosystem and support the uptake of cyber security services and technologies in Australia?
    17. How should we approach future proofing for cyber security technologies out to 2030?
    18. Are there opportunities for government to better use procurement as a lever to support and encourage the Australian cyber security ecosystem and ensure that there is a viable path to market for Australian cyber security firms?
    19. How should the Strategy evolve to address the cyber security of emerging technologies and promote security by design in new technologies?
    20. How should government measure its impact in uplifting national cyber resilience?
    21. What evaluation measures would support ongoing public transparency and input regarding the implementation of the Strategy?

    Dr Peter Stepien
    Chair ITEE College

  • 2.  RE: Submission for 2023 - 2030 Australian Cyber Security Strategy Discussion Paper

    Posted 06-06-2023 08:22 PM

    What happened with this? Did EA end up making a submission? Is it available to read anywhere?

    Nick Spurry

  • 3.  RE: Submission for 2023 - 2030 Australian Cyber Security Strategy Discussion Paper

    Posted 12-06-2023 01:09 PM

    The EA submission is here

    Shireane McKinnie

  • 4.  RE: Submission for 2023 - 2030 Australian Cyber Security Strategy Discussion Paper

    Posted 12-06-2023 05:47 PM

    Hi Nick,

    Apologies for not replying sooner and thanks Shireane for providing the link to the submission.

    The submission was announced in an Engineering News dated 2 May, which I incidentally missed. The link provided in the news item has a document summary:

    2023–2030 Australian Cyber Security Strategy - Engineers Australia's submission

    "Securing Australian cyber space and building a robust and resilient cyber ecosystem will require a comprehensive, agile, and inclusive strategy. Engineers Australia's submission offers the view of its expert members on what the Government could do to achieve the goal of securing our nation's cyber ecosystem and shift the dial to move cyber security front of mind."

    Thank you and everyone else for contributing to the submission. Without your support, these types of submissions could not be made.

    Kind Regards,

    Dr Peter Stepien
    Chair ITEE College