The Australian government has moved to reduce the chances of Optus and Medibank-style data breaches in its newly released cyber strategy, a move welcomed by a major industry body.
The 2023-2030 Cyber Security Strategy includes commitments to review data retention requirements for businesses and the “data-brokering ecosystem,” after millions had their private information leaked online during the Optus and Medibank breaches.
Home Affairs Minister Clare O’Neil, while releasing the strategy, said cyber security is the country’s fastest-growing national security challenge.
“We’ve got data flying around the country, we’ve got cyber attacks on major pieces of infrastructure, and we’ve got citizens, businesses who keep saying to me that they feel really alone in this challenge and unnecessarily vulnerable,” she said in an interview with ABC Radio.
“The cyber strategy that the government is releasing today is not just a big vision document about what the world might look like in 2030, it is a very specific set of tangible things the government will do to change the game for our country.”
The strategy committed to a review of Commonwealth legislative data retention requirements and the identification of “Australia’s most sensitive and critical datasets across the economy”.
“Technological advancements have enabled malicious actors to develop vast data profiles on businesses, individuals and officials for intelligence gathering and commercial purposes,” the strategy reads.
“Many businesses have voiced concerns that they are required to store substantial data records for excessive periods of time, which can often be high-value targets for malicious cyber actors.”
The Albanese government has committed $586 million to achieving the strategy’s goals, which also include expanding law enforcement’s ability to respond to cyber incidents and protecting businesses from malicious actors.
Kate Pounder, CEO of the Tech Council of Australia, said the strategy is “a comprehensive response to the increasing threat of cyber attacks and data breaches that will help bring Australia up to the world’s best practice”.
“The strategy recognises there is no silver bullet and there is no single shield that will protect us from cyber criminals,” she said.
“It will take a comprehensive and multi-pronged approach, underpinned by strong collaboration between the government, industry and the community.”
Ransomware attacks lock down a business's systems using software, or threaten to leak its information, unless the business pays. The government said it will legislate a “no-fault, liability ransomware reporting obligation for businesses”.
It will also develop a ransomware playbook, to provide guidance on how businesses can prepare for, handle and respond to ransom demands, and a cyber health check program.
The government is also planning on expanding its Digital ID program to reduce the sharing of sensitive personal information online and increase funding for victim support services when identity theft occurs.
“Cyber criminals go to great lengths to steal identities of Australian citizens, including through large-scale breaches of business customer data,” the strategy said.
“Personal data, including identity information, is bought and sold on the dark web for a high price.”
The data-brokering industry often trades and sells thinly anonymised information on Australian customers in marketplaces, and brokers' privacy policies allow a huge breadth of data to be collected.
The Australian Competition and Consumer Commission is examining businesses that gather or sell their customers' data, and the government has committed to its own review.
“The government will review the data brokerage ecosystem to assess whether further action is required to address risks associated with the transfer of data to malicious actors via data markets,” the strategy said.
“This review will complement the proposed reforms to the Privacy Act.”
Other actions flagged by the government include protecting critical infrastructure, diversifying Australia’s cyber security industry and public education.