The Australian government has handed down its 2020 Cyber Security Strategy [PDF], with the Commonwealth to develop legislation that would impose cyber standards on operators of critical infrastructure and systems of national significance; consider what laws need to be changed to have a minimum cyber baseline across the economy; and create powers that allow the federal government to get on the offensive and actively defend networks and critical infrastructure.
"We work to actively prevent cyber attacks, minimise damage, and respond to malicious cyber activity directed against our national interests. We deny and deter, while balancing the risk of escalation," the strategy states in its only use of bold typeface.
"Our actions are lawful and aligned with the values we seek to uphold, and will therefore be proportionate, always contextual, and collaborative.
"We can choose not to respond."
As well as allowing it to attack networks, the new powers would also help the private sector recover from an attack.
"The nature of this assistance will depend on the circumstances, but could include expert advice [and] direct assistance or the use of classified tools. This will reduce the potential down-time of essential services and the impact of cyber attacks on Australians," the strategy states.
The government intends to spend AU$62.3 million on a "classified national situational awareness capability" that would allow the government to "understand and respond" to threats on critical infrastructure and high priority networks.
"This will be complemented by increased incident reporting and near-real-time threat information from the most essential pieces of infrastructure as part of future regulatory requirements," it said.
"To make use of all sources of threat information, the Australian government will deliver an enhanced threat-sharing platform, enabling critical infrastructure operators to share intelligence about malicious cyber activity with government and other providers at machine speed, and block emerging threats as they occur."
An enforceable "positive security obligation" will be imposed on designated critical infrastructure operators through amendments to the Security of Critical Infrastructure Act 2018.
The government said it would also ensure Australia is not a soft target and continue to publicly call out countries when it is in the nation's interest. The government would also hand law enforcement powers to target "criminal activity on the dark web".
"The Australian government will confront illegal activity, including by using our offensive cyber capabilities against offshore criminals, consistent with international law," it said. "The Australian government will continue to strengthen the defences of its networks, including against threats from sophisticated nation states and state-sponsored actors."
Continuing to paint encryption as a tool used by criminals, the strategy said the government would "ensure" law enforcement has powers to tackle cyber crime.
"If our law enforcement agencies are to remain effective in reducing cyber crime, their ability to tackle the volume and anonymity enabled by the dark web and encryption technologies must be enhanced," it said.
The government has also reversed its stance on leaving government departments responsible for their own cybersecurity, and will instead centralise the management and operations of Commonwealth networks.
"Centralisation could reduce the number of targets available to hostile actors such as nation states or state-sponsored adversaries, and allow the Australian government to focus its cyber security investment on a smaller number of more secure networks," the strategy said.
"A centralised model will be designed to promote innovation and agility while still achieving economies of scale."
For businesses, the government will introduce a voluntary code of practice for internet-connected devices, as well as getting larger businesses to support smaller ones, as outlined in the industry advisory panel paper released last month.
"The Australian government will work with large businesses and service providers to provide SMEs with cybersecurity information and tools as part of 'bundles' of secure services (such as threat blocking, antivirus, and cybersecurity awareness training)," it states.
"Integrating cybersecurity products into other service offerings will help protect SMEs at scale and recognises that many businesses cannot employ dedicated cybersecurity staff."
Should the code of practice fail to "drive change", the government said it would look at implementing additional steps and also look to draw up a set of supply chain principles.
Per its recommendations, the industry advisory panel will also be morphing into a standing advisory committee.
In June, Australian Prime Minister Scott Morrison stated the country was under cyber attack from a state-based actor, widely tipped to be China.
"The Australian government knows it was a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used," the strategy said on the attack.
The strategy also revealed that the Australian Signals Directorate will be used to target COVID-themed phishers, taking down their systems and "blocking their access to stolen information".
Some 91% of businesses reported an increase in cyber attacks with employees working from home, including 93% in Singapore, where 89% and 86% also noted gaps in their business recovery planning and IT operations, respectively, as a result of the global pandemic.
Shadow Assistant Minister for Cyber Security Tim Watts hopes the new strategy shows the 'substance and imagination that our national cyber-resilience deserves' and that it's accompanied by an accountable minister.