How Australia can coordinate a collective response to cybercrime

EY’s submission to the development of Australia’s Cyber Security Strategy 2023-2030 recommends a fundamental strategy reset to uplift our ability to counter cyber threats and deepen global trust in our society

In brief:

• Cyber security is critical for the wellbeing of every Australian public and private organisation and citizen – and the competitiveness of our nation.
• Australia is not where we need to be in our levels of cyber maturity given the increasing frequency of cyber attacks and their cost to the economy.
• We need a transparent, collective national approach where the focus moves from reaction to prevention and response and better targets malicious actors.

To deliver on Australia’s Minister for Cyber Security’s aspiration for Australia to become the world’s most cyber secure nation by 2030, we must do more than simply refresh our national cyber security strategy. A fundamental strategy reset, a refocus on citizen centricity and incident prevention and significant, considered and long-term investment are required to make a step-change in our ability to counter cyber crime.

EY considers that Australia’s next Cyber Security Strategy should be founded on three overarching principles:

1. Citizen-centricity
   To protect the citizens whose lives and jobs are being disrupted by cybercriminals, we must design penalties to punish aggressors – not victims. This will require harnessing behavioural economics to find drivers that produce the outcomes we want, that: citizens are protected; companies are incentivised to invest in cyber security proportionate to their upside and downside risk landscape and only punished for genuine malpractice; and malicious actors are stopped, and where possible, caught and penalised.
   
   
2. Collective defence
   To create a sovereign and assured capability to counter cyber threats, we must shift from our reactive stance and focus on collective prevention. For example, we suggest targeting a capability that takes a hybrid of the US Information Sharing and Analysis Centres, which handle threats in sector context and risk translation against maturity, and Israel’s national Cyber Emergency Response Team, which handles cyber incidents in the civilian cyber sphere and has visibility of risk across critical infrastructure.
   
   
3. Commensurate investment
   Government and industry need to invest appropriately to protect citizens’ data and their right to privacy, and to defend our critical infrastructure at a level commensurate with the cost of malicious cyber activity to Australia’s economy and community. We recommend investing 10% of the annual cost of cybercrime each year (around A$4 billion per year) as a starting point. Around half of this investment should go towards hardening Australia’s organisational cyber capabilities and growing Australia’s cyber security industry in its capacity and maturity. The other half should be put into a sovereign cyber investment fund to accelerate buildout of sovereign defence capabilities through collaboration between government, industry and academia.

We also suggest consideration is given to whether further, stand-alone cyber security legislation is required. Australia’s many existing laws and regulations are not being fully applied to the digital domain. This should be the first line of enquiry, along with clarifying standards of practice within relevant existing regimes, ahead of adding further federal legislation.

Additional, stand-alone legislation risks further confusion around entity and individual obligations. It also risks degrading our sovereign ability to adapt to the near-term disruptive effects of step-changing technologies such as quantum computing, generative AI and outer space-based communications. Within the commercial context, it also risks decreasing supply and value chain competitiveness and Australia’s ability to deliver against industry driven commitments under trade agreements, at a time when these economic and security factors have never been so important.