Australian Cyber Security Strategy

Australia aims to be the world leader in cyber security by 2030 through the Australian Cyber Security Strategy, released on 22 November 2023.

With the cost of cybercrime to Australian businesses growing by up to 14% per annum, the Cyber Security Strategy seeks to improve cyber security, manage cyber risks and better support citizens and Australian businesses in managing their cyber environment. It does so through six cyber shields, each with a set of actions to be taken:

Shield 1: Strong businesses and citizens

    • Support small and medium businesses to strengthen their cyber security
    • Help Australians defend themselves from cyber threats
    • Disrupt and deter cyber threat actors from attacking Australia
    • Work with industry to break the ransomware business model
    • Provide clear cyber guidance for businesses
    • Make it easier for Australian businesses to access advice and support after a cyber incident
    • Secure our identities and provide better support to victims of identity theft

Shield 2: Safe technology

    • Ensure Australians can trust their digital products and software
    • Protect our most valuable datasets
    • Promote the safe use of emerging technology

Shield 3: World-class threat sharing and blocking

    • Create a whole-of-economy threat intelligence network
    • Scale threat blocking capabilities to stop cyber attacks

Shield 4: Protected critical infrastructure

    • Clarify the scope of critical infrastructure regulation
    • Strengthen cyber security obligations and compliance for critical infrastructure
    • Uplift cyber security of the Commonwealth Government
    • Pressure-test our critical infrastructure to identify vulnerabilities

Shield 5: Sovereign capabilities

    • Grow and professionalize our national cyber workforce
    • Accelerate our local cyber industry, research and innovation

Shield 6: Resilient region and global leadership

    • Support a cyber-resilient region as the partner of choice
    • Shape, uphold and defend international cyber rules, norms and standards

Figure: Australia's six cyber shields (2023-2030 Australian Cyber Security Strategy PDF)

Australian Cyber Security Centre's Information Security Manual

The Australian Signals Directorate (ASD) produces the Information Security Manual (ISM), a cyber security framework for protecting IT and operational technology (OT) systems, applications, and data from cyber threats. It is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals, and IT managers.

The ISM's risk management framework is based on NIST Special Publication 800-37 Rev. 2. Each cyber security guideline addresses a set of related security risks and includes the controls that the ASD deems efficient and effective for achieving the associated security objectives.

Implementing these controls manually is time-consuming because of the large number of detailed requirements and the need for precise configuration and continuous monitoring. A plan of action for regularly updating and auditing the controls to stay compliant reduces the likelihood of mistakes and oversights.

Hardening Action Plan

To achieve Australia's 2030 vision, the Government is delivering the strategy in three phases, called horizons:

In Horizon 1 (2023-25): Address critical gaps in the cyber shields, build better protection for the most vulnerable citizens and businesses, and support improved cyber maturity uplift across the region.

In Horizon 2 (2026-28): Scale cyber maturity across the whole economy, make further investments in the broader cyber ecosystem, continue to scale the Government's cyber industry and grow a diverse cyber workforce.

In Horizon 3 (2029-30): Lead the development of emerging cyber technologies capable of adapting to new risks and opportunities across the cyber landscape.

To begin, an Action Plan was created that outlines the initiatives to be taken to deliver Horizon 1; it will be reviewed every two years.

The ISM's system hardening controls number in the hundreds because they address a comprehensive range of potential vulnerabilities across many system components. Each control addresses a specific weakness, and with such a large attack surface a comprehensive approach is necessary.

Given the complexity and volume of these controls, manual implementation is both impractical and error-prone. Companies should therefore consider using server hardening platforms that offer automated hardening. These platforms streamline the process, ensuring consistent and accurate application of all relevant controls.

Scope of Critical Infrastructure Sectors

Under the regulation of critical infrastructure established by the Security of Critical Infrastructure Act 2018 (the SOCI Act), appropriate risk mitigation plans are being put in place to protect Australia's designated critical infrastructure sectors against cyber threats.

The SOCI Act provides a robust framework for defining and regulating the cyber security obligations of critical infrastructure, which covers the following sectors:

Figure: Australia's 11 designated critical infrastructure sectors (2023-2030 Australian Cyber Security Strategy PDF)

The Australian Government will work with industry to provide a high level of assurance that owners and operators are complying with their security obligations.

How the Australian Cyber Security Strategy and Privacy Act 1988 relate

Both contribute to Australia's digital security landscape; however, the Privacy Act 1988 specifically safeguards personal information, while the Cyber Security Strategy addresses broader cyber resilience.

While the Privacy Act is concerned with the protection of personal information and how organizations handle it, the Australian Cyber Security Strategy focuses on national defense against cyberattacks and on improving overall cyber resilience.

The Privacy Act applies to government agencies and to private organizations above a certain revenue threshold, while the Cyber Security Strategy applies to critical infrastructure sectors and government agencies.

Where the two intersect is in data breaches. If a cyberattack compromises personal information, the Privacy Act’s Notifiable Data Breaches (NDB) scheme mandates reporting data breaches to affected individuals and the Office of the Australian Information Commissioner (OAIC) if there’s a risk of serious harm.
