By: Kieran Doyle, Nicole Gabryk and Nick Martin
The Australian Government released the 2023-2030 Australian Cyber Security Strategy (the Strategy) on 22 November 2023. According to the Department of Home Affairs:
“The Strategy is the roadmap that will help realise the Australian Government’s vision of becoming a world leader in cyber security by 2030. To achieve this vision, we need to protect Australians. Through the Strategy we seek to improve our cyber security, manage cyber risks and better support citizens and Australian businesses to manage the cyber environment around them. We will do this with six cyber shields.”
The six shields set out in the Strategy are:
- Strong businesses and citizens
- Safe technology
- World-class threat sharing and blocking
- Protected critical infrastructure
- Sovereign capabilities
- Resilient region and global leadership
Further to our recent analysis of shields 1, 2 and 3 of the Strategy, shield 4 focuses on protecting the nation’s critical infrastructure, enhancing regulatory obligations for owners and operators of essential services, and uplifting the cyber security of the Commonwealth Government.
Shield 4 – Protected critical infrastructure
To achieve the vision of shield 4, the Government proposes:
- exploring regulatory reform options to:
  - move the security regulation of the telecommunications sector to the Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI Act’)
  - strengthen cyber security regulations for the aviation and maritime sectors
  - clarify obligations for managed service providers to critical infrastructure entities, and
  - require critical infrastructure entities to adequately protect their data storage systems
- expediting the implementation of the “Systems of National Significance framework”, and for that framework to include enhanced cyber security obligations for the relevant vital systems
- implementing a SOCI Act compliance monitoring and evaluation framework to ensure critical infrastructure entities are properly informed of their SOCI Act regulatory obligations, and developing enhanced review and remedy powers
- consulting with industry to explore how Government can better help critical infrastructure entities manage the consequences of cyber incidents
- strengthening the cyber maturity of Government departments and agencies through whole-of-government cyber security uplifts, and skills development for public service staff, overseen by a new Cyber Coordinator, and
- designating new “Systems of Government Significance” that will be required to meet enhanced security standards.
The Government has also committed to:
- conducting national cyber security exercises under a National Cyber Exercise Program, led by the Cyber Coordinator, that test incident response plans as well as consequence management and communications channels, and
- developing incident response playbooks, based on guidance from business leaders, and lessons learned throughout the progression of other measures in the Strategy.
The proposed SOCI Act compliance monitoring and evaluation framework could be an important part of the overall regime for ensuring critical infrastructure is secure. Hopefully, a ‘carrot not stick’ approach will be favoured in keeping with the calls from critical infrastructure entities for increased Government support in managing and mitigating the consequences of cyber incidents. The more assistance the Government can provide, particularly around expectations, the more prepared critical infrastructure will be.
It is also pleasing that the Government has recognised the vital part it has to play in ensuring Australia’s cyber security and has acknowledged its shortcomings in this regard – it appears to have listened to industry’s concerns around the need for Government cyber security to be improved and for public sector cyber maturity, and accountability, to be addressed.
The Strategy states that the National Cyber Exercise Program will ‘complement and build on’ the Enhanced Cyber Security Obligation applicable to Systems of National Significance under the SOCI Act. Whilst there is benefit in not reinventing the wheel if existing systems, requirements and processes are already working well, the interaction of the new Program with existing SOCI obligations will need to be carefully considered to ensure that there is no duplication of obligations or activities for those entities already subject to the most robust regulation under the SOCI Act.