09 May 2016

Australia's cybersecurity strategy: the impact on business

This article was written by Cheng Lim and Millie Zhong.

The Australian Government’s Cyber Security Strategy (Cyber Security Strategy) was released on 21 April 2016, after 18 months of consultation with more than 190 organisations across business, government and academia, both in Australia and overseas.

In it, the government establishes five themes of action over the next four years to 2020:

  • a national cyber partnership;
  • strong cyber defences;
  • global responsibility and influence;
  • growth and innovation; and
  • a cyber smart nation.

The executive summary of the Cyber Security Strategy is set out here.

Nature of the Threat

The Cyber Security Strategy itself, and the Prime Minister’s preface, openly recognised that the cybersecurity threat has many dimensions, including from foreign adversaries and state sponsored actors. This reflects the 2016 Defence White Paper which stated

Cyber attacks are a real and present threat to the ADF’s warfighting ability as well as to other government agencies and other sectors of Australia’s economy and critical infrastructure.

Significantly, the Prime Minister, in introducing the Cyber Security Strategy, acknowledged that the Government’s options to respond to cybersecurity threats included an offensive cyber capability housed in the Australian signals directorate. A full transcript of his speech is available here.

Impact on business

The Cyber Security Strategy emphasises the potential damage that malicious cyber activity can cause to business, particularly the theft of intellectual property and other sensitive commercial information. While breaches which result in the compromise of personal information often get headlines and significant media coverage, businesses need to recognise that they can be very significantly adversely affected should their confidential information or trade secrets be compromised by competitors, or should they be the subject of “hacktivist” attacks such as those made against Sony, allegedly by North Korean hackers.

Measures to support business

The Cyber Security Strategy reiterates our key message that cybersecurity is not simply an IT issue, but is a business issue that needs to be driven from the top, in terms of both strategic development and organisational culture.

In line with this ‘top-down’ approach to cybersecurity, the government will introduce a number of measures to assist the private sector. These include

  • support to cybersecurity start-ups as part of the National Innovation and Science Agenda (predominantly through CSIRO’s Data61);
  • providing small businesses with support to have their cybersecurity tested by security practitioners; and
  • assisting businesses to identify and respond to cybersecurity incidents, by increasing the capacity of the national Computer Emergency Response Team (CERT Australia) to work with Australian businesses.

The government also proposes to introduce voluntary cybersecurity governance ‘health checks’ which will initially to be offered to ASX 100 listed businesses, with a view to extending this to other public and private organisations more generally (subject to tailoring for size and industry). The ‘health checks’ are stated to be similar to the UK’s FTSE 350 cyber governance health checks, and differ from the self-assessment recommended in ASIC’s Cyber resilience: Health check (Report 429) in that participants will receive information which enables them to better understand their cybersecurity status and how they compare to similar organisations. In this regard, it appears to enable businesses to benchmark themselves against their peers.

The Government sector

The government will devote significant resources to improving its own cybersecurity governance and capabilities, including increased spending and increased recruitment of cybersecurity specialists across government agencies and departments. Enhancements in intelligence, space and cybersecurity will require around 900 new positions to be filled in the Defence Force alone.

Recognising that cyber attacks are directed at the weakest link, and that primary targets can be accessed through connected networks and equipment, the government will also develop guidance for government agencies to consistently manage supply chain security risks for ICT equipment and services.


While these initiatives may be a tacit acknowledgement from the government that it needs to step up its game, the Australian government’s cybersecurity investment of A$230 million over 4 years under the Cyber Security Strategy is only a fraction of that pledged by its counterparts in the UK (£1.9 billion over 5 years) and the US (US$19 billion for FY2017). It is perhaps not surprising then that information sharing and collaboration with the private sector are a key focus of the Cyber Security Strategy, which will implement initiatives such as:

  • real-time information sharing on cybersecurity threats and responses between and within the public and private sectors, including from classified sources;
  • establishing links to global sharing initiatives; and
  • investigating legislative impediments to sharing.

While businesses will no doubt welcome the availability of government intelligence and inter and intra-sector information, they also face the same dilemma articulated by the Prime Minister’s special cybersecurity advisor, between openness about cybersecurity issues and avoiding further damage and “hanging out [their] crown jewels”. Businesses have been reluctant to openly acknowledge cybersecurity incidents. For example, MailGuard reported that 693,053 Australian businesses experienced a cyber crime in 2014, but only 11,703 reported a cyber incident.

In co-designing the sharing centres, both public and private sector collaborators will need to consider not only the security of the information exchanged, but also the protection of collaborators’ anonymity, as well as mechanisms to guard against guard against free riding.

The need for training and resources

The Cyber Security Strategy leaves wide scope for industry led collaborative development in the regulation and growth of the cybersecurity sector. Private sector organisations will be called on to co-design internationally aligned national voluntary cybersecurity guidelines, and also to participate in the establishment of academic centres of cybersecurity excellence to train the next generation of graduates.

As part of the National Innovation and Science Agenda, the government will also invest over $30 million to establish an industry-led Cyber Security Growth Centre, which will be tasked with developing a national plan to grow Australia’s cybersecurity sector, as well as

  • identifying cyber research and technology gaps or priorities for industry, and informing the science and research community of industry needs and commercial opportunities;
  • coordinating a national cybersecurity innovation network and linking with existing cybersecurity innovation hubs overseas; and
  • acting as the national mechanism for cross-sector collaboration and investment in nationally-significant cybersecurity infrastructure and frameworks.

The opportunities for business

As stated in the government’s Cyber Security Strategy, businesses own and operate most of the key supporting infrastructure for cyberspace. They are highly vulnerable to any cybersecurity risks, and need to be aware of the potential threats and have appropriate mitigation strategies in place. At the same time, they are also best placed to exploit the opportunities in the internet based economy, which in Australia is predicted to grow to A$139 billion by 2020. The collaborative framework set out in the Cyber Security Strategy is the first step in opening new avenues for doing so.

The Turnbull government places has a strong focus on innovation, and it is clear that it sees innovation in cybersecurity as a potential opportunity for Australia in coming years. The expanded tax incentives and venture capital arrangements under the National Science and Science Agenda announced in the recently released budget (available here) will also make investment in innovative sectors such as cybersecurity increasingly attractive. Angel investors investing in innovative, high growth potential start-ups are now able to access the 10 year capital gains tax exemption after a holding period of 12 months (reduced from 3 years), with a cap of A$200,000 per year.

Key contacts

Data Central

Have you checked out our new Data Hub? Data Central contains a range of resources to help our clients minimise the legal, regulatory and commercial risks this data-driven environment presents and ensure that its full value is being realised.

Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    The goal posts for executing a deal in the financial services sector have changed. In this difficult regulatory environment, sellers are finding it harder to get their deals away.

    27 February 2020

    Bringing directors, management and shareholders together, the Annual General Meeting provides a platform for discussion on company performance and key corporate governance matters.

    27 February 2020

    Our experts bring you what's happening in the marketplace and an update on litigation funding commissions.

    27 February 2020

    After the United States, Australia has the highest number of climate change disputes globally.

    27 February 2020

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.