Consultation on developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy
Rebecca
Good afternoon everybody. Welcome to Horizon Two: Charting New Horizons, the first of two town halls that we will have to support the development of the Cyber Security Strategy, second tranche. My name’s Bec. I’m representing the team that will be developing Horizon Two of the Cyber Security Strategy within the Department of Home Affairs. This is one of many instances where we’ll have to consult and engage with industry and the public on the next tranche of reforms that will support us as we move forward to 2030.
Before we kick off to details on how today’s session will run, I’d first like to pass to Danni, who will perform our acknowledgment of country.
Danni
Thank you, Bec. Good afternoon everyone. I’ve been asked to perform today’s acknowledgment of country. As a proud Kamilaroi woman, I would like to, on behalf of everyone here in this meeting, acknowledge the lands we are meeting on. For those of us here in Canberra, it’s the Ngunnawal people, and recognize any other people or families with connection to the lands and surrounding regions.
I wish to also acknowledge and respect the continuing culture and contributions that they make to the life of this city and region. I would also like to acknowledge and welcome any other Aboriginal Torres Strait Islander peoples who may be attending today’s meeting.
Rebecca
Thanks very much, Danni. Acknowledging that we have a few attendees still joining, we will be placing some of the housekeeping detail in the chat for reference. For those of us who are with us now, note that we will be undertaking questions through the chat function.
If you are going to ask a question, we do ask that you also provide your name, if that’s not clear on your attendance profile as well as the organisation that you’re representing. I understand we may also have some individuals attending this town hall, and in that case, it’s absolutely fine for you not to reference your organisation. We will get to as many questions as we can throughout the session.
If we don’t get to your question, we will take that away and we will answer that as part of a bulk upload of questions and answers to the Town Hall landing page on the Home Affairs website. This is being recorded and a transcript is also being provided for our reference. If at any time throughout the session there are any technical issues, please reach out to us through the chat.
You can also email the team at [email protected] and we’ll work to try and fix that problem for you. Again, we’ll be providing some of those details in the chat and if there are any issues, please do let us know. Barring that, I’m very pleased to announce our two main speakers for today’s session.
We’re joined by Mr. Peter Anstee, who is our First Assistant Secretary for our Countering Foreign Interference and Cyber Security Division, and we’re also joined by Ash Bell, who is our Cyber Policy and Programs Assistant Secretary. Without further ado, I’d like to hand to Pete.
Peter Anstee
Thanks, Bec and thanks, Danni. Welcome everyone to the first town hall for Horizon Two of the Cyber Security Strategy. For those of you who spend a lot of time around the cyber policy community, it feels like it’s only been a moment since the launch of the 2023 to 2030 Cyber Security Strategy, and it’s with great pleasure that we are reaching the near end of Horizon One and embarking on this conversation, discussion and consultation around Horizon Two.
So, thank you all for your engagement and enthusiasm for engaging through this process. As many of you know, the Cyber Security Strategy running from 2023 to 2030 was launched in November 2023 by the then Minister at the time, Clare O’Neil. And the Minister set up a bold vision for presenting Australia as a world leader in cyber security by 2030.
Underpinning her vision was a new spirit of collaboration between industry, civil society, academia and government, and presenting Australia as a safe, prosperous and of course, secure country. The strategy itself was designed around six shields, which you can see on the screen and built around the concept of three horizons. So, the first horizon running from 2023 to 2025, was really building the foundations for what a national strategic approach looked like.
At the centrepiece of that strategy was a new cyber security act, as well as 60 initiatives that informed a national cyber security strategic landscape. We’re now entering consultation for Horizon Two, which is about expanding the scope, scale and reach of those strategic objectives, and that will commence at the beginning of next year.
So, consultation running from now until the beginning of next year. And finally, Horizon Three, which will run towards the end of the decade, where we cement our position as a leading cyber security nation. And those who have been following the agenda for some time, you’ll be familiar with the progress that government and industry, and the broader cyber security policy community have made in this space.
2016 was about building the foundations for our cyber security agenda. 2020 revolved around critical infrastructure legislation. 2023, as I mentioned, was building the foundations of this national strategic policy project.
And now we’re embarking on that moment of scaling these initiatives, scaling our policy priorities, expanding the reach to those who most need cyber security assistance and protection, and that’s what we’re seeking your engagement on today. I’m really proud to say that 20 months into this journey on our Cyber Security Strategy, we have seen really significant momentum across a range of cyber reforms, policies, programs and initiatives. As I said, there are 60 initiatives outlined in Horizon One of the strategy.
We’re extremely confident we will have either completed those initiatives, or be in the sustainment mode for those initiatives by the end of this calendar year, so, on track for completion by the end of 2025. The slide in front of you captures some of the highlights. It’s by no means exhaustive, but captures some of the highlights under the 23 to 30 Cyber Security Strategy. And as you can see, it has been a serious uplift in terms of engagement and delivery across the cyber security community.
So we now build on Horizon Two. I hope many of you who’ve had some time to engage with the discussion paper, we intended it to be comprehensive in the nature of the questions we were asking, seeking to touch on many of the questions across the cyber security community. With us today, we have colleagues from the Australian Signals Directorate, from the Department of Foreign Affairs and many other parts of government.
With that, I’ll pass to Ash, who in many ways is the architect of the delivery both of Horizon One, but as we launch into Horizon Two of the consultation and leadership that will underpin that, and I look forward to your collaboration as we talk about these strategic priorities. Over to you, Ash.
Ashley Bell
Thanks so much, Pete. I don’t know about architect, but certainly the team and I are really excited to be kicking off this consultation process. And I think, you know, primarily just really excited to be getting out there and talking with industry and talking with individuals about policy opportunities that we can take together. And I think we’ll cover a little bit around some of the detail in the paper, some of the framing points and some of the ideas at the shield level, but we want to make as much time as possible for questions. So, think of this as a quick journey around the paper, hopefully you’ll have an opportunity to engage with that, and then we’ll get into more exciting discussions through the questions.
To frame where we’ve got to with Horizon Two, obviously, as we are still focused on implementing the remaining initiatives for Horizon One. A lot of those have been delivered, but also are still being worked through and further implementation work is being done. At the same time, we wanted to make sure that we are looking towards the next big tranche. And I think one of the strengths of the design of the soft strategy is the opportunity for us to collectively review the policy direction as part of each horizon.
This is critical for cyber security policy, given the speed in which both threats and opportunities are developing. Importantly, it allows us to reflect on the impact that these policy initiatives and programs are having across Australia. I’ll make the point now, but I’m sure we’ll come back to it later, the second townhall, which I really encourage you to come to, we’re going to focus a lot more on that conceptual model that we introduced in the paper, that talks about the kind of theory of change loop.
That’s a really important piece about looking at the broader element of what we’re trying to do in cyber policy collectively, as Australia. Focusing on those outcomes and making sure that we are seeking to put our investment and our policy ideas towards an outcome, not necessarily just the interventions themselves. So, a bit of a plug for that town hall, which is coming up soon, so please join that.
But that’s a real big piece of how we’re looking at both the impact and assessing where we are at the moment in terms of our journey towards being world leading in 2030. So, as Pete mentioned, the world’s changed since 2023 in many different ways, so this consultation discussion paper is intended to be an opportunity for us to take stock and consider what that next tranche of reforms should look like.
It’s an opportunity for us to take a whole of nation approach to cyber security. And this is absolutely centred on the partnership between the private sector and public sector and individuals as well. Cyber security also presents a lot of opportunities. It’s not just a narrative of risk and threats. So through this work, we’re looking at how we can leverage cyber security policies to provide an economic opportunity for Australia, both in developing sovereign capability, driving productivity and competitiveness and supporting individuals, as well.
As part of Horizon Two, what we want to be able to do is to ensure that Australia’s cyber resilience evolves with the global threat landscape. And we have three principles that we outline in the paper. The first being that we want to embed cyber security messaging standards, capability and efforts across society – from homes and schools to businesses and government partners.
We want to empower businesses. Particularly small businesses and not-for-profits and citizens to protect ourselves and each other, reduce the barrier for applying protective frameworks and ensuring Australian businesses are more productive and can bounce back quicker. And then lastly, we want to enhance our cyber entry frameworks through structural reforms to harmonize and simplify regulation, strengthen cyber workforce in the business ecosystem, and better coordinate security outcomes for government cyber uplift. As I mentioned, at the core of the strategy and our policy design for Horizon Two is ensuring that the public-private partnership is at the centre of the work and the thinking and everything that we do. We know that we can’t do this alone in government. It’s only together that we’re able to achieve what we want to do.
And we’ve seen this as Horizon One has unfolded. We’ve seen the tremendous work that industry has done, that individuals have done, that people have invested behind the strategy, the work that’s been taken forward independently through things like the Executive Cyber Council to really drive and look for opportunities where business or particularly large business can actually start to solve some of these challenges themselves or work with government to support.
And it’s in this spirit that we really want to take forward the next horizon. As the Minister said in the foreword, building a cyber resilient nature reflects the best of Australian values. Collaboration, innovation and an unwavering commitment to protecting what matters most. It’s often said that cyber security is a team sport, and that’s kind of the phrase that gets thrown around a lot.
But I think that is absolutely true and quite unique nature of this policy space and the work that you all do every day in supporting Australians and Australian businesses to remain safe and secure. We’ve developed this paper with a view of looking at different cohorts within Australia that will be contributing to the mission. Our view is that everyone has a role to strengthen our nation’s cyber resilience, and everyone’s going to benefit from a secure and thriving economy where we’re capable of bouncing back quickly after an attack.
This is about making sure that we are supporting the different structures and making sure that the economic incidence of this, the work to uplift resilience sits at the right space. What’s the role for government? What’s the role for big business? What’s the role for small business? Everyone has a part to play, and how do we then craft policy initiatives that are going to have an impact, that are going to be structural, that are going to stand the test of time and get us to where we want to be.
I think that’s the core of Horizon Two. It’s moving beyond foundations and moving into the part where we’re able to say, okay, how do we make sure that we’re getting these reforms into the system, and how do we leverage the different opportunities and roles that we play in government and in business, in different sizes?
By 2028, we want to make sure that the policies that we put in place will allow Australians, particularly vulnerable cohorts of Australians, to be confident participants in the digital economy, to feel safe online, to make informed decisions about the security of the technology they choose to use. For small business and not-for-profits, we want to make sure that they have access to clear standards that are cost effective to implement and provide a simple pathway to cyber resilience. We want to make sure that cyber insurance and other market based mechanisms that support that resilience and uplift, particularly for small entities, are available at a reasonable cost. For large business, we want to work with large businesses to proactively protect Australian networks. We want to make sure that large business has access to a deep cyber security workforce that’s diverse, that is highly skilled and that is globally competitive. We want business to be supported by harmonized cyber regulation. We want to make sure that we get security outcomes at the absolute lowest cost.
For critical infrastructure providers, we want to make sure that they are cyber resilient and supported by a mature regulatory position, ensuring any noncompliance is identified and rectified. And on the government level, whether it’s federal, state or local governments, we want to be working in lockstep to secure government services and critical systems that Australians rely on. We want to also increase and enhance the way that we engage across different jurisdictions with programs, strategies and policies that we’re developing.
We want to ensure that the Australian government is an exemplar in cyber security, leadership and data protection. And finally, Australia remains a cyber partner of choice in the region. We want to make sure that we shape, uphold and defend international cyber rules, but importantly, we also want to impose costs on state and non-state malicious actors.
So, as you have seen within the paper, we are exploring different ideas and focus areas within each of the shields. Again, we want to make sure there’s lots of time for questions, so I’m not going to seek to read out the paper verbatim, the details on the slides there are around it.
I thought we might just kind of pick up a few of the key themes that I’m sure will already be resonating with in the questions and areas that you’d want to be looking at. So, again, starting with Shield One, it was our biggest shield and Horizon One, and it continues to be the foundational conceptual structure of the shields themselves.
It is important that individuals and businesses are protected and Horizon Two will continue to have people in business at its core. We want to collaborate on meaningful measures for businesses, communities that are at the coalface of our digital economy. I think the focus areas are around two things particularly, so that’s societal cyber awareness.
How do we build on cyber awareness messaging to centralize that messaging, to enhance messaging, to even reach cohorts that we haven’t been able to successfully reach so far? How do we bring our kids in, and the future digital natives of Australia into that discussion so that cyber security becomes ubiquitous, it becomes a commonly understood thing, and it becomes a component of operating in an online world, and being aware of the security components that fit within that. A big part of Shield One will also be looking at supporting small medium businesses and not-for-profits. So small businesses have an absolutely crucial role in the economy, but too often, given the size of the entities or the cost elements, it’s very difficult for those small businesses to divert the attention, let alone the resources, to uplift their cyber security resilience.
So how do we support them and meet them in the middle? How do we find a way to provide a clearer set of ideas or standards of what resilience is necessary and how to do that? And I think that’s the key piece that we’ve heard from industry is that the challenge is actually just getting the attention in the first place.
But then once you’ve got the attention, how do we take action in a way that’s going to be meaningful and fit for purpose for entities of different types? Similar thing for the not-for-profit sector. I mean, obviously that covers both small and large, but there is different factors that come into play for these organisations. You know, you have more volunteers, there’s a lot more pressure on the expenditure of donations, money towards administration aspects versus mission activities. There’s different pressure points in these entities and we want to use this discussion paper to understand those better, so that we can work together to craft policy solutions or ideas or policy programs or things that we want to take forward that are going to get that change to happen.
This is a really important thing for all businesses of all sizes, right? Small businesses are part of the supply chain that support larger businesses. And as we know and as we’ve seen, where there’s a vulnerability within that, that can have an impact on other entities as well. So, it really is that element of a team sport about rising tide lifting all boats on our resilience focus.
Within these elements, we’re also looking at individuals as well, both in terms of enhancing support for those that are victims of cybercrime and looking at ways that we can explore policy interventions for individuals and parts of the community that are more vulnerable groups. So, we’ve called out various vulnerable groups, but we’re really keen to understand from their perspective, and from their lived experience, what would best suit them to help protect themselves?
We’re really excited as part of Horizon One to launch the grant process for cyber awareness grants for vulnerable communities. And that was a way of getting a whole bunch of different community organisations to be delivering that message. We want to build on that and start to see are there specific interventions? Within the gender space, is there elements around technology enabled violence against women? Is there parts within the cybersecurity space where we can look at that issue and again, address some of these parts, because it’s not just about necessarily securing the data, it’s also about securing the individuals, making sure they feel safe online. And then lastly, there’s a huge focus on cyber regulations and how we can look to harmonize, simplify and reduce the industry burden, as I mentioned. How do we get security outcomes that are important for our economic prosperity, but also for the security of the community? But how do we get those security outcomes at the lowest possible cost?
That’s going to be a real central feature of how we will then drive productivity initiatives to enhance economy. Within Shield Two, this gives us an opportunity to meet the growing attack surface with a proactive approach to mitigate vulnerabilities and empower consumer choices to smarter, more secure options. Again, we had a lot of big initiatives within Horizon One that will continue to unfold over the next couple of years, including labelling and the secure standards.
What else is there to explore in this space? What other technology pieces have changed in the time? What do we need to look at to continue to ensure that Australia remains at the cutting edge of this? There’s obviously policy dimensions to balance. We don’t want to have a situation where we lock out Australian consumers to technology products by picking standards that aren’t going to be consistent with that best practice or international element.
How do we provide an opportunity and hear from you about ways that we can do that, or standards that are evolving, or threats that are changing where you think it would be most useful for government to explore? Similarly, on emerging technologies. I’m surprised that it’s gotten to this far before I’ve said the word AI.
I feel like that’s everywhere I go at the moment, but it’s around us, it is part of it. And even that’s a perfect example of something that was obviously considered in the pipeline when the strategy was formed, but now the conversation around AI has shifted dramatically, and you can say the same about quantum and different other parts.
So, how are we making sure that our strategy and our policies are remaining cresting that wave of emerging tech, but also making sure that we’ve got those secure foundations as we go through? And for Shield Three, there’s quite a lot there that we’ve introduced as new ideas that we’re looking to understand a bit more from you about. Testing some of these ideas around a more proactive posture for cyber security.
We’ve obviously done quite a lot of work on threat sharing and threat blocking in Horizon One, but what are these other elements that are being explored in other countries and that are being put forward by industry? How are we all enabling vulnerability disclosures? For example, what does active cyber defence look like in an Australian context?
What is permissible activities? What isn’t? What more clarity is needed? It’s a policy conversation that we want to have to understand where Australia is on a number of these issues, and I think it’s an exciting piece of work.
Into Shield Four, Australia’s critical infrastructure will continue to play an absolutely key role in maintaining and sustaining our economic social stability. It also makes our critical infrastructure a significant target for malicious cyber actors and can impact the national interest, if disrupted. So a focus here on this shield is two parts. There’s the critical infrastructure component, which we’ve done quite a lot of work through regulations and reforms to SOCI Act particularly, but doing a lot of work in terms of maturing or continuing to consolidate the regime to ensure that it’s working for both critical infrastructure providers, but also, getting the outcomes in the security context that we need.
Then similarly, there’s a whole lot of work in which you would have recently seen last month that was announced around the Commonwealth cyber uplift projects. So there’s more thinking under Shield Four to consider what more needs to be done, whereas those priorities need to shift over that next three-year period.
We’re really excited to have that conversation and particularly with those two mature work programs, start to think about how do we maintain this and how do we maintain our edge? When we go and talk to our international counterparts, often we hear about the importance of our SOCI reforms as real world leading.
For Shield Five on sovereign capabilities, the Australian cybersecurity industry supports prosperity, generates new jobs, contributes over $2 billion to annual GDP. So seeing cyber through an economic lens is not just about security, it is about that prosperity and sharing in the gains that come from growing our industry. We need to have a robust and strong cyber ecosystem to support all of the other programs of work that we want to do, but also as we go through the shields, to provide that actual support and security services to businesses and to individuals.
So a big part of that is continuing our work to expand and build a sustainable cyber workforce, supporting mid-career transitions, reducing entry barriers, strengthening cyber education in schools and working really closely with industry and leveraging the great work that we’ve been doing in Horizon One to understand what more needs to be done and what role government plays, what role private sector plays, where the industry is and looking for opportunities where we can support.
The World Economic Forum said there’s a skills gap of 4 million cyber professionals currently. That figure is going to jump to 85,000,000 in 2030. So it becomes a global competition for these cyber security professionals and skills. And we’re going to make sure that obviously Australia is supported in terms of having access to them and growing our own competitive and exportable services as well.
We’ve also had a look through different elements within the sovereign capability and discussions with industry to explore other components that haven’t been or weren’t fleshed out as much in the strategy. We’re really keen to understand more about other niche parts of the industry or the ecosystem that are thriving or maybe surviving, that need support or maybe need policy intervention.
So we’re really keen to understand the different dynamics of those and the roles that they will play. And then finally, Shield Six is about a resilient region and global leadership, and we want to work to deepen that collaboration with our existing and additional partners on cyber deterrence. We want to continue our efforts to build a broad coalition of international partners, and leveraging the idea that security is a team sport, we need to make sure that we can work with our partners internationally, but particularly within the region. So that looks like strengthening global partnerships through our existing programs that DFAT have been running through.
So, for example, SEA-PAC and Cyber Rapid to address the rising regional cyber threats, but also looking at different components around things that are emerging, like international cyber regulations and how those are harmonized, or what can we do within the region to look at harmonizing regulations, so that it’s easier for businesses to operate in the Asia Pacific region?
Particularly within the Australian Pacific region. So, there’s lots of different parts that we can explore there and there’s obviously quite a lot of work that’s being taken forward already through DFAT primarily. So that’s a rather exhausting, but hopefully useful walk around the park of the different shields. We wanted to make sure throughout the structure of this discussion paper that we put it all out there, but we also showed the working, we showed the thinking that’s been done.
We showed the conversations that we’ve been having, we’ve showed that we’ve been listening through the consultation processes on the legislation, in the various different meetings. We wanted to show what we think, and what we’ve heard, but at the same time, this is very genuinely the first step. We are absolutely, super excited, but very keen to get your ideas and thoughts on some of these issues, all of these issues, a narrow issue, whatever you want to talk about, we’re here to listen. And at that point I might pause and, perhaps we can shift into Q&A. I can hear my teams doing a lot of bleating and I assume that means we’ve got a rich set of questions. So I’ll hand back to you, Bec.
Rebecca
Thanks, Ash. So, we will jump straight in. I’m afraid we won’t be giving you much of a break, but I’ll try and read that question nice and slowly, to give you a chance to recover from your overview. We’ve received a question in the chat on whether there’s any particular format we would like to receive feedback on the discussion paper in.
Generally, the team would appreciate that to come through as a PDF. We haven’t put a size limit or a format limit. We don’t want to stifle your creativity. Ash, if there’s anything else you wanted to add to that, grateful. Otherwise, we’ll move to question two.
Ashley Bell
No, I think that’s covered it. However you want to present, but also please reach out to the team through the email box. You might have a group of companies or businesses, or maybe you represent a particular industry, or you want to pull together a few different people and have a chat about a particular area. Please reach out to us. We’d love to hear from you. And we’re happy to kind of have that conversation in a different way, if that’s easier as well. Also as much as we want to have the submissions by the 29th of August, this is a conversation that, as Pete mentioned, will continue to be going on over for the till the end of the year and we’ll have many more opportunities to be engaging, so please don’t feel like this is your only opportunity.
Rebecca
Very good. Ash, we’ve had a question around whether there are considerations under Horizon Two for amendments to the act. Unless that’s been clarified in the chat, we’re going to assume that’s the Cyber Security Act, noting that the environment’s changed and the threat landscape has evolved. Whether we would be considering amendments to that over time.
Ashley Bell
The first step would be to understand what’s the policy outcome that we’re trying to achieve, and then the first thing we would do is to see what the law permits or allows or restricts or whatever, and consider whether or not legislative changes to the Cybersecurity Act or could be other pieces of legislation in the Commonwealth, or it could be other different pieces. So, I think, nothing is off the table in that sense, because the idea is that we want to make sure that legislation is fit for purpose at all times.
Some of those elements that we set up within the Cybersecurity Act, we purposely did the structure to make subordinate legislation rules to allow them to remain current and to make sure that that was an easier process. So that’s already baked into it. But certainly from that perspective, legislation always has to be fit for purpose, so I’d start with, what’s the outcome you’re seeking to achieve rather than what’s the legislative change that you want? Because there might be different ways of achieving the outcome.
Rebecca
We have received a question from a small business representative who provides cyber security services with some domestic clients. We’ve got in the chat whether there’s a plan to develop and roll out a Cyber Security Australia app to help all citizens and to help alert and inform them better of cyber threats.
I might take that one. And it’s riffing straight off the good work Ashley did to provide that response, which is, we do want to have a good understanding of the kind of outcomes we’re aiming to achieve under Horizon Two. And that’s not to say that submissions shouldn’t include specific examples if you have them ready to go, but if we can link that to how that will support the main themes and may intent and drive a that we’ve concluded onto the discussion paper, that will make our understanding of what we move through next under Horizon Two much better, and much better supported by what the overall intent will be.
Ash, this was another one for you I think. Under Shield One, we have the focus area of harmonizing and simplifying cyber regulation to promote best practice and efficiency. Will this include harmonization between Commonwealth and state legislation and regulation? I think that might be another area where the overall outcome in intent is something that we would be looking to, rather than the hard and fast granular measures.
If you or Pete wanted to add any reflections on that, considering the last engagement under the Cyber Security Act saw us engage with a range of people to push that through, welcome those please.
Ashley Bell
I can kick off and Pete, if you want to jump in. We’ve got a little bit in the paper around this. We obviously work closely with state and territory counterparts and colleagues and we’re really keen to enhance and continue to build on that. I think you’re right Bec, I would frame that as what’s the outcome that is the issue. So, if we’re talking about an example of harmonizing regulations or legislations or soft regulation between state, territory and Commonwealth, what’s the particular friction point or overlap or duplication or gap?
Where is that element which isn’t sort of harmonized or working well. Then that can be something to be explored in through different mechanisms. I think when we’ve talked about regulatory harmonization, it doesn’t discount the element of state, territory or local and Commonwealth levels, but primarily we’re looking at it through the Commonwealth statute book primarily because we got those controls in the executive government.
I think it is absolutely an area that we would be really keen to hear your ideas on where that federal regulatory harmonization is needed or could support business. I think we’re really keen to get those ideas. Pete, anything more on that?
Peter Anstee
Thanks, Ash and thank you for the question. All I’d add is that many people have noticed that productivity is a real focus of the government at the moment as they ease into their new term.
And I think a big part of that will be where we can look to regulatory reform, such that it involves harmonization or minimization of relevant statutes. Ash’s point is right. It should also always be outcome or purpose driven, rather than deregulation for deregulation’s sake. In that context, we’re certainly exploring and open to discussions around how we can streamline regulation in the context of federal and state regulations between the Cyber Security Act and the Security Critical Infrastructure Act, but also in the international context, where there might be arguments for harmonization as they relate to international standards and international regulation.
So, it has been a busy space, the cybersecurity regulatory environment. Therefore there is sometimes a congested regulatory dynamic, so it’s an area we’re certainly looking to have an active discussion around what we can do to make life simpler but also secure for Australian businesses.
Rebecca
Thanks, Pete. Speaking of businesses, we do have a query about how an industry body can assist us in delivering information in easy to access media and fact sheets. I’m going to assume that means not just this process, but also our engagement on cyber security uplift and resilience more broadly. As a first port of call, please come to us in that email address that we’ve popped in the chat.
We’d love to start engaging with you on that now. Similarly, we’ve received an additional question around what data sources will inform the baseline against which Horizon Two outcomes are measured and how industry can share additional anonymized data set securely. Again, please reach out to us on our email address, we’d love to talk to you about a separate exploratory impact study that we currently have underway, and we can work you through the intent that is supporting that study.
The other opportunity would be to please come along to our town hall on Thursday, the 21st of August. We’ll provide more detail on our evaluation model, which will also go into how we will be using data to better support our understanding of outcomes under the Cyber Security Strategy going forward.
One for you, Pete. I think this is from another industry representative. Will we be bringing forward education under Horizon Two for those already in employment across cyber security to keep them up to date? Given the generational change to use AI everywhere, could we use things like targeted micro-credentials to upskill the workforce before it’s too late?
There’s also a note in there about how universities are primed and ready for this, and a potential overarching strategy might support. I know we do speak to the intersection between AI and technology, this is a question around capability uplift and the intersection between AI and our workforce. So Pete, love to have your thoughts on that one.
Peter Anstee
Thank you. Both on the education piece and on the AI piece, I think they’ll be really central discussions as part of this consultation process and no doubt will live in the final strategic policy document. I think that, through Horizon One of the strategies we’ve done a lot in the skills space and we’re looking to build on that in Horizon Two. That will include discussions around credentials and micro-credentials, particularly as we’re moving through this fast-paced environment around AI. So, absolutely, really keen for practical and pragmatic ideas around how we can work with our departments at the federal Department of Education, with our state and territory departments, as well as, tape in industry educators to work through the whole stack around how we can uplift our cybersecurity workforce.
It’ll be a real focus of discussion and I’m very, very keen for your inputs and ideas, including how AI can both supercharge and enhance the development of those skills, as well as what skills will be needed to engage in the cybersecurity AI environment.
Rebecca
Thanks, Pete. And I think that’s gone some way to answering another question around AI in the chat on the intersection of AI and cyber security. As Pete’s mentioned, that’s something we’d like to explore under the responses to the discussion paper, as well as the outcomes we’d like to achieve under Horizon Two. So, we will work that through as part of our broader approach to the overall role of AI in cyber security uplift and response.
Pete, I will pick on you again. I think this is another area where we want to unpack a little bit around our established frameworks, as well as how we communicate that out with industry, which you are poised to respond to. A comment first, cyber can’t be seen in a silo. There needs to be an all-hazards approach to addressing the risks to society and business, establishing a requirement to key assets and industry to align with Essential Eight, and we have a few other frameworks listed there. How long, or can we consider where we might have a standardized approach to overall security compliance in line with the PSPF/DSPF, to enable all businesses to have a clear path to good security management?
Peter Anstee
Yeah. Thank you. I think the interaction between the Protective Security Policy Framework and the Security of Critical Infrastructure Act is an area, again, that deserves close exploration. You would have seen a lot of reform in the PSPF area over the last 18 months. We’ve updated the protective security requirements across government, we’ve issued a number of directions for government entities, including a technology stocktake, consideration of foreign ownership and control risk, specific directions around high risk vendors such as DeepSeek, Kaspersky and TikTok. In an informal sense, we’ve seen a large amount of uptake by critical infrastructure providers in terms of mimicking those directions without having to burden them with prescriptive regulatory obligations.
That said, I think that is a really live conversation that we should explore around the interaction between the PSPF and the Security of Critical Infrastructure Act. More broadly, we’re always open to ideas around how best practice, whether that’s government security standards or controls or those that exist in industry can be best promulgated across society in the least sort of regulatory burden sense.
So, again, really happy to have some discussions around how we might spread best security practice in a light touch regulatory way.
Rebecca
Thanks, Pete. Ash, one for you, noting the discussion we had around intersectional approach in supporting multiple communities under the strategy to thrive during Horizon Two. Are we open to partnering with social enterprises to deliver consistent, measurable learning for students and vulnerable communities? Sharing data and, in essence, providing a real time alert system?
Before I pass to you Ash, I’ll note that again, very happy to connect you with the relevant work area who is doing that sort of work now. So please reach out to our email address. Ash, did you want to add any additional context to that, under Horizon Two.
Ashley Bell
Absolutely. So, the answer is yes. Absolutely keen to hear ideas about programs, pilots, initiatives. I think this is the innovative element and certainly something that Australia does incredibly well, which is to look at novel solutions that can be explored, can be taken forward, and where they’ve got a track record, even more so. We can then look at what is that an opportunity to scale that, or can we trial that in different part?
I mean, there’s a lot of these programs out there with different outcomes at the focus that have been perhaps worked with the state and territory government, and it’s been successful. So, could it apply more broadly? Can we scale it up? Can it solve other problems? We’re very keen to hear about those.
Obviously, we’re also keen to hear about new ideas that haven’t had the chance to sort of flourish or get a grounding as well. Any of those different elements from social enterprises, from not-for-profits or even just for innovative ways of coming at problems that you might have explored in your own business that’s worked, or within your own community.
We’re really keen as part of that vulnerable communities cohort to understand, what works in a particular pocket of Australia might not necessarily work in other parts, but that’s okay too, because that’s still driving and solving for an outcome consistent with what we’re trying to achieve in the strategy. So, absolutely, love to hear from you.
Rebecca
Thank you, Ash. We have a query around whether the original submissions from 2023 are also being reviewed and noted in terms of unique ideas for Horizons Two and Three. Great question. Yes, we will be, when we’re considering Horizon Two, I note that there were some ideas and some proposals put forward that we did not have the opportunity to engage under Horizon One fulsomely.
So, we will be considering how they fit into the landscape of Horizon Two. The other thing I’ll note is that the team is also considering Horizon Two as part of an ongoing program of work established under Horizon One. And just because we hit Horizon Two doesn’t mean that the work on the Horizon One stops. And part of establishing that foundational framework on the Horizon One is to create a landscape which will extend out into Horizon Two and then onwards into Horizon Three.
And there will be measures that continue over time and will continue to support anything new introduced under Horizon Two. So it won’t only be the proposals that were put forward under consultation for Horizon One that potentially have a role within Horizon Two, but the ongoing wins in the ongoing engagements that we have under Horizon One will also continue into Horizon Two as part of the program.
Pete we also have a query here around the accessibility and affordability of cyber insurance, particularly considering the role SMEs may play in that space. Is the government considering mechanisms to improve availability and affordability without distorting the market? As a comment here around whether pool risk schemes or subsidies could be linked to compliance with SME appropriate standards?
Peter Anstee
The short answer is yes. For those who have been playing along for some time, cyber insurance is an issue that raises its head at most national policy discussion forums, and we expect it will again at this point. I think the difference is we are now getting to a point of maturity in the cyber insurance market that we can have a really targeted and focused and deliberate conversation around what practical interventions or not, government might make in this space.
I think that the key thing which you touched on in your question is that we should be targeting as broad a coverage as possible whilst ensuring that there’s not government intervention that distorts the market or that distorts consumer choice. So, it’s in some ways a tricky policy problem because it encroaches on market dynamics and insurance markets and all the rest of it. It’s not a pure cybersecurity play, but we’re really interested in how we can set up Australia to be best practice in terms of its cyber insurance market, as well as getting coverage for as many SMEs in particular, as possible.
Rebecca
Maybe speaking to coverage a little bit there Pete, though, I note that the nature of the question is different. A question on everyone’s favourite topic, zero-trust. Will Horizon Two expand on the development of zero-trust within the Australian economy. And as part of this, it would be great to touch on what government’s doing as well, around zero-trust.
Peter Anstee
Sure. Challenge one is that zero-trust sometimes means different things to different people, but such that we could land on an agreed definition, through this process as to what sort of national zero-trust standard or approach would look like. We think it does represent best practice in terms of a modern, flexible and defensible architecture for Australian businesses in particular. In terms of the Australian federal government approach, we have sort of set up a zero-trust program in terms of articulating what best practice looks like for federal government agencies in designing a zero-trust architecture. That information is already public and accessible, and we encourage organisations to reference that in the design of their own security architectures as it represents good practice. That said, I think arriving at a prescribed national standard will take a lot of thought, design, and might have tricky consequences as well. So, it would be something we’d be really keen to discuss and work through around what a light touch approach that looks like as well.
Rebecca
Thank you, Pete. I might raise this question up a little bit, as I’m unsure whether our colleagues from the Australian Signals Directorate are on the line. We’ve received a query around if we have more details around how ASD and Home Affairs collaborate in setting and assuring standards across jurisdictions without duplicating state led policies. I think there’s also an opportunity here to talk about how we engage across with ASD and other Commonwealth and state and territory agencies on our policy program. I’ll pass to you to provide a little bit of information on that one.
Ashley Bell
Thanks Bec. And look, I think it’s a pretty specific question, so happy to take that one offline to an extent to find out particularly what you’re looking at. But I think in that broader sense, as I mentioned before, that intersection between the levels of government is an absolute critical focus for us in the strategy and particularly within Horizon Two. How do we do that even better? We’ve spoken with counterparts in Canada about this exact same kind of issues. So, they’ve got a central government, but a bunch of provinces and the provinces regulate local governments. So, they have similar challenges in terms of making sure that there’s good alignment and discussions and dialog between the different levels of government so that there isn’t duplication so that we are as harmonious as we can be.
Noting that, within Australia, our businesses and our people operate across borders quite freely. So, it’s certainly something that we’re taking forward. We have various forums, which I won’t go into because it’s very bureaucratic and a lot of acronyms, but there is a lot of engagement both with ASD and through ASD, but also with our counterparts in the states and territories.
On the Commonwealth level, we also have a lot of established forums for engagement on cyber policy and the development of strategy as well. Just to bring you a little bit sort of inside baseball, we’ve been working on developing this discussion paper and these ideas for Horizon Two quite some time ago. And as part of that, we wanted to do a bottom-up review. We’ve brought out all of the different agencies.
We had a number of workshops and seminars to the question before, we looked at the material that was presented to us previously in the discussion paper from the regional strategy, we’ve taken new consultation, and we’ve also made sure that everyone has a voice from all the different angles of different parts of government as well.
And so, I think part of this is making sure that we are as connected as we can be. So, there’s no wrong door on these conversations and it’s not limited on one angle. We can always do better and we’re always open to feedback on how we can do that as well. So, separate to the submission process, always happy to get that. You’ve got my details, I’m sure that the team can drop my email in the chat. I’m always happy to get feedback on how we can do that better engagement as well. Thanks.
Rebecca
Thanks, Ash. We are running up against time a little bit, so we might have to be a little bit more targeted in some of our questions and answers. I will note that we’ve received quite a few around artificial intelligence and how we will play that out under Horizon Two and the intersection with other topics and thematics. So just with the leave of attendees here, we’ll take those away and consider them fulsomely so that we can get you a better and non-duplicative answer, and we’re always happy to come back to you bilaterally if you contact the team again at our email address.
So, moving through what we do have in front of us now, Pete, this is one that goes again to cyber maturity levels, as well as some of the standardization work we spoke through before. There’s a broader comment around cyber is often being seen as it’s a cost to be insured and to reduce risk, potentially against the benefit with that investment which can yield a return. The question whether further incentives to drive private sector adoption of certain cyber maturity levels is being considered, such as through company tax rebates, deductions, grants etcetera. Ash’s comment there around how we will engage across Commonwealth with other like agencies who hold the policy on that. Did you want to unpack anything additional in response to that question?
Peter Anstee
Yeah. Thank you. I think there is still work to be done in terms of measuring and modelling how much of cyber security is a cost, but also the benefits that come from cyber resiliency. I think a big part of our job as a cyber security community is collectively presenting why good cyber security posture and resilience is actually good for the bottom line of your businesses.
Generally, and this is perhaps me speaking more personally than for the division, I don’t think grants, subsidies, rebates will be the panacea in this space. It is more demonstrating to those that making cybersecurity investments in your business will ultimately return a reward. So, there is a policy question there to continue to build on that has been represented in the first horizon, but looking forward to working with you to build that in Horizon Two as well.
Whilst I’ve got the microphone, I want to make one final comment on AI. Absolutely cyber security questions around artificial intelligence will be central to the discussion in developing our policy program around Horizon Two. In particular, people are interested in these general-purpose technologies. It will be affecting all departments of state, state and territory policy development, municipal policy development.
So, expect it to be central to the discussion. The point to emphasize or a key point to make is this is not an AI discussion paper. It is a cybersecurity discussion paper. So, in preparing your submissions and presentations, I really think we should be focusing, a laser like focus on what the cyber security policy questions AI is presenting us with.
Whether that’s around workforce, whether that’s around defensive tools, whether that’s around adversary, offensive capability. There are some really specific questions that I think we need to explore in the AI context. But I’m keen for this not to become an overarching AI strategy. That is for the Department of Industry in large.
Rebecca
Thanks, Pete. And in the spirit of ongoing collaboration and engagement, thank you all very much for your time this afternoon. We will take any questions that we haven’t responded to and collate them as part of a question and answer resource that we will provide on the Home Office website. Per the slide that’s currently up, any additional questions that you didn’t think of during the chat or you’d like to unpack more, please contact the team at [email protected].
Please provide any submissions, preferably in a PDF format, but also very happy to receive your request for ongoing engagement. Please also remember to join us for our next Town Hall on the 21st of August again to discuss the policy evaluation framework underpinning the strategy. Thank you also to our presenters, Ash and Pete. Thank you to the team behind the scenes for making sure this all ran very smoothly.
Have a lovely afternoon and we’ll engage with you soon.
