In the wake of recent high-profile breaches that tore through Optus and Medibank, Anthony Albanese has announced an overhaul of Scott Morrison’s 10-year cyber security strategy, including the appointment of a new co-ordinator for cyber security and a refreshed seven-year plan that would run through to 2030.

The Prime Minister, and Home Affairs Minister Clare O’Neil, on Monday hosted a cyber security roundtable with business, security and tech leaders to launch consultation on the new strategy, led by former Telstra chief executive Andy Penn.

“I was pleased with the sentiment coming from the room, which was that there couldn’t be a more important time to be escalating this debate in the nation’s narrative,” Mr Penn told The Australian following the roundtable.

“As we’ve all seen the level of digital adoption increase dramatically over several years as a consequence of Covid, and the flip side of that, is unfortunately the level of malicious activity and the risk of further malicious actors only increases the more we do things digitally. So now is a very important time to see if we can’t give ourselves a really big ambition of making this the most cyber secure nation by the end of the decade.”

Mr Penn said the full strategy would be launched by the end of the year.

Several roundtable attendees told The Australian there was broad agreement in the room for greater co-operation between government and industry, and to avoid heavy-handed regulations that may unfairly burden small businesses.

Simon Bush, chief executive of peak body Australian Information Industry Association, participated at the roundtable and said cyber security regulations had been “a bit of a mess” previously.

“To have a new co-ordinator for cyber security, and a recognition that the government needs to do better in governing itself around cyber security is really pleasing,” he said.

“It’s always good for governments to have bold ambitions but what we don’t want the government to do is to respond with more regulation and more duplication; that’s the last thing our economy needs. But it was a very positive meeting, and everyone was in agreement around common themes.”

Mr Albanese said Australia had been “off the pace” when it comes to grappling with cyber threats, while Ms O’Neil said on Monday the previous government’s cyber laws had been “absolutely bloody useless”, and made assisting the likes of Medibank and Optus more difficult.

“Our government is determined to change that,” Mr Albanese said.

“I want to thank those who participated in the roundtable for their innovative ideas, considered feedback and constructive approach to addressing the cyber security challenges facing our nation.”

Katherine Mansted, director of cyber intelligence and public policy at Australia’s largest cyber services outfit CyberCX, praised the level of ambition in the government’s plans.

“We’re excited by the government’s bold vision,” she said. “Making Australia the most cyber secure country by 2030 suggests a level of impetus and focus that we haven’t had for some time, and the creation of a new national cyber co-ordinator is a welcome and exciting move for the fact that it will be a civilian entity.

“Shifting cyber capability outside of the secret halls of intelligence and defence into something that is more public-facing is something that is to be welcomed. But of course, the devil will be in the execution.”

A mooted plan to widen the government’s intervention powers and potentially give the Australian Signals Directorate authority to commandeer the IT systems of companies affected by a cyberattack was concerning, she said.

“Anything around co-ordination is welcomed but something that crosses that threshold into direction and control carries a lot of risk, frankly, that the government won’t have the resources that it needs and when push comes to shove and we have a cyber incident that is a major cascading nature.

“And no organisation knows its network better than that organisation does. So I think there’ll be some anxiety in the halls of corporate Australia wondering precisely what the government has in mind when it talks about amping up its intervention powers.”

Mr Penn said such a move would help businesses in critical industries like telecommunications, banking, healthcare and energy, better respond to attacks, particularly those perpetrated by nation states.

“We’ll continue to test the boundaries of that and get that balance right,” he said.

Elliot Dellys, a former Australian Signals Directorate operations manager and founder of cyber security outfit Phronesis Security, said a more hands-on approach from the federal government would help organisations gain greater resilience to cyber threats.

“For too long we have had policy flip-flopping and a multitude of action plans and strategies that have been counter-productive to progress,” he said.

“The government’s heart is in the right place but this needs to be the beginning of a cultural shift, not just another regulatory hoop for organisations to jump through without the support and resourcing required to make it effective.”

The opposition’s cybersecurity spokesman James Paterson said he would welcome the strengthening of laws to broaden government access to companies during a cyberattack.

“Certainly we learn something new from every cyber incident, and definitely the government’s approach in light of Optus and Medibank needs to change,” he said.

More Coverage

Albanese’s crack agency to fight cyber attacks

GEOFF CHAMBERS

Health data ‘most vulnerable’ to hack attack

Damon Kitney

More related stories

Politics

Big ‘tech tax’ to hold giants to account

A social media inquiry has recommended a new digital affairs portfolio be established and big tech charged to operate platforms in Australia, with some proceeds given to public-­interest journalism.

Read more

Business

Lack of investment holding back innovation – and green solutions

Government regulation to make big business adopt a recycling mindset will ensure Australia becomes a truly circular economy.

Read more