Government commits $587 million to ‘bold and ambitious’ cyber strategy
Almost $600 million has today been pledged to beef up Australia’s cyber security to 2030, including plans for “no-fault, no-liability” ransomware reporting obligations for business.
The Government plans to review data retention legislation and examine vulnerabilities that arise from entities holding significant volumes of data for longer than necessary.
It will also develop guidance to help businesses segment information and implement proportionate controls, and work with industry to establish a new Cyber Incident Review Board to pool lessons learned from major hacks.
Australians need clearer advice on how to respond to ransom demands, the strategy says, and the government will respond by building a “ransomware playbook” with clear guidance on how to manage ransom demands.
“The Australian Government continues to strongly discourage businesses and individuals from paying ransoms to cybercriminals,” it said. “There is no guarantee you will regain access to your information, or prevent it from being sold or leaked online. You may also be targeted by another attack.”
The new cyber strategy is based on 330 written responses to a discussion paper authored by an Expert Advisory Board chaired by former Axa Asia Pacific Holdings CEO Andrew Penn.
The Insurance Council of Australia (ICA) welcomed its publication and says it will help make Australian businesses less attractive targets.
“The ICA remains committed to collaborating with the Australian Government and other industry stakeholders to ensure the success of this strategy and the safety and protection of customers,” an ICA spokesperson told insuranceNEWS.com.au.
“The insurance industry and our customers are not exempt from the increasing risk of cyber threats and criminals, including through more calculated and callous ransom attacks and demands.”
Home Affairs Minister Clare O’Neil says cyber security is the fastest growing threat to Australia’s national security and the new strategy ends a “decade of sleepwalking on cyber”.
“The strategy is bold and ambitious – and it has to be,” Ms O’Neil said. “We simply can’t continue as we are. We need to push harder, we need to get in front of this problem.
“When we came to government, Australians were more vulnerable to cyber attacks than citizens of any other developed country. We need to act now. I’ve spent the last year and a half talking to business leaders, community groups, and cyber experts.”
The new strategy puts Australia on track to being a world leader in cyber security by 2030, she says, and will make every organisation a “harder target”.
“Australia is an advanced economy and a rapid adopter of new technologies, making us an attractive target for cyber criminals.”
The new $586.9 million funding allocation includes investing $290.8 million in support for small and medium business, public awareness, fighting cybercrime, “breaking” the ransomware business model, and reinforcing the security of Australians’ identities.
Strengthening critical infrastructure protections and uplifting government cyber security will receive $143.6 million, while $129.7 million will go to regional cooperation, cyber capacity uplift programs, and leadership forums.
Building a threat-sharing platform for the health sector will cost $9.4 million, accelerating the cyber industry $8.6 million, and consumer standards for smart devices and software $4.8 million.
Ms O’Neil said the cyber industry is growing rapidly worldwide and this presents major opportunities for Australia.
“Cyber security isn't just a threat: it's our big shot. The cyber industry is booming globally, and if we get this right, Australia can create jobs at home and export know-how to our friends and partners overseas.”