
Australia Releases 2023–2030 Cyber Security Strategy — November 22, 2023

Australia’s 2023–2030 Cyber Security Strategy demands board-led coordination across the six cyber shields, phased execution of the 2023–2025 action plan, and privacy controls that preserve DSAR fidelity while expanding threat sharing.


Australia’s government released the 2023–2030 Cyber Security Strategy, outlining a vision to make Australia the world’s most cyber secure nation. The strategy is anchored by six “cyber shields” covering citizens, businesses, critical infrastructure, sovereign capabilities, government, and international partnerships. It is accompanied by a 2023–2025 Action Plan that details legislative reforms, investment priorities, and partnership initiatives. Boards of Australian organisations—and multinationals operating in the country—must mobilise governance structures to interpret the strategy, coordinate implementation across business units, and align data protection practices so that increased information sharing does not compromise DSAR obligations under the Privacy Act 1988.

The first shield, “Strong citizens and businesses,” focuses on uplifting cyber hygiene for households and small enterprises. The Action Plan introduces a voluntary cyber health check programme for small businesses, expands the Australian Cyber Security Centre’s guidance, and pursues industry codes for secure-by-design products. Larger enterprises should support their supply chains by offering training, template policies, and incident response assistance. Governance teams should document how they engage SMEs, including how they help suppliers manage personal data securely and respond to DSARs from Australians whose information flows through joint systems. Contracts should include clauses that allocate DSAR responsibilities, breach notification steps, and escalation triggers aligned with Australian Privacy Principles (APPs).

The second shield, “Safe technology,” aims to embed security into products and services. The government plans to consult on mandatory security standards for IoT devices, explore software liability settings, and expand the voluntary Cyber Wardens initiative. Boards should oversee product security roadmaps, ensuring development teams adopt secure-by-design principles, maintain SBOMs, and integrate vulnerability management. Privacy officers must collaborate with product leads to evaluate how new standards affect personal data handling and DSAR processes—particularly for connected devices that collect household information. Clear communication with customers about security features and DSAR channels will be essential to preserve trust.

The third shield, “World-class threat sharing and threat blocking,” proposes a national cyber intelligence network, expanded joint exercises, and closer collaboration between government and industry. Organisations should join or deepen participation in the Cyber and Infrastructure Security Centre, sector-specific information sharing forums, and the Australian Signals Directorate’s threat intelligence programmes. Implementation requires governance frameworks that define what information can be shared, how personal data is minimised, and how DSAR teams can retrieve shared artefacts if individuals request access. Legal teams should review the evolving legislative proposals for ransomware reporting obligations, safe harbour provisions, and liability protections to ensure internal policies remain compliant.

The fourth shield, “Protected critical infrastructure,” builds on reforms to the Security of Critical Infrastructure Act (SOCI). The Action Plan prioritises uplifting cyber maturity in healthcare, water, and education sectors; expanding the Critical Infrastructure Uplift Program; and clarifying obligations for System of National Significance (SoNS) entities. Boards of critical infrastructure operators must oversee compliance with risk management programme rules, incident reporting, and mandatory exercises. They should allocate budget for cyber uplift initiatives, monitor progress against maturity targets, and integrate privacy compliance into operational technology environments. Because SOCI incident response may involve sharing operational logs containing customer or patient data with government agencies, DSAR processes need to accommodate such disclosures and maintain records for auditing.

The fifth shield, “Sovereign capabilities,” seeks to grow Australia’s cyber workforce, research capacity, and industry base. The strategy announces a Cyber Security Skills Partnership Innovation Fund, scholarships, and expanded migration pathways for specialists. Organisations should align workforce planning with these programmes, engaging universities and training providers. Governance committees should track skill gaps, diversity metrics, and background vetting processes. Privacy teams must ensure recruitment systems handle applicant data responsibly and can produce DSAR responses for candidates participating in government-funded programmes. Maintaining transparent privacy notices and consent records becomes critical as organisations share data with educational partners or government agencies administering grants.

The sixth shield, “Resilient region and global leadership,” emphasises international cooperation with Quad partners, ASEAN, and Pacific neighbours. Australian companies with regional operations should map how cross-border data flows intersect with cyber defence initiatives. Implementation steps include harmonising incident response procedures, coordinating DSAR handling across jurisdictions, and ensuring mutual aid agreements address privacy law differences. Boards should receive briefings on geopolitical risk, sanctions compliance, and international law enforcement cooperation to guide decisions about sharing threat intelligence and providing cyber assistance abroad.

The Action Plan sets specific milestones through 2025. Highlights include consulting on a no-fault, no-liability ransomware reporting obligation in 2024; establishing a Cyber Security Coordinator and National Office for Cyber Security; developing a new Cyber Incident Review Board; and introducing a voluntary risk management programme for managed service providers. Organisations should create implementation roadmaps that assign owners, timelines, and budget to each relevant initiative. These plans should integrate with existing compliance calendars for APP privacy reforms, critical infrastructure obligations, and industry-specific regulation. Tracking DSAR volumes, breach notifications, and supplier incidents alongside strategy milestones provides holistic oversight.

Privacy and DSAR readiness must evolve in parallel. The strategy signals continued Privacy Act reform, including potential expansion of the definition of personal information, enhanced controller-processor accountability, and stronger individual rights. Organisations should revisit data inventories, retention schedules, and consent management to anticipate these changes. They should also ensure that threat-sharing platforms log what personal data is transmitted so DSAR teams can answer queries about government disclosures. Coordinating with the Office of the Australian Information Commissioner (OAIC) on breach notifications and DSAR best practice will help demonstrate compliance if the forthcoming Cyber Incident Review Board examines a case involving privacy impacts.

Governance reporting should become more frequent. Boards and executive risk committees ought to schedule quarterly reviews covering progress on each cyber shield, resource allocation, supplier engagement, incident metrics, and DSAR performance. Internal audit can expand its plans to test compliance with SOCI risk management rules, evaluate participation in threat-sharing programmes, and validate privacy controls for shared data. Scenario exercises should simulate simultaneous cyber incidents, regulatory reporting, and DSAR spikes to test the organisation’s ability to meet statutory deadlines while managing public communications.

By translating Australia’s 2023–2030 strategy into detailed governance structures, phased implementation roadmaps, and privacy-aware data sharing, organisations will strengthen national resilience and maintain public trust. Coordinated action across the six shields enables companies to defend against sophisticated adversaries, support the broader ecosystem, and respond transparently when individuals seek assurance about how their personal data is protected in an era of heightened cyber threats.
