Australia to hunt down hackers, sets 'most cyber-secure country by 2030' target

Australia is planning on hunting down hackers as part of its plan to be the most cyber-secure country by 2030, a government minister revealed today.

Claire O’Neil, the country’s home affairs minister, launched a programme to develop Australia’s Cyber Security Strategy. She pointed to the Optus and Medibank cyber attacks, branding them “terrible events”, and said that these disasters need to be turned into a permanent step change in cyber security for the country.

As part of this, Australia is looking to “punch back” at hackers through a collaboration between the Australian Federal Police and the Australian Signals Directorate, the agency responsible for its offensive cyber operations.

“This will be a 100-person team, permanently focused on hunting down people seeking to hack our systems, and hacking back,” said O’Neil. “It will take some time to get this singing, but when it does, it will change the game for cyber in Australia.”

The Cyber Security Strategy is aiming to help Australia strengthen its critical infrastructure and government networks, as well as build sovereign cyber security capabilities.

O’Neil also said she wants to bring the whole nation into the fight to protect Australian citizens and the economy, and wants to strengthen its international engagement to make Australia a global cyber leader. This will also see it work with its Pacific neighbours to improve cyber security in the region.

The development of the strategy will be led by three experts, said O’Neil. These are Andy Penn, former Telstra CEO, Rachael Falk, one of Australia’s cyber security and telco experts, and Mel Hupfeld, former chief of the Air Force. The government also has the assistance of other cyber experts, including former UK NCSC CEO Ciaran Martin who will lead a global cyber expert panel.

“We have the burning platform, we have the mandate for change, we’ve genuinely got the best minds on this problem,” said O’Neil. “Now, it’s time to translate that into a more cyber-secure Australia.”

She said that the government had made changes to how it responds to cyber incidents, including bringing in new penalties under the Privacy Law. Once enacted, this will see new maximum penalties for businesses, which will change from $2.22 million (£1.2 million) to a new maximum.

The new maximum is the greatest of either: $50 million (£27 million), three times the value of any benefit obtained through the misuse of information, or 30% of a company's adjusted turnover in the relevant period.

“Our government has [the] commitment and resolve to fix this,” said O’Neil. “But it’s going to take time. Better cybersecurity for Australia means all businesses and citizens changing how they engage with the internet. We need to prepare for more major cyber attacks over the coming years as we undertake this important work.

“The truth is, we are unnecessarily vulnerable. We did not do the work nationally over the last decade to help us prepare for this challenge. Prime Minister Morrison’s decision to abolish the Cyber Security Ministry when he came to office was a shocker.”

O’Neil added that in September and October 2022, the country experienced the two worst cyber attacks in its history, within three weeks of each other. The first of these was the Medibank hack, which affected 9.7 million current and former customers. The other was the Optus hack, a data breach of 10 million customer accounts.

The National Australian Bank also revealed two months ago that Australians are subject to 50 million attempted cyber attacks each month, while the Australian Taxation Office said the figure was around 3 million.