Consultation on developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy

The Australian Government released the 2023-2030 Australian Cyber Security Strategy on 21 November 2023 (the Strategy).

The Strategy sets up a framework for government to take action to uplift Australia’s cyber maturity and preparedness over three horizons, making Australia a world-leader in cyber security by 2030. 

  • In Horizon 1 (2023-25): we have strengthened our foundations and addressed critical gaps in our cyber shields, built better protections for our most vulnerable citizens and businesses, and supported cyber maturity uplift across our region.
  • In Horizon 2 (2026-28): we will scale our maturity across the whole economy. We will make further investments in the broader cyber ecosystem, continuing to scale up our cyber industry and grow a diverse cyber workforce. 
  • In Horizon 3 (2029-30): we will advance the global frontier of cyber security. We will lead the development of emerging critical technologies capable of adapting to new risks and opportunities across the cyber landscape. 

The actions and initiatives taken by government under Horizon 1 of the Strategy are listed in the 2023-2030 Australian Cyber Security Strategy: Action Plan (the Action Plan).

As we approach the transition from Horizon 1 to Horizon 2, we are developing the actions and initiatives for government to take, together with industry, for the next three years under Horizon 2. 

Our approach to Horizon 2

To commence the consultation process on Horizon 2, the Government has released a Policy Discussion Paper for public consultation.

The Discussion Paper will continue our collaboration with businesses and citizens on identifying and developing policy options that will best position Australia to be a cyber resilient nation, and to explore how to work together to achieve them over the next Horizon.

This is only the first step in our consultation process. Once feedback and ideas from the Policy Discussion Paper are considered, a further industry co-design process will be undertaken on the specific actions and initiatives to take forward in Horizon 2. 

To support you in making a submission under this first phase of consultation we have released a package of documents, including a shorter ‘Snapshot’ document which captures the key elements of the Discussion Paper:

Engage with us

The Department of Home Affairs held the following Town Hall events via Microsoft Teams during the consultation period. This was to provide an opportunity to discuss the Discussion Paper and support development of your Submissions. 

Town Hall Events
| Event name | Date and time | Registration link |
|---|---|---|
| Charting New Horizons: Developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy | Tuesday 5 August 2025, 3:30 - 4:30pm | Closed |
| Cyber Security Policy Evaluation Model: Conceptualising, measuring and analysing the impact of the Strategy | Thursday 21 August 2025, 9:30 – 10:30am | Closed |
| Charting New Horizons: Developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy – Outcomes from the discussion paper | Thursday 6 November 2025, 4:00 - 5:00 pm | Closed |

Town Hall recordings

Charting New Horizons: Developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy

Rebecca

Good afternoon everybody. Welcome to Horizon Two: Charting New Horizons, the first of two town halls that we will have to support the development of the Cyber Security Strategy, second tranche. My name's Bec. I'm representing the team that will be developing Horizon Two of the Cyber Security Strategy within the Department of Home Affairs. This is one of many instances where we'll have to consult and engage with industry and the public on the next tranche of reforms that will support us as we move forward to 2030.

Before we kick off to details on how today's session will run, I’d first like to pass to Danni, who will perform our acknowledgment of country.

Danni

Thank you, Bec. Good afternoon everyone. I've been asked to perform today's acknowledgment of country. As a proud Kamilaroi woman, I would like to, on behalf of everyone here in this meeting, acknowledge the lands we are meeting on. For those of us here in Canberra, it's the Ngunnawal people, and recognize any other people or families with connection to the lands and surrounding regions.

I wish to also acknowledge and respect the continuing culture and contributions that they make to the life of this city and region. I would also like to acknowledge and welcome any other Aboriginal and Torres Strait Islander peoples who may be attending today's meeting.

Rebecca

Thanks very much, Danni. Acknowledging that we have a few attendees still joining, we will be placing some of the housekeeping detail in the chat for reference. For those of us who are with us now, note that we will be undertaking questions through the chat function.

If you are going to ask a question, we do ask that you also provide your name, if that's not clear on your attendance profile as well as the organisation that you're representing. I understand we may also have some individuals attending this town hall, and in that case, it's absolutely fine for you not to reference your organisation. We will get to as many questions as we can throughout the session.

If we don't get to your question, we will take that away and we will answer that as part of a bulk upload of questions and answers to the Town Hall landing page on the Home Affairs website. This is being recorded and a transcript is also being provided for our reference. If at any time throughout the session there are any technical issues, please reach out to us through the chat.

You can also email the team at CSSH2@homeaffairs.gov.au and we'll work to try and fix that problem for you. Again, we'll be providing some of those details in the chat and if there are any issues, please do let us know. Barring that, I'm very pleased to announce our two main speakers for today's session.

We're joined by Mr. Peter Anstee, who is our First Assistant Secretary for our Countering Foreign Interference and Cyber Security Division, and we're also joined by Ash Bell, who is our Cyber Policy and Programs Assistant Secretary. Without further ado, I'd like to hand to Pete.

Peter Anstee

Thanks, Bec and thanks, Danni. Welcome everyone to the first town hall for Horizon Two of the Cyber Security Strategy. For those of you who spend a lot of time around the cyber policy community, it feels like it's only been a moment since the launch of the 2023 to 2030 Cyber Security Strategy, and it's with great pleasure that we are reaching the near end of Horizon One and embarking on this conversation, discussion and consultation around Horizon Two.

So, thank you all for your engagement and enthusiasm for engaging through this process. As many of you know, the Cyber Security Strategy running from 2023 to 2030 was launched in November 2023 by the then Minister at the time, Clare O'Neil. And the Minister set up a bold vision for presenting Australia as a world leader in cyber security by 2030.

Underpinning her vision was a new spirit of collaboration between industry, civil society, academia and government, and presenting Australia as a safe, prosperous and of course, secure country. The strategy itself was designed around six shields, which you can see on the screen and built around the concept of three horizons. So, the first horizon running from 2023 to 2025, was really building the foundations for what a national strategic approach looked like.

At the centrepiece of that strategy was a new cyber security act, as well as 60 initiatives that informed a national cyber security strategic landscape. We're now entering consultation for Horizon Two, which is about expanding the scope, scale and reach of those strategic objectives, and that will commence at the beginning of next year.

So, consultation running from now until the beginning of next year. And finally, Horizon Three, which will run towards the end of the decade, where we cement our position as a leading cyber security nation. And those who have been following the agenda for some time, you'll be familiar with the progress that government and industry, and the broader cyber security policy community have made in this space.

2016 was about building the foundations for our cyber security agenda. 2020 revolved around critical infrastructure legislation. 2023, as I mentioned, was building the foundations of this national strategic policy project.

And now we're embarking on that moment of scaling these initiatives, scaling our policy priorities, expanding the reach to those who most need cyber security assistance and protection, and that's what we're seeking your engagement on today. I'm really proud to say that 20 months into this journey on our Cyber Security Strategy, we have seen really significant momentum across a range of cyber reforms, policies, programs and initiatives. As I said, there are 60 initiatives outlined in Horizon One of the strategy.

We're extremely confident we will have either completed those initiatives, or be in the sustainment mode for those initiatives by the end of this calendar year, so, on track for completion by the end of 2025. The slide in front of you captures some of the highlights. It's by no means exhaustive, but captures some of the highlights under the 23 to 30 Cyber Security Strategy. And as you can see, it has been a serious uplift in terms of engagement and delivery across the cyber security community.

So we now build on Horizon Two. I hope many of you who've had some time to engage with the discussion paper, we intended it to be comprehensive in the nature of the questions we were asking, seeking to touch on many of the questions across the cyber security community. With us today, we have colleagues from the Australian Signals Directorate, from the Department of Foreign Affairs and many other parts of government.

With that, I'll pass to Ash, who in many ways is the architect of the delivery both of Horizon One, but as we launch into Horizon Two of the consultation and leadership that will underpin that, and I look forward to your collaboration as we talk about these strategic priorities. Over to you, Ash.

Ashley Bell

Thanks so much, Pete. I don't know about architect, but certainly the team and I are really excited to be kicking off this consultation process. And I think, you know, primarily just really excited to be getting out there and talking with industry and talking with individuals about policy opportunities that we can take together. And I think we'll cover a little bit around some of the detail in the paper, some of the framing points and some of the ideas at the shield level, but we want to make as much time as possible for questions. So, think of this as a quick journey around the paper, hopefully you'll have an opportunity to engage with that, and then we'll get into more exciting discussions through the questions.

To frame where we've got to with Horizon Two, obviously, as we are still focused on implementing the remaining initiatives for Horizon One. A lot of those have been delivered, but also are still being worked through and further implementation work is being done. At the same time, we wanted to make sure that we are looking towards the next big tranche. And I think one of the strengths of the design of the soft strategy is the opportunity for us to collectively review the policy direction as part of each horizon.

This is critical for cyber security policy, given the speed in which both threats and opportunities are developing. Importantly, it allows us to reflect on the impact that these policy initiatives and programs are having across Australia. I'll make the point now, but I'm sure we'll come back to it later, the second townhall, which I really encourage you to come to, we're going to focus a lot more on that conceptual model that we introduced in the paper, that talks about the kind of theory of change loop.

That's a really important piece about looking at the broader element of what we're trying to do in cyber policy collectively, as Australia. Focusing on those outcomes and making sure that we are seeking to put our investment and our policy ideas towards an outcome, not necessarily just the interventions themselves. So, a bit of a plug for that town hall, which is coming up soon, so please join that.

But that's a real big piece of how we're looking at both the impact and assessing where we are at the moment in terms of our journey towards being world leading in 2030. So, as Pete mentioned, the world's changed since 2023 in many different ways, so this consultation discussion paper is intended to be an opportunity for us to take stock and consider what that next tranche of reforms should look like.

It's an opportunity for us to take a whole of nation approach to cyber security. And this is absolutely centred on the partnership between the private sector and public sector and individuals as well. Cyber security also presents a lot of opportunities. It's not just a narrative of risk and threats. So through this work, we're looking at how we can leverage cyber security policies to provide an economic opportunity for Australia, both in developing sovereign capability, driving productivity and competitiveness and supporting individuals, as well.

As part of Horizon Two, what we want to be able to do is to ensure that Australia's cyber resilience evolves with the global threat landscape. And we have three principles that we outline in the paper. The first being that we want to embed cyber security messaging standards, capability and efforts across society - from homes and schools to businesses and government partners.

We want to empower businesses. Particularly small businesses and not-for-profits and citizens to protect ourselves and each other, reduce the barrier for applying protective frameworks and ensuring Australian businesses are more productive and can bounce back quicker. And then lastly, we want to enhance our cyber entry frameworks through structural reforms to harmonize and simplify regulation, strengthen cyber workforce in the business ecosystem, and better coordinate security outcomes for government cyber uplift. As I mentioned, at the core of the strategy and our policy design for Horizon Two is ensuring that the public-private partnership is at the centre of the work and the thinking and everything that we do. We know that we can't do this alone in government. It's only together that we're able to achieve what we want to do.

And we've seen this as Horizon One has unfolded. We've seen the tremendous work that industry has done, that individuals have done, that people have invested behind the strategy, the work that's been taken forward independently through things like the Executive Cyber Council to really drive and look for opportunities where business or particularly large business can actually start to solve some of these challenges themselves or work with government to support.

And it's in this spirit that we really want to take forward the next horizon. As the Minister said in the foreword, building a cyber resilient nation reflects the best of Australian values. Collaboration, innovation and an unwavering commitment to protecting what matters most. It's often said that cyber security is a team sport, and that's kind of the phrase that gets thrown around a lot.

But I think that is absolutely true and quite unique nature of this policy space and the work that you all do every day in supporting Australians and Australian businesses to remain safe and secure. We've developed this paper with a view of looking at different cohorts within Australia that will be contributing to the mission. Our view is that everyone has a role to strengthen our nation's cyber resilience, and everyone's going to benefit from a secure and thriving economy where we're capable of bouncing back quickly after an attack.

This is about making sure that we are supporting the different structures and making sure that the economic incidence of this, the work to uplift resilience sits at the right space. What's the role for government? What's the role for big business? What's the role for small business? Everyone has a part to play, and how do we then craft policy initiatives that are going to have an impact, that are going to be structural, that are going to stand the test of time and get us to where we want to be.

I think that's the core of Horizon Two. It's moving beyond foundations and moving into the part where we're able to say, okay, how do we make sure that we're getting these reforms into the system, and how do we leverage the different opportunities and roles that we play in government and in business, in different sizes?

By 2028, we want to make sure that the policies that we put in place will allow Australians, particularly vulnerable cohorts of Australians, to be confident participants in the digital economy, to feel safe online, to make informed decisions about the security of the technology they choose to use. For small business and not-for-profits, we want to make sure that they have access to clear standards that are cost effective to implement and provide a simple pathway to cyber resilience. We want to make sure that cyber insurance and other market based mechanisms that support that resilience and uplift, particularly for small entities, are available at a reasonable cost. For large business, we want to work with large businesses to proactively protect Australian networks. We want to make sure that large business has access to a deep cyber security workforce that's diverse, that is highly skilled and that is globally competitive. We want business to be supported by harmonized cyber regulation. We want to make sure that we get security outcomes at the absolute lowest cost.

For critical infrastructure providers, we want to make sure that they are cyber resilient and supported by a mature regulatory position, ensuring any noncompliance is identified and rectified. And on the government level, whether it's federal, state or local governments, we want to be working in lockstep to secure government services and critical systems that Australians rely on. We want to also increase and enhance the way that we engage across different jurisdictions with programs, strategies and policies that we're developing.

We want to ensure that the Australian government is an exemplar in cyber security, leadership and data protection. And finally, Australia remains a cyber partner of choice in the region. We want to make sure that we shape, uphold and defend international cyber rules, but importantly, we also want to impose costs on state and non-state malicious actors.

So, as you have seen within the paper, we are exploring different ideas and focus areas within each of the shields. Again, we want to make sure there's lots of time for questions, so I'm not going to seek to read out the paper verbatim, the details on the slides there are around it.

I thought we might just kind of pick up a few of the key themes that I'm sure will already be resonating with in the questions and areas that you'd want to be looking at. So, again, starting with Shield One, it was our biggest shield in Horizon One, and it continues to be the foundational conceptual structure of the shields themselves.

It is important that individuals and businesses are protected and Horizon Two will continue to have people in business at its core. We want to collaborate on meaningful measures for businesses, communities that are at the coalface of our digital economy. I think the focus areas are around two things particularly, so that’s societal cyber awareness.

How do we build on cyber awareness messaging to centralize that messaging, to enhance messaging, to even reach cohorts that we haven't been able to successfully reach so far? How do we bring our kids in, and the future digital natives of Australia into that discussion so that cyber security becomes ubiquitous, it becomes a commonly understood thing, and it becomes a component of operating in an online world, and being aware of the security components that fit within that. A big part of Shield One will also be looking at supporting small medium businesses and not-for-profits. So small businesses have an absolutely crucial role in the economy, but too often, given the size of the entities or the cost elements, it's very difficult for those small businesses to divert the attention, let alone the resources, to uplift their cyber security resilience.

So how do we support them and meet them in the middle? How do we find a way to provide a clearer set of ideas or standards of what resilience is necessary and how to do that? And I think that's the key piece that we've heard from industry is that the challenge is actually just getting the attention in the first place.

But then once you've got the attention, how do we take action in a way that's going to be meaningful and fit for purpose for entities of different types? Similar thing for the not-for-profit sector. I mean, obviously that covers both small and large, but there is different factors that come into play for these organisations. You know, you have more volunteers, there's a lot more pressure on the expenditure of donations, money towards administration aspects versus mission activities. There's different pressure points in these entities and we want to use this discussion paper to understand those better, so that we can work together to craft policy solutions or ideas or policy programs or things that we want to take forward that are going to get that change to happen.

This is a really important thing for all businesses of all sizes, right? Small businesses are part of the supply chain that support larger businesses. And as we know and as we've seen, where there's a vulnerability within that, that can have an impact on other entities as well. So, it really is that element of a team sport about rising tide lifting all boats on our resilience focus.

Within these elements, we're also looking at individuals as well, both in terms of enhancing support for those that are victims of cybercrime and looking at ways that we can explore policy interventions for individuals and parts of the community that are more vulnerable groups. So, we've called out various vulnerable groups, but we're really keen to understand from their perspective, and from their lived experience, what would best suit them to help protect themselves?

We're really excited as part of Horizon One to launch the grant process for cyber awareness grants for vulnerable communities. And that was a way of getting a whole bunch of different community organisations to be delivering that message. We want to build on that and start to see are there specific interventions? Within the gender space, is there elements around technology enabled violence against women? Is there parts within the cybersecurity space where we can look at that issue and again, address some of these parts, because it's not just about necessarily securing the data, it's also about securing the individuals, making sure they feel safe online. And then lastly, there's a huge focus on cyber regulations and how we can look to harmonize, simplify and reduce the industry burden, as I mentioned. How do we get security outcomes that are important for our economic prosperity, but also for the security of the community? But how do we get those security outcomes at the lowest possible cost?

That's going to be a real central feature of how we will then drive productivity initiatives to enhance economy. Within Shield Two, this gives us an opportunity to meet the growing attack surface with a proactive approach to mitigate vulnerabilities and empower consumer choices to smarter, more secure options. Again, we had a lot of big initiatives within Horizon One that will continue to unfold over the next couple of years, including labelling and the secure standards.

What else is there to explore in this space? What other technology pieces have changed in the time? What do we need to look at to continue to ensure that Australia remains at the cutting edge of this? There's obviously policy dimensions to balance. We don't want to have a situation where we lock out Australian consumers to technology products by picking standards that aren't going to be consistent with that best practice or international element.

How do we provide an opportunity and hear from you about ways that we can do that, or standards that are evolving, or threats that are changing where you think it would be most useful for government to explore? Similarly, on emerging technologies. I'm surprised that it's gotten to this far before I’ve said the word AI.

I feel like that’s everywhere I go at the moment, but it's around us, it is part of it. And even that's a perfect example of something that was obviously considered in the pipeline when the strategy was formed, but now the conversation around AI has shifted dramatically, and you can say the same about quantum and different other parts.

So, how are we making sure that our strategy and our policies are remaining cresting that wave of emerging tech, but also making sure that we've got those secure foundations as we go through? And for Shield Three, there's quite a lot there that we've introduced as new ideas that we're looking to understand a bit more from you about. Testing some of these ideas around a more proactive posture for cyber security.

We've obviously done quite a lot of work on threat sharing and threat blocking in Horizon One, but what are these other elements that are being explored in other countries and that are being put forward by industry? How are we all enabling vulnerability disclosures? For example, what does active cyber defence look like in an Australian context?

What is permissible activities? What isn't? What more clarity is needed? It's a policy conversation that we want to have to understand where Australia is on a number of these issues, and I think it's an exciting piece of work.

Into Shield Four, Australia's critical infrastructure will continue to play an absolutely key role in maintaining and sustaining our economic social stability. It also makes our critical infrastructure a significant target for malicious cyber actors and can impact the national interest, if disrupted. So a focus here on this shield is two parts. There's the critical infrastructure component, which we've done quite a lot of work through regulations and reforms to SOCI Act particularly, but doing a lot of work in terms of maturing or continuing to consolidate the regime to ensure that it's working for both critical infrastructure providers, but also, getting the outcomes in the security context that we need.

Then similarly, there's a whole lot of work in which you would have recently seen last month that was announced around the Commonwealth cyber uplift projects. So there's more thinking under Shield Four to consider what more needs to be done, whereas those priorities need to shift over that next three-year period.

We're really excited to have that conversation and particularly with those two mature work programs, start to think about how do we maintain this and how do we maintain our edge? When we go and talk to our international counterparts, often we hear about the importance of our SOCI reforms as real world leading.

For Shield Five on sovereign capabilities, the Australian cybersecurity industry supports prosperity, generates new jobs, contributes over $2 billion to annual GDP. So seeing cyber through an economic lens is not just about security, it is about that prosperity and sharing in the gains that come from growing our industry. We need to have a robust and strong cyber ecosystem to support all of the other programs of work that we want to do, but also as we go through the shields, to provide that actual support and security services to businesses and to individuals.

So a big part of that is continuing our work to expand and build a sustainable cyber workforce, supporting mid-career transitions, reducing entry barriers, strengthening cyber education in schools and working really closely with industry and leveraging the great work that we've been doing in Horizon One to understand what more needs to be done and what role government plays, what role private sector plays, where the industry is and looking for opportunities where we can support.

The World Economic Forum said there's a skills gap of 4 million cyber professionals currently. That figure is going to jump to 85,000,000 in 2030. So it becomes a global competition for these cyber security professionals and skills, and we're going to make sure that obviously Australia is supported in terms of having access to them and growing our own competitive and exportable services as well.

We've also had a look through different elements within the sovereign capability and discussions with industry to explore other components that haven't been or weren't fleshed out as much in the strategy. We're really keen to understand more about other niche parts of the industry or the ecosystem that are thriving or maybe surviving, that need support or maybe need policy intervention.

So we're really keen to understand the different dynamics of those and the roles that they will play. And then finally, Shield Six is about a resilient region and global leadership, and we want to work to deepen that collaboration with our existing and additional partners on cyber deterrence. We want to continue our efforts to build a broad coalition of international partners, and leveraging the idea that security is a team sport, we need to make sure that we can work with our partners internationally, but particularly within the region. So that looks like strengthening global partnerships through our existing programs that DFAT have been running through.

So, for example, SEA-PAC and Cyber Rapid to address the rising regional cyber threats, but also looking at different components around things that are emerging, like international cyber regulations and how those are harmonized, or what can we do within the region to look at harmonizing regulations, so that it's easier for businesses to operate in the Asia Pacific region?

Particularly within the Australian Pacific region. So, there's lots of different parts that we can explore there and there's obviously quite a lot of work that's being taken forward already through DFAT primarily. So that's a rather exhausting, but hopefully useful walk around the park of the different shields. We wanted to make sure throughout the structure of this discussion paper that we put it all out there, but we also showed the working, we showed the thinking that's been done.

We showed the conversations that we've been having, we’ve showed that we've been listening through the consultation processes on the legislation, in the various different meetings. We wanted to show what we think, and what we've heard, but at the same time, this is very genuinely the first step. We are absolutely, super excited, but very keen to get your ideas and thoughts on some of these issues, all of these issues, a narrow issue, whatever you want to talk about, we're here to listen. And at that point I might pause and, perhaps we can shift into Q&A. I can hear my teams doing a lot of bleating and I assume that means we've got a rich set of questions. So I'll hand back to you, Bec.

Rebecca

Thanks, Ash. So, we will jump straight in. I'm afraid we won't be giving you much of a break, but I'll try and read that question nice and slowly, to give you a chance to recover from your overview. We've received a question in the chat on whether there's any particular format we would like to receive feedback on the discussion paper in.

Generally, the team would appreciate that to come through as a PDF. We haven't put a size limit or a format limit. We don't want to stifle your creativity. Ash, if there's anything else you wanted to add to that, grateful. Otherwise, we'll move to question two.

Ashley Bell

No, I think that's covered it. However you want to present, but also please reach out to the team through the email box. You might have a group of companies or businesses, or maybe you represent a particular industry, or you want to pull together a few different people and have a chat about a particular area. Please reach out to us. We'd love to hear from you. And we're happy to kind of have that conversation in a different way, if that's easier as well. Also as much as we want to have the submissions by the 29th of August, this is a conversation that, as Pete mentioned, will continue to be going on till the end of the year and we'll have many more opportunities to be engaging, so please don't feel like this is your only opportunity.

Rebecca

Very good. Ash, we've had a question around whether there are considerations under Horizon Two for amendments to the act. Unless that's been clarified in the chat, we're going to assume that's the Cyber Security Act, noting that the environment's changed and the threat landscape has evolved. Whether we would be considering amendments to that over time.

Ashley Bell

The first step would be to understand what's the policy outcome that we're trying to achieve, and then the first thing we would do is to see what the law permits or allows or restricts or whatever, and consider whether or not legislative changes to the Cybersecurity Act or could be other pieces of legislation in the Commonwealth, or it could be other different pieces. So, I think, nothing is off the table in that sense, because the idea is that we want to make sure that legislation is fit for purpose at all times.

Some of those elements that we set up within the Cybersecurity Act, we purposely did the structure to make subordinate legislation rules to allow them to remain current and to make sure that that was an easier process. So that's already baked into it. But certainly from that perspective, legislation always has to be fit for purpose, so I'd start with, what's the outcome you're seeking to achieve rather than what's the legislative change that you want? Because there might be different ways of achieving the outcome.

Rebecca 

We have received a question from a small business representative who provides cyber security services with some domestic clients. We've got in the chat whether there's a plan to develop and roll out a Cyber Security Australia app to help all citizens and to help alert and inform them better of cyber threats.

I might take that one. And it's riffing straight off the good work Ashley did to provide that response, which is, we do want to have a good understanding of the kind of outcomes we’re aiming to achieve under Horizon Two. And that's not to say that submissions shouldn't include specific examples if you have them ready to go, but if we can link that to how that will support the main themes and may intent and drive a that we've concluded onto the discussion paper, that will make our understanding of what we move through next under Horizon Two much better, and much better supported by what the overall intent will be.

Ash, this was another one for you I think. Under Shield One, we have the focus area of harmonizing and simplifying cyber regulation to promote best practice and efficiency. Will this include harmonization between Commonwealth and state legislation and regulation? I think that might be another area where the overall outcome in intent is something that we would be looking to, rather than the hard and fast granular measures.

If you or Pete wanted to add any reflections on that, considering the last engagement under the Cyber Security Act saw us engage with a range of people to push that through, welcome those please.

Ashley Bell

I can kick off and Pete, if you want to jump in. We've got a little bit in the paper around this. We obviously work closely with state and territory counterparts and colleagues and we're really keen to enhance and continue to build on that. I think you're right Bec, I would frame that as what's the outcome that is the issue. So, if we're talking about an example of harmonizing regulations or legislations or soft regulation between state, territory and Commonwealth, what's the particular friction point or overlap or duplication or gap?

Where is that element which isn't sort of harmonized or working well. Then that can be something to be explored through different mechanisms. I think when we've talked about regulatory harmonization, it doesn't discount the element of state, territory or local and Commonwealth levels, but primarily we're looking at it through the Commonwealth statute book primarily because we got those controls in the executive government.

I think it is absolutely an area that we would be really keen to hear your ideas on where that federal regulatory harmonization is needed or could support business. I think we're really keen to get those ideas. Pete, anything more on that?

Peter Anstee

Thanks, Ash and thank you for the question. All I'd add is that many people have noticed that productivity is a real focus of the government at the moment as they ease into their new term.

And I think a big part of that will be where we can look to regulatory reform, such that it involves harmonization or minimization of relevant statutes. Ash’s point is right. It should also always be outcome or purpose driven, rather than deregulation for deregulation’s sake. In that context, we're certainly exploring and open to discussions around how we can streamline regulation in the context of federal and state regulations between the Cyber Security Act and the Security of Critical Infrastructure Act, but also in the international context, where there might be arguments for harmonization as they relate to international standards and international regulation.

So, it has been a busy space, the cybersecurity regulatory environment. Therefore there is sometimes a congested regulatory dynamic, so it's an area we're certainly looking to have an active discussion around what we can do to make life simpler but also secure for Australian businesses.

Rebecca

Thanks, Pete. Speaking of businesses, we do have a query about how an industry body can assist us in delivering information in easy to access media and fact sheets. I'm going to assume that means not just this process, but also our engagement on cyber security uplift and resilience more broadly. As a first port of call, please come to us in that email address that we've popped in the chat.

We'd love to start engaging with you on that now. Similarly, we've received an additional question around what data sources will inform the baseline against which Horizon Two outcomes are measured and how industry can share additional anonymized data set securely. Again, please reach out to us on our email address, we'd love to talk to you about a separate exploratory impact study that we currently have underway, and we can work you through the intent that is supporting that study.

The other opportunity would be to please come along to our town hall on Thursday, the 21st of August. We'll provide more detail on our evaluation model, which will also go into how we will be using data to better support our understanding of outcomes under the Cyber Security Strategy going forward.

One for you, Pete. I think this is from another industry representative. Will we be bringing forward education under Horizon Two for those already in employment across cyber security to keep them up to date? Given the generational change to use AI everywhere, could we use things like targeted micro-credentials to upskill the workforce before it's too late?

There's also a note in there about how universities are primed and ready for this, and a potential overarching strategy might support. I know we do speak to the intersection between AI and technology, this is a question around capability uplift and the intersection between AI and our workforce. So Pete, love to have your thoughts on that one.

Peter Anstee

Thank you. Both on the education piece and on the AI piece, I think they'll be really central discussions as part of this consultation process and no doubt will live in the final strategic policy document. I think that, through Horizon One of the strategies we've done a lot in the skills space and we're looking to build on that in Horizon Two. That will include discussions around credentials and micro-credentials, particularly as we're moving through this fast-paced environment around AI. So, absolutely, really keen for practical and pragmatic ideas around how we can work with our departments at the federal Department of Education, with our state and territory departments, as well as tap in industry educators to work through the whole stack around how we can uplift our cybersecurity workforce.

It'll be a real focus of discussion and I'm very, very keen for your inputs and ideas, including how AI can both supercharge and enhance the development of those skills, as well as what skills will be needed to engage in the cybersecurity AI environment.

Rebecca

Thanks, Pete. And I think that's gone some way to answering another question around AI in the chat on the intersection of AI and cyber security. As Pete’s mentioned, that's something we'd like to explore under the responses to the discussion paper, as well as the outcomes we'd like to achieve under Horizon Two. So, we will work that through as part of our broader approach to the overall role of AI in cyber security uplift and response.

Pete, I will pick on you again. I think this is another area where we want to unpack a little bit around our established frameworks, as well as how we communicate that out with industry, which you are poised to respond to. A comment first, cyber can't be seen in a silo. There needs to be an all-hazards approach to addressing the risks to society and business, establishing a requirement to key assets and industry to align with Essential Eight, and we have a few other frameworks listed there. How long, or can we consider where we might have a standardized approach to overall security compliance in line with the PSPF/DSPF, to enable all businesses to have a clear path to good security management?

Peter Anstee

Yeah. Thank you. I think the interaction between the Protective Security Policy Framework and the Security of Critical Infrastructure Act is an area, again, that deserves close exploration. You would have seen a lot of reform in the PSPF area over the last 18 months. We've updated the protective security requirements across government, we've issued a number of directions for government entities, including a technology stocktake, consideration of foreign ownership and control risk, specific directions around high risk vendors such as DeepSeek, Kaspersky and TikTok. In an informal sense, we've seen a large amount of uptake by critical infrastructure providers in terms of mimicking those directions without having to burden them with prescriptive regulatory obligations.

That said, I think that is a really live conversation that we should explore around the interaction between the PSPF and the Security of Critical Infrastructure Act. More broadly, we're always open to ideas around how best practice, whether that's government security standards or controls or those that exist in industry can be best promulgated across society in the least sort of regulatory burden sense.

So, again, really happy to have some discussions around how we might spread best security practice in a light touch regulatory way.

Rebecca

Thanks, Pete. Ash, one for you, noting the discussion we had around intersectional approach in supporting multiple communities under the strategy to thrive during Horizon Two. Are we open to partnering with social enterprises to deliver consistent, measurable learning for students and vulnerable communities? Sharing data and, in essence, providing a real time alert system?

Before I pass to you Ash, I'll note that again, very happy to connect you with the relevant work area who is doing that sort of work now. So please reach out to our email address. Ash, did you want to add any additional context to that, under Horizon Two.

Ashley Bell

Absolutely. So, the answer is yes. Absolutely keen to hear ideas about programs, pilots, initiatives. I think this is the innovative element and certainly something that Australia does incredibly well, which is to look at novel solutions that can be explored, can be taken forward, and where they've got a track record, even more so. We can then look at what is that an opportunity to scale that, or can we trial that in different part?

I mean, there's a lot of these programs out there with different outcomes at the focus that have been perhaps worked with the state and territory government, and it's been successful. So, could it apply more broadly? Can we scale it up? Can it solve other problems? We're very keen to hear about those.

Obviously, we're also keen to hear about new ideas that haven't had the chance to sort of, flourish or get a grounding as well. Any of those different elements from social enterprises, from not-for-profits or even just for innovative ways of coming at problems that you might have explored in your own business that's worked, or within your own community.

We're really keen as part of that vulnerable communities cohort to understand, what works in a particular pocket of Australia might not necessarily work in other parts, but that's okay too, because that's still driving and solving for an outcome consistent with what we're trying to achieve in the strategy. So, absolutely, love to hear from you.

Rebecca 

Thank you, Ash. We have a query around whether the original submissions from 2023 are also being reviewed and noted in terms of unique ideas for Horizons Two and Three. Great question. Yes, we will be, when we're considering Horizon Two, I note that there were some ideas and some proposals put forward that we did not have the opportunity to engage under Horizon One fulsomely.

So, we will be considering how they fit into the landscape of Horizon Two. The other thing I'll note is that the team is also considering Horizon Two as part of an ongoing program of work established under Horizon One. And just because we hit Horizon Two doesn't mean that the work on the Horizon One stops. And part of establishing that foundational framework on the Horizon One is to create a landscape which will extend out into Horizon Two and then onwards into Horizon Three.

And there will be measures that continue over time and will continue to support anything new introduced under Horizon Two. So it won't only be the proposals that were put forward under consultation for Horizon One that potentially have a role within Horizon Two, but the ongoing wins in the ongoing engagements that we have under Horizon One will also continue into Horizon Two as part of the program.

Pete, we also have a query here around the accessibility and affordability of cyber insurance, particularly considering the role SMEs may play in that space. Is the government considering mechanisms to improve availability and affordability without distorting the market? As a comment here around whether pool risk schemes or subsidies could be linked to compliance with SME appropriate standards?

Peter Anstee

The short answer is yes. For those who have been playing along for some time, cyber insurance is an issue that raises its head at most national policy discussion forums, and we expect it will again at this point. I think the difference is we are now getting to a point of maturity in the cyber insurance market that we can have a really targeted and focused and deliberate conversation around what practical interventions or not, government might make in this space.

I think that the key thing which you touched on in your question is that we should be targeting as broad a coverage as possible whilst ensuring that there's not government intervention that distorts the market or that distorts consumer choice. So, it’s in some ways a tricky policy problem because it encroaches on market dynamics and insurance markets and all the rest of it. It's not a pure cybersecurity play, but we're really interested in how we can set up Australia to be best practice in terms of its cyber insurance market, as well as getting coverage for as many SMEs in particular, as possible.

Rebecca 

Maybe speaking to coverage a little bit there Pete, though, I note that the nature of the question is different. A question on everyone's favourite topic, zero-trust. Will Horizon Two expand on the development of zero-trust within the Australian economy. And as part of this, it would be great to touch on what government's doing as well, around zero-trust.

Peter Anstee

Sure. Challenge one is that zero-trust sometimes means different things to different people, but such that we could land on an agreed definition through this process as to what sort of national zero-trust standard or approach would look like. We think it does represent best practice in terms of a modern, flexible and defensible architecture for Australian businesses in particular. In terms of the Australian federal government approach, we have sort of set up a zero-trust program in terms of articulating what best practice looks like for federal government agencies in designing a zero-trust architecture. That information is already public and accessible, and we encourage organisations to reference that in the design of their own security architectures as it represents good practice. That said, I think arriving at a prescribed national standard will take a lot of thought, design, and might have tricky consequences as well. So, it would be something we'd be really keen to discuss and work through around what a light touch approach that looks like as well.

Rebecca 

Thank you, Pete. I might raise this question up a little bit, as I'm unsure whether our colleagues from the Australian Signals Directorate are on the line. We've received a query around if we have more details around how ASD and Home Affairs collaborate in setting and assuring standards across jurisdictions without duplicating state led policies. I think there's also an opportunity here to talk about how we engage across with ASD and other Commonwealth and state and territory agencies on our policy program. I'll pass to you to provide a little bit of information on that one.

Ashley Bell

Thanks Bec. And look, I think it's a pretty specific question, so happy to take that one offline to an extent to find out particularly what you're looking at. But I think in that broader sense, as I mentioned before, that intersection between the levels of government is an absolute critical focus for us in the strategy and particularly within Horizon Two. How do we do that even better? We’ve spoken with counterparts in Canada about this exact same kind of issues. So, they've got a central government, but a bunch of provinces and the provinces regulate local governments. So, they have similar challenges in terms of making sure that there's good alignment and discussions and dialog between the different levels of government so that there isn't duplication so that we are as harmonious as we can be.

Noting that, within Australia, our businesses and our people operate across borders quite freely. So, it's certainly something that we're taking forward. We have various forums, which I won't go into because it's very bureaucratic and a lot of acronyms, but there is a lot of engagement both with ASD and through ASD, but also with our counterparts in the states and territories.

On the Commonwealth level, we also have a lot of established forums for engagement on cyber policy and the development of strategy as well. Just to bring you a little bit sort of inside baseball, we've been working on developing this discussion paper and these ideas for Horizon Two quite some time ago. And as part of that, we wanted to do a bottom-up review. We've brought out all of the different agencies.

We had a number of workshops and seminars to the question before, we looked at the material that was presented to us previously in the discussion paper from the regional strategy, we've taken new consultation, and we've also made sure that everyone has a voice from all the different angles of different parts of government as well.

And so, I think part of this is making sure that we are as connected as we can be. So, there's no wrong door on these conversations and it's not limited on one angle. We can always do better and we're always open to feedback on how we can do that as well. So, separate to the submission process, always happy to get that. You've got my details, I'm sure that the team can drop my email in the chat. I'm always happy to get feedback on how we can do that better engagement as well. Thanks.

Rebecca 

Thanks, Ash. We are running up against time a little bit, so we might have to be a little bit more targeted in some of our questions and answers. I will note that we've received quite a few around artificial intelligence and how we will play that out under Horizon Two and the intersection with other topics and thematics. So just with the leave of attendees here, we'll take those away and consider them fulsomely so that we can get you a better and non-duplicative answer, and we're always happy to come back to you bilaterally if you contact the team again at our email address.

So, moving through what we do have in front of us now, Pete, this is one that goes again to cyber maturity levels, as well as some of the standardization work we spoke through before. There's a broader comment around cyber is often being seen as it's a cost to be insured and to reduce risk, potentially against the benefit with that investment which can yield a return. The question whether further incentives to drive private sector adoption of certain cyber maturity levels is being considered, such as through company tax rebates, deductions, grants etcetera. Ash's comment there around how we will engage across Commonwealth with other like agencies who hold the policy on that. Did you want to unpack anything additional in response to that question?

Peter Anstee

Yeah. Thank you. I think there is still work to be done in terms of measuring and modelling how much of cyber security is a cost, but also the benefits that come from cyber resiliency. I think a big part of our job as a cyber security community is collectively presenting why good cyber security posture and resilience is actually good for the bottom line of your businesses.

Generally, and this is perhaps me speaking more personally than for the division, I don't think grants, subsidies, rebates will be the panacea in this space. It is more demonstrating to those that making cybersecurity investments in your business will ultimately return a reward. So, there is a policy question there to continue to build on that has been represented in the first horizon, but looking forward to working with you to build that in Horizon Two as well.

Whilst I've got the microphone, I want to make one final comment on AI. Absolutely cyber security questions around artificial intelligence will be central to the discussion in developing our policy program around Horizon Two. In particular, people are interested in these general-purpose technologies. It will be affecting all departments of state, state and territory policy development, municipal policy development.

So, expect it to be central to the discussion. The point to emphasize or a key point to make is this is not an AI discussion paper. It is a cybersecurity discussion paper. So, in preparing your submissions and presentations, I really think we should be focusing, a laser like focus on what the cyber security policy questions AI is presenting us with.

Whether that's around workforce, whether that's around defensive tools, whether that's around adversary, offensive capability. There are some really specific questions that I think we need to explore in the AI context. But I'm keen for this not to become an overarching AI strategy. That is for the Department of Industry in large.

Rebecca 

Thanks, Pete. And in the spirit of ongoing collaboration and engagement, thank you all very much for your time this afternoon. We will take any questions that we haven't responded to and collate them as part of a question and answer resource that we will provide on the Home Office website. Per the slide that's currently up, any additional questions that you didn't think of during the chat or you'd like to unpack more, please contact the team at CSSH2@homeaffairs.gov.au.

Please provide any submissions, preferably in a PDF format, but also very happy to receive your request for ongoing engagement. Please also remember to join us for our next Town Hall on the 21st of August again to discuss the policy evaluation framework underpinning the strategy. Thank you also to our presenters, Ash and Pete. Thank you to the team behind the scenes for making sure this all ran very smoothly.

Have a lovely afternoon and we'll engage with you soon.

Cyber Security Policy Evaluation Model: Conceptualising, measuring and analysing the impact of the Strategy

Rebecca 
We'll come back to you at 9:32 and we'll kick off properly.
All right, so those entry beeps are starting to slow down, so we will kick off now and a reminder that this town hall is being recorded. Welcome everybody to our second town hall for the Australian Cybersecurity Strategy, Horizon 2 consultation. My name's Bec, I'm one of two co-directors in the Cyber Security Strategy Program Management Office. Really pleased to come to you today off the back of our first town hall for Horizon 2, which provided a broad strategic overview of what we're aiming to achieve under both the consultation as well as under Horizon 2 out to 2028.
That recording from town hall number one will be available online shortly, and the recording for this town hall will also be available online. This town hall is specifically focusing today on the policy evaluation model that we have raised in the discussion paper.
Within the model, we are embarking on a world first project to work together to deliver long term cybersecurity strategy outcomes for Australians in a changing world linked to the ability to monitor and evaluate the successes and outcomes for that over time.
This is an early opportunity to provide and ask questions and to give us some early feedback on the model and to hear about how we aim to develop that out over the next couple of years. Just pausing to allow those to enter. Thank you.

Before we kick off properly, I do want to acknowledge the Ngunnawal people as the traditional custodians on the land that the Canberra team is coming from today and recognise other people within the region who have a connection to the lands of the ACT. We also wish to acknowledge the continuing culture that they provide and the contribution they make to the life of the city and this region, and we'd also like to acknowledge and welcome any Aboriginal and Torres Strait Islander people who may be present today on the call.
Mild housekeeping before we kick off. All participants are muted with their cameras off. Any questions that we're taking today will be provided in the chat. When you are providing a question, we'd be very grateful if you could include your name and your organisation alongside that question.
We will have a question and answer segment at the end and aim to get to as many of them as possible. If we don't manage to get to your question, we will take that question away and provide an answer online anonymously and provide that alongside the town hall recording on our strategy landing page.
As with last time, we're joined by First Assistant Secretary Pete Anstee and Pete will be providing our strategic context. We're also joined by Dr Cathy, who's the director of our cybersecurity policy efficacy team. She will walk us through the cybersecurity policy evaluation model.
Today, we're aiming to start as we intend to go on and we're going to commence with a quick poll to learn a little bit about who is in the virtual room. That will allow us to get an understanding of what kind of data we have in front of us and will give us some quantitative feedback to guide our policy design.
A note to say that this poll is voluntary, and all responses will be anonymous. We're not going to be treating those results as definitive, but they will be treated as indicative.
The results will also be collated and made publicly available after the town hall.
So question one, where are you from today and you may not find that you fit neatly into one of those categories, but please pick the response that best suits your circumstance. So, we might give it about a minute to allow everyone to provide their response, and we'll see what we're looking at.
Okay, so already straight out of the block we have participants identifying as being of a large business of 200 or more imported employees at 39%. We then have our small and medium business community of less than 200 employees also represented.
And Australian government at 29%, representative body at 10%. And we also have our colleagues from the academic community also on the line. No one for, oh, 1% from other. Be interested to know what other is. Feel free to pop that in the chat as well. We'd love to know who we haven't reflected in the poll here, but it looks like we have a good combination of those representing our business community across the large, small, and medium business cohort. Obviously, our partners and friends in government as well and the academic institutions and representative bodies also providing some representation on behalf of both research and assuming we may have some big bodies and others contributing today.
Thank you. We'll take that away and we'll see how that aligns with some of the other poll work that we will do throughout the call. But now I will hand to Pete to introduce and then we'll kick on around the evaluation model. Thank you, Pete.

Peter Anstee
Thanks Bec, and good morning, everyone. It's wonderful to be here and thank you all again for joining today's session. The second of our Horizon 2 consultation town halls. For those who don't know me, I'm Pete Anstee. I'm the First Assistant Secretary for Foreign Interference, Cyber and Technology Security here at the Department of Home Affairs. Today we're covering an important topic that too often doesn't really get sufficient attention inside government policy making. It's the work on how we plan and measure the impact and outcomes of the strategies that we're co-designing with you over the next many months. As I said, you know, we've been through several strategies over the last few years, and often the evaluation of the impact of those strategies is wanting. So, today's session is really stepping you through how we're seeking to kind of design that methodology around what the outcomes of the strategy are and how we've defined those as well as how we're measuring the practical impact of what is a national strategy with many component parts. So, it's a difficult task, but we're keen to make sure that we're anchoring our design and our delivery in an evidence based and methodical process.
Firstly, to sort of recap where we've come from. For those who follow cybersecurity policy design closely, this is our third major strategy over the last eight years. In 2016, that was the first funded cybersecurity strategy that really set out many of the architectures that many of us are familiar with across both Australian government and the cybersecurity ecosystem more broadly. In 2020 the second strategy was focused on critical infrastructure and at the heart of that sat the Security of Critical Infrastructure Act and the associated obligations under that legislation. And finally, and this is where we're up to, the 2023 to 2030 cybersecurity strategy was around what is that national outlook and impacts that we're looking to drive across the economy. We've completed or near completed Horizon One of that strategy that was underpinned by 60 initiatives that are captured on the six Shields in front of you on the slide. Many of those initiatives will be ongoing, including the cybersecurity legislation that you may well be familiar with, and many will be complete by the end of this calendar year. So we're now moving into Horizon Two of the strategy and designing what will be the next suite of initiatives and outcomes we're looking to put in place really to scale and expand our reach and that the time frame is a two year horizon as you can see from 2026 to 2028, and so that's what we're consulting on in terms of measures and today is to discuss how we're designing the efficacy and measurements of the outcomes across those two horizons.

At the launch of the 2023 strategy, the government was really clear that it was committed to a rigorous monitoring and evaluation approach of what the impact of the strategy would be. The intent of the strategy at the launch of that document.

Thanks, Bec.

Rebecca
Thank you.

Peter ANSTEE
Was really to be an iterative and evolving document, and as we move from the first suite of initiatives that have been introduced and completed over the last 18 months and move into Horizon 2, we think this is the right time to introduce how we measure and assess how we're tracking against those initiatives, as well as how we planned an outcomes-oriented approach over the next horizon. And I really want to emphasise that it's those outcomes that we're looking to measure most clearly over that horizon. As you can see here, in terms of designing this outcomes-oriented approach, we're taking stock of what sort of global best practice is. So for example in the 2023 to 2030 strategy you would have seen a number of outcomes that we kind of anchored in that document, whether that was disrupting cyber actors as an outcome, whether it was a higher scale of blocking threats as an outcome, whether it was supporting victims or target organisations bouncing back after an incident has occurred. And to make sure that we're sort of measuring the impact of the specific initiatives that speak to those outcomes, whether that's grants, whether that's legislation, whether that's community programmes and education, we're really keen to use a clear evidence base and clear data to inform those mechanisms as well as help design what the next set of outcomes will be under that program.
In terms of kind of comparative rankings of how other nations are doing this, we're really taking a world-leading approach in terms of adopting this kind of outcomes-focused methodology. As you can see from that chart, very few if any countries to date have taken this whole-of-nation evidence-based approach to measuring impact through their strategies. Part of this is the difficulty of clearly measuring the impacts and outcomes of strategic policy documents. Part of it is a problem with available data and data collection, which is something we're going to be really focused on. But also we think it's really appropriate at this stage, particularly with our ambition to position Australia as a world-leading cybersecurity nation, to see, to define what that kind of measurement and outcomes-oriented approach would be. So we're really confident that we're placing ourselves in a leading category of countries by adopting this approach.
To test with the group, and I know that we've spoken in slightly abstract terms, but really keen to seek your input on whether you think adopting an evaluation methodology such as the one I've just outlined at a high level is a sensible thing for the government to be undertaking, and whether we have your support in adopting that kind of approach.

Rebecca
Just acknowledging in the chat there might be some attendees who have a poll functionality that is not working for them. If that's the case and you'd like to participate on some of the questions that we've put in the poll, we would be keen for you to contact us at the Horizon 2 strategy team, and we'll provide our contact details at the end of the presentation.

Peter ANSTEE
Thanks, Bec. We can see from both the comments and from the poll data, and I hope it wasn't a push poll with my framing, such was my confidence and support that we do need this methodology, that there is a recognition that this outcome-focused approach and a rigorous monitoring approach is a good thing to adopt in undertaking the strategy. I think on two accounts it will be helpful. Not only will it help measure government's intervention in the way we're dealing with, you know, our strategic policy making and the practical policies, initiatives and interventions that we put into the economy, but we really hope at the organisation level, whether that's private sector organisations or non-government organisations, it will also provide a database and a framework for you to help understand your own cybersecurity postures and the interventions in your organisations that may help strengthen the national cybersecurity ecosystem as well. So that's the ambition. With that—to step us through the design and the structure of the strategy evaluation model—I’ll pass to Dr Cathy, who's a real expert in data analysis and systems thinking and system design, and really is the architect of the model that we're stepping you through today. Cathy will be outlining the design of the model as well as how we're seeking to implement it, and is keen for your questions and feedback. Over to you, Cathy.

Cathy
Excellent. Thanks so much Pete. Really appreciate that introduction and I'm also excited that so many of you are keen on us taking this outcome-orientated approach. I'll talk a little more in a minute about our thinking behind that approach. But before I do, I just want to first walk you through three main steps we're taking to mature our strategy level monitoring and evaluation framework. That is, first, as set out in the discussion paper, we've been developing the first goal of our cybersecurity policy evaluation model.
It's being built from the Australian Cybersecurity Strategy. That document was created in conversations with thousands of experts, businesses and citizens, and hundreds of written submissions, and an expert Advisory Board. Like Pete said in his introduction, there's already plenty of outcome statements in that document that we could draw from. So, we're trying to be as true to that as possible in the development of the model, but also in that process of extracting what we needed from the strategy to develop that model. It's really timely, I think to now check back with you that it represents that intent and that it resonates with you as well.

So that's what we're doing at this point. But also, we're also in the middle of the next step of looking at—as we continue to get feedback on the model—working with you to work out what data is currently available. But also working with data agencies, industry, and academic partners to look at the gaps in the current data ecosystem and strategies to address them. And once we've done that and we've pulled together our monitoring and evaluation approach from all of that information, we'll be able to use that data and other feedback—including from stakeholders—to inform implementation. And also the ongoing adaption of interventions as well and future policy development such as we head into Horizon Three and beyond and that biennial review process that Pete talked about. So that's a very high level full view of where we're at and the steps we're going through. And so today this presentation is very much going to focus on those first two parts. First, I'll go through the model itself and give you a bit more content than what's in the discussion paper. And then also talk about the relationship between it and the existing data and the help you might be able to provide us to kind of unpack what's out there. So that's just a bit of an overview of what we're going to do in the next part of the presentation.

So, the cybersecurity policy evaluation model, it's essentially what you'd call in the technical space of evaluation type work, a theory of change. What it does is it documents the outcomes we're trying to achieve, at least the one that we've produced. And, like Pete said, we're very much focused on outcomes at this strategy-level and this is we've started out our theory of change from here. Often when people create theories of change or program logics, they often start with the intervention. That's not wrong. It's a different way of doing it. For example, they'll document the inputs to the programme, the people, the money, the ideas, the activities, the outputs and then the outcome.
And you can kind of think of that lens of more of a bottom-up approach, starting with the activities and outputs and moving up to outcomes. It's more akin to what we’d do when we're creating a logic for one of the initiatives within the strategy. You could, if you preferred, you could do that for all 60 initiatives. Look at what every initiative is doing, and the outcome they're achieving, collate them together and call that your strategy monitoring and evaluation plan. But we're looking at taking a slightly different approach at the strategy level. We're going to complement that bottom-up approach by doing something that's more top down. So starting at the high-level outcomes we're trying to achieve, and identifying and mapping those. Then working back to the interventions that are required to deliver them. Ideally those bottom-up and top-down approaches will meet in the middle and overlap. So, you get a comprehensive view.

We start with the outcomes that we've been talking about. Then we look at like what interventions, policies and programmes we think might help us achieve those outcomes. And we map the relationships between which interventions we think will achieve which outcomes; if you want to get technical, your causal hypothesis. That is, we think this intervention will have this effect. What we're also doing with our policy evaluation model is identifying North Star outcomes. There's four, as you'll see in the discussion paper. The purpose of those is to focus our activity and indicate what success looks like. If you take the North Star metaphor, imagine you're in a boat in a sea of change and disruption. A lot like the cyber threat landscape; often very dynamic, somewhat disruptive and sometimes unexpected. Our cybersecurity strategy is at risk within all that change and disruption of being pushed off course by wind and waves and obstacles. To stay on course we fix on what's stable and constant; our North Star outcomes. Those big long term outcomes that hopefully will stay constant throughout the life of the strategy and potentially beyond as well.
Another way to think about the North Star outcomes is, when you're asked what's your job, what do you do? You could look at the interventions, the things you do. Like “I manage grants” if you're a public servant. Or “I sell insurance”. But another way you could refer to that is look at those big outcomes that you're trying to achieve. You could say “I help Australians protect themselves from cyber-attacks or bounce back”. So, it's giving you a bit of feel about that.

Another key thing about our policy evaluation model is that it's the foundation for policy development. So, working out which interventions we think will lead to which outcomes and adapting those over time. But also for monitoring and evaluation. So helping us work out did what we do achieve that as outcomes because we're keeping an eye on it. We're measuring it.

It's also a living document. So, we need to update it as we test our hypothesis in practice. But also, we anticipate, as I noted, those outcomes to be stable. The interventions put in place will change over the life of the strategy and we've built that in. In terms of the horizon process. We can at keys at key points and adapt as we go. We may finish them or they get bedded down, and we add new interventions building on these. But also because the space is dynamic. The cyber threat landscape is dynamic and changing and as we intervene, cyber threat actors are going to counteract. They'll come up with new novel strategies to get around our protections and blocks. What works in year one might not work in year three. So, we've got to keep this as a living document and update as we go.

So that's the overarching kind of concept and framework. It explains the imagery in our policy evaluation model; what these different components mean.
When we built this first version of our policy evaluation model, as I said, we started with the strategy and the action plan. It's built from those documents that are public, that are already in existence and well consulted. We went through, and we found the outcome statements in the strategy and translated those into these orange dots. One of them is targets bounce back or avoid attack. And we looked at all the 60 initiatives in the action plan and how they link to these outcomes. So, there's a bit of that background of how we built it.

And here's a little kind of subcomponent of the Policy Evaluation Model. Just to give you a bit of a sense of the nuances of it. We start by clarifying the outcome we're trying to achieve. Here the intended outcome again of targets are prepared and protected from attack. There's going to be several interventions to achieve this outcome. We might put in place guidance and frameworks, embed protections and technology and processes, and legislate standards and responsibilities. These are just illustrative examples.

The key thing to note here is there's not necessarily a one-to-one relationship between intervention and outcome. Often there's several interventions being put in place to achieve an outcome. They might be interventions that different agencies, different government departments put in place. Some industry does. Some others not-for-profits work together to achieve this outcome. So, it's clear when you start mapping this, this is a collaborative process. We need to work together to work out what these outcomes are, and how we're going to work together to achieve them. It's a shared activity.

We also want to identify any unintended outcomes as well. They're the things, when we put in place our interventions, might occur that aren't our intended outcomes. They can be positive or negative, but this one is a negative one. If we over-regulate, we may undermine business productivity. That's something we want to keep an eye on. Make sure that those negative unintended consequences, those costs, those harms, those burdens don't outweigh the good that we're trying to achieve with our intended outcomes.

The other thing we want to do is develop metrics to measure whether or not we're achieving those outcomes. So we can keep track of them over time and celebrate when we achieve the intended outcomes and mitigate when those unintended negative outcomes start to occur.
When we do that, we can then have a shared picture of what we're working towards and pull in the same direction together. We can know whether our initiatives are effective and or stop working. What worked in year one might not work in year three or year 10. Therefore we can adapt and stop doing what's not working or amplify what does work and really lean into it. We can understand the full impact of our initiatives. So that relationship between the unintended and the intended and make sure we're getting more of the intended and less of any unintended outcomes. And as I said, work collaboratively across initiatives across sectors, etc., to achieve those outcomes.

Now I'll take you through the high level version of the Cybersecurity Policy Evaluation Model. It starts by on the left; it starts where it ends. So we circle back to this, but we also start with new technology being developed. That's orange; we want to embrace new technology. But we want to make sure that when that new technology is brought online, that the vulnerabilities in that technology are minimised. And that potential targets of a cyberattack—be they individuals, businesses, not-for-profits, government agencies, critical infrastructure or even sort of the devices themselves—are prepared and protected from attack. So that, when a cyberattack is attempted, those protections are effective, and the cyberattack is blocked.

But we know, as I noted earlier, that the space is dynamic. When new technology is developed it may have vulnerabilities we've just never seen before. Cyber threat actors may develop new novel strategies that we didn't anticipate. So some will get through. But we want to make sure, when those cyber-attacks are successful, that in the immediate moment targets know what to do. But as the dust starts to settle, they're also continuing to be supported and know how to respond and are supported to recover. So that they either avoid attack or they're able to bounce back and are resilient. Ideally, bounce back stronger than before and we hardened our systems.

And so then together we get these big outcomes that are a big emphasis in government—particularly in our Department of Home Affairs—of prosperity, security and unity. So, when individuals and businesses, for example, can avoid attack or bounce back quickly, they continue to participate in the economy. We get an increased sense of security because people are feeling protected and safer. And, therefore, an increased trust in business and government to do that. Ideally, when those conditions arise, we therefore have a secure digital economy that enables a thriving digital economy. And with that, we circle back to the start. Ideally, new technology is developed and it's secure technology. We continue to be able to protect against cyber-attack.

Unfortunately, though, this isn't the only loop in the diagram. Just like we're keen to enable Australians in general to be prosperous and secure, cyber threat actors will also want to be prosperous and secure. So unfortunately, we have this counter loop. When a cyber-attack is successful, the cyber threat actors will learn and profit from crime and then continue to be motivated and capable of attack. One of the outcomes to counter that is to ensure that we put in place actions to disrupt and deter cyber threat actors.

What we want to achieve is less of this cycle, less of the dark grey, we want to dampen that and you know as much as possible. And have more of the orange. More of potential targets being prepared and protected from attack.

So now, just quickly, to go through the North Stars and how they fit into the model. The first one is that cyber threat actors are disrupted or deterred. And the idea here is if there were no cyber threat actors, none of that work upstream would be needed, but unfortunately that is, you know, in the current environment very challenging. So, we also need to make sure that we're blocking cyber-attacks as well. But as I discussed, you know with the changing environment, you know that is difficult with our new technology, new strategies being put in place by cyber threat actors. So we also want to make sure that if cyber-attacks are successful, targets bounce back or avoid attack and are resilient. And together these very security focused North Stars come together into the fourth North Star: that we have a secure digital economy to support a thriving digital economy.

At this level what we're trying to create is potentially a strategy agnostic Policy Evaluation Model. One that lasts beyond the life of the strategy. It's handy when you think about it as a monitoring tool. Because you can then work with agencies like the Australian Bureau of Statistics, for example, to create metrics and data collection tools that stay consistent and track progress longitudinally over many years. Hence this kind of high level outcomes focus, we can really track progress over time.
I've got next this quote from British statistician George Box, who says “All models are wrong”. So, what this statement is acknowledging is that the model is just a representation of reality. It doesn't capture all the complexity and all the nuances. And I think if you've ever tried to do a model like this that tries to do that. They get very complex and messy, and you get arrows and dots and lines going everywhere and they're hard to unpack. So, we've tried to synthesise it up to something that tells that story and is as tight as possible.

But the question now is “Is it useful? Will it help us? All in the same direction? Does it measure what really matters? And will it help us know whether things are working or not, and when we need to change tack?”

One of the ways, as I said earlier that the model is useful, it's going to help us with policy development. It can help us illustrate how all the 60 initiatives within the strategy work together to achieve these outcomes. We can show where each of those Horizon One initiatives articulates with the model.

Here's a few examples for the first North Star. We've got of disrupting and deterring cyber threat actors. We've got the initiatives to make public attribution and impose sanctions, advocating for global legal frameworks to combat cyber-crimes. With regard to blocking cyber-attacks, we've got enhancing the Australian Signals Directorate’s existing threat sharing platforms, for instance. With regard to the third North Star where we've got protections or initiatives in place to harden technology and support businesses and individuals and the critical infrastructure and government to prepare and protect itself. And initiatives that help support response during a cyber-attack and recovery as the dust starts to settle. This is not all the initiatives. Sixty gets quite messy if you try to put them all in. Here's just a selection. For our final North Star, we have things like advocating for digital trade rules and attracting global talent through migration reforms.

There's just a bit of an idea about those. As we head into Horizon Two we can use this model and this connection between our interventions and the outcomes to think about how we might build on them; what is missing, for example. And we could make, as I said, this more complicated. We could add more sub outcomes. We could really dig into things. And you can do that; you can use it for that purpose.

But today we're trying to keep it simple. And so, yes, the model is useful for policy development.

In a minute I was going to talk you through how we might use it to identify the data that we could measure against these outcomes and go through what data is currently available. But before that, we're going to jump to another poll in the Teams chat. Here we're asking whether you support the model as a general concept. We're not. We're talking very general terms here. Not whether you think when we need an outcome or maybe a loop in there as well, a third loop for something, or maybe it's too complicated, we should have fewer outcomes. We're not asking about that level of detail. But more about as an approach and representing the cyber strategy and what we're trying to do here is this one you support; does it resonate with you? So, I'll give you a few moments once the poll is in the chat to respond to that. But because I've got screens going everywhere. I might get Bec to jump in again and call out the results of that poll for us after about 30 seconds. Once you think it starts to settle down, if you could do that, that'd be great.

Rebecca
Sure thing, Cathy. I'll also acknowledge we have a couple of members of the audience, popping in their observations in the chat too. And thank you for providing that feedback, noting that you can't access the poll at this stage.
At this stage we have most attendees at that 50% split supporting the model. We have 29% for strongly support and 14% for neutral. We have 5% of our attendees selecting do not support and none for strongly do not support. While we're taking questions in the chat, if you did want to provide initial observations, if you're happy for them to be attributed to you in the chat, very happy to hear at this stage as well, but we have got these selections.

Cathy
Excellent. Thanks so much. Really appreciate that. Thank you so much for your feedback.

I'm really pleased that it's resonated with many of you and you'll find it useful. For those who are less convinced, love to hear your thoughts and alternative approaches. What you think we should do instead. Welcome that. It would be useful as well. So thank you so much for that and look forward to hearing what you've got to say.

Next we'll move onto how we might use this for monitoring, evaluation and the data piece.

In a nutshell, as I noted earlier, at this stage, we're really looking to identify the data that's currently available to track these outcomes. There's no point creating new data collections if the data already exists. There are real opportunities by taking this strategy-level view where we can look for kind of opportunities for cost-effective data collection. So, using the same data collection tool as a survey to provide indicators for outcomes across the different parts of the strategy. So rather than different government agencies, or government and industry, measuring the same things, we can measure once and share and benefit from that collectively.

On the next few slides what I aim to do is give you a taste of what data is available relative to our four North Stars. I won't be covering it all. For some of them, there’s quite a lot. We'll briefly work through these and encourage you to think about what else is available or might be needed so you can send us your thoughts. We'll be asking, you know, do you know of any other data sets we may have missed? We'd love to hear about them.

The neat thing here is that much of this is already publicly shared. We'll be sharing publicly available data and not just by government, but also industry and think tanks. That's great that we're not starting from zero. There's already a rich data ecosystem in this space. So that's fantastic. With regard to this first North Star, the cyber threat actors are disrupted or deterred, the Australian Signals Directorate does some heavy lifting here. It provides a broad range of information, including information about the sanctions that have been imposed, assessments of the cyber threat landscape.

But also if we look at whether cyber threat actors are profiting from crime, we can almost take that as the inverse of the financial losses that Australians and individuals and businesses are experiencing. We can look at it from that perspective. ASD provides that kind of information. The Australian Institute of Criminology looks at financial losses as well. So, a bit of an indication there.
Moving around the loop, regarding the Second North Star, cyber-attacks are blocked. Again, ASD provides lots of information both around threat sharing, intelligence sharing where for instance, domain names have been blocked, but also that activity that looks at what when there's been a cyber-attack, what information we're gathering and then cycling back into hardening the system through things like exercises.
They also provide a good breakdown of the incidents that have occurred in the previous year, including those that have been unsuccessful or the low level. AIC also provides some information about the types of kind of cyber incidents people have experienced as well.

Moving on to the third North Star I've brought in here an example from Telsyte, an emerging technology and analytics firm, with their analysis of the Australian smart home market. It's providing some information that we've quoted in the snapshot about the threat surface within Australian homes. Like the number of connected devices that are in Australian homes, which is useful. We've got some information here from Allianz about reported business risks with cyber being at the top in the rankings around business risks in 2025. Coming back to the ASD again with their small business survey. It was useful for unpacking both understanding among small business of cybersecurity and the investment in that. And what use they were using of the Essential 8 mitigation strategies. ABS also provides information on the measures being put in place by businesses as well. Then there's data from ABS and AIC on kind of the impacts of cybersecurity incidents as well. Which gets to the extent to which the targets have been impacted and their capacity possibly to bounce back.

And then in the final North Star, there's some great data around the relationship between cybersecurity and the broader economy. So some data here from 2023, from AustCyber about the estimated proportion of GDP that relates to the cybersecurity sector and the number of cybersecurity firms. Plus some data, from the World Economic Forum in the Census around the workforce and again from ABS, some expenditure on R&D, including in information and computing technology as well.
So just circling back to recap. I've just talked through our thinking both behind the Cybersecurity Policy Evaluation model. And also the sort of initial stages of the thinking around what data is currently available, that might help us achieve those outcomes. We're really keen to hear your suggestions and feedback on the model. Including how it could be refined in any way, what the outcomes that are most important to you, what outcomes would be useful for us to know whether we're achieving those outcomes, and what data we could collect and could be shared. And how data might be collected and shared in a way that enables us to be more agile in response to cyber threat actors and hardening of our system. As I said, please let us know if you think there's any reports or data sources we've missed. I haven't included them all here and if people are interested, we could pull together that list of publicly available data sources relative to cybersecurity to share so everyone can access it. Feel free and we'll come back to this at the end after the Q&A about how you can continue to participate in our consultation process. But you can e-mail those suggestions and ideas to our e-mail address or include them in a submission to our discussion paper. Now I'll hand back to Bec, who will lead us through the Q&A component of the town hall.

Rebecca
Thanks, Cathy. I just wanted to acknowledge as well that we've had some great discussions in the chat back and forward between participants on not just the evaluation model, but more broadly, what we're considering under Horizon 2. And while we might not get to some of those statements or some of the themes and ideas that have been raised out of that discussion, we will take them on as part of what we do consider around not only analysis under the discussion paper, but what we consider under Horizon 2. As always, we would really encourage everyone to make a submission through the web form on the landing page that we can consider that as well.
Cathy, we have a few questions around the data related to the monitoring and evaluation model. And we do have a couple of other statements around the evaluation model itself. What we might do is kick off with a question around cost benefit. So, one of the queries is whether there is a cost benefit aspect to this model. Did you want to go into that a little bit deeper for us?

Cathy
Yeah, that's yeah, definitely a very common part of the evaluation of programs and policies. You could do that. It'd be interesting to do that from a strategy level, particularly given we're looking at outcomes that not just government is contributing to, but also other Australian businesses, academics, universities, and others. So it would be interesting to think about it in this context. If we're looking at it at a strategy level, which costs would you include, and which benefits would you include? So, I think that's an interesting question. It'd be great to get some ideas about that. If people are really interested in that. That's something we could think about. Definitely. Yeah. I don't know if Pete had any thoughts on that as well.

Peter ANSTEE
I agree. It's certainly something we'd be keen to incorporate whether it's under the you know, the articulated outcomes or the specific initiatives that inform them. A number of the questions have gone to sort of regulatory growth and complexity of regulation. Something we're really interested in is in measuring the costs of regulatory impact when that's through the Cybersecurity Act or there's the SOCI Act or other compliance mechanisms such as the Essential Eight or otherwise.
How do we measure the economic impact of complying with that regulation versus the potential security outcome of protection? So, it's a, it's a good question. Again, a kind of difficult one to answer in the specific, but something we'd like to incorporate into the measurements and methodology.

Cathy
Pete, I think some of these things you can think about, do you do that at a whole of strategy level or is it more appropriate to do it for initiatives? You know, where it is meaningful in that context. So, we can think about that, that's something to consider as well, I think.

Rebecca 
Thanks, Pete and Cathy. And while we're on methodology, there's a question around how we encourage diversity and reward innovation and thinking outside the square against the statement that anchoring to outcomes can sometimes lead to selective bias and thinking through how we're developing the model and how we manage and measure that over time. Cathy, I might throw to you to expand on that and how we might account for diversity and challenge selective bias in the model.

Cathy
Yeah, great question. I think those kinds of biases can creep in in all parts of structuring of your model as well. Like how you ask the question can bring biases in as well, what outcomes you focus on can bring biases. So, I would love ideas about whether, at that outcomes level or the questions we're asking, do they have biases built into them? But also then obviously the data that you use, bias can creep into the data as well. So, we must be very careful about that too. And who's able to participate in a survey, for instance, or where we're getting the data from, who it might exclude.

So those questions are always important through the process. And then also in the analysis as well, who gets a say in the interpretation? From whose perspective is that interpretation being looked at? Yeah. Is it open to that sort of scrutiny of different diverse groups as well? So a key issue that you do need to consider throughout the whole process. So yeah, have that in mind.
And as well as we go and I think having this open to the public, having the opportunity for voices from all sectors of Australian society to be included. I think in the discussion I think is important as well. Opening it up to everyone it's useful, does help with that as well. So we welcome that comment and again we'd love thoughts on anything we might not have considered in that space as well. Really open to that.

Rebecca
Thanks, Cathy. And on behalf of the Horizon 2 strategy team as well, we found that these opportunities to provide direct feedback and provide ideas on initiatives have also been really useful given the outcomes focus of the discussion paper. As well as having an understanding of the points we can take away to see how this would work in practice has been incredibly valuable for the team. On a similar line of thought we received a question around how monitoring and evaluation can be designed to be uncomplicated, effective and long term. Given so many websites exist across government cybersecurity and we might take that point as well. There being several different data sets and data points we could consider as part of building out of the model. The question was provided alongside an idea for a proposed cyber security app for businesses and citizens and that might support a broader reporting and evaluation tool access. I might take that part of the question, Cathy, before I hand to you on the first component. Again would acknowledge that getting that consistent drip feeding of ideas about how we might be able to operationalize the high level parts of Horizon 2 as well as those components of Horizon 1 that continue into
They're not already being provided as part of a submission to the discussion paper process. We'll continue to take away those sorts of comments in these town halls and consider them as part of our policy development. Cathy, can we provide some insight on how our monitoring and evaluation can be designed in that environment where there are a range of data points we'll need to consider?

Cathy  
Yeah. I think that's a great question. I think I've experienced this too as we started working through the design of the evaluation and monitoring approach. You know every now and then we pick up a rock and there's a new data set I didn't know about or someone who's doing some work we hadn't heard of. So there is a lot in the space going on now that we could potentially share and use. I think there is a real opportunity to be a hub of or somewhere or something to be a hub of that communication about and providing that information out and feedback so that we can all benefit from it. I think that's a great point, to almost convene knowledge and the sharing and the feedback loops that make it easier for people to use. The way I think about this space as well is it's not just government sucking up all the data to monitor our own policies and programmes. It's also how do other people use that information to keep track of what they're doing to provide them with feedback as well? It'd be useful to hear ideas around that around how businesses, small and large, or other groups might find this information useful. And how would you best like to consume that yourselves as well? I would love to hear ideas about that too. Making that simple and streamlined and really user friendly and something that meets people's needs, helps you to understand those big picture outcomes as they evolve over time.

Rebecca 
Thanks, Cathy. And as part of evolving over time, I just wanted to provide some clarity. It's been raised, I think in a few questions in the chat around how the model will exist across Horizon 1 and Horizon 2. Talking to the interventions and against those North Stars and those critical outcomes for the model against the strategy, can we clarify for our audience around whether this will exist across Horizon 2 and beyond, how it relates to Horizon 1 and maybe how we adapt and iterate over time?

Cathy
Thanks. Yeah, it is a good question and we've been putting our mind to that. As I said in the presentation in that main loop we're aiming for them to be those big high level outcomes that are consistent, at least across the life of the strategy, ideally beyond. But as I noted, you can also unpack those a bit further to sub outcomes. You can have outcomes for each initiative that are quite proximal to that initiative. For instance, the Cyber Incident Review Board, it needs to publish reports and hopefully those reports are great value for people, and they get fed back into changes in the system.

You can have outcomes that that initiative is specifically trying to achieve, and they may shift and change a bit more than those high level outcomes. So, it's almost like the closer you get to initiatives, potentially the more they shift and change, but ideally then they articulate with something that's more stable, that main loop we're hoping we can keep that stable.

But then as we go through horizons, we'll have initiatives that get bedded down. And potentially new ones that come in and that will change some of those lower level outcomes that may need to be monitored just for that program or just for that initiative for instance. So, it's a bit of a mix. It's sort of a cascading or a sliding scale between very stable outcomes that we might be looking at and some that shift and change over time, as they sort of cascade and sit under that. I hope that answered the question. That's sort of how we've started to think about the change as we go. And then yeah, ideally that high level stuff, we can put data in place to measure over time in a longitudinal way. It gets a bit messy if, in things like big surveys that ABS do, you keep changing the questions every year. It makes it hard to track over time. So, it's useful to have to look at those things so are more stable as well.

Rebecca
Great. Thanks, Cathy. We'll continue to take stock of the questions and comments that are coming through the chat, but we are running up against our stop at 10:30. So I'll pass to Pete to provide some closing words before we answer a few questions around what to do from here. Thanks Pete.

Peter ANSTEE
Thanks, Bec, and thank you, Cathy, for such a comprehensive presentation. As I said at the outset, what we're trying to do here is in many ways very novel for government, to take a systems thinking approach to evaluation design and methodology, and as we all know, working in the cybersecurity field, there are so many component parts to this issue. There are many ways you can kind of slice the cap, so to speak in terms of potential design methodologies. I think Cathy and her team have done a fantastic job of conceptualising this problem and setting out some of those North Stars and those objectives, but we're keen for your feedback. What we're doing here is breaking new ground in terms of best practice for Australian government policy design evaluation and measurement. We may not get it perfect the first time, but we're keen to get it as good as possible and that will be really assisted through your feedback and collaboration in the way we design how we evaluate the impact of the strategy.

Just to remind everyone, consultation is structured in two parts. Now following this presentation, there's this substantive consultation we're conducting on Horizon 2. They will close on the 29th of August. You can see there an e-mail on the slide. We really encourage everyone to submit to that as part of that consultation. If you have interest or involvement in the way we are constructing the evaluation methodology, we really encourage you to kind of document your thoughts in the feedback as well so please submit. Please reach out to us directly if you have any specific questions through the e-mail and thank you again for your ongoing collaboration through the development of Horizon 2. Back to you Bec.

Rebecca
Thanks so much, Pete. And obviously Cathy and Pete have been a chair's dream. There's nothing really left for me to say. We have the overarching process for providing those submissions through to the team. The ongoing engagement with the team. If you're not providing the submission but have additional content or ideas, you'd like to provide. So, there's not much left for me to say than thank you so much, Cathy and Pete, for your participation in the town hall and to our guests online who have provided us a lot to think about. Thank you, everyone and have a lovely day.

Charting New Horizons: Developing Horizon 2 of the 2023-2030 Australian Cyber - Outcomes from discussion paper town hall

Kylie
Good morning, everyone. We'll just wait for the last few people to come in on the line and be admitted before we start.
OK, I think the entry requests have slowed down. So, we'll start.

Ashley BELL
You popped yourself on mute Kylie.

Kylie
Thanks Ash. Welcome everyone to our third consultation session. We're running today on developing Horizon two of the height of the Australian cybersecurity strategy. My name is Kylie, and I work in the Cyber Policy and Programmes Branch with Ash Bell. Before we begin our town hall today, I would like to acknowledge the traditional custodians of the lands on which I am joining you today, the Ngunnawal people, and pay my respects to their elders, past and present. I would also like to acknowledge and welcome Aboriginal and Torres Strait Islander people on the call today.

A little bit of housekeeping before we get started. Today's session is being recorded and transcribed, and both the recording and the transcription will be available on the Home Affairs website. To ensure that we run a smooth session today, I request that all attendees make sure you're muted, and your cameras are off. We invite you to propose questions in the Teams chat throughout the event, when you think of them. When you do that, if you could, please include your name and organisation when you do so, just so, if we need to follow up, we know how to get in touch.

So a brief overview before we start, for anyone joining us for the first time or catching up via the recording once it goes up on the website. Australia's cybersecurity strategy was released in November 2023 after extensive consultation. The vision in the strategy is simple but ambitious: to make Australia a world leader in cybersecurity by 2030, ensuring our economy and society can prosper and recover quickly from cyber incidents. The strategy is built around 6 Shields, up on the top here, each representing a layer of defence that keeps businesses, citizens and government safe.

As well as the 6 Shields, we have 3 horizons that were set out in the accompanying action plan that was released alongside the strategy, and the three horizons outline a phased approach to delivery of cybersecurity uplift for Australia and the ambitious goal of being a world leader in cybersecurity by 2030. In Horizon 2, we've strengthened our foundations. We've reviewed the policy and legislative frameworks that we have and filled significant gaps in them. Horizon 2, which we're explaining now, from 2026 to 2028, it's our longest horizon of three years. We're looking to expand our reach and really uplift and roll out those foundations we've established across the Australian economy. Horizon three in 2029 to 30 aims for Australia to lead the world in cyber resilience. These transition points between horizons are intentional review moments, a chance to test whether strategy remains fit for purpose considering emerging tech, economic shifts and global events.

So where are we at now? It's nearly been two years since this strategy and action plan were released. In that time, the world and the threat landscape has changed dramatically.

Cyber incidents now rank as the top global risk for businesses in 2025, according to Allianz, and the Lowy Institute has highlighted cyber as one of Australia's leading national security concerns. This reinforces why we can't treat our strategy as set and forget. Continuous improvement and stakeholder partnership are central to its success.

For those of you who have been tuned in, Minister Tony Burke recently said in his keynote to the AFR Cyber summit that our strongest defence is our human firewall. We want to take an ambitious people focused approach to Horizon 2. It's really acknowledging that technology alone isn't enough. A secure Australia depends on people and organisations who understand and act on cyber risk every day. The evolving challenges don't sit, don't just sit in our boardrooms or in technology circles, but will be felt in the living rooms of ordinary Australians and in small businesses and in the vulnerable cohorts of our community. That's why it's important, as we think about the next phase of the strategy into Horizon 2, we ensure we are hearing as many perspectives as possible.

So what have we done so far? The Horizon 2 discussion paper was released a month or so ago. We really launched this Charting New Horizons paper to invite views from industry, government, academia and the general community. We got a really fancy, fantastic response. We've received over 170 written submissions. The public submissions, I think there's 122, are all available and published on our website as of today as well. So where you've got the link to register for this town hall, that's where the link is available. We've hosted two previous town halls which were open while the discussion paper was open to submissions, and we've had several co-design workshops on specific policy areas, particularly secure tech, threat sharing, and our human firewall, that we're looking to develop. A few more workshops and roundtables are still to come, but today's town hall is about reflecting back on what we've heard so far, recognising the input that so many of you have provided and is really valuable, and showing you how it's shaping where we're going and where our next steps will be.

I want to thank everyone who's taking the time to contribute, whether through a formal written submission, through workshops, through reaching out to people directly. Your insights are helping us to ensure the strategy's next phase is grounded in Australians' experiences and responsive to the real challenges faced across sectors.

My colleague and boss Ash Bell will outline shortly how your feedback has been instrumental as we refine our priorities for Horizon one, including how we will look at measuring success, supporting implementation and, in total, strengthening Australia's collective cyber resilience. There's still more to do before Horizon 2 is finalised, but today is a great opportunity to pause and reflect on the progress we've made together. With that, I'll hand over to Ash Bell, Assistant Secretary for Cyber Policy and Programmes, who will take us through what we've heard so far.

Ashley BELL
Thanks so much, Kylie, and welcome everyone to the town hall. We thought it would be just a good opportunity, as Kylie mentioned, to sort of just catch up everyone on what we'd heard. I think a big part of what we're trying to do as we transition from Horizon one to Horizon 2 is really make sure that stakeholders are part of the policy process. I think, you know, collaboration, co-design, consultation, all these, they can kind of get thrown around a lot. But I think for us the way that we're looking at it is, have we got all the voices in the room? Have we listened openly to everyone? But also and importantly, and I think certainly what we're trying to do with this town hall is, are we reaching back in to say, hey, this is what we're hearing, and providing an opportunity to sort of catch that back up and provide further chances to engage?

As Kylie covered off, we've had a tonne of feedback, really positive feedback. We've also had a lot of great discussions, and we continue to go through the co-design sessions, which we've kind of set up in a way that is a little bit more informal, but allowing us to kind of break down into that second and third tier of detail and really, off the back of your submission, where you've provided a submission and focus on a particular area, a chance to sort of thrash those out. We had one this morning looking at small business resilience and it kind of went into a different place and then kind of came out another end and kind of, I mean, reflecting the complexity of that policy area, I might add. And then in the end, I kind of got to the end. I was like, I feel like we haven't really gotten to the right meaty part of the policy part. And so, we're going to have another sort of follow up session and I think that's kind of the way that we're hoping to continue that engagement. I think for those some of you will have a lot of experience with policy and working with government, some none, but as someone who's done public policy's whole career, I can assure you it's never linear and it's never tidy. It's always messy, it's creative, it's sometimes challenging.

Ultimately, when we're talking about something as important as this is for each other, the country, we know that we want to take the time to do it right and obviously leverage your time. So I really wanted to second that acknowledgement that Kylie had set out about the excellent input received and also the broad range of contributors, from individuals, community groups, educators, businesses, you know, small to large, other government agencies. We've been really supported by not just our colleagues across Commonwealth government but also state and territory governments who have really leant in to support and share their ideas.

So lots of high fives, lots of thank you. Lots of, you know, positive outcomes, but I'm sure you're here to hear a bit more than that. So we'll get into it a little bit and just start to talk about what we've heard and the feedback that we've received so far.
I think looking at the strategy as a broad and reflecting on the discussion paper, we were keen to bring out a really broad range of issues, but we also were keen to show our working on some of the things we're thinking about that are unique to the strategy itself, and a big part of that was the conceptual frameworks for how we monitor or evaluate the strategy, which I must say we had a really great response to, that really strong support from the town hall we did. So if you didn't attend, it's, as Kylie mentioned, on the website, and have a listen.

And if there's interest, let us know; we'd be keen to do another follow-up town hall, maybe down the line a little bit more when we've got some idea on the data sets and the kind of next steps as well for that work. But you know this is a real big challenge and I've just come off the back of three days speaking with Five Eyes colleagues and I must say, like, this is a challenge that a lot of other countries are trying to grapple with. How do we know in cybersecurity that we're having the impact we're intending, and how do we get our policy settings right in a way that we can review them, monitor them, but not just did we deliver what we said we'd deliver? That's one metric. The other metric is, is this all trending in the right direction? You know, are we having an impact? Are we more cyber secure? Are our businesses more resilient now? You know, how do we measure this? So Cathy and the team have done a fantastic job and continue to keep working it through, and I think 77% of town hall participants supported the model, with the remainder of them neutral, backed up by feedback received in the discussion paper. So we're thankful for that and thankful for your support. I know it was a bit of a novel concept and somewhat complex graphic, but I think you get it and I think you can see the value of that work as we progress. So that's one area we're happy to continue to engage in and if there's an interest for it, we're happy to have an additional session to kind of kick that through a little bit more, but it will be a feature as we go forward no matter what.

So turning to the specific Shields now, Shield one, our biggest shield, you know, obviously a huge piece of the strategy. It's not surprising that it was a real focal point for submissions.

There's a lot that we had done within Horizon one around this, it was, it was the biggest set of actions and this covered everything from, you know, the Act Now, Stay Secure campaign, community awareness grants, the cyber health check tool which we launched last month and has already seen thousands and thousands of businesses fill out the health check tool and hopefully take action to improve their cyber resilience. So through to things like the limited use obligation, which is continually sort of being seen, and particularly in international context, as a real exemplar of how to get that balance right, to get incident response information to the right spot without sort of, you know, providing a challenge for lawyers and regulators. And so, there was a lot of different components that we did, but in the Horizon 2 discussion paper, our questions were focused on what we can do to better target that cyber awareness messaging, how do we lift cyber literacy in schools or enhance support to victims of cybercrime. And a real big focus of the paper, and certainly a lot of your responses, was around how we better target or support uplift for small businesses and particularly not for profits, including through, you know, low or no cost standards or other support mechanisms. Then there was obviously a broad piece of work looking at how we harmonise and simplify cyber regulation, noting that in order to make cyber resilience and reforms effective, we have to balance that element between fit for purpose regulation that actually enhances security outcomes. So how do we get those security outcomes at the lowest cost?

So what we heard in the submissions, and particularly from a number of co-design workshops that we've had since, is that the awareness raising activities, for one area, had the biggest impact on Australia's cybersecurity during Horizon one, but we've also had that increased support for small business and not for profit was the top of participants' list of areas that need more work. There was a strong consensus that both small business and not for profits are a critical yet highly volatile, vulnerable part of the Australian economy. Now, that's not going to be groundbreaking to any of you, that's going to be well known. You know, they're disproportionately exposed to cyber risks and, you know, often lack those financial resources or dedicated staff and technical expertise to implement those robust defences, and so the need for us to calibrate policy responses to that context becomes that much more critical. You know, their vulnerability also represents a systemic risk. Integral parts of the national supply chain, and I think that's become more apparent with recent cyber-attacks, not just here, but also over in the UK recently with the Jaguar Land Rover attack. You know, being what happens when these small businesses within a supply chain are impacted, and it's not just a technical thing. It's not just a computer risk, like, this affects Main Street. You know, this is a real economy shock when these businesses can't operate. And so, we sort of see this as a real critical focus and that was absolutely played back to us in the submissions and in the workshops we've had subsequently.

The submissions also outline the complexity of the overlapping compliance regimes across the Commonwealth and both domestic and international jurisdictions and the productivity burden that that places on business when, you know, the regulations aren't fit for purpose or where there's overlap or duplication. We also heard that cyber workforce resources are being diverted away from security uplift and incident response and recovery to more regulatory compliance reporting, and more of those precious resources are required to be doing this reporting work or regulatory work. And so that was a big focus of the submissions and a strong call to government to review the existing frameworks, identify opportunities to reduce duplication, harmonise definitions and thresholds was a big one, and creating a clear cybersecurity regulatory environment that promotes best practice.

And you know, for me, and obviously I'm biased, but I think, you know, in the Australian government context, that's one area where I think, you know, we can really lead the way globally and we can really show how we get those right. And I think certainly within Horizon one, when we were developing initiatives, including those in the Cybersecurity Act, we were really cognizant of getting that balance right between a regulatory regime that's effective, but doesn't necessarily, you know, crack a walnut with a mallet. So but there's more to do. Further to this, we also heard around local government organisations and the need to support them better through a coordinated approach to cybersecurity frameworks, and the submissions called for a lot more collaboration between Commonwealth, State, territory and local governments in a policy and strategy sense, and that's something that we acknowledged. It's something that we identified in the paper, which has been previously outlined as, I guess, a weakness of our initial Horizon one, we didn't put enough in that. So that's certainly something that we've taken on board and we've obviously over the last horizon been doing a lot of work to set those frameworks up, noting the importance of connectedness across all levels of government, especially given the split of responsibilities.

I think the other component that's come out clearly in that Shield one component was around the success of the cybersecurity awareness raising. There was a lot of support for that, but there was a growing demand to support the how of cybersecurity as we move forward into Horizon 2. So, I've got your attention. I sound like I'm about to do the Glengarry Glen Ross closes. But you know, I've got your attention. But like, once we've got that kind of focus of businesses and individuals, how do we direct them to easy to understand and easy to implement actions? And I think that's a real challenge in terms of moving people towards a position that's going to improve their resilience. So, it's certainly a challenge that was called out, and then there was a lot of focus around tailoring those supports and awareness to priority groups, such as First Nations communities, such as elderly Australians or older Australians and other cohorts, and I think the need for those trusted supporters and resources. And there was a lot of support for the initial round of grants that we did for community organisations to tailor those messages, but I think there was a sense that more, more needs to be done to penetrate that cybersecurity message into Australia. And I think from a policy sense, we really see the need that no one's left behind in the cyber journey, I think that's critical and I think that reflects also a lot of what Kylie referenced before the Minister had mentioned around that human firewall and putting people at the centre of cyber. You know, it's not enough to just have, you know, or for us to have an echo chamber and be talking to government or talking to tech or talking to big industry. We really need to have cybersecurity, kind of, I don't know, on the dinner table in a way, but also in the parts of our community that are vulnerable. So that's a real focus, and we also had productive discussions around a range of other broader issues. One that kind of came up, particularly in roundtable discussion, was around cyber for kids or cyber education.

Some suggestions here included ensuring it was low time burden for teachers, building teacher confidence, including cybersecurity, and initial teacher education programmes, and really thinking about how we uplift cyber literacy not just in the context of a workforce space, which we'll get to in the later Shields, but also just in a broad based resilience element. And like I said, bringing that discussion to the dinner table, I know the conversations I have around my dinner table. It's not around cybersecurity, but, you know, perfect example is today actually I was reading a cybersecurity book to my kid's class.

And I'm sure that that's going to be something that, you know, we discuss, and the others discuss around their dinner table. And I think that's the kind of piece about that, you know, whole of nation conversation and how we do that. And I think leveraging education, leveraging that passion our kids have for technology has multiple effects, so that was something that came out of the submissions and something that we're really interested to explore further and understand, well, what more can be done or how do we support that from a policy sense.

So moving across to SHIELD two, again safe technology has been a real big focus. Within Horizon one, we've done quite a lot in this space, whether that's through our international aligned security standards that come into force next March and which we're working through, whether it's designing voluntary labelling scheme, which we're working through with industry at the moment, and whether or not it's other components like we recently launched the voluntary code of practice for app stores and app developers, we've been working through data elements, including identifying Australia's most sensitive and critical data sets, looking at data retention requirements, which we know is such a huge component of, you know, that upstream risk around cybersecurity. So, there's already been quite a lot of work done in Horizon one. Looking forward in the paper, we carve it off a few different areas, particularly on the secure technology space. We're keen to understand what other areas of focus should be prioritised and we asked questions around edge devices, consumer energy resources, operational technology and other components and I think looking at that shift from Horizon one to Horizon 2, we're also really interested to understand kind of not what's changed necessarily because technology is always changing, but where has there been a greater focus and where do we need to think about pivoting some of those policy initiatives towards, and that's particularly pressing in the emerging technology space.

So what have we heard? Well, operational technology was certainly a real focus and it was an element where there was an understanding of the complexity of those requirements of the uniqueness of operational technology, both within an industrial setting, but also, I think within the context of how you can secure that kind of technology. When it has a much longer shelf life, it's more bespoke. When you're looking at operational technology in the context of an industrial complex, you know the failure of that operational technology is such a big risk. But now we're seeing, and I think certainly something that came out in the feedback is the evolution of IoT and IT intersections with operational technology. It's created new vulnerabilities and those are being exploited and those are a risk. And so what can we do note that?

The submissions were really focused on the important goal of international alignment but also referenced the fact that no other jurisdictions have mandated standards in this place and you know, while Europeans are certainly working on a broader approach to this, there wasn't anything specific. So operational technology certainly dominated a lot of that feedback, particularly around stronger governance, balanced obligations, support for SMBs and clearer guidance on that kind of technology. I think the other one that came out quite strongly was about AI, its operation in cybersecurity defence. I mean, I don't think that you can kind of walk too far out of your door before someone shouts AI at you these days.

So it's kind of everywhere, but in the cyberspace, certainly that how do we leverage AI for cybersecure defence was a big one. The other one was around post quantum cryptography and a bit of that was kind of, I would say more around the how do we demystify that or kind of myth busts some of the elements there. Is it, is it just, is it just sort of a jargon and kind of, you know, "Oh, yes, post quantum cryptography. I'm all over that." But how are businesses applying that? How are they getting ready? What do they need to get ready for and what way? And there's a lot of great advice that ASD and others have put out, including the work that ASD did on the standards in Horizon one. And so, the question was, well, what more do we do to get Australian businesses ready that need to be for that? So that was another real big focus.
We also, throughout our consultation have looked at extension of existing regimes in terms of our secure by design work, in terms of our smart device standards and where else we would look in terms of other technology to be brought in or to be considered, or how do we shed, you know, sequence those elements noting changes that are happening internationally, like for example, I mentioned before, the EU implementing their CRA, which will have a big change, no doubt, on technology manufacturers and suppliers as well. I think a big thing that's come out in discussions, particularly as part of the labelling scheme that we're working with, IoT Alliance Australia on IS has come around those consumer preferences for secure technology and trying to understand that dynamic a bit more. How do we drive market expectations or incentives to develop more secure technology. I think a big part of that is how do we get consumers to vote with their wallet? How do we articulate that more effectively? That certainly came out in a lot of the consultation, but I think is a real challenge, given cost of living pressures out there, you know the need and want access to good quality but cheap technology to, you know, support households and businesses. So, it's a real challenge to make that case clearly, I think, and I think that's something more that we can do together across government and industry. I think on that one there was quite a lot of discussion in the Co design workshops around the international standards and you know what's Australia's role? Should we be fast followers? Should we be leaders? You know, we're a net importer of technology. What does that mean? How do we develop policy ideas that are going to secure our nation without reducing our ability to get productive tech in the hands of businesses and individuals? So, I think that tension was acknowledged by industry and the submissions and in the Co design discussions and I think it's been helpful to sort of just stress test some of those ideas, just talk through those components. You know, there's not a perfect answer to any of this. If there was, we would have done it. So, I think that's been a real positive thing from my perspective in those conversations, I think that discussion is really evolving, which is great to see.

For SHIELD three, we have focused quite a lot on those cross collective cross sector partnerships that we can reduce cyber risks to individual small business.

Business through larger businesses. So, for our example, our telcos and financial sector in terms of blocking cyber threats at the source, but also how we share threat Intel at scale across Australia in a meaningful way. We've done a lot of work in Horizon one. Particularly ASD has done a time quite a lot of work in terms of their own threat sharing platforms, but we've also been looking at how we support, you know, creation of ISACs, and which we've promoted a programme through the Health ISAC grant. We've done a lot of engagement within consultation with industry of different types around what more can be done to incentivize threat sharing, threat blocking. You know, the coordinator has done a fantastic job through the Executive Cyber Council, but also through the NCIP in terms of taking forward those discussions about what more can be done. For Horizon 2, we've sort of shifted the dial a little bit and I must say you responded positively that kind of aperture shift around shield three to sort of focus on what a more proactive cybersecurity posture with and within industry might look like. How do we amplify threat sharing and threat blocking? How are we better prepared for conflict or crisis and things like how we manage vulnerability disclosures and provide security research with the mechanism to safely report vulnerabilities. So again, like I said, taking that aperture of this one and lifting it out a little bit to sort of say, well, what more is there and you know things in the geostrategic environment have also shifted over the last couple of years as we've been implementing one and are likely to continue to change over the next horizon, so we want to make sure that we're shoulder to shoulder that we're sorted, that we're working with industry and that we're identifying if there's things that we can do now to be better prepared. What does that look like in addition to threat sharing, threat blocking where we're focusing.

So as I said, a really strong feedback from the submissions and in the Co-Design workshops and a clear design across all sectors to move towards that more proactive cyber posture and also to define what we actually mean by that and lots of focus around blocking threats upstream and clarifying rules for things like active cyber defence. What does that mean? What does it mean in the Australian context? You know what's permissible, what's not and an element around sort of just understanding. Do we have the same understanding of that term? Because for some people, it's very clear and it's not a problem and others it's not clear. And I think that was a real focus of those conversations.

There was a shared view that vulnerability disclosures should remain voluntary, but perhaps looking at a different approach for critical infrastructure and that best practice vulnerability disclosure toolkit could be a great next step. There was a consideration of legislative protections for security researchers, noting the really important role that they play. I think the benefit that they could provide in the Australian context around that, but that there's risks there around, does that provide a mechanism for malicious actors to skirt the law? So getting that kind of calibration right so that we're not creating vulnerabilities in the work that we do.

A lot of support and feedback around expanding involvement in threat sharing and more coordinated whole of system approaches to threat blocking, including kind of what happens in the scam context as well as the cybersecurity context and more support and guidance on threat blocking was also raised. It was also a bit of focus on expanded cross sector exercises and more strategic preparedness and one of the ideas that was really fleshed out and talked about in Co design sessions as well was around this idea of cyber reserves and what does that look like? It's something that's an idea that's being explored in several other jurisdictions, but what does that mean and how would it apply Australian context and what would you do? So that was an interesting conversation. Then shield four, I promise you at some point I'll stop. Also, I am only human so just bear with me and I'll get through these next bits.

Shield 4 - a big focus, obviously on key sectors of government and our critical infrastructure providers, the providers of important services and goods and that underlies our day, our fabric of our daily life. They are obviously critical to ensure that they are protected and we did quite a lot of work within that in terms of Horizon one. There was a lot of legislation that we put through alongside the Cybersecurity Act and a huge amount of effort from Tim Neal and his crew on Commonwealth cyber uplift including the Zero Trust Culture, public service cyber skills, the PSPF 25 and the work that's been done. And of course, we had the establishment of our cybersecurity coordinator in her office, which has been huge in terms of both the work that they've been able to do, but also the exercise programme response playbooks that they've done. And then I think in this year we were sort of trying to understand more about, OK, well, look, SOCI Act is maturing and kind of evolving, what more can be done in critical infrastructure space, and how might we further enhance our government security requirements and frameworks? And you know, a lot of the Co design workshops in the surveys that we did report that the critical infrastructure reforms were some of the most impactful initiatives under Horizon One, which is great to see.

And we know that that critical infrastructure regulation will continue to play a key role and that obviously is part of that. We'll be looking to review the SOCI Act, which will itself drive a lot of elements as we mature our regulatory framework, but also now that the PSPF movement and these elements are on a steady trajectory, I guess the question then becomes kind of what more can we do and that was certainly called out. But I think we didn't get as much feedback on SHIELD 4, and that perhaps reflects that there already has been a lot of engagement with industry, particularly on the critical infrastructure front. It's a very mature part and shout out, it is obviously critical infrastructure Awareness Month. So I hope you're enjoying the activities and keeping a close eye on our critical infrastructure social media for the department from the Sync because there's lots of really exciting things to get involved in.

SHIELD 5, sovereign capability, is a more tricky one to articulate and the kind of way that we've sort of sort of thought about it is it underpins that public private partnership for cyber. It looks about how together we can support Australia's cyber ecosystem and it thinks about I, I say the plumbing, but that always sort of brings off a bit of a bizarre concept so, but it is it's that it's the, it's the system itself. You know whether that's a strong and diverse skilled cyber workforce, whether that's cyber innovators, our research functions, whether that's looking at those bigger pieces that support all businesses, all government, all structure and all individuals and understanding what other areas of sovereign capability do we need to review? Do we need to think about and then do we need to develop policy for? So we did a lot of work around understanding and considering cyber workforce and some of the things we looked at were in the migration reforms we recently published, our guidance for recruiters to attract diverse talent and that followed a lot of workshops and engagement over the last couple of years to understand how we better target that in a way that's useful.

We've also got work that we've been doing through the professionalisation framework in terms of the grant that we had put out to support developing a professionalisation framework, the key there being a real focus around, when the grants announced and awarded, industry consultation at the start to really get a good sense of what needs to be done and what can be done. Certainly I would say over horizon one I personally have learned a lot about that area, but also particularly about the importance of that diversity of views within the cyber industry itself in Australia, which I think has been really helpful in terms of taking these next steps and on the innovation side, this included the cybersecurity Industry Challenge programme and Graham, which was launched recently. So lots, lots of there, but lots to do and I think what we've heard was a lot of feedback on the cyber workforce, including how the data is not currently capturing the nuance of the workforce challenge, particularly the lack of granular data and deeper collaboration needed between industry, academia, employers and government supporting early career entrants to be workforce ready and to support diverse and flexible entry pathways. We talked a lot about the skills and experience paradox and this challenge that I guess has been articulated to me through various forums and certainly came through strongly that you know for some parts of industry they want I think the term was unicorns of you know have all of this experience and you know all this, you know, creation and all this, but you know the role is base pay or whatever and then on the other side it's, you know coming out of training, but then sort of not being skill or job ready and how do we kind of between those two components or those two perspectives find something and find some policy ideas that can support that? How do we encourage incentivize industry to do that? How do we partner with different NGOs or groups, and how do we support that? So, there's a lot about that, a lot about lateral recruitments, surge work capability, as I mentioned cyber reserves came up a bit and the other components in this one that came up were around reducing ICT concentration risk, which was an interesting topic and mapping those sovereign capabilities so that we can understand those cyber risks and vulnerabilities. And I think that's a long term plan across the life of this strategy, but certainly something that we were happy to see raised last year.

We're almost there under SHIELD 6. Obviously, this is about partnering ourselves through word and deed as a regional partner of choice on cybersecurity, promoting international cyber rules, norms and standards. You know, we expand our vision of a secure community to include the partners in the Pacific and likeminded countries. But we're also looking at how we can take forward those programmes. This is a shield where our colleagues in DFAT have done a lot of great work and that was really reflected and resonated in the feedback that we received, particularly around the regional cyber crisis response teams piloting options to use technology protect region scale, international standards development, high quality digital trade rules.

Quite a lot that we've done in Horizon one and then in her, in the discussion, people were kind of asking, well, how is this going? Is it having an effect and what could we build on? And we heard, like I said, very strongly that the work that's being done under SHIELD 6 is critical, it continues to be vital to be delivering security outcomes that extend beyond Australia. Obviously, cyber threats don't respect borders, well worn kind of phrase, but it's true. And so how we push that threat outside of our borders and how we manage it is critical. It was a real focus on continuing to deepen collaboration with existing partners, but also to build a broader coalition of international partners. So that's kind of it in terms of the feedback that we received across the different Shields.

Gosh, that's a lot. But we also did sort of make you read a 50 page discussion, 50 questions in the discussion paper. So, I guess, you know, you reap what you sow. But can I just say once again, just how wonderful it's been to engage with this community and engage with stakeholders across all these different parts, it's been for my team and for me helpful to understand each of these issues as we try to unpack what is a complex system, but also a very broad policy space. And I think that's been the most helpful part is in these Co design sessions has been to sort of take the space to consider one element but keeping that mind open to the bigger picture as well. So, look, I feel like I should stop now. We have about 15 minutes I think for Q&A.


And I'm going to hand off to Cathy now to help facilitate.


Cathy

Excellent. Thanks so much, Ash. And as Ash said, there was a lot of conversations that have been had and a lot to feedback. So, thank you. That was a great debrief on all those conversations we do have. We have one question. I think everyone's been fascinated by listening to Ash and we just one question in all. They're starting to pop up now, but, um, the first one I have here is: is it possible for additional organisations to become involved in the ongoing co-design and consultation process?


Ashley BELL

The answer is yes, absolutely. I think any situation on Co design where you close the books and put the sign, you know, gone fishing out the front is not real Co design. So, we are open, we'll provide all the details about how that happens.

Again, some of these discussions are starting now to dig into the detail, but we're not in any way at a point where we're giving advice to government about these things. We want to make sure that we're considering all these elements and of course, as these things sharpen up and shape up, we'll be keen to share more and keep your eye out on the website that sort of. You here as a way of keeping up to date on the consultation journey, but yes, reach out to the email, which I'm sure the team will put on.

Cathy
Excellent. Yeah. I think Michaella has just put that in the chat for us. So, thanks. Michaella. The next question is from Paul Buckley. Was there feedback around the current structures of cyber within government and their appropriateness to deliver the strategy?

Ashley BELL
Not really. There wasn't. I. I mean, it's certainly a question we're thinking about. Let me tell you, that's definitely a big focus of ours within government itself and a bit of that is to do the work that Cathy's been doing on the evaluation monitoring, but also a bit of that's around governance and how we work together across government and some of that we've been working through, you know every strategy and every policy area is very different in terms of our constitutional and portfolio allocations. And cyber is one of these vectors where you know it is spread across the Commonwealth, across States and territories. So certainly, in the context of the working across all Australian governments in that kind of vertical stream that came out and we've certainly been doing a lot of work to think about how we can improve that across government. I think certainly we have through Horizon one established a lot of governance processes that we'll be looking to both enhance and evolve for Horizon 2. You'll always learn your lessons, and you'll always try to do better on these things and how we do it. But no, there wasn't a lot of feedback in the submissions around that question, but it's a good one, Paul, and it's certainly something that we think about. We just, I guess in the industry stakeholder consultation, we sort of get a bit shy that we think you might think we're just obsessing over ourselves with the bureaucratic elements which you know we love, but we do try to keep the conversation focused on things that matter for you, but appreciate that it's an important area to get right. And so, if there is additional feedback, that's something I'd welcome, emails or thoughts or a conversation about, yeah.


Cathy

Excellent. Thanks Ash. And the next couple of questions are, are they sort of looking forward to what's next, a question from Mark Williams, what are your next steps please?


Ashley BELL

Next steps? Well, I mean the next steps is that the conversation keeps going, right? We are continuing to work through Co design engagements. We really want to work through I think some of these bigger policy questions, so you know, like the ones that we've and you know you can probably deduce it from sort of where I was focusing in some of my remarks before. But you know how do we tackle this element around small business and getting that uplift, how do we deal with it?

How do we define a proactive posture for cyber? How do we build the human firewall and really support individuals who are that incredibly important line of defence, but also how do we kind of get that message and deepen it, that theme in Horizon 2 really is around that embedding and sort of focusing in and so part of these questions I think, are complex policy questions. They cut across the Shields, they cut across portfolios, they cut across industry and government. I think we're keen to do more to understand what industry can do for industry and the Executive Cyber Council has been helpful in, in, in framing some of that, but there's probably more that we'd like to know from you about. Look, here's something that we'd like to do under the strategy or as part of the strategy that supports the outcomes that are defined within that. You know, I think anything that's sort of supporting, you know, parts of sectors. So, for example, not for profits. You know what industry can be doing to support not for profits, which they already are doing a lot, but is there a way that government can enhance that or is there ideas that you have about models or programmes working overseas that we could look to explore. So, I think those are certainly ideas that we'd be keen to get. We'll continue to be doing that work in Co design as we go forward, particularly over the next few months.

And obviously at some point we will have to pull that advice together for government and then they'll decide in due course as part of their prioritisation processes. So, there's not much more I can say in terms of that government decision process at this stage. Our focus really is around getting the best ideas and that and a real sense of what we can achieve together in Horizon 2. And so that's what my focus is and what my team's focus is now. So immediate next steps are keeping the conversation going and develop some awesome policy initiatives.

Cathy
Excellent. Thanks, Ash. I think you covered up quite a few questions there about what next Chris had us and John had similar questions around sort of that what's happening over the next 12 months and sort of as we move between horizon one and two and so and the question from John as well. So might jump given the short amount of only brief amount of time that we've got left to a question from Shannon Hartley around.

Ashley BELL
Yes.

Cathy
It's not, she said in the chat, not currently subject to cosies cosy. I don't. Hopefully you know what that means, Ash, but wondering if there are any thoughts that might change that. Also, has there been any consideration of grants to help businesses address the how aspect of security? And she says thank you for your time, Ash as well.

Michaella
Thanks. Cathy. Just to jump in just correct to SOCI.

Ashley BELL
Fine, thanks.

Cathy
Oh, sorry. Thank you.

Ashley BELL
You are about to watch me, like, invent an acronym? No, I'm just kidding. I would have absolutely admitted I didn't know what a cosy was. But I do know what a soccer is.

Cathy
Me.

Ashley BELL
So in terms of the scope of SOCI, that's not, that's not something I've got a. It's not my area, so I certainly wouldn't want to speak on behalf of Sophie and the team around, you know, designation of critical infrastructure elements other than to say that you know this is an area, and within SOCI that they are looking to review the framework and legislation as well. So I think that's a big part of the consideration is aroused.

The broad island's a critical infrastructure, so certainly suggests that engage with them, and I think a big part of that is engaging through their industry participation forums. And what better month to do with that than critical Infrastructure Month.

In terms of grants to help businesses address the how aspect of security, I guess this I mean this question came up this morning in the small Business roundtable and I was kind of purposely provocative to try and understand a little bit around the incentives and components. I know unimportance of the importance of grants, the importance of incentives and financial incentives to get things off the ground. I guess one of the challenging points that I would say is in terms of the how aspect, what I guess the challenge back is what the grant would serve and how do we make it sustainable. And I think that's the part in terms of the role of industry.

These grants start and finish, and how do we lock in that goodness? Because again, the cyber situation is not going to get not going to finish. We're not going to solve and then everyone's cybersecure and we can kind of pack up and go home. It's a continued sort of. Engagement. And so, I think part of that is maybe understanding better and above your thoughts shattering around. So, send us an email because I'm keen to understand this a lot more. How do we incentivize and how do we leverage market incentives in this space as well? Just so that we've got a sustainable pathway, but certainly where there needs to be an investment from government, that's something that we would be happy to consider in terms of developing our advice.

Cathy
Thanks, Ash. Now we've only got 3 minutes left and still a couple of questions. One about does the cyber strategy already include a cyber maturity dashboard or is that in development. And one about how small business about the cyber Executive Cyber Council being great? But how? But small businesses are extremely different to big businesses, and maybe a small and medium business Cyber Council would be a good idea too. So, I don't know if you want to come back to those maybe later or do we have the do you want to spend the last couple of minutes looking at those? Yeah.

Ashley BELL
I'll do a quick one. Simon. Trudy, dashboard, absolutely. Once Cathy gets onto it. No, I'm just kidding. We are working that through and we're looking at how we can develop that model, but that's a long project, right? I can see you're from university.

Academics and others involved in understanding how we can make that sense, because there's a conceptual piece. Then there's a data piece, and then there's a presentation how we make it useful for people. It's a big piece of work, and you've got the chief architect right there and Cathy, so please reach out to us. We're keen to keep that conversation going.

But yes, look, it's a slow burn because of the complexity of what it seeks to do. And you know, I guess the only thing I can be confident in is talking to counterparts overseas. No one's cracked that yet in a meaningful way. And so, this is an area where we are trying to be world leading and take that forward. On that small business Cyber Council, that's an interesting idea. Thanks for that. I think you're right. There is an element around talking to different levels of business and the experience is very different. So great suggestion and certainly keen to take that on board. Look, conscious that there's a lot more we could cover off. What, again, what we wanted to use this session for was not the sort of be all and end all Horizon 2 conversation, but just to touch base again just to connect back in, to show you what we've been hearing to reflect on some of the thinking that we've been doing and obviously to continue to offer and put that hand out to connect up again. My team and I are really keen to keep that conversation going.

I'm also really keen to get feedback on how we're doing that and if we, if there's things that we can improve, we don't always get it right. Not every session's going to work perfectly. Not every engagement will work perfectly. That's not the standard that I kind of set for everyone. What do is get better at it? And I think that's kind of all we can hope for. So, if you've got feedback on ways that we can make this more effective for you, please let us know as well and there's details on the slides and in the chat.

And I want to just finish off by saying a huge thank you to my team for setting all of this up. These things don't just happen and it's a lot of work from a lot of dedicated people. And so, thank you to all those folks who know who they are. My thanks to Kylie and Cathy for helping me with today's session and then most importantly, my thanks to all of you for joining in for all your investment in the discussion paper and Co design sessions. And we genuinely mean that it's an investment of your time, your money and your effort. And it's absolutely appreciated by us.

​For information on how we collect and handle your personal information, see Privacy.

Enquiries

If you have a question or would like to discuss the development of Horizon 2 in further detail, please email CSSH2@homeaffairs.gov.au.

Submissions to the Horizon 2 Public Discussion Paper

Horizon 2 of the 2023-2030 Australian Cyber Security Strategy commences in 2026 and continues to the end of 2028. 

A Public Discussion Paper Charting New Horizons: Developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy was released on 29 July 2025 seeking submissions by 29 August 2025. Including late submissions, the Department received over 170 submissions in response. 

Further targeted engagement activities and industry co-design events are ongoing. ​

Public Submissions to the Discussion Paper

