Charting new horizons: Five key observations from Australia's Cyber Security Strategy Horizon 2 Discussion Paper

John Dieckmann
18 Aug 2025

As we near the completion of Horizon 1 of the 2023-2030 Cyber Security Strategy, the focus now shifts to Horizon 2, a pivotal phase focused on embedding robust cyber standards across society, empowering organisations and individuals to protect themselves, and enhancing regulation and workforce capacity to strengthen Australia’s overall cyber resilience.

The Australian Government's recently released Discussion Paper seeks ideas and policy options to protect Australia's digital future, while also seizing the opportunities of technological advancements.

Horizon 2 represents a moment to recalibrate Australia’s regulatory, legislative and policy frameworks and highlights the importance of businesses and citizens working together to strengthen and protect our national interests.

This article explores five key observations from the discussion paper, highlighting the opportunities and challenges that lie ahead as Australia charts its course towards a more secure and resilient digital future.

  1. Harmonisation of regulation: the paper recognises that the current regulatory framework can be difficult to navigate, and indicates the Government's intention to explore harmonisation of current regulation – albeit without compromising desired security outcomes. In an area where there are multiple, overlapping regimes, simplification will be welcomed by many, although it remains to be seen how this will be delivered and whether an increase in the regulatory burden will result. That is particularly so in light of the Government's stated objective of encouraging the private sector to adopt "a more proactive posture against cyber threat actors".

  2. Small to medium businesses: the Government is focused on uplifting cyber standards for small to medium enterprises, and has flagged a desire to "encourage" these businesses to take up existing cyber resources (such as the Small Business Cyber Resilience Service, Cyber Wardens and ACNC guidance). It will also be interesting to see whether this desire translates into an expansion of the reach of current regulation to a broader range of businesses.

  3. Security standards: the Cyber Security Act establishes a framework for security standards for a range of smart devices. The questions posed in the paper suggest the Government will look to expand these standards to a broader range of household devices. This will no doubt be of interest to manufacturers, importers and distributors of a range of consumer goods, as the Government seeks to strike a balance between ensuring appropriate protection for Australian citizens while navigating the reality of Australia's significant reliance on overseas supply chains.

  4. Safe harbour for ethical hackers: an interesting aspect of the paper concerns the potential for a form of "safe harbour" for security researchers - those who identify vulnerabilities in existing systems and notify organisations of those vulnerabilities (and might be known as "ethical hackers"). At present, such actions do raise the prospect of civil and criminal sanctions, but the Government's questions signal a willingness to explore exemptions from these consequences for security researchers in some circumstances, as well as incentivising businesses to adopt policies around the treatment of vulnerabilities that are disclosed.

  5. Critical Infrastructure: further reviews of the Security of Critical Infrastructure Act are flagged, as the Government looks to build on the momentum it has generated to date in uplifting the legislation over the last few years. These include the potential development of further sector-specific measures to increase cyber maturity and introduction of additional audit requirements. Again, watch this space.

The Department of Home Affairs welcomes submissions on the Horizon 2 Public Discussion Paper until 29 August 2025.

At Clayton Utz, we are committed to fostering informed conversations about Australia's cyber future. Recently, we hosted a Digital Economy Live webinar featuring Lieutenant General Michelle McGuinness, the National Cyber Security Coordinator, where we explored some of the key milestones that have been achieved under Horizon 1 and turned our attention to Horizon 2. You can watch this webinar on demand here.
