The Australian government has reaffirmed its commitment to bolstering digital security for individuals and businesses across the nation with impactful enhancements introduced to its cybersecurity measures. The government's goal is to be recognised as a global pioneer in cybersecurity by 2030 and these latest efforts are substantial strides towards this objective.
The transition of myGov, an online platform offering citizens access to government services in one secure space, towards a passwordless system has been announced as a primary cybersecurity measure. Phishing-resistant multi-factor authentication (MFA), including passkeys, for account sign-ins will further secure the platform.
Previously, breaches due to stolen login credentials from phishing attacks have led to around 4,500 successful intrusions causing $3.1 billion in losses. This led to the proactive suspension of thousands of myGov accounts to prevent further breaches.
Last November, the government introduced its Australian Cyber Security Strategy for 2023-2030 intended to impact government, critical infrastructure, public servants, and citizens accessing online services. Furthermore, an update to the Maturity Model for the Essential Eight was announced, which includes phishing-resistant MFA among the eight mitigation strategies.
These government-led initiatives to prioritise phishing resistance and improve security have been applauded by technology company Yubico. These declarations indicate that more assertive moves by the federal government to adopt passkeys as a phishing-resistant MFA are anticipated in the coming months.
Recent Australian government cybersecurity legislation has also commendably impacted the updated Essential Eight framework. MFA requirements have been enhanced to enforce the use of phishing-resistant MFA at lower maturity levels.
Previously, this was only a requirement at Maturity Level One; however, phishing-resistance is now required from Level One through to Level Three. The framework, supported by the Cyber Security Strategy, will provide a guide for organisations in assessing their cyber posture.
These updates were triggered by several key factors, including the rise in MFA adoption, the implementation of international FIDO2/WebAuthn standards, an increase in attacks against weaker MFA implementations, and amendments to cyber policy by the Australian Signals Directorate's international partners.
A new requirement mandates users authenticate to their workstations using a form of phishing-resistant MFA, impacting those at Maturity Level Two and Three.
These changes have been warmly welcomed and they set a higher standard for organisations to embrace modern phishing-resistant MFA on a significant scale. There is anticipation that the government will implement more measures in the upcoming years to ensure citizens are safeguarded against escalating cyber attacks such as phishing.
The endeavour to enhance cybersecurity posture across the Australian government, businesses, and consumers, reflects similar uplifts seen worldwide. Several countries are making significant strides in prioritising phishing-resistant MFA, a move that dramatically reduces cybersecurity risks.
The US government, for instance, has emphasised using solely phishing-resistant MFA over the past years. Meanwhile, the EU is also taking massive steps to enhance its cybersecurity through laws like the NIS2 Directive and a revision of the EU common identity framework regulation.