SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia leads in global cybersecurity with phishing-resistant measures
Tue, 12th Dec 2023

The Australian government has positioned itself at the forefront of global cybersecurity measures, taking significant steps towards phishing-resistance for its citizens and businesses. Commenting on the substantial strides in enhancing the nation's digital security, Alex Wilson, Director of Solutions Engineering Asia Pacific & Japan at Yubico, said, "Australia has a goal to be a global leader in cybersecurity by 2030, and these recent measures are making impactful steps toward reaching this mission."

Amongst the most noteworthy moves is the transition of government service portal myGov into a completely passwordless platform, incorporating phishing-resistant multi-factor authentication (MFA) approaches, such as passkeys. This comes in the wake of over 4,500 successful breaches this year alone, resulting in a staggering $3.1 billion in losses. In response, the government suspended thousands of myGov accounts to proactively stop further intrusions.

Besides this, the Australian Government unveiled the Australian Cyber Security Strategy 2023-2030 this November. This strategy is set to have far-reaching impacts, affecting government, critical infrastructure, citizens, and public servants tied to myGov. The updated Essential 8 Maturity Model was also announced, which includes phishing-resistant MFA amongst its eight mitigation strategies. "Yubico applauds these efforts by the Australian government towards prioritising phishing-resistance and significantly raising the security bar for the country and its citizens," said Wilson.

The new Essential 8 framework necessitates the use of phishing-resistant MFA by organisations with a lower maturity level. Formerly required at Maturity Level One, phishing-resistant MFA is now mandatory from Maturity Level One through to Maturity Level Three. This initiative came about as a result of increasing MFA adoption and the implementation of FIDO2/WebAuthn international standards, the surge in attacks against weak MFA implementations prone to real-time phishing or social engineering attacks, and cyber policy changes made by the Australian Signals Directorate's international partners.

Another key measure is the mandate for users to authenticate their workstations using a form of phishing-resistant MFA, such as Smart Cards and security keys. This development affects Maturity Level Two and Three. "These changes are welcome and raise the bar for organisations to adopt modern phishing-resistant MFA at scale, and represent a significant shift in the Australian market towards adoption of passkeys," Wilson noted.

While these initiatives set an impressive precedent for Australia, similar measures are being implemented globally. The U.S. government has stressed the importance of using phishing-resistant MFA for several years now. The recent National Cybersecurity Strategy shifts the cybersecurity burden from individuals to organisations most equipped to reduce risks. In Europe, the NIS2 Directive, a new piece of EU-wide legislation, aims to strengthen the continent's cybersecurity.

In conclusion, the decisive steps taken by the Australian government represent an important advance in phishing-resistance strategies not just in Australia, but around the globe. Yubico echoed this sentiment: "We look forward to additional measures by the Australian government in the coming years to keep their citizens more secure from increasing cyber attacks like phishing," Alex Wilson affirmed.