Australia launches cyber review board modeled on version disbanded in US

Australia announced Monday it is establishing a board to conduct independent reviews following major cyberattacks, joining a small number of other jurisdictions that have created similar programs.

The Cyber Incident Review Board will carry out no-fault, post-incident reviews of significant cyberattacks on Australian government and industry, focusing on systemic lessons rather than individual or corporate culpability. 

Tony Burke, the Australian home affairs and cybersecurity minister, announced seven appointments to the board, which is majority female — a rarity in a field that skews heavily male at senior levels.

It will be chaired by Narelle Devine, the global chief information security officer at Telstra. Other members are drawn from Boeing Australia, NBN Co, the University of New South Wales, law firm Allens, Toll Group and SA Power Networks.

“We know that cyber attacks are constant. This guarantees we learn from every attack and keep increasing our resilience,” Burke said.

The board follows a series of high-profile cyberattacks in Australia in recent years — including those affecting health insurer Medibank and telecommunications company Optus — which put pressure on Canberra to strengthen the country's cyber defences.

It is modeled on the Cyber Safety Review Board established by the Biden administration in 2022, though with a narrower membership drawn largely from critical infrastructure industries.

The U.S. board produced three reports before it was disbanded by the Trump administration. At the time it was scrapped, the board had been in the middle of an investigation into Salt Typhoon, a sweeping Chinese intelligence operation targeting telecommunications networks. Several Democratic senators criticised the administration’s move and called for the board to be reinstated.

While a similar mechanism has also been set up in the European Union under its Cyber Solidarity Act — tasking the EU's cybersecurity agency ENISA with conducting post-incident reviews of significant cross-border attacks — this review function has yet to be exercised.

The U.S. board’s most consequential report accused Microsoft of a cascade of avoidable errors that allowed Chinese state-linked hackers to access email accounts belonging to senior U.S. government officials and demanded “real cultural and leadership changes” at the company.

Following the release of that report, Microsoft chief executive Satya Nadella issued a company-wide directive declaring that prioritizing security “above all else” was critical to the company's future.

The board’s earlier reviews into the Log4j vulnerability and the Lapsus$ hacker group had less impact. Writing in Lawfare, Jeff Greene — a former Biden administration cyber official who helped establish the board — argued that the initial reviews fell short by failing to focus on a specific incident attributable to a single company's failures, limiting their ability to drive accountability.

Unlike its U.S. counterpart, which relied entirely on voluntary cooperation, Australia's board can compel information from entities that decline to participate — something included in Greene’s recommendations. The Australian government’s plans do not follow other suggestions he made, such as the board being able to expand their composition for individual reviews requiring specialist knowledge.