Australia is in the midst of a cybersecurity revolution. On 8 December 2022, the Minister for Cyber Security, the Hon. Clare O’Neil MP, announced the development of the 2023-2030 Australian Cyber Security Strategy (the Strategy). The Minister appointed an Expert Advisory Board (chaired by Telstra’s former CEO, Andrew Penn) to advise on the development of the Strategy, and on 27 February 2023, the Expert Advisory Board released a discussion paper (the Discussion Paper), inviting the public to make submissions on how Government can achieve its vision of making Australia the most cyber secure nation by 2030. Both the Strategy and the Discussion Paper reinforce the notion that Australia is leading the charge in cyber security enhancement, a fact which has received international recognition from the MIT Technology Review Cyber Defence Index (the Review), which ranked Australia first in the world in showing the greatest progress and commitment to enhancing cyber security.
Background: Cybersecurity Challenges Faced by the Government in Responding to Data Breaches
The release of the Discussion Paper comes in the wake of two of the most significant data breaches in Australian history: the Optus and Medibank hacks. Over a three-week period in 2022, the personal data of over 9.8 million Optus customers and 9.7 million Medibank customers was stolen by cyber criminals. In light of these breaches, the Discussion Paper makes clear that Government was ill-equipped to respond, and did not have the appropriate frameworks and powers to enable an effective national response given the number of Australians whose personal information, including identity data, was compromised.
In light of these incidents, the Government aims to overhaul a $1.7 billion cyber security plan set up by the former Government. In addition to the release of the Discussion Paper, Prime Minister Anthony Albanese held a cyber security roundtable with leaders from the public service and Australian intelligence agencies, as well as independent experts from business, industry and civil society, to discuss best practice cyber behaviours, growing Australia’s cyber security sector and raising national cyber awareness. As part of these discussions, the Hon. Clare O’Neil MP made clear that it was the Government’s aim to work with industry to build a nationally consistent cyber security framework. The Government has also announced that it will be appointing a National Coordinator for Cyber Security to “ensure a centrally coordinated approach” to the Government’s cyber security responsibilities.
Addressing Cyber Security Gaps: Proposed reform in Australia
The Discussion Paper itself does not outline any reform that is going to take place in the cyber security landscape, instead posing a number of questions regarding the state of cyber security and inviting industry to submit responses to those questions. The Discussion Paper highlights that the Strategy will form the foundation of an evolving approach to cyber security into the future, and that implementation will require strong governance and a transparent, meaningful evaluation framework to ensure that the Strategy is fit for purpose now and into the future. It outlines that the Strategy will be developed in partnership with industry, academia, state and territory governments and the Australian and international community. The Minister for Home Affairs and Cyber Security and the Expert Advisory Board are also being advised on global best practice by a Global Advisory Panel comprising the best minds from Australia’s closest allies. The Global Advisory Panel is chaired by Ciaran Martin CB, former CEO of the United Kingdom’s National Cyber Security Centre.
The Discussion Paper acknowledges that there are a range of implicit cyber security obligations placed on Australian businesses and non-government entities, including through the corporations, consumer, critical infrastructure, and privacy legislative and regulatory frameworks. It outlines that, due to the severity of major cyber incidents, more explicit specification of obligations, including some form of best practice cyber security standards, is required across industry to increase our national cyber resilience and keep Australians and their data safe. While it does not provide an example of what these express obligations may look like, it does invite industry to comment on the potential consideration of a new Cyber Security Act, which would draw together cyber-specific legislative obligations and standards across industry and government.
It also highlights that there may be opportunities to simplify and streamline existing regulatory frameworks. For example, stakeholders have encouraged Government to streamline reporting obligations and response requirements following a major cyber incident. This would be a welcome reform considering the current state of reporting obligations, which are strewn across multiple pieces of legislation and industry standards.
Figure 1 – Current Cyber Incident Reporting Requirements
The Discussion Paper also asks submitters to consider whether further developments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) are warranted, such as including customer data and ‘systems’ in the definition of critical assets, to ensure the powers afforded to Government under the SOCI Act extend to major data breaches such as those experienced by Medibank and Optus, not just operational disruptions. Under the SOCI Act, the Government has ‘last resort’ powers to respond to a serious cyber security incident relating to critical infrastructure assets in critical infrastructure sectors. If customer data and ‘systems’ were added to the definition of critical assets under the SOCI Act, this would effectively grant the Minister the power to:
- give directions to a specified entity for the purposes of information gathering in respect of a cyber security incident;
- give directions to a specified entity requiring the entity to take certain actions or do certain things in response to a cyber security incident; and
- request an authorised government agency to provide assistance in responding to a cyber security incident.
Were this change in place at the time of the Medibank or Optus breach, the Government would have had the power to effectively direct the cyber incident response of those businesses if it so chose. While the SOCI Act already contains Government ‘step in’ rights in the wake of a serious cyber incident, Minister O’Neil has suggested those powers are currently too limited and “very, very narrowly defined” and did not assist the Government practically. However, the definition of ‘asset’ under the SOCI Act is already very broad (including a system, a device, a computer program, data and “any other thing”), raising the question of what practical effect an expansion of the definition of asset would have. For a more in-depth analysis of Government powers under the SOCI Act, please see our previous article here.
The Discussion Paper puts forward this proposal with the aim of clarifying what the community and victims of a cyber-attack can expect from the Government following an incident. It makes clear that Government must ensure that frameworks for incident management and coordination are fit for purpose, and that Government should conduct post-incident review and consequence management following major cyber incidents. Additionally, it posits that Government should share the root cause findings from investigations of major cyber incidents so that everyone can benefit from these learnings.
The Discussion Paper calls for submissions to be made by 15 April 2023 to email@example.com.
International appraisal: MIT Technology Review
Shortly after the release of the Discussion Paper, MIT Technology Review released the Review. The Review is the first annual comparative ranking of the world’s 20 largest and most digitally forward economies (excluding Russia and including Poland) on their preparation against, and response to and recovery from, cybersecurity threats. The Review assessed countries on the basis of four categories:
- critical infrastructure – whether a country has robust and secure digital and telecommunications networks and computing resources that underpin primary economic activity;
- cyber security resources – a country’s technological and legal enforcement for cybersecurity assets;
- organisational capacity – a country’s cybersecurity maturity and digital experience of businesses and other institutions; and
- policy commitment – a measurement of government effectiveness and quality of cybersecurity regulation, and the robustness and completeness of regulation, to gauge regulatory efforts promoting resilient cybersecurity practices.
The Review found that Australia was first in the world among countries showing the greatest progress and commitment to enhancing cyber security. It ranked Australia first in 3 of 4 assessment criteria – critical infrastructure, organisational capacity and policy commitment. The Review also highlighted that Australian business leaders have high confidence in the Government’s cyber security stance, a trait which is likely being bolstered by the Government’s continued interaction with business through things like the cyber security roundtable and the Discussion Paper.
Australia's commitment to cyber security reform
Australia is taking numerous steps to reform its cyber security landscape. The recently released Discussion Paper raises a number of interesting points for consideration, and invites collaboration from industry to help shape Australia’s next steps forward. The Australian Government has made clear that it wants to be at the forefront of leading Australia’s cyber security reform, working with business to create a nationally cohesive cyber security framework. This has garnered international attention and praise, with MIT ranking Australia as the number one country showing the greatest progress and commitment to enhancing cyber security. It will be interesting to see what steps the Australian Government takes next in its goal of making Australia the most cyber secure nation by 2030.
Authors: Michael Caplan and Astan Ure