Last month, the Australian Government released its highly anticipated Cyber Security Strategy 2020 (2020 Strategy), with the stated aim of creating a “more secure online world for Australians, their businesses and the essential services upon which we all depend”.
The 2020 Strategy could not come at a better time. Individuals and businesses are now more connected through technology than ever before (and markedly more so than even six months ago). While COVID-19 has turbo-charged Australia’s move towards a digital world and forced individuals and businesses to become much more digitally literate in a very short period, the digital shift is a consistent, long-term and growing trend. No sector has been immune from its inexorable pull: even traditionally manual industries (e.g. construction and infrastructure) have begun to embrace digital solutions and practices with a view to guaranteeing their future competitiveness and their ability to remain fit for purpose. The rapidly evolving ‘Infratech’ space is a good example of this.
Of course, increased opportunities have come with increased threats. As the 2020 Strategy points out, “Well-equipped and persistent state-sponsored actors are targeting critical infrastructure and stealing our intellectual property” – and “Cyber criminals are also doing great harm, infiltrating systems from anywhere in the world, stealing money, identities and data from unsuspecting Australians”. In the face of such multifaceted threats, there is a growing need for robust and agile regulatory regimes to manage cyber threats and risks.
The 2020 Strategy, which involves a $1.67 billion investment over 10 years into Australian cyber security initiatives, signals the Government’s recognition of this need. This marks a significant increase in investment from the 2016 Cyber Security Strategy (2016 Strategy), which invested only $230 million to protect Australia’s cyber interests. The 2020 Strategy builds on the 2016 Strategy, and sets out a number of initiatives that demonstrate how government, businesses and the community must work collaboratively to strengthen Australia’s cyber interests.
We have outlined some key initiatives from the 2020 Strategy that you should know about:
1. The critical infrastructure regulatory framework will be enhanced and uplifted
Currently, the Telecommunications Sector Security Reforms and the Security of Critical Infrastructure Act 2018 (SCI Act) protect Australia’s telecommunications, electricity, water, gas and maritime port assets against cyber threats. The 2020 Strategy will expand the sectors subject to the critical infrastructure framework and enhance the framework to further secure and protect such critical infrastructure. These changes will be delivered through amendments to the SCI Act.
The Government has highlighted that it will be using a ‘principles-based’ approach to uplift the framework, as it recognises that each sector will need different approaches to cyber, physical, personnel and supply chain protections. The principles-based obligations will sit in the SCI Act and will be accompanied by sector-specific guidance and advice tailored to the risks and circumstances of each sector. The uplifted framework will apply to both owners and operators of critical infrastructure.
These reforms will impose security obligations on the following sectors: banking and finance; communications; data/Cloud; defence; education, research and innovation; energy; food; health; space; transport; and water.
The enhanced regulatory framework will include:
- enhanced cyber security obligations for entities that are considered to be involved with critical infrastructure of national significance. These entities will be obliged to provide information to assist the Government to respond to threats in real time, and to take steps to prepare themselves against threats;
- an enforceable positive obligation which sets out baseline protections that will apply to all critical infrastructure entities; and
- Australian Government assistance for businesses against cyber attacks.
2. New laws will set a minimum cyber security baseline across the entire economy
The Government flagged that it will consider a number of different reform options during consultation with businesses, including delivering this reform through:
- privacy, consumer and data protection laws;
- director duties; and
- obligations on manufacturers of internet connected devices.
Baseline laws would introduce consistency to today’s fragmented cyber security regulatory landscape. Current cyber security laws and regulations include those contained in the Criminal Code Act 1995 (Cth), privacy laws generally and the Notifiable Data Breach Scheme, the Consumer Data Right regime, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), and sector-specific standards such as the APRA Prudential Standard CPS 234 (Information Security). Consultation on baseline laws should include careful consideration of how such laws will interact with this existing regulatory landscape.
3. New powers to allow Government to act against sophisticated cyber attacks
The extent of these powers is not outlined in detail, but the 2020 Strategy suggests that they will be accompanied by safeguards and oversight mechanisms. The Government will develop these new powers in consultation with owners and operators of critical infrastructure. The 2020 Strategy lists expert advice, direct assistance and the use of classified tools as examples of the assistance that may be provided.
The Government will also provide the Australian Federal Police with further powers to allow it to investigate and prosecute cyber criminals.
4. A voluntary code of practice for Internet of Things released for consultation
The Government has released a voluntary “Code of Practice: Securing the Internet of Things” (the Code) in acknowledgement of the expectation that by 2030 there will be more than 21 billion IoT devices. The Code sets out 13 principles and is intended to support businesses in protecting themselves and their customers in relation to internet-connected devices. The Government has flagged that if the Code proves insufficient to drive change among business and the community, it will consider additional steps beyond a voluntary code.
We have examined the Code in further detail here.
5. Government will strengthen its own networks
The network of Government IT systems will be made more secure and centralised to protect against cyber attacks.
The Government has also flagged that standard cyber security clauses will be included in government IT contracts. Updated policies and procedures to manage cyber risks will also be given a renewed focus.
6. Government will consider whether it can legislate to block threats automatically
The Government has flagged that legislation may prove to be a suitable way to assist telecommunications providers to implement threat-blocking technology to protect businesses and citizens.
Interestingly, the 2020 Strategy is based on a working assumption that effective cyber security can only be achieved through a close working relationship between Government, businesses and the community. This, however, further erodes the traditional separation between Government and business. That erosion was recently thrown into the spotlight by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), which allows government agencies to access applicable telecommunications and mandates industry cooperation with law enforcement and security agencies. The tension between Government/business cooperation and the independence of businesses will likely continue to feature as the 2020 Strategy’s ambitious agenda is implemented.
We will keep you updated as the legislative and regulatory changes anticipated by the 2020 Strategy start to take shape.
Authors: Mike Caplan, Nikhil Shah and Catherine Gamble