Australian Cyber Strategy: how it will impact you

The Clayton Utz team
12 Dec 2023

Introduction

Sensible and pragmatic initiatives to build awareness and cyber capabilities are at the core of the Federal Government's Australian Cyber Security Strategy, which sets the ambition of Australia being the most cyber secure nation by 2030.

The Strategy presents a multi-pronged approach to lifting the resilience of Australian businesses and government agencies against cybercrime and nation-state level cyberattacks. At its core, there is a clear appreciation that large enterprises and government institutions need to lead by example, and that smaller enterprises require assistance both from the government and their peers to appropriately protect Australian infrastructure and data.

The Strategy is broken down into six cyber shields and three horizons to make Australia one of the most cyber secure nations:

  • Horizon 1 "Strengthen our foundations" (2023-2025), which will address critical gaps in Australia's cyber shield and build better protections for its most vulnerable citizens and businesses;
  • Horizon 2 "Expand our reach" (2026-2028), where the Federal Government will scale cyber maturity across the economy; and
  • Horizon 3 "Lead the frontier" (2029-2030), where the Federal Government envisions it will become a global leader in cyber security and Australia will be one of the most cyber secure nations.

The Strategy appears to acknowledge that the real solution lies in addressing fundamental understanding and capability issues, particularly with SMEs, and also at the executive level, rather than a pure regulatory response. This is particularly apparent with the creation of free cyber health checks and the "Small Business Cyber Security Resilience Service". These will offset much of the cost barriers SMEs face in taking steps to build their resilience in the face of increased cyber-attacks.

Critical Infrastructure regulation

Further reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) have been identified as an early priority in the Strategy. At a high level, the proposed reforms aim:

  • to ensure it is protecting the right entities and assets;
  • to enhance the cyber security obligations for Systems of National Significance;
  • to ensure critical infrastructure is compliant with its cyber security obligations; and
  • to help critical infrastructure manage the consequences of a cyber incident.

While not stated expressly in the action plan that has been released, it appears changes to the SOCI Act will take place as part of Horizon 1, which is due to be implemented over the course of the next two years.

Mandatory ransomware reporting obligations

The Strategy proposes the introduction of a no-fault, no-liability ransomware reporting obligation for businesses. The rationale behind the reporting obligation, the proposed limits on the use of that information by the Australian Signals Directorate and the Cyber Coordinator, and anonymised ransom trend reporting all form part of a broader "information sharing" theme underlying the Strategy. Precisely what information will need to be reported is yet to be specified, with the scope of the ransomware reporting obligation to be co-designed with industry before it is legislated.

The approach to the payment of ransomware demands is similarly pragmatic: while these payments will continue to be strongly discouraged, the government has opted not to press for a general prohibition on them. This is perhaps an acknowledgement that an outright ban (while undermining the economics of the ransomware industry) may be unrealistic in practice, and that a more nuanced approach is warranted. We expect a ransomware payment will remain illegal where it offends proceeds of crime laws or amounts to financing terrorism, but a degree of flexibility will be retained to balance the need to respond to exigent circumstances, allowing the operators of critical infrastructure or vital healthcare services to consider payment as an option for restoring services or providing life-saving care.

This "information sharing" theme focuses on encouraging greater openness and transparency, in part by decreasing the risk to a business of disclosing incidents it suffers, with the aim of enabling lessons learned to be publicly shared and national resilience against cyber-crime to be developed. Other measures include:

  • a no-fault post-incident review mechanism for major cyber incidents, which will seek to uplift cyber security without interfering with incident response or regulatory, intelligence or law enforcement functions;
  • the Department of Home Affairs and Treasury working to provide industry with additional information on cyber governance obligations to which they are currently subject, together with a "Ransomware Playbook" for handling such an attack. It is hoped that this playbook will provide some much-needed clarity for boards and directors as to the nature and extent of their obligations, and those of the organisations they lead; and
  • a single reporting portal for cyber security incidents. However, how this will interact with existing reporting obligations (such as the Notifiable Data Breaches scheme) and whether it will fragment the operation of those other reporting obligations remains to be seen.

Data governance and retention requirements

The Federal Government intends to review its legislative data requirements for non-personal data, with the Privacy Act 1988 (Cth) currently being reviewed from a personal information/data perspective.

There is currently little detail on where this broader review may go or how it may impact businesses. We expect there to be a greater focus on ensuring organisations do not collect and retain data unless it is reasonably necessary for a specific function or purpose, as opposed to warehousing data as a "nice to have" in the hope that it may ultimately generate value. Such a shift would be consistent with other jurisdictions which have sought to constrain the mass collection and retention of data by requiring that it be necessary and proportionate. This balancing act will be no easy task, as the digital economy and data are intimately entwined, and the costs of establishing systems, policies and procedures to comply with such restrictions may be significant.

Developing and implementing data governance frameworks will be a key component to the long-term success of the Strategy. Organisations will be encouraged to conduct reviews of their data holdings and develop plans to prioritise and protect sensitive and critical data, particularly as the nation prepares for the possible disruptive impact of quantum computing, which is likely to render current cryptography insecure, and other emerging technologies potentially reducing the difficulty of executing complex cyber attacks. Maintaining visibility of the types of data handled by the business and where that data is located at any given point in time allows the business to ensure that this information is appropriately protected both in storage and transit, as well as enabling more timely and effective incident response efforts. Organisations will be assisted in this through the provision of a standardised data classification model, which can be voluntarily used by businesses to perform such classification in a normalised fashion.

Other proposed measures, such as continuing to develop the Digital ID program and the National Strategy for Identity Resilience, are intended to reduce the need for people to share their sensitive personal information with Government and businesses to access online services. We expect these strategies will help blunt the impact of data breaches on individuals by limiting the data and information usable for identity theft. The ultimate effectiveness of these measures relies on co-ordination and co-operation between the Commonwealth, State and Territory Governments. To date there has been no commitment to work together to achieve these outcomes.

Device and software security

Consistent with the Strategy's root and branch approach to the six cyber shields, there are a number of proposals which seek to uplift device and software security to protect Australia. The aim of these proposals is to set clear cyber security expectations and increase transparency.

Specific proposals include:

  • A set of mandatory cyber security standards for Internet of Things devices, which we expect to align with international standards to avoid the risk of creating a barrier to entering the Australian market.
  • A voluntary labelling scheme for consumer-grade smart devices. Such a labelling scheme would be similar to the six star energy or water rating labels we are now familiar with on white goods.
  • The development and adoption of international software security standards with industry and international partners. These standards will focus on "secure-by-design" and "secure-by-default" practices and aim to incorporate cyber security considerations into the design and structure of new software.
  • A voluntary code of practice for app stores and app developers, to be co-designed with industry and international partners, to clearly outline community expectations for cyber security in software development.
  • Harmonising software standards for government procurement with Australia's Quad partners (the United States of America, Japan and India) to align procurement standards and set strong IT security standards.

Legislating mandatory cyber security standards for IoT devices has been proposed, but their effectiveness may be undermined by merely voluntary labelling schemes and voluntary codes of practice for app stores and app developers. Given the plethora of internet-enabled devices on the market now (and likely to emerge in the future), it will also be interesting to see how broadly these standards are cast.

Key takeaways for governance and board oversight

The Government's vision is for Australia to be a global leader in cyber security and technologies by 2030. This vision forms part of a broader and joint strategy by the Government and its regulators (such as the OAIC, ASIC, ACCC and APRA) to strengthen Australia's laws to bring them into the digital age and meet community expectations, and its wheels are already in motion.

These potential changes highlight a number of issues for organisations from a governance and board oversight perspective:

  • Boards and directors: The Government's and regulators' expectations have increased in the wake of a number of cyber attacks. Cyber security risks should not be considered an "IT problem", but a "whole of business risk". Boards and directors need to be proactive in the cyber security, data and privacy space to help protect the organisation from financial, reputational and operational harm from cybercriminals, regulators, disgruntled shareholders and the public, as part of discharging their duties. They will also need to ensure that the organisation is ready, and able, to respond to a cyber security incident. The Strategy flags the publication of further guidance on cyber best-practice and lessons learned from cyber incidents, with the objective of uplifting understanding in this area.
  • Implementation of cyber security, data and privacy policies: While having these policies is important, regulators (and potentially soon individuals who provide their personal information and data) are looking past the policies an organisation has in place to whether and how those policies are operationalised (i.e. complied with and continually practised within an organisation). The cyber security, data and privacy spheres are rapidly evolving, as should an organisation's policies.
  • Data governance: Senior management and the board need to know what the organisation's key systems and data are, in order to assess the risks involved in choices regarding their protection. Developing and implementing a data governance framework is a critical means of reducing cyber risk.
  • Regulatory, consumer and shareholder scrutiny: Australia's regulators have been emboldened in recent years and the number of regulatory investigations and proceedings is rapidly increasing. Similarly, there is a growing number of class actions arising from cyber breaches as a reflection of community expectations. We expect these forms of scrutiny to increase in line with heightened community expectations, and to be empowered by the broader cyber security, data and privacy law reforms.
  • Big business and the Government to lead by example: A key part of the Strategy is for the Government and big business to lead by example, with the Strategy stating overtly that the Government is "shifting more of the cyber risk to those who are most capable". It seems likely that big business will be held to a higher standard to protect our nation, critical infrastructure, economy and devices in an effort to help uplift the approach of medium and small business. How this plays out in practice remains to be seen.

Each of these changes can be expected to drive additional direct and indirect costs for business, whether to adequately protect the organisation, respond to regulators, in the form of additional or increased fines or exposure to compensation claims, or additional administrative costs. Of course, these costs must be balanced against the potential, and significant, financial, reputational and operational harms associated with having inadequate cyber security measures in place.

Future-proofing your business

While the Strategy lays out an approach and roadmap to elevate Australia's cyber security posture in the coming years, it will take some time for the initiatives described to materialise. While there is some time before material changes are made, increasing activity by regulators in the cyberspace arena means that it is prudent to begin serious efforts to uplift security posture if such efforts have not yet been undertaken. Based on recent claims in this space, the following key actions can be highlighted at the board and senior management level:

  • Qualified leaders: The process of lifting an organisation's security posture to an appropriate level for the business risk appetite is a complex task, and in many cases is a journey that takes a number of years. Such an effort requires a solid understanding of cybersecurity fundamentals, excellent understanding of the business, and the ability to communicate effectively with non-security stakeholders to empower the business to make informed decisions about investment in their cyber security capability. In order for this process to be successful, it is critical that a cyber security professional with experience in governance, risk and compliance be explicitly hired and assigned to the task in the form of a CISO or other similar position. Historically where such duties have been assigned to leaders without a cyber security background, we have seen a slower journey to maturity and less effective outcomes for the business.
  • Cover the basics: Ensure that a cyber security framework is implemented and used as a basis for periodic maturity assessments by qualified third parties to validate internal uplift efforts. Ensure that bare minimum technical controls are in place using ASD's Essential 8 as a guide.
  • Know your environment: Ensure that known security risks are tracked and treated as appropriate, and that the current risk profile is visible to senior decision makers and the board. Limit "unknown unknowns" by performing maturity assessments and penetration testing of the environment. Identify your "Crown Jewel" systems, without which the business cannot function. Begin mapping out data holdings in your environment and classifying them, leveraging technical solutions to assist in this mapping effort as required.
  • Be ready: Regardless of the level of investment in the cyber security capability, the business must be ready to react to a breach. Ensure you have incident response processes developed for the most common abuse scenarios and that these are properly tuned to your environment, organisational structure and technology stack. It is important that these incident response processes include cooperation with the ACSC and OAIC as appropriate, and that such interactions are aligned with legal requirements. It is likewise prudent that these processes incorporate predefined communications plans and legal advice in the event of a serious breach. Such processes should be stress tested on a regular basis through simulated tabletop exercises to ensure that personnel know how to act in an emergency, and that any deficiencies in process or communications are ironed out well ahead of time.
  • Know yourself: The level of internal cyber security capability will depend heavily on the needs of the business and subsequent investment. For areas where a mature in-house capability may not exist, such as specialised incident responders and digital forensics experts, it is prudent to arrange partnership agreements well ahead of time so that such capabilities can be called upon at short notice. Ensure that any external providers engaged by the business have a solid industry track record and qualified staff.

Consultation, next steps and timeframes

The Strategy proposes further consultation in a range of areas, canvassing broad changes. In the short term, the changes may not be significant. However, businesses should be vigilant in seizing opportunities to participate in consultation to shape the medium- to long-term regulatory landscape.

If you would like to discuss your cyber security and data privacy obligations more generally, please do not hesitate to reach out to your contacts at Clayton Utz. Together with the cyber security experts in our Forensic and Technology Services team, we have both the legal and technological expertise to support you across the full lifecycle of your cyber security and data privacy needs.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.