Australian Cyber Strategy: how it will impact you

Introduction

Sensible and pragmatic initiatives to build awareness and cyber capabilities are at the core of the Federal Government's Australian Cyber Security Strategy, which sets the ambition of Australia being the most cyber secure nation by 2030.

The Strategy presents a multi-pronged approach to lifting the resilience of Australian businesses and government agencies against cybercrime and nation-state level cyberattacks. At its core, there is a clear appreciation that large enterprises and government institutions need to lead by example, and that smaller enterprises require assistance both from the government and their peers to appropriately protect Australian infrastructure and data.

The Strategy is broken down into six cyber shields and three horizons to make Australia one of the most cyber secure nations:

• Horizon 1 "Strengthen our foundations" (2023-2025), which will address critical gaps in Australia's cyber shield and build better protections for its most vulnerable citizens and businesses;
• Horizon 2 "Expand our reach" (2026-2028), where the Federal Government will scale cyber maturity across the economy; and
• Horizon 3 "Lead the frontier" (2029-2030), where the Federal Government envisions it will become global leader in cyber security and Australia will be one of the most cyber secure nations.

The Strategy appears to acknowledge that the real solution lies in addressing fundamental understanding and capability issues, particularly with SMEs, and also at the executive level, rather than a pure regulatory response. This is particularly apparent with the creation of free cyber health checks and the "Small Business Cyber Security Resilience Service". These will offset much of the cost barriers SMEs face in taking steps to build their resilience in the face of increased cyber-attacks.

Critical Infrastructure regulation

Further reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) have been identified as an early priority in the Strategy. At a high level, the proposed reforms include:

• to ensure it is protecting the right entities and assets;
• to enhance the cyber security obligations for Systems of National Significance;
• to ensure critical infrastructure is compliant with its cyber security obligations; and
• to help critical infrastructure manage the consequences of a cyber incident.

While not stated expressly in the action plan that has been released, it appears changes to the SOCI Act will take place as part of Horizon 1, which is due to be implemented over the course of the next two years.

Mandatory ransomware reporting obligations

The Strategy proposes the introduction of a no-fault, no-liability, ransomware reporting obligation for businesses. The rationale behind the reporting obligation, the proposed limits on the use of that information by the Australian Signals Directorate and Cyber Coordinator and anonymised ransom trend reporting, forms part of a broader "information sharing" theme underlying the strategy. Precisely what information will need to be reported is yet to be specified, with the scope of the ransomware reporting obligation to be co-designed with industry before it is legislated.

The approach to the payment of ransomware demands is similarly pragmatic: while these payment will continue to be strongly discouraged, the government has opted not to press for a general prohibition on them. This is perhaps an acknowledgement that an outright ban (while undermining the economics of the ransomware industry) may be unrealistic in practice, and that a more nuanced approach is warranted. We expect a ransomware payment will remain illegal where it offends proceeds of crime laws or amounts to financing terrorism, but a degree of flexibility will be retained to balance the need to respond to exigent circumstances, allowing the operators critical infrastructure or vital healthcare services to consider payment as an option for restoring services or providing life-saving care.

This "information sharing" theme focuses on encouraging greater openness and transparency, in part by decreasing the risk to a business of disclosing incidents it suffers, with the aim of enabling lessons learned to be publicly shared and national resilience against cyber-crime to be developed. Other measures include:

• a no-fault post-incident review mechanism for major cyber incidents, which will seek to uplift cyber security without interfering with incident response or regulatory, intelligence or law enforcement functions;
• the Department of Home Affairs and Treasury working to provide industry with additional information on cyber governance obligations to which they are currently subject, together with a "Ransomware Playbook" for handling such an attack. It is hoped that this playbook will provide some much-needed clarity for boards and directors as to the nature and extent of their obligations, and those of the organisations they lead; and
• a single reporting portal for cyber security incidents. However, how this will interact with existing reporting obligations (such as the Notifiable Data Breaches scheme) and whether it will fragment the operation of those other reporting obligations remains to be seen.

Data governance and retention requirements

The Federal Government intends to review its legislative data requirements for non-personal data, with the Privacy Act 1988 (Cth) currently being reviewed from a personal information/data perspective.

There is currently little detail on where this broader review may go or how it may impact businesses. We expect there to be a greater focus on ensuring organisations do not collect and retain data where it is reasonably necessary for a specific function or purpose, as opposed to warehousing data as a "nice to have" in the hopes it may ultimately generate value. Such a shift would be consistent with other jurisdictions which have sought to constrain the mass collection and retention of data by ensuring that it is necessary and proportionate. This balancing act will be no easy task, as the digital economy and data are intimately entwined, and the costs of establishing systems, policies and procedures to comply with such restrictions may be significant.

Developing and implementing data governance frameworks will be a key component to the long-term success of the Strategy. Organisations will be encouraged to conduct reviews of their data holdings and develop plans to prioritise and protect sensitive and critical data, particularly as the nation prepares for the possible disruptive impact of quantum computing, which is likely to render current cryptography insecure, and other emerging technologies potentially reducing the difficulty of executing complex cyber attacks. Maintaining visibility of the types of data handled by the business and where that data is located at any given point in time allows the business to ensure that this information is appropriately protected both in storage and transit, as well as enabling more timely and effective incident response efforts. Organisations will be assisted in this through the provision of a standardised data classification model, which can be voluntarily used by businesses to perform such classification in a normalised fashion.

Other proposed measures, such as continuing to develop the Digital ID program and the National Strategy for Identity Resilience, are intended to reduce the need for people to share their sensitive personal information with Government and businesses to access online services. We expect these strategies will help blunt the impact of data breaches on individuals by limiting the useable data and information for identify theft. The ultimate effectiveness of these measures relies on co-ordination and co-operation between the Commonwealth, States and Territory Governments. There has been no commitment to work together to achieve these outcomes together to date.

Device and software security

Consistent with the Strategy's root and branch approach to the six cyber shields, there are a number of proposals which seek to uplift device and software security to protect Australia. The aim of these proposals is to set clear cyber security expectations and increase transparency.

Specific proposals include:

• A set of mandatory cyber security standards for Internet of Things devices, which we expect to align with international standards to avoid the risk of creating a barrier to entering the Australian market.
• A voluntary labelling scheme for consumer-grade smart devices. Such a labelling scheme would be similar to the six star energy or water rating labels we are now familiar with on white goods.
• The development and adoption of international software security standards with industry and international partners. These standards will focus on "secure-by-design" and "secure-by-default" practices and aim to incorporate cyber security considerations into the design and structure of new software.
• A voluntary code of practice for app stores and app developers, to be co-designed with industry and international partners, to clearly outline community expectations for cyber security in software development.
• To harmonise software standards for government procurement with Australia's Quad partners (the United States of America, Japan and India) to align procurement standards and set strong IT security standards.

Legislating mandatory cyber security standards for IoT devices has been proposed, but their effectiveness may be undermined by merely voluntary labelling schemes and voluntary codes of practices for app stores and app developers. Given the plethora of internet-enabled devices on the market now (and likely to emerge in the future), it will also be interesting to see how broadly these standards are cast.

Key takeaways for governance and board oversight

The Government's vision is for Australia to be a global leader in cyber security and technologies by 2030. This vision forms part of a broader and joint strategy by the Government and its regulators (such as the OAIC, ASIC, ACCC and APRA) to strengthen Australia's laws to bring them into the digital age and meet community expectations, and its wheels are already in motion.

These potential changes highlight a number of issues for organisations from a governance and board oversight perspective:

• Boards and directors: The Government's and regulators' expectations have increased in the wake of a number of cyber attacks. Cyber security risks should not be considered an "IT problem", but a "whole of business risk". Boards and directors need to be proactive in the cyber security, data and privacy space to help protect the organisation from financial, reputational and operational harm from cybercriminals, regulators, disgruntled shareholders and the public, as part of discharging their duties. They will also need to ensure that the organisation is ready, and able, to respond to a cyber security incident. The Strategy flags the publication of further guidance on cyber best-practice and lessons learned from cyber incidents, with the objective of uplifting understanding in this area.
• Implementation of Cyber security, data and privacy policies: While having these policies are important, regulators (and potentially soon individuals who provide their personal information and data) are looking past the policies an organisation has in place to whether and how those policies are operationalised (ie. complied with and continually practiced within an organisation). The cyber security, data and privacy spheres are rapidly evolving, as should an organisation's policies.
• Data Governance: Senior management and the board need to know what the key systems and data are of the organisation, in order to assess the risks involved in choices regarding their protection. Developing and implementing a data governance framework is a critical means of reducing cyber risk.
• Regulatory, consumer and shareholder scrutiny: Australia's regulators have been emboldened in recent years and the number of regulatory investigations and proceedings is rapidly increasing. Similarly, there is a growing number of class actions arising from cyber breaches as a reflection of community expectations. We expect these forms of scrutiny to increase in line with heightened community expectations, and to be empowered by the broader cyber security, data and privacy law reforms.
• Big business and the Government to lead by example: A key part of the Strategy is for the Government and big business to lead by example, with the Strategy stating overtly that the Government is "shifting more of the cyber risk to those who are most capable". It seems likely that big business will be held to a higher standard to protect our nation, critical infrastructure, economy and devices in an effort to help uplift the approach of medium and small business. How this plays out in practice remains to be seen.

Each of these changes can be expected to drive additional direct and indirect costs for business, whether to adequately protect the organisation, respond to regulators, in the form of additional or increased fines or exposure to compensation claims, or additional administrative costs. Of course, these costs must be balanced against the potential, and significant, financial, reputational and operational harms associated with having inadequate cyber security measures in place.