The Cyber Threat: Is Australia ready?

By Robert Ishak and Shreeya Pandey

Earlier this year, more than 180,000 New South Wales residents were caught up in a major cybersecurity breach after a state government department was compromised. In the last decade, Australians have seen a rapid increase in cybercrime and cyber breaches, so is Australia ready? We are witnessing a revolution and a change in the frontline, where the cyber battlefield is becoming more dangerous, and the value of data protection and data privacy is becoming more evident.

On 6 August 2020, the Australian Government released its Cyber Security Strategy 2020 Report in the midst of an increasing incidence of state-sponsored and criminal cyber-attacks affecting both the public and private sectors in Australia. Following this release, the Department of Home Affairs published a consultation paper seeking submissions on proposed reforms to enhance the security and resilience of Australia's critical infrastructure and to introduce new cybersecurity rules, ranging in severity across three groups: ‘systems of national significance’, ‘regulated critical infrastructure entities’ and ‘critical infrastructure entities’.

In summary, the following are the key takeaways from the report and paper:

  • Through amendments to the Security of Critical Infrastructure Act 2018 (Cth) (the Act), the proposed laws will expand the current definition of critical infrastructure from only the physical protection of the gas, water, electricity and ports sectors to include healthcare, banking and finance, food and grocery, data and the cloud, defence, transport, space, energy and communications, education, research and innovation sectors. The Australian Government, however, will in the longer term expect all businesses to take part in Australia's cybersecurity resilience;
  • The Act will be expanded to cover additional sectors to introduce new government assistance and direct action powers and will apply to owners and operators, regardless of ownership arrangements;
  • The Australian government proposes to have the power to impose obligations on companies to employ encrypted cyber defences under a three-tiered ranking system of commercial assets and systems. In addition to the enhanced cybersecurity obligations, owners and operators of systems of national significance, as well as critical infrastructure entities regulated by the Act, will also be subject to a positive security obligation (PSO). The PSO will set and enforce baseline protections against all hazards for critical infrastructure and systems, implemented through sector-specific standards proportionate to risk;
  • A voluntary code of practice will be implemented on the Government's expectations for Internet of Things (IoT) consumer devices;
  • Legislative change may also have the potential to impact privacy, consumer and data protection law, as well as directors' duties;
  • A standing 'Industry Advisory Committee' will be established;
  • Significant funding commitments, as specified in the Appendix of the Strategy Plan; and
  • The Strategy proposes the adoption of an approach, similar to that of the UK, where the government will work with the private sector to increase 'security by design'.

What does this mean for the industry?
The Strategy and proposed reforms remain a framework and series of plans at this stage. Public submissions to the consultation paper closed on 16 September 2020. However, given the significance of the consequences of the proposed reforms and how they will impact Australia's long-term cybersecurity and economic position, there is still much to be discussed. The Australian Government is seeking further consultation on the proposed reforms and on any amendments to the Act. Once the proposed amendments have been handed down, regulators will continue to work with critical infrastructure entities to develop and implement sector-specific obligations to give effect to the legislative regime.