Australia’s 2020 Cyber Security Strategy – Call for Views

This article was written by Michael Swinson, Cheng Lim and Sean Field.

Australia's 2020 Cyber Security Strategy

What is it & why should I be interested?

The Commonwealth Government has recently published a discussion paper inviting comment on potential changes to Australia's cyber security regime, as part of a 2020 strategy to ensure Australia's digital defences.

Three ideas raised in the paper will be of critical interest to businesses and individuals engaged in the digital economy:

  • Risk allocation - Industry may be held responsible for a greater portion of cyber risk.
  • Regulatory change - The strategy could see businesses in the digital economy subject to new regulations covering consumer protection and cyber security standards.
  • Cost burden - Industry may be required to contribute to the cost of Government improving its cyber security capacity.

Who will be affected?

The issues canvassed in the Government's paper are wide-ranging and hold the potential for significant change affecting the Information and Communications Technology (ICT) sector, including Internet Service Providers (ISPs) and operators of data centres, social media and online market places.

The paper is an opportunity for industry voices to be heard on these topics in the context of the Commonwealth shaping its cyber security strategy.

Key issues

Are responsibilities and liabilities appropriately allocated between consumers, business and government?

The paper considers Government's role to date as focussed on protecting 'critical' systems, while suppliers have restricted their liability through 'complex contractual terms'. It says this situation has seen end users (consumers) typically bear the burden of risk.

The paper notes that "it is unclear" whether statutory protections, such as consumer protection and privacy laws, provide adequate coverage.  And the paper suggests that an alternative would be to "prioritise cyber security by transferring responsibility for managing a greater proportion of cyber risks away from end users and onto industry and business".

The paper considers that currently cyber security requirements can in some industry sectors be "minimal or highly variable" and that "[a] better approach may be consistent but flexible cyber-security laws for critical systems" perhaps along the lines of the existing industry-specific requirements imposed on the telco industry under the Telecommunications Sector Security Reforms. The paper clearly signals that Government is considering the need to expand its focus to cover more digital infrastructure, such as data centres and online market places.

What might this mean?

One option might be for Government to impose compliance requirements on industry, mandating standards such as the NIST Cyber Security Framework, ISO 27001 and related standards, and the Australian Signals Directorate's own mitigation strategies.  This could mean legislation or mandated supply chain standards.

However, these approaches also raise questions around how regulatory standards would maintain pace with technological developments and the impact they may have on the ability of Australian businesses to compete or adapt to changing market conditions.

The paper also flags the prospect that the cost could fall directly onto the ICT sector, noting that:

If Government needs to provide ongoing and sustainable services to owners of critical systems, then the cost may need to be recovered through direct charges or other alternative funding models, rather than relying on general taxation revenue.

What's next for industry?

Noting that the paper is simply calling for input from interested parties with no clear policy direction yet decided, potential outcomes that are of interest to the ICT sector could include the following:

  • increased legal, regulatory and compliance risk;
  • a more directive role for government in setting cyber security standards for industry; and
  • increased costs for industry.

We would recommend that all organisations dealing with valuable data assets consider the Government's paper carefully to determine the potential impact a change in approach to the management of cyber security risks may have on them.

The deadline for submissions in response to the paper is 1 November 2019.  KWM's Tech Law team can assist you in making submissions.  Please contact one of our team below should you wish to discuss this or any related cyber security issues further.

