Australia’s 2020 Cyber Security Strategy – Call for Views


This article was written by Michael Swinson, Cheng Lim and Sean Field.

Australia's 2020 Cyber Security Strategy

What is it & why should I be interested?

The Commonwealth Government has recently published a discussion paper inviting comment on potential changes to Australia's cyber security regime, as part of a 2020 strategy to ensure Australia's digital defences.

Three ideas raised in the paper will be of critical interest to businesses and individuals engaged in the digital economy:

  • Risk allocation - Industry may be held responsible for a greater portion of cyber risk.
  • Regulatory change - The strategy could see businesses in the digital economy subject to new regulations covering consumer protection and cyber security standards.
  • Cost burden - Industry may be required to contribute to the cost of Government improving its cyber security capacity.

Who will be affected?

The issues canvassed in the Government's paper are wide-ranging and hold the potential for significant change affecting the Information and Communications Technology (ICT) sector, including Internet Service Providers (ISPs) and operators of data centres, social media and online market places.

The paper is an opportunity for industry voices to be heard on these topics in the context of the Commonwealth shaping its cyber security strategy.

Key issues

Are responsibilities and liabilities appropriately allocated between consumers, business and government?

The paper considers Government's role to date as focussed on protecting 'critical' systems, while suppliers have restricted their liability through 'complex contractual terms'. It says this situation has seen end users (consumers) typically bear the burden of risk.

The paper notes that "it is unclear" whether statutory protections, such as consumer protection and privacy laws, provide adequate coverage.  And the paper suggests that an alternative would be to "prioritise cyber security by transferring responsibility for managing a greater proportion of cyber risks away from end users and onto industry and business".

The paper considers that currently cyber security requirements can in some industry sectors be "minimal or highly variable" and that "[a] better approach may be consistent but flexible cyber-security laws for critical systems" perhaps along the lines of the existing industry-specific requirements imposed on the telco industry under the Telecommunications Sector Security Reforms. The paper clearly signals that Government is considering the need to expand its focus to cover more digital infrastructure, such as data centres and online market places.

What might this mean?

One option might be for Government to impose compliance requirements on industry, mandating standards such as the NIST Cyber Security Framework, ISO 27001 and related standards, and the Australian Signals Directorate's own mitigation strategies. This could mean legislation or mandated supply chain standards.

However, these approaches also raise questions around how regulatory standards would keep pace with technological developments, and the impact they may have on the ability of Australian businesses to compete or adapt to changing market conditions.

The paper also flags the prospect that the cost could fall directly onto the ICT sector, noting that:

"If Government needs to provide ongoing and sustainable services to owners of critical systems, then the cost may need to be recovered through direct charges or other alternative funding models, rather than relying on general taxation revenue."

What's next for industry?

Noting that the paper is simply calling for input from interested parties with no clear policy direction yet decided, potential outcomes that are of interest to the ICT sector could include the following:

  • increased legal, regulatory and compliance risk;
  • a more directive role for government in setting cyber security standards for industry; and
  • increased costs for industry.

We would recommend that all organisations dealing with valuable data assets consider the Government's paper carefully to determine the potential impact a change in approach to the management of cyber security risks may have on them.

The deadline for submissions in response to the paper is 1 November 2019. KWM's Tech Law team can assist you in making submissions. Please contact one of our team below should you wish to discuss this or any related cyber security issues further.
