This article was written by Michael Swinson, Cheng Lim and Sean Field.
Australia's 2020 Cyber Security Strategy
What is it & why should I be interested?
The Commonwealth Government has recently published a discussion paper inviting comment on potential changes to Australia's cyber security regime, as part of a 2020 strategy to ensure Australia's digital defences.
Three ideas raised in the paper will be of critical interest to businesses and individuals engaged in the digital economy:
- Risk allocation - Industry may be held responsible for a greater portion of cyber risk.
- Regulatory change - The strategy could see businesses in the digital economy subject to new regulations covering consumer protection and cyber security standards.
- Cost burden - Industry may be required to contribute to the cost of Government improving its cyber security capacity.
Who will be affected?
The issues canvassed in the Government's paper are wide-ranging and hold the potential for significant change affecting the Information and Communications Technology (ICT) sector, including Internet Service Providers (ISPs) and operators of data centres, social media and online market places.
The paper is an opportunity for industry voices to be heard on these topics in the context of the Commonwealth shaping its cyber security strategy.
Key issues
Are responsibilities and liabilities appropriately allocated between consumers, business and government?
The paper considers Government's role to date as focussed on protecting 'critical' systems, while suppliers have restricted their liability through 'complex contractual terms'. It says this situation has seen end users (consumers) typically bear the burden of risk.
The paper notes that "it is unclear" whether statutory protections, such as consumer protection and privacy laws, provide adequate coverage. And the paper suggests that an alternative would be to "prioritise cyber security by transferring responsibility for managing a greater proportion of cyber risks away from end users and onto industry and business".
The paper considers that currently cyber security requirements can in some industry sectors be "minimal or highly variable" and that "[a] better approach may be consistent but flexible cyber-security laws for critical systems" perhaps along the lines of the existing industry-specific requirements imposed on the telco industry under the Telecommunications Sector Security Reforms. The paper clearly signals that Government is considering the need to expand its focus to cover more digital infrastructure, such as data centres and online market places.
What might this mean?
One option might be for Government to impose compliance requirements on industry, mandating standards such as the NIST Cyber Security Framework, ISO 27001 and related standards, and the Australian Signals Directorate's own mitigation strategies. This could mean legislation or mandated supply chain standards.
However, these approaches also raise questions about how regulatory standards would keep pace with technological developments, and about the impact they may have on the ability of Australian businesses to compete or adapt to changing market conditions.
The paper also flags the prospect that the cost could fall directly onto the ICT sector, noting that:
If Government needs to provide ongoing and sustainable services to owners of critical systems, then the cost may need to be recovered through direct charges or other alternative funding models, rather than relying on general taxation revenue.
What's next for industry?
Noting that the paper is simply calling for input from interested parties with no clear policy direction yet decided, potential outcomes that are of interest to the ICT sector could include the following:
- increased legal, regulatory and compliance risk;
- a more directive role for government in setting cyber security standards for industry; and
- increased costs for industry.
We would recommend that all organisations dealing with valuable data assets consider the Government's paper carefully to determine the potential impact a change in approach to the management of cyber security risks may have on them.
The deadline for submissions in response to the paper is 1 November 2019. KWM's Tech Law team can assist you in making submissions. Please contact one of our team below should you wish to discuss this or any related cyber security issues further.