Written by Kirsten Bowe, Soeun Hong and Daniela Lai.
Cyber attacks have rapidly become an alarming and increasingly frequent issue around the world.
The increasing importance of cyber security
According to data compiled by the Centre for Strategic and International Studies, Australia is the sixth most targeted country for cybercrime in the world, with 16 significant cyber attacks between May 2006 and June 2020.[1] During the 2019/20 financial year, the Australian Cyber Security Centre responded to 2,266 cyber security incidents (a rate of almost 6 incidents per day).[2] The true volume of malicious activity in Australia is likely to be much higher.[3]
The COVID-19 pandemic has, in many ways, accelerated the use of digital technologies and the growth of the digital economy. Because of COVID-19, more people are working from home and learning remotely than ever before. The pandemic has also increased the focus on online business delivery and on the rapid adaptation of supply chains using digital technologies.[4] According to Australia's Digital Trust Report 2020, digital infrastructure-related industries are estimated to see a significant increase of 17.4 per cent (a $58.5 billion increase in revenue) in 2020.
However, the COVID-19 pandemic and the increased use of digital technologies (sometimes deployed more rapidly than usual) have also created opportunities for cyber criminals. Cyber risks and the exploitation of vulnerabilities have intensified even further in recent months. Many Australian office workers are now reliant on their home Wi-Fi networks and on non-hardened work devices to perform their work functions. Some collaboration and productivity applications also pose potential cyber risks. According to the Australian Cyber Security Centre, there has been an increasing number of COVID-19 related scams, online frauds and phishing campaigns targeting individuals, businesses and government departments in Australia.[5]
In recent times, we have seen an increase in cyber attacks on our clients in Australia, including from State actors and cyber criminals.
The impact of cyber attacks can be huge, not just on individual businesses and consumers, but on the economy as a whole. The Digital Trust Report 2020 indicates that a one-month digital disruption could cost the Australian economy $30 billion, representing around 163,000 jobs. Further, according to one expert cited in the 2020 Strategy, cyber incidents targeting small to large businesses could cost up to $29 billion per year, or 1.9% of Australia's GDP.[6]
The case for a strong cyber security strategy and a coordinated response to cyber threats is clear.
Australia's 2020 Cyber Security Strategy
On 6 August 2020, the Australian Government released its Cyber Security Strategy 2020 (the 2020 Strategy), committing $1.67 billion to be spent on cyber security over 10 years.
The 2020 Strategy builds on the Australian Government's 2016 Cyber Security Strategy, which aimed to advance and protect Australians' interests online. The 2020 Strategy was developed following a consultation process led by the Industry Advisory Panel (IAP), which culminated in the IAP's final report, released in July 2020. The IAP's report provided 60 recommendations to the Government addressing the full ambit of cyber security issues and proposed the coordinated approach adopted in the 2020 Strategy.
Key strategies
The 2020 Strategy focuses on the roles that different parts of the community play in building strong cyber security: namely, actions by governments, businesses and the community.[7]
A key pillar of the 2020 Strategy is the protection of critical infrastructure and systems of national significance, in order to secure Australia's essential services. The Department of Home Affairs has already published a consultation paper seeking submissions on proposed reforms to the critical infrastructure regulatory framework. See our article for more details.
The internet of things and the security of consumer devices is another area highlighted in the 2020 Strategy. It is estimated that 64 billion devices are likely to be connected to the internet globally by 2025,[8] and many of these devices have poor cyber security settings. The Government will release the final voluntary "Code of Practice: Securing the Internet of Things for Consumers". The Code of Practice will set out the Australian Government's security expectations for all internet connected consumer devices, to ensure that businesses produce secure products and services wherever possible.
Another key strategy is for government and large businesses to help small and medium businesses grow and increase their cyber security awareness and capability, by integrating security products into other services and providing security bundles that help SMEs build strong cyber security. Education and capability building is another area of focus, with a number of initiatives targeting workforce skill building in cyber security.
Following the IAP's recommendations, the Government intends to strengthen cooperation amongst all levels of government and private sector organisations. For instance, the Government will invest $67.9 million to expand the Joint Cyber Security Centres program to enhance collaboration amongst governments, industry partners and academia. A standing Industry Advisory Committee will also be established to continue the cooperation between government and industry in the long term. The Government will deliver an enhanced threat-sharing platform to increase the two-way flow of cyber security information. Further, the Government will bolster its law enforcement powers, including on the dark web, to counter cybercrime capabilities and target the profits of cyber criminals.
At this stage, aside from the critical infrastructure legislation, the Government has not announced significant regulatory changes for business. However, the Government has indicated that it intends to undertake consultation on laws that would set a minimum cyber security baseline. The consultation will consider possible reforms to the role of privacy, consumer and data protection laws, the duties of company directors and other business entities, and the obligations of manufacturers of internet connected devices.
Where to from here?
The 2020 Strategy emphasises the importance of the private sector and the broader community sharing accountability for managing cyber security in Australia. As illustrated above, businesses will likely face stricter cyber security obligations. As part of the 2020 Strategy, the Government encourages businesses to sign up to the voluntary Code of Practice on the security of the IoT once it is available. Further, large companies will be encouraged to help small and medium enterprises improve their cyber security and to provide them with cyber security toolkits as part of a secure bundle of services (such as threat blocking, antivirus and cyber security awareness training).
The 2020 Strategy sets out the path to achieving its vision – 'a more secure online world for Australians, their businesses and the essential services upon which we all depend'. However, many details are yet to be confirmed, including legislative changes.
In the meantime, organisations should regularly review their preparedness for, and protection against, the risk of cyber attacks. Some of the recommended measures are:
- taking steps to improve the security of all systems and software, including installing firewalls, performing vulnerability testing, using secure authentication methods and safeguards, and regularly backing up data;
- implementing a thorough working-from-home policy to guide employees accessing workplace systems remotely, and an incident response plan;
- revising, and regularly testing, a robust disaster recovery and business continuity plan that can be invoked if there is a cyber attack;
- obtaining cyber insurance that covers the immediate expenses of a data breach or cybercrime, including the restoration of systems, crisis management and loss of profits resulting from the incident;
- when entering into contracts with IT service providers, imposing strict security requirements and data protection obligations and implementing remediation processes; and
- reviewing, and considering uplifting, existing contracts with IT service providers to ensure that they impose adequate cyber security obligations on the service providers. Where service providers handle the organisation's data, there should be strict obligations on them to protect that data and maintain cyber security, including an obligation to notify the organisation promptly of any suspected or actual cyber security attack.
The digital economy certainly provides incredible new opportunities for businesses. However, without robust cyber security practices, growth cannot be sustained and will likely be eroded.
If you would like to discuss how this may impact your business, or any related cyber security issues, please contact a member of our Tech Law team.
And for more information on responding to a ransomware attack, see our related article on 'Cyber attacks: is it legal to pay a ransom in Australia?' here.
[1] https://specopssoft.com/blog/countries-experiencing-significant-cyber-attacks/.
[2] Australia's 2020 Cyber Security Strategy, p.10.
[3] Ibid.
[4] Australia's Digital Trust Report 2020, p.2.
[5] https://www.cyber.gov.au/acsc/view-all-content/advisories/threat-update-covid-19-malicious-cyber-activity-20-april-2020.
[6] Australia's 2020 Cyber Security Strategy, p.10.
[7] Australia's 2020 Cyber Security Strategy, Figure 2, p.18.
[8] Australia's 2020 Cyber Security Strategy, p.31.