08 October 2019

Australia’s 2020 Cyber Security Strategy – Call for Views

This article was written by Michael Swinson, Cheng Lim and Sean Field.

Australia’s 2020 Cyber Security Strategy

What is it & why should I be interested?

The Commonwealth Government has recently published a discussion paper inviting comment on potential changes to Australia’s cyber security regime, as part of a 2020 strategy to ensure Australia’s digital defences.

Three ideas raised in the paper will be of critical interest to businesses and individuals engaged in the digital economy:

  • Risk allocation - Industry may be held responsible for a greater portion of cyber risk.
  • Regulatory change - The strategy could see businesses in the digital economy subject to new regulations covering consumer protection and cyber security standards.
  • Cost burden - Industry may be required to contribute to the cost of Government improving its cyber security capacity.

Who will be affected?

The issues canvassed in the Government’s paper are wide-ranging and hold the potential for significant change affecting the Information and Communications Technology (ICT) sector, including Internet Service Providers (ISPs) and operators of data centres, social media and online market places.

The paper is an opportunity for industry voices to be heard on these topics in the context of the Commonwealth shaping its cyber security strategy.

Key issues

Are responsibilities and liabilities appropriately allocated between consumers, business and government?

The paper considers Government’s role to-date as focussed on protecting ‘critical’ systems, while suppliers have restricted their liability through ‘complex contractual terms’. It says this situation has seen end users (consumers) typically bear the burden of risk.

The paper notes that “it is unclear” whether statutory protections, such as consumer protection and privacy laws, provide adequate coverage.  And the paper suggests that an alternative would be to “prioritise cyber security by transferring responsibility for managing a greater proportion of cyber risks away from end users and onto industry and business”.

The paper considers that currently cyber security requirements can in some industry sectors be “minimal or highly variable” and that “[a] better approach may be consistent but flexible cyber-security laws for critical systems” perhaps along the lines of the existing industry-specific requirements imposed on the telco industry under the Telecommunications Sector Security Reforms. The paper clearly signals that Government is considering the need to expand its focus to cover more digital infrastructure, such as data centres and online market places.

What might this mean?

One option might be for Government to impose compliance requirements on industry, mandating standards such as the NIST Cyber Security Framework, the ISO270001 and related standards and the Australian Signals Directorate’s own mitigation strategies.  This could mean legislation or mandated supply chain standards.

However, these approaches also raise questions around how regulatory standards would maintain pace with technological developments and the impact they may have on the ability of Australian businesses to compete or adapt to changing market conditions?

The paper also flags the prospect that the cost could fall directly onto the ICT sector, noting that:

If Government needs to provide ongoing and sustainable services to owners of critical systems, then the cost may need to be recovered through direct charges or other alternative funding models, rather than relying on general taxation revenue.

What’s next for industry?

Noting that the paper is simply calling for input from interested parties with no clear policy direction yet decided, potential outcomes that are of interest to the ICT sector could include the following:

  • increased legal, regulatory and compliance risk;
  • a more directive role for government in setting cyber security standards for industry; and
  • increased costs for industry.

We would recommend that all organisations dealing with valuable data assets consider the Government’s paper carefully to determine the potential impact a change in approach to the management of cyber security risks may have on them.

The deadline for submissions in response to the paper is 1 November 2019.  KWM’s Tech Law team can assist you in making submissions.  Please contact one of our team below should you wish to discuss further this or any related cyber security issues

Key contacts

Digital Intelligence

Digital innovation will be a game changer across a wide variety of industries globally. Our Digital Intelligence hub contains a number of resources to help you embrace and face digital disruption head on.

Digital Intelligence
Share on LinkedIn Share on Facebook Share on Twitter Share on Google+
    You might also be interested in

    5G, the next evolution of mobile technology, has already landed in Australia with both Telstra and Optus recently launching 5G products in selected areas. When it is fully rolled out, 5G has the...

    23 September 2019

    Australian businesses in the food, alcohol and agricultural sectors will be impacted by a free trade agreement proposal by the European Union (EU) relating to European Geographical Indications if...

    20 September 2019

    This is the last week in which businesses who license their intellectual property (IP) rights have specific protection from the cartel laws and other Part IV prohibitions in the Competition and...

    10 September 2019

    The CDR is coming to the energy industry and it has the power to fundamentally change the way the energy industry manages and controls consumer data.

    06 September 2019

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.