Insight

Securing Australia’s digital future: unpacking the 2023-30 Cyber Security Strategy

Tell me in 30 seconds

The Government’s 2023-2030 Cyber Security Strategy aims to make Australia the most cyber secure nation and a global leader in cyber security by 2030. This will be done in phases over 3 horizons, with specific actions over the next 2 years. These actions include mandatory ransom payment reporting, establishing a Cyber Incident Review Board, simplifying incident reporting to Government and regulators, reviewing data retention requirements in legislation and making further changes to the Security of Critical Infrastructure Act 2018 (Cth).

Context

On 22 November 2023, Minister for Home Affairs and Cyber Security, the Hon Clare O’Neil MP, released the highly anticipated 2023-30 Australian Cyber Security Strategy (Strategy) accompanied by an Action Plan detailing key initiatives to be implemented across the next two years. The Strategy charts a path for Australia to achieve its ambitious goal of becoming a global leader in cyber security by 2030.

Overview of Strategy

The Strategy outlines measures for a more cyber resilient Australia. The Strategy is built around six layers of defence (or ‘shields’): (i) strong businesses and citizens; (ii) safe technology; (iii) world-class threat sharing and blocking; (iv) protected critical infrastructure; (v) sovereign capabilities; and (vi) resilient region and global leadership. 

The Strategy breaks down these six shields into 20 specific actions (some of which will involve further consultation) scheduled for implementation over the next two years. The accompanying Action Plan identifies the lead agencies responsible for implementing each action, as the Government prioritises strengthening our existing foundations and plugging critical gaps.

This insight focuses on the parts of the Strategy that we think are most relevant to business. We also considered how it stacks up against the recommendations in our submission (see here) to the Government’s public consultation on the Strategy’s Discussion Paper.

Mandatory reporting of ransom payments

At this stage, the Government has not prohibited the making of ransom payments to cyber criminals, on the basis that Australia is not yet cyber mature enough (and does not have the appropriate support in place for businesses that do suffer cyber incidents) to be able to do so. In our submission, we expressed the view that the payment of ransoms should be made unlawful (subject to appropriate safe harbours), which would give greater clarity for organisations when faced with a decision whether or not to pay a ransom.

Instead, the Strategy proposes to introduce a legislated no-fault, no-liability ransom reporting obligation for businesses, with the aim of building an improved picture of the ransomware threat so that appropriate responses can be developed. The Government will work with industry to co-design the initiative and has suggested that the mandatory reporting mechanism could potentially facilitate the sharing of anonymised reports on ransomware and cyber extortion trends with both industry and the broader community.

The Strategy also acknowledges that businesses still need clearer guidance on how to deal with ransom demands and affirms the Government’s commitment to build a ransomware playbook to address this need. The playbook will provide guidance on how to prepare for, deal with and ‘bounce back’ from ransom demands. Over time, as Australian businesses become more resilient and better versed in how to respond to cyber threats and extortion, Australia will hopefully become a less attractive target for cyber criminals.

No directors’ cyber security duty but a new Cyber Review Board

One of the questions raised by the Government in the consultation paper for the Strategy was whether or not there should be a specific directors’ duty relating to cyber security. We opposed this on the basis that it was unnecessary and could divert resources and effort away from developing robust cyber security programs.

The Strategy does not include the imposition of a new cyber security duty upon directors. Although the issue is not directly addressed in the Strategy, the Australian Securities and Investments Commission (ASIC) has made unequivocal statements that governance of cyber risk already clearly sits within the remit of a board’s statutory duties.

Organisations should pay close attention to ASIC’s clearly articulated expectation that directors will ensure their organisation’s risk management framework adequately addresses cyber security risks, along with ASIC’s readiness to take action against directors who fail to do so. In this context, it is critical to ensure that directors are alive to these issues and that boards have the right mix of technological and crisis management skills in order to confidently identify, manage and respond to cyber security issues.

The Strategy instead focuses on the importance of education and the sharing of lessons learned. To facilitate this, the Government will set up a Cyber Review Board that will conduct no-fault reviews of incidents and share lessons learnt to build our national cyber resilience. The powers of the Board to call for evidence and to investigate, and the ability of regulators, class action lawyers and others to access material provided to the Board, are yet to be seen, but could give cause for concern to those suffering a cyber incident.

Simplification of incident reporting obligations

Industry stakeholders consistently express concerns about the lack of clarity around cyber security obligations. For example, businesses in different sectors face reporting obligations under various legislative regimes to different regulators and Government agencies, from the Office of the Australian Information Commissioner, to the Australian Prudential Regulation Authority, the Australian Cyber Security Centre and beyond.

The Strategy broadly acknowledges industry concerns about the complexity of existing regulatory reporting obligations, with businesses often needing to report to multiple different regulators. The Strategy also acknowledges the reluctance of businesses to share detailed information that could be used against them in subsequent enforcement actions, a reluctance which can be detrimental to the overall management of a cyber incident.

Consistent with our submission, to enhance and streamline incident reporting, the Government has developed a single reporting channel on cyber.gov.au that consolidates links for mandatory reporting. Looking ahead, the Strategy explores options to further facilitate regulatory compliance, potentially involving regulatory change and form simplification, but does not commit to this. However, the reporting channel does not include something we were concerned about: limits on information sharing between agencies (although the limited use obligation discussed below does help), to mitigate the risk that information used to notify one regulator could be used in subsequent enforcement action by a different regulator.

To encourage more open engagement with Government during an incident, the Government will look into options to legislate a limited use obligation for the Australian Signals Directorate and the Cyber Coordinator, which would aim to limit how information that industry shares with those entities may be used by other Government entities, including regulators. It remains to be seen exactly what level of protection this would offer, as the Strategy indicates that it would not affect regulatory or law enforcement actions, or provide an immunity from legal liability. This falls short of the type of ‘safe harbour’ that others have suggested should apply in order to encourage greater openness and collaboration when responding to major cyber incidents.

Focus on data retention requirements

While the Government’s discussion paper did not directly seek input on data retention, the Strategy sets out the Government’s approach to industry concerns on data practices and regulation.

The Strategy indicates that the Government will review Commonwealth legislative data retention requirements, with a focus on non-personal data, to assess the balance and necessity of existing provisions. This complements the existing Privacy Act Review’s examination of personal information retention laws, with the goal of minimising unnecessary burdens and vulnerabilities. Notably, there is no discussion about harmonisation of data retention with State and Territory legislation, which may still leave organisations with a patchwork of data retention obligations.

The Strategy also outlines the Government’s commitment to implement Digital ID to verify identity. This measure is intended to reduce the need for people to share sensitive personal information with government and businesses to access services online, thereby reducing the risks and impact of identity theft and fraud.

Finally, the Government will also develop a voluntary data classification model, to provide guidance for unified and consistent identification, assessment, and communication of the relative value of data holdings. This framework will enable businesses to implement operational controls proportionate to the information’s value, thereby reducing enterprise risk.

Businesses have been crying out for clearer guidance on data retention, as they currently face a Catch-22 situation whereby they may be criticised both for holding data for too long and for not keeping comprehensive business records when required. Any greater clarity that the Government’s review brings will be welcome. However, no one should underestimate the magnitude of this task and the need to identify and reconcile different retention requirements spread across the statute books.

Changes to critical infrastructure legislation

While many organisations are still grappling with the obligations introduced under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) over the last two years, the Strategy proposes a suite of new commitments to enhance and clarify the critical infrastructure framework.

Consistent with our submission, the Government has committed to clarifying the obligations for entities that are managed service providers (MSPs) or managed security service providers (MSSPs) for critical infrastructure assets. While the Strategy doesn’t specify the method for clarifying these obligations, or whether MSPs would be explicitly brought under the SOCI Act regime, it is clear that the Strategy intends for higher standards to be applied in order to strengthen trust in the management and storage of personal and other valuable data. We submitted that MSPs and MSSPs should be as secure as possible, given their importance in the IT ecosystem. Bringing them into the SOCI Act regime could enable the Government to require them to adopt an all-hazards approach to their business, adopt a recognised cyber security standard and apply personnel checks to their staff who provide services to other entities.

Another key reform, previously flagged by the Government, will be to consolidate the obligations of telecommunications providers within the SOCI Act (transferring obligations in the Telecommunications Act 1997 (Cth) that were introduced as part of the preceding telco sector security reforms some years ago) to simplify oversight and ensure consistency across sectors. Recent network outages have focussed attention on the critical role that telecommunications plays in the functioning of businesses across all sectors, so it is no surprise that the Government intends to pay careful attention to this sector. It also continues the theme of promoting consistency and eliminating unnecessary duplication, which runs throughout the Strategy.

The Strategy also proposes a number of other changes to support the SOCI Act regime, including: (i) undertaking further consultation on the application of the regime to data storage systems (focussing on ‘business critical’ data that could impact the availability and reliability of critical infrastructure assets); (ii) expediting the implementation of the Systems of National Significance (SONS) framework to enhance the measures in place for our most vital infrastructure; (iii) developing a compliance and monitoring evaluation framework to ensure that regulated entities are meeting their obligations under the SOCI Act; and (iv) helping responsible entities manage the consequences of cyber incidents affecting critical infrastructure (including a ‘last resort’ power to authorise specific actions to control the consequences of an incident where no other legislative levers are available).
