Before deep diving into the privacy laws and cybersecurity in Australia let’s first explore what cybersecurity means and provide a brief overview for some context.
When it comes to cyber security laws, Australia has established strong regulations through the Privacy Act which binds most businesses and organisations when handling personally identifiable data (PII). These laws protect the interests of both the businesses and customers alike.
Cybersecurity Defined
In layman’s terms, cybersecurity involves the protection of computer systems and data, specifically when connected to the Internet. This means cybersecurity is pervasive given almost every business (small and large) along with government and essential services depend on a safe and clean internet connectivity every day.
Global Threats, Local Response
The Australia government’s Australian Cyber Security Centre (ACSC) has stated the largest current and future threat is cyber-espionage by nation states looking to gather information to support state-sponsored activities. Eg; launching cyber-attacks aiming to destroy critical infrastructure of another country or providing access for cyber-criminals that use the Internet to steal other individual identities.
An effective solution against this threat requires action not only from government and business but also from within the academic and scientific communities. In addition, the general public’s cyber-awareness further contributes to this solution as often the public is the first affected by these threats.
This is why small business protection laws whether through the Privacy Act or more general cybersecurity guidelines provided by the government form the backbone of protecting everyone from cyber-attacks.
Offense is Good Defense
Not all countries have an offensive cyber-capability yet Australia is one of the few. However this was not publicly acknowledged until the release of the government’s 2016 Cyber Security Strategy.
And yet no further information about Australia’s cyber-capabilities have been disclosed though it’s main cyber agency, the Australian Signals Directorate (ASD), are now openly recruiting for offensive and defensive cyber specialists.
Why Now?
The changing threat landscape impacts not only local businesses and citizens but the government as well. The changes are global and increasing in speed and scale making now the time to increase the nation’s cyber-capability (and that of individuals and businesses too).
Cybersecurity is a constantly evolving and complex area that affects almost every part of society, both public and private. As technology rapidly evolves, various strategic methods and programs must be implemented to keep up with the threats.
The 2020 Cyber Security Strategy released by the government in August 2020 outlines the urgent need to implement a nationwide strategy that provides a more secure online environment for Australians which includes their businesses and other essential services upon which we all depend.
It is widely accepted that increased opportunities also come with increased threats. And as the 2020 Cyber Security Strategy points out, state-sponsored and well-equipped nation based actors are now targeting vulnerable infrastructure and stealing intellectual property.
Cyber criminals are also causing direct and collateral damage as they infiltrate government and business systems around the world. With this increased and large scale changes in mind, it’s now imperative that governments implement a robust and agile strategy in their regulatory systems that can handle current and future cyber-risks and threats.
Below are the outlined initiatives from the 2020 strategy report that every business and citizen should be aware of:
- Enhancing and uplifting of a critical infrastructure regulatory framework – The government has already committed itself to use a principle-based approach in uplifting the framework. This begins with efforts around internet security legislation and includes guidelines and a voluntary code of practice. The legislative changes will be enacted through amendments to the Telecommunications Sector Security Reforms and the Security of Critical Infrastructure Act 2018 or better known as SCI Act. Both the owners and the operators of critical infrastructure are bound by this uplifted framework.
The strengthened regulatory framework will include the following:
- Enhanced cybersecurity obligations for bodies that are considered to be involved in critical infrastructure. They will be obliged to take necessary steps in the preparation against threats;
- A workable positive obligation that would set out fundamental protections that apply to all critical infrastructure;
- Assistance from the Australian Government for every business vulnerable to cyber-attacks.
- Updated laws to create a cyber security foundation for the entire economy – The government will consider various options during its consultation with different sectors in businesses, including the delivery of legal reforms covering;
- Consumer, data protection, and privacy laws;
- Director duties and;
- Responsibilities on the manufacturers of Internet-able devices.
As these laws spread across different legislative acts (eg; Privacy Act, Corporations Law, etc) and potentially involve new legislation (ie; IoT laws).
This means a considerable amount of consultation amongst all stakeholders will be required to manage how the final amendments interact with each other across all the legislative acts to avoid any unintended consequences.
- New powers enabling the government to act against sophisticated cyber-attacks – although not fully detailed in the report, the extent of government powers will be further enhanced by the security agencies and monitoring mechanisms. The government will consult owners and operators of critical infrastructure (eg; gas, water, electricity) to develop these new powers that will improve its defence against highly sophisticated cyber-attacks.
Furthermore, the government will give the Australian Federal Police enhanced powers in terms of the investigation and prosecution of cyber criminals.
- Code of practice for the Internet of Things (IoT) released for discussion – the voluntary “Code of Practice: Securing the Internet of Things” acknowledges that by 2030 it’s expected there will be more than 21 billion devices connected to the internet. The code contains 13 principles to support businesses in protecting themselves and their customers from threats posed by Internet-enabled devices.
The government has also stated that should the code be insufficient to drive change in businesses and the community, that further steps will be imposed beyond this voluntary code.
- The government will harden and reinforce its own systems – the government’s own IT systems will be enhanced with additional security including more centralisation for protection against large scale cyber-attacks.
The government has also stated that standard cyber security clauses will be incorporated in government IT contracts. There will be also a renewed focus when it comes to updated procedures and policies in managing cyber risks.
- The government will explore the merits and viability of blocking threats automatically – the government has determined that using internet security legislation would be the best way of mandating nationally that all telecommunication providers implement threat-blocking methods for the protection of businesses and the citizens.
Tense Teamwork
Most importantly, the government’s 2020 strategy is based around the idea that efficient and effective cyber security for the nation is best developed through an integrated working relationship between the government, business, and private citizens.
However there are some existing tensions between the private sector and the government that remain. The most recent issue in the national media spotlight were changes made to the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth).
These newly amended laws grant government agencies the freedom to access telecommunications (ie; forcing private companies to decrypt private messages between citizens) and forcing private industry cooperation with security and law enforcement agencies.
So whilst a teamwork based approach will serve the 2020 strategy best, it’s likely that tensions will remain between the government and private sector as the strategy’s agenda is implemented.
