An advisory board led by former Telstra boss Andy Penn is pressing the federal government to consider a Cyber Security Act as part of the Cyber Security Strategy refresh in order to harmonise Australia’s patchwork of cybersecurity laws.
In the wake of last year’s high-profile data breaches against Optus and Medibank, the board has also flagged possible changes to the Security of Critical Infrastructure Act so that customer data and ‘systems’ are covered.
The proposed reforms are contained in a discussion paper released on Monday following a roundtable with industry and government attended by Prime Minister Anthony Albanese and Minister for Cybersecurity Clare O’Neil.
The paper has been drafted by the expert advisory board – which also comprises Cyber Security Cooperative Research Centre chief Rachel Falk and former chief of the Air Force Mel Hupfeld – advising government on the new strategy.
The government has declared its ambition for Australia to become the world’s most cyber-secure country by 2030, and intends to use the strategy – planned for release later this year – to harden the country’s defences.
“This is a fast-moving, rapidly evolving threat and for too many years, Australia has been off the pace. Our government is determined to change that,” Prime Minister Anthony Albanese said on Monday.
Earlier on Monday, the government announced plans to establish a National Office for Cyber Security, led by a coordinator for cyber security, within the Department of Home Affairs. The office will coordinate the government’s cyber security responsibilities.
Home Affairs is the policy lead for cyber security, while the Australian Signals Directorate and the Australian Cyber Security Centre in Defence, and the Australian Federal Police in the Attorney-General’s Department have operational responsibilities.
While not mentioning the office, the discussion paper said the Optus and Medibank data breaches, which each affected almost 10 million Australians in September and October 2022, highlighted that the government was “ill-equipped to respond”.
“It became clear during these incidents that government was ill-equipped, and did not have the appropriate frameworks and powers to enable an effective national response given the number of Australians whose personal information… was compromised,” the paper said.
“These breaches demonstrate why more needs to be done to make sure our laws recognise there is widespread data collection and government and industry both have an essential role to play in hardening networks and securing our economy.”
The expert advisory board has outlined several core policy areas in the paper that it “expects” the government to address in the strategy, including a harmonisation of regulatory frameworks following feedback from industry.
The paper suggests that this could include a new Cyber Security Act that draws “together cyber-specific legislative obligations and standards across industry and government” and has called for feedback.
Since the release of the 2020 strategy, the government has introduced a range of new measures aimed at protecting critical infrastructure, including powers to subject certain companies or assets to enhanced cybersecurity obligations.
Businesses have been urging the government to harmonise the regulatory environment for months to help improve understanding of cyber security expectations across both the public and private sectors, which is reflected in the discussion paper.
“We have heard from industry that business owners often do not feel their cyber security obligations are clear or easy to follow, both from an operational perspective and as company directors,” the paper states.
The former Coalition government had already recognised the need for harmonisation, with its data security action plan discussion paper last year calling for reforms to close “existing or emerging gaps”.
Stakeholder feedback to the expert advisory board also reveals a need for more explicit specification of obligations, including “some form of best practice cyber security standards”. The government has already flagged that it intends to impose minimum standards on telcos.
The advisory board said this could include “further developments to the Security of Critical Infrastructure Act”, such as including customer data and ‘systems’ in the definition of critical assets, rather than just operational elements, to ensure data breaches like those experienced by Optus and Medicare are covered.
Other potential areas for action include prohibiting ransoms to cyber criminals, confidentiality obligations for companies that share information with the Australian Signals Directorate while responding to a cyber-attack and building community awareness and skills in cyber security.
The paper also argues that “government should share the root cause findings from investigations of major cyber incidents so that we can all benefit from these learnings” but it does not request feedback on this suggestion.