Australia requires a specific federal Cyber Security Act. It’s too easy to square the blame entirely on the Optus and Medibank data breaches when what these attacks expose is a lack of effective and comprehensive federal legislation.
The Minister for Home Affairs Clare O’Neil – who is also Minister for Cyber Security – was right when she declared that Australia is a decade behind the rest of the world.
The good news is that we have a successful working international example – Europe’s General Data Protection Regulation (GDPR), that we can iterate upon. There is no need to ‘reinvent the wheel’.
The bad news is the urgency with which we must enact this legislation. We urgently need frameworks that encourage corporations and government agencies to enhance their cyber security capabilities – cyber defences and data protection in the event that defences fail.
And we need stiff penalties that deter them from acting irresponsibly with customers’ and any other sensitive data.
The big picture
The Optus and now Medibanks’ data breaches and the community outrage that follow should not be confined to issues of citizens’ privacy alone. There is a much bigger picture at stake necessitating a single comprehensive federal Cyber Security Act.
Cyber-attacks are not simply acts of criminals seeking financial gain through stolen identities.
They are also used as weapons of national and economic harm – even warfare – designed to bring down critical national infrastructure; cause catastrophic harm to business and government IT systems; and render defence and military systems ineffective. The war in Ukraine and Russian cyber-attacks upon both Ukraine and its allies are proof of that.
Equally cybersecurity effectiveness must not be confined to failures of cyber-defence systems alone. The Optus and Medicare breaches highlight organisations’ failure protect their sensitive customer data with encryption – ensuring it is useless when stolen by cyber-criminals.
So, when our federal Minister for Cyber Security (facing a national data breach affecting a third of our population’s personal identities) reached for Australia’s cyber security legislation only to discover it was “absolutely useless”, we have a much bigger problem than simply protecting the privacy of Australian citizens.
The Australian government and intelligence agencies’ swift responses to the Optus breach highlighted the fact that cyber security is not an IT issue – it is a national security issue. Cyber security legislation must get the same treatment.
Currently, cyber security responsibilities are fragmented across a myriad of privacy, national infrastructure security and corporations legislation.
A confusing assortment of legal rabbit holes makes it hard to get a consistent level of transparency from organisations, let alone a unified set of standards that everyone adheres to.
To see sweeping legislation in cyber security there needs to be a consensus between the states and territories and the federal government, otherwise we risk repeating the mistakes of the United States.
Frustrated with the Federal Cybersecurity Act, the Biden Administration is only able to deal with federal responsibilities such as health, telecommunications or financial services, the rest is done by individual states.
In Australia, some of our most sensitive data lies in our health and education sectors, which are state run.
If we are to enact comprehensive laws, these areas need to be front and centre of a collaborative government approach. It cannot be allowed to be fertile ground for lobbyists’ negotiations that result in a self-interest driven result.
Europe set the standard of a specific overarching cyber security act with the GDPR. It has a mandate for the protection of sensitive information, so if you’re holding information that can reveal identities then executives and the corporations themselves are responsible.
For example – if an email exchange server is shown to be vulnerable, and its owner doesn’t apply an available patch to prevent the attacker from using this vulnerability, if that organisation is then breached it will be noncompliant.
On the other end of the spectrum, if it is breached but the data within is protected by “strong encryption” it’s deemed to not be a breach as you’ve effectively protected that data from nefarious use. It is sensible, easy to understand and motivating without requiring executives to become cyber security experts to ensure compliance.
The key to creating legislation that maintains a healthy balance between prevention technology (which works to keep attackers out) and protection technology (which keeps data safe when attackers inevitably find a way in) lies in setting similar non-technical standards.
This way we can ensure cyber security is being done and it’s effective but doesn’t prescribe a method.
That said, a simple copy and paste of the GDPR would be insufficient. An Australian cyber security act needs to address more than citizen privacy as shown in the GDPR. It’s been four years since GDPR was proclaimed and there are areas in which time has shown it can be enhanced.
However, it does act as a great example for how to clearly assign responsibilities and should be considered in the development of our own frameworks.
During the two years the EU nation states drafted and agreed upon the GDPR, Australia’s Notifiable Data Breaches Scheme 2018 amendments to the Privacy Act took nearly five years.
A decade of relative inaction on cyber security has one lesson; penalties that cause both financial and reputational pain are one way to make an example of poor behaviour but they don’t help solve the underlying issues.
In the US, breaches of federal cyber security legislation can be a criminal matter, not just civil. A breach of Europe’s GDPR can see a maximum penalty of €20m or 4% annual international turnover, whichever is greater.
What these harsh penalties do not address is corporate apathy, particularly at the executive level.
Liability after a breach may give customers a sense of justice, but positive behaviour change within an organisation may be better attained by additionally penalising on the failure to listen or action the advice of organisations’ cyber security employees.
This may address both the need to empower cyber security staff and nullify the ‘she’ll be right’ philosophy of some commercial and government organisations.
Whatever motivators are chosen, Australia needs clear and all-encompassing cyber security legislation with sharp teeth. It must set the highest legislative standard required for a national security issue, whilst providing organisations the freedom to find their own solutions.
The Optus breach was horrific for all involved, but from it we have an unprecedented opportunity.
We must avoid the mistakes of the US and gain from Europe’s GDPR to create a cyber security Act that will help keep our citizens, intellectual property, government and business secrets safe for the long term.
Francis Galbally is the founder and chairman of the ASX-listed cybersecurity company Senetas Corporation Ltd. Senetas is a global leader in the development of high-performance encryption security solutions.
Do you know more? Contact James Riley via Email.