Australia and New Zealand need an Anzac cyber incident review board
22 May 2024|

Many cyber attacks now straddle the Tasman Sea, such as last year’s data breach against Latitude, an Australian financial services provider, which affected more than 14 million people across Australia and New Zealand. As both nations focus on how to recover better from such large-scale incidents, they should combine their efforts by setting up an Anzac cyber incident review board.

A joint board would have several key functions enhancing the cybersecurity posture of both nations. It would review technical details of an incident, its root cause, actions taken by industry and government, effectiveness of coordination between stakeholders during a response, and the impacts on the affected entity, sector, and communities in both nations.

Upon completion of a review, findings and best practices learnings could be made public through a report to enhance collective cyber security and help prevent recurrences.

A joint board, unlike two national ones, would have the strength of the shared resources and expertise of Australia and New Zealand. Having just one board for both countries would also help industry, which would not have to engage with two reviews about a single incident.

Seamless trans-Tasman cooperation on cybersecurity is a stated priority. New Zealand Prime Minister Chris Hipkins and Australian Prime Minister Anthony Albanese emphasised ‘the importance of both countries continuing to work together to strengthen cyber security and rules and norms in cyberspace’ at their annual meeting in May 2023.

The two nations have a long history of creating trans-Tasman institutions to confront national security threats. A prime example is the Australia-New Zealand Counter-Terrorism Committee (ANZCTC), which promotes cooperation among law enforcement and policy officials in both countries. It played a pivotal role in helping Australian officials understand the challenges faced by their New Zealand counterparts after the 2019 Christchurch massacre. Now it’s time to build on the institutional framework of ANZCTC to create a joint cybersecurity taskforce.

Setting up a joint cyber incident review board would formalise collaboration that Australia and New Zealand already have. After the Latitude data breach, the Office of the Australian Information Commissioner (OAIC) and the New Zealand Office of the Privacy Commissioner (OPC) launched a joint investigation into the company’s practices in handling personal information. As a joint investigation, it will efficiently exploit both agencies’ resources and maybe reduce the regulatory effect on Latitude. Importantly, it won’t preclude the OAIC and OPC from reaching separate regulatory outcomes or making separate decisions on regulatory responses.

In any new institution that confronts digital risks, a genuine partnership model with industry must be built in. Both Canberra and Wellington are trying to adapt national institutions and frameworks, or even design them from scratch, but the issue can’t be solved through government actions alone.

Australia is further along in the process of collaborating with industry on cyber risk. Its 2023–2030 Cyber Security Strategy seeks to re-shape public-private partnership, and one of its aims is to create a cyber incident review board. The board would deliver no-fault, no-liability reports on cyber incidents following investigations conducted by government in conjunction with industry, similar to the United States’ Cyber Safety Review Board. The US version is made up of government and private sector members and sends recommendations directly to the Secretary of Homeland Security and the President.

Exactly what authority Australia’s review board would have—for example, whether it could compel companies, through subpoena, to provide information for an investigation—is being decided following a recent consultation with the public and industry.

As New Zealand considers an update to its 2019 Cyber Security Strategy, it should explore how the Australian model could be translated. New Zealand officials should engage with the results from Australia’s public consultation process and envisage a new approach to industry partnership.

A joint board between Australia and New Zealand would not apportion blame or recommend liability against any company. Instead, it would focus on lessons learned and provide non-binding recommendations to the public. Additionally, if a significant incident were to affect Australia and not New Zealand, representatives from New Zealand could be observers rather than active reviewers. As observers, they could still draw lessons from an incident.

In addition to establishing a smooth collaboration across the Tasman, an Anzac cyber incident review board would be a valuable resource for the broader region. In particular, it would be an asset for the Pacific Cyber Security Operational Network (PaCSON), which brings together government-designated cybersecurity incident response officials from across the Pacific. Australian and Kiwi officials could stand together at future PacSON meetings to offer updates and joint recommendations.

The time is right to modernise tran-Tasman cooperation on cyber security and to digitise the Anzac spirit to tackle cyber threats together.