Australia’s cyber strategy, version 2.0

Back in 2016, Australia launched a new national cybersecurity strategy.* The strategy covers a four-year period to 2020, and given the changes in the security environment, an update is now clearly warranted. To that end, the government has just released a discussion paper to kick off the public consultation. The closing date for submissions on the discussion paper is 1 November.

To complement the public submission process, ASPI’s International Cyber Policy Centre is initiating a public debate on what should be included in the next cybersecurity strategy. Contributions will be compiled into a report that we will deliver to the Department of Home Affairs to inform the strategy’s development.

The overarching themes are what the strategy should focus on and how the government can achieve maximum impact in a resource-constrained environment.

The last strategy had 33 initiatives and a funding package of $230 million for four years. That was a huge number of initiatives and a pretty modest budget given what was proposed. The next strategy needs to be a lot more focused, given significantly greater resourcing seems unlikely.

There are, of course, lots of things that could be included in the strategy, and the government’s discussion paper poses plenty of questions for contributors to explore. But to kick things off, I wanted to propose three areas of focus.

The first is the safety of physical systems as we connect more and more of them to the internet. We’re rapidly shifting from a world that connected things that couldn’t physically hurt us if compromised (like phones, laptops and PCs) to a world where we’re connecting lots of things that could seriously injure or kill us if compromised (cars, machinery, aeroplanes). We’ve already seen several near misses at factories and fatal crashes involving driverless cars (although not yet due to a malicious cyber compromise).

Injuries and deaths from cyberattacks will dramatically increase political attention. But in the case of social media companies, we’ve seen how problematic it can be to retrospectively regulate in a hurry, especially when it involves writing new legislation over the weekend. A top priority for the strategy has to be narrowing down the types of systems that pose a real risk of causing injury and/or death and ensuring a high level of cybersecurity for those connected devices (noting the many pitfalls of regulation).

The second proposal is to make greater use of the government’s procuring power to drive improved standards within government and for firms that sell to government. There are several ways the government could do this. It could, for example, mandate minimum cybersecurity standards in its tender documents (at present, it mostly doesn’t do this)—for example, when purchasing new hardware and software for the public service.

It could also mandate that contractors that sell to government meet minimum cybersecurity standards themselves. At present, there’s lots of potential for contractors to handle government data using less secure systems. The Department of Human Services has done some good work leveraging its purchasing power to extend the secure supply chain, and the Australian Prudential Regulation Authority’s draft standard on information security looks at extending obligations on regulated entities to third parties.

The third proposal is to expand the scope of the rules for mandatory reporting of data breaches. There are two key aspects to this. First, the law needs to be expanded beyond personal data to breaches in general. At present, a company could lose all of its intellectual property without any obligation on it to disclose what in reality would be a major breach. Companies also don’t need to disclose a breach that affects their customers (for example, in the case of Cloud Hopper, it seems that at least some managed service providers did not notify their clients that they had been compromised).

One argument commonly used against compulsory disclosure is that notification laws could perversely discourage companies from searching for breaches. But that’s the situation that exists already—compromises are rife, security is poor, and it’s past time for overlapping direct measures that ensure all organisations take security seriously.

The second change to the law that’s needed is the imposition of fines. At present, there’s no incentive for some sectors to respond to the current ‘name and shame’ tactics. Without fail, every quarter, the health sector is the worst offender under Australia’s notifiable data breach scheme. Even though data on people’s health is the most sensitive information anyone holds, the sector has no incentive to improve because consumers have no choice but to go to their doctors and hospitals and there is no single brand on which consumers can target their frustration. So bad behaviour persists. Fines would help sharpen the focus on dealing with this current failure.

That is by no means an exhaustive list. The government’s paper poses 26 questions to start the discussion. Over the coming weeks, we look forward to hearing a wide range of views. Please send your contribution to ASPI’s International Cyber Policy Centre at [email protected].

* An earlier version of this post referred to the 2016 cybersecurity strategy as the first one for Australia. The inaugural cybersecurity strategy was released in 2009 by the Attorney-General’s Department. Many thanks to the reader who brought this error to our attention.