Getting regulation right to improve Australia’s cybersecurity
15 Aug 2023

Poor cybersecurity is a risk to the interconnected digital systems on which we all increasingly rely, while improved security is an opportunity to build trust and advantage by enabling further digital transformation.

The Australian government has recognised the challenge and is developing a new national cybersecurity strategy, expected in the next few months. The strategy will need to cover a diverse range of digital infrastructure, with a mixture of private and public ownership and responsibility.

While it’s become clear from recent failures that the free market isn’t consistently driving all of the required behaviours and actions, the government needs to be careful in how it approaches regulation. Even if it were inclined to try to secure everything directly itself, it lacks the necessary budgets, skills and resources. Therefore, the upcoming strategy will need a collective approach, combining direct government action with a range of measures to ensure other stakeholders also act to improve security.

Reading the tea leaves from recent government statements and announcements, it seems likely that regulation will be a strong feature of the new strategy. That might mean mandating specific measures and—if recent Privacy Act changes are a guide—backing them up with stiff financial penalties for non-compliance.

Certainly, regulation can be a powerful mechanism to modify incentives and change behaviour. But going from writing a regulation to practically improving cybersecurity is a rocky path, depending on many technical, social and economic factors. Assumptions must be validated and knock-on effects considered to ensure the necessary impact is achieved, without being offset by unintended consequences on the behaviour of companies and organisations.

In my new report for ASPI, I examine the landscape in Australia and find that regulations are a patchwork of general, cyber-specific and sector-specific measures with a lack of cohesion that causes overlaps and gaps. There are also many regulatory initiatives underway at the federal level, such as the eSafety legislation and broader Privacy Act review, that will add to this complexity, even before adding proposals by some states to implement their own regulations. If the government decides to introduce a new cybersecurity act, it should simplify regulations by replacing existing ones rather than introducing additional ones that sit over the top. Simplification makes compliance easier and cheaper, which makes it more likely the regulations will be effective.

However, we need to go further. Any proposed new regulation must start with a clear purpose. What aspect of the cybersecurity challenge does it seek to address? What is its desired impact? Why is regulation the best solution? And what is the appropriate target—the provider, the end user or some other party? Regulation should target the party best placed to manage the risk, at the point where behaviour modification will be most effective. For example, instead of telling a small business to implement a complex set of controls, regulation might better ensure that the technology service providers it will rely on provide such features as standard.

Compulsion—telling the affected party that it must, or must not, do a certain thing—is just one form of regulation. The government should remember other options such as facilitation, enabling frameworks and direct intervention. Compulsion has an important role, but it should be used carefully and strategically. It imposes cost on organisations for compliance, while encouraging them to do the bare minimum and putting a burden on the government for enforcement. It could be appropriate to use compulsion for setting the minimum for cyber hygiene, but we will need other measures to encourage and facilitate organisations to go further.

Regulatory design must define the metrics it seeks to directly influence and how they can achieve the intended benefits. In cybersecurity, these measures should, where possible, be risk based, ensuring potential vulnerabilities are understood and managed according to the situation and potential impact rather than prescribing specific technical measures such as ‘implement ZYX firewall’ or ‘change your password every 90 days’. This is because the actual technical measures required will depend on the situational context, will change as technology changes, and will only work in combination with measures related to people and processes. We also need to ensure those metrics are measurable—so the regulations can be readily enforced, and we can actually tell how well they are working.

Regulatory design should also involve all stakeholders, drawing on the perspectives, experiences and knowledge they can add. It should take into account the international climate. Our allies and partners are addressing the same challenges; we can learn lessons from them. And by avoiding approaches that are specific to Australia except when strictly necessary, we can increase the likelihood that companies operating globally will be able to comply. We should also be ready to leverage the clout of larger markets like the US and the EU, influencing global operators in a way that Australia couldn’t do alone.

Finally, regulation cannot be set and forget. An iterative approach is needed, measuring impact and working out how to improve. Even if we get it right on day one, the pace of technology change means the regulatory approach needs to evolve to avoid becoming irrelevant after even a few months. An obvious example is recent rapid developments in artificial intelligence that are raising awareness of new security risks.

The approach I’ve outlined here, of designing and implementing regulation using a considered framework and thinking more broadly than just ‘implement XYZ or face a big fine’, will give the government’s cybersecurity strategy a strong chance of being relevant and effective.