Australia's cyber strategy – a bold regulatory reform agenda
24 November 2023
The 2023-30 Australian Cyber Strategy is a comprehensive blueprint for a more cyber resilient Australia. It demonstrates how the Australian Government intends to deliver on its bold commitment to be a world leader in cyber security by 2030. The Strategy is supported by an Action Plan that is not limited to simply regulatory changes but describes a complex web of measures designed to uplift Australia’s cyber security workforce, lift cyber defences, drive better collaboration, and build cyber resilience into the fabric of our economy.
The Strategy and Action Plan break the six cyber shields into 20 strategic initiatives, with 60 specific actions scheduled to launch over the next two years alone. Many of these are integrated strategic and tactical interventions that build on one another – so that the whole is greater than the sum of its parts.
We have drawn out below some key measures that are likely to impact business in the short term. Read on for a deeper dive into a few of these issues.
"Both government and industry have an interest in ensuring that not paying a ransom is always the most viable option for an organisation … We need a policy response that will allow Australian businesses to survive in circumstances where they do not pay."
The Government has recognised that Australia is not yet ready to ban ransom payments outright. While this remains an "end goal" for the country, the Strategy puts in place measures aimed at making not paying a ransom the most viable option, and to help businesses survive if they don't pay a ransom.
While the Government will develop specific guidance to help organisations make better decisions about ransom payments, we continue to advise clients to develop a comprehensive risk-based approach to ransom incidents and decision making.
"Reporting will enable the Government to effectively monitor, and respond to, the changing risk profile of the cyber threat environment over time"
We expect that mandatory "no-fault, no-liability" reporting of ransom demands and payments will be an early measure, along with anonymised ransomware and cyber extortion trend information sharing.
The success of mandatory reporting obligations will depend on whether organisations can expect to receive meaningful assistance and support, the simplicity of the reporting process (such as the new single cyber incident reporting portal), and the type and quality of information captured.
Understanding how reports will be managed and shared will be vital and organisations will need to trust that information will not be used against them. Tight reporting timeframes might encourage early intervention but might keep ransom targets from coming forward if they miss reporting windows. Worst case, strict reporting obligations may provide leverage for attackers – at least one threat actor has reportedly disclosed its own attack to US authorities, apparently to apply leverage against a target.
"In our experience, the risk of prejudicing future regulatory action, together with reputational and media management risks, currently discourages open cooperation and engagement during a cyber incident. This risk dynamic places additional strain on organisations during the immediate crisis, and can be an unhelpful distraction when organisations need to focus on more critical harm reduction measures."
Government will legislate a "limited use obligation" – new laws to provide "clarity and assurance" on how information shared with the Australian Signals Directorate (ASD) and National Cyber Security Co-ordinator can be used by other government entities, including regulators.
However, this "limited use" will not provide any form of immunity and will not impact regulatory and law enforcement actions. While the exact scope of the "limited use" is to be determined, it is clear this regime is not intended to be any form of safe harbour. A reasonable compromise may be that information will be held by the ASD on a confidential basis but may be provided to other regulators exercising regulatory powers to gather information.
It is also not clear whether this information could be accessed as part of litigation or under freedom of information laws.
We expect that information held by the ASD or the National Cyber Security Coordinator would be accessible to the Cyber Incident Review Board to conduct post-incident "no fault, lessons learned" investigations – which raises the question of whether information collected by the new Cyber Incident Review Board would be covered by a similar "limited use" restriction. Information may be subject to a regime similar to that of the Australian Transport Safety Bureau, which places strict limits on how certain restricted information collected during investigations may be disclosed.
Accompanying the significant areas of regulatory uplift, the Strategy envisages guidance, lessons learned and information sharing, including:
Cyber-capable organisations will already have carefully designed and tested cyber governance and incident response strategies, and will need to take into account additional guidance and information. Additional guidance and information might also be used by regulators, litigants and courts as a tool to gauge if an organisation is meeting expectations.
With heightened expectations from both Government and regulators, we may see a growing gap between regulatory expectations and the practical capabilities of organisations. For example, the Australian Prudential Regulation Authority (APRA) recently reviewed cyber capabilities in Australia's financial system, identifying important deficiencies including in information asset management, control assurance (including over third parties) and incident management and response – and is looking to close cyber gaps as part of the new Operational Risk Management Prudential Standard CPS 230. Similarly, government auditors consistently identify gaps in public sector cyber capabilities.
In our experience, all organisations – big or small – are asking for guidance to align with regulatory expectations and clearly identify best practice. While the proposed guidance will help, its primary target will be to support small and medium enterprises. Large, complex organisations will need to continue to stay ahead of the curve and develop their own, risk based, approaches to cyber and readiness that are appropriate to their complexity and scale, including in supply chains.
The global trend towards intervening at the most impactful point in the ecosystem is reflected in moves to place more responsibility on software developers, including:
Reforms to critical infrastructure legislation are an early priority, with a consultation due to launch imminently.
The Government will:
The Government will also look to drive cyber security in critical infrastructure by:
A shift from pure capacity building to introducing compliance monitoring and evaluation has been previously flagged as the next step in building cyber capability in critical infrastructure. This thinking may have been informed by the Commonwealth Joint Committee of Public Accounts and Audit observations of a "persistent optimism bias" in Commonwealth agencies self-reporting cyber security compliance – and calling for a "robust external assurance process" to ensure an accurate picture of cyber capabilities.
Self-assessments in industry may suffer from the same optimism bias. Independent external evaluations and reviews are an important way of keeping optimism bias in check and maintaining a self-critical culture – in all organisations, but most particularly in critical infrastructure sectors, which will soon face closer scrutiny.
"We need to pivot away from the historical approach that asked 'how can the data be retained', to ask 'should the data be retained'."
The Government will review Commonwealth laws requiring retention of data, other than personal information (personal information will be addressed as part of the Government's response to the Privacy Review Report, and retention of identity information will be considered under the National Strategy for Identity Resilience, informed by moves to expand Digital ID across the economy).
Policy objectives of retaining information must now be balanced against the risks of retaining it – and the costs of keeping it secure. Private and public sector bodies with lived experience of data retention challenges and risks can help regulators and lawmakers strike the right balance.
While various measures in the Strategy and Action Plan call for coordination with or contribution from state and territory governments, there is notably no mention of state and territory data retention obligations. The National Strategy for Identity Resilience includes a commitment from Commonwealth and state and territory governments to support private and public sectors to collect and retain less identity information – but no commitment to work together on a coordinated review.
"Future reform should pivot towards building systemic cyber resilience into the ecosystem"
Consistent with global trends, particularly coming out of the US, Australia's strategy looks to:
This is most clear in the Government's strategy to:
The National Cyber Intel Partnership of 12 major corporates and regulators is currently piloting automated, real-time machine-to-machine communications to block bank phishing scams, aiming to overcome current challenges in rapidly responding to threat information at scale.
This ecosystem level cooperative investment demonstrates the trusted connective tissue role that government can provide – and, if successful, will mean organisations don't need to re-invent the wheel, driving down the cost and improving the effectiveness of threat blocking at scale.
Alongside initiatives like Digital ID, the Government is under increasing pressure to drive short-term progress on ecosystem level protections. While the Government will continue its consultative, co-design approach, organisations (particularly larger ones in critical sectors) will need to plan for how these initiatives will fit into their technology roadmaps and capabilities sooner rather than later.
While participation in these initiatives is currently voluntary, to build ecosystem level resilience we may see, in time, legal requirements or mandatory standards for organisations to ensure they are able to, and do, act on threat information.
The Government recognises that the Strategy is not "fire and forget" – that it will need to adapt in response to changes in the cyber landscape over time, with an updated Action Plan expected every two years. As the threat environment is constantly evolving, expect the regulatory environment to do the same.
In a changing world, our vision at Ashurst is to be a highly progressive global law firm. For over 200 years we have advised corporates, financial institutions and governments on their most complex transactions, disputes and projects. We offer the reach and insight of a global network, combined with our knowledge and understanding of local markets. At Ashurst, we help our clients build cyber resilience and effective cyber risk management through a combination of legal, risk advisory and programme delivery teams. We provide end-to-end, whole-of-life-cycle expertise across cyber, data and privacy issues. Having advised on some of Australia’s most high-profile cyber incidents, we have unique insights and expertise that can improve how organisations prepare for and respond to high-impact cyber incidents, at executive and Board level.
Authors: John Macpherson, Partner, Ashurst Risk Advisory; Amanda Ludlow, Partner; Emma Butler, Partner; John Moore, Director, Ashurst Risk Advisory; Andrew Hilton, Expertise Counsel; Geoff McGrath, Partner; Philip Aquilina, Senior Associate and Robert Todd, Partner.
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.