The development of the 2023 – 2030 Australian Cyber Security Strategy (Strategy) is now well under way, after a Discussion Paper was released this week by the Expert Advisory Board appointed by the Minister for Cyber Security, the Hon. Claire O’Neil MP.
To discuss key issues relevant to the Strategy, we hosted the Minister for Cyber Security, the Expert Advisory Board (Andrew Penn AO, Mel Hupfeld AO DSC and Rachael Falk) and a small number of our clients at our Sydney HSF office. We were also joined by industry advisors and key members of the Department of Home Affairs, including the Secretary of the Department of Home Affairs, Michael Pezzullo AO, and Head of the Australian Cyber and Infrastructure Security Centre, Hamish Hansford.
KEY QUESTIONS TO CONSIDER
The Discussion Paper specifically delineates between:
- Core Policy Areas to be addressed in the Strategy (specifically: enhancing and harmonising regulatory frameworks; strengthening Australia’s international strategy on cyber security; and securing government systems); and
- Potential Policy Areas, which may be addressed in the Strategy subject to industry and community feedback (specifically: improving public-private mechanisms for cyber threat sharing and blocking; supporting Australia’s cyber security workforce and skills pipeline; national frameworks to respond to major cyber incidents; community awareness and victim support; investing in the cyber ecosystem; designing and sustaining security in new technologies; and implementation governance and ongoing evaluation).
We have listed the specific questions for consultation below. The questions are self-explanatory in many respects and bring necessary specificity to the relatively broad set of policy areas. The body of the Discussion Paper provides more context if required (accessible here).
Enhancing and harmonising regulatory frameworks
- What ideas would you like to see included in the Strategy to make Australia the most cyber secure nation in the world by 2030?
- What legislative or regulatory reforms should Government pursue to enhance cyber resilience across the digital economy?
- What is the appropriate mechanism for reforms to improve mandatory operational cyber security standards across the economy (e.g. legislation, regulation, or further regulatory guidance)?
- Is further reform to the Security of Critical Infrastructure Act required? Should this extend beyond the existing definitions of ‘critical assets’ so that customer data and ‘systems’ are included in this definition?
- Should the obligations of company directors specifically address cyber security risks and consequences?
- Should Australia consider a Cyber Security Act, and what should this include?
- How should Government seek to monitor the regulatory burden on businesses as a result of legal obligations to cyber security, and are there opportunities to streamline existing regulatory frameworks?
- Should the Government prohibit the payment of ransoms and extortion demands by cyber criminals by: (a) victims of cybercrime; and/or (b) insurers? If so, under what circumstances?
  - (i) What impact would a strict prohibition of payment of ransoms and extortion demands by cyber criminals have on victims of cybercrime, companies and insurers?
- Should Government clarify its position with respect to payment or non-payment of ransoms by companies, and the circumstances in which this may constitute a breach of Australian law?
Strengthening Australia’s international strategy on cyber security
- How can Australia, working with our neighbours, build our regional cyber resilience and better respond to cyber incidents?
- What opportunities exist for Australia to elevate its existing international bilateral and multilateral partnerships from a cyber security perspective?
- How should Australia better contribute to international standards-setting processes in relation to cyber security, and shape laws, norms and standards that uphold responsible state behaviour in cyber space?
Securing Government Systems
- How can Commonwealth Government departments and agencies better demonstrate and deliver cyber security best practice and serve as a model for other entities?
Improving public-private mechanisms for cyber threat sharing and blocking
- What can government do to improve information sharing with industry on cyber threats?
- During a cyber incident, would an explicit obligation of confidentiality upon the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) improve engagement with organisations that experience a cyber incident so as to allow information to be shared between the organisation and ASD/ACSC without the concern that this will be shared with regulators?
- Would expanding the existing regime for notification of cyber security incidents (e.g. to require mandatory reporting of ransomware or extortion demands) improve the public understanding of the nature and scale of ransomware and extortion as a cybercrime type?
- What best practice models are available for automated threat-blocking at scale?
Supporting Australia’s cyber security workforce and skills pipeline
- Does Australia require a tailored approach to uplifting cyber skills beyond the Government’s broader STEM agenda?
- What more can Government do to support Australia’s cyber security workforce through education, immigration, and accreditation?
National frameworks to respond to major cyber incidents
- How should the government respond to major cyber incidents (beyond existing law enforcement and operational responses) to protect Australians?
- Should government consider a single reporting portal for all cyber incidents, harmonising existing requirements to report separately to multiple regulators?
- What would an effective post-incident review and consequence management model with industry involve?
Community awareness and victim support
- How can government and industry work to improve cyber security best practice knowledge and behaviours, and support victims of cybercrime?
- What assistance do small businesses need from government to manage their cyber security risks to keep their data and their customers’ data safe?
Investing in the cyber security ecosystem
- What opportunities are available for government to enhance Australia’s cyber security technologies ecosystem and support the uptake of cyber security services and technologies in Australia?
- How should we approach future proofing for cyber security technologies out to 2030?
- Are there opportunities for government to better use procurement as a lever to support and encourage the Australian cyber security ecosystem and ensure that there is a viable path to market for Australian cyber security firms?
Designing and sustaining security in new technologies
- How should the Strategy evolve to address the cyber security of emerging technologies and promote security by design in new technologies?
Implementation governance and ongoing evaluation
- How should Government measure its impact in uplifting national cyber resilience?
- What evaluation measures would support ongoing public transparency and input regarding the implementation of the Strategy?
“Recent breaches demonstrate why more needs to be done to make sure our laws recognise there is widespread data collection and governments and industry both have an essential role to play in hardening networks and securing our economy.”
– Expert Advisory Board, 2023-2030 Australian Cyber Security Strategy Discussion Paper, page 7.
Submissions are due to [email protected] by 15 April 2023.
While this provides us all with 6 weeks to review and prepare feedback, the issues raised are broad and complex.
We will continue to actively engage in industry roundtables and discussions and will be working with many of our clients, preparing responses to the Discussion Paper.
As this process unfolds, we are available to further share with you the sentiment from industry and the key themes coming out of those various fora.
If you have any questions about the Discussion Paper or the 2023 – 2030 Australian Cyber Security Strategy more generally, please do not hesitate to reach out to us.