On 15 April 2023, the consultation period for the 2023 – 2030 Australian Cyber Security Strategy Discussion Paper (Discussion Paper) closed. What key themes have we seen?
It has been 7 weeks since the Minister for Cyber Security, Clare O’Neil MP, attended our office in Sydney to engage with various leaders in the legal profession. On the same day, the Minister announced the launch of the consultation period.
Since this time, we have had the privilege of engaging with a large number of our clients and various other industry participants as they considered the questions raised in the Discussion Paper.
To bring you up to speed…
The Discussion Paper was divided into two parts:
- Part A set out ‘core policy areas to be included in the 2023-2030 Australian Cyber Security Strategy’ (Cyber Strategy), specifically legislative and regulatory reform, ransom payments and international cooperation / collaboration.
- Part B looked at ‘areas for potential action’, including threat intelligence sharing, improvements to breach response, cyber awareness, the need to uplift cyber skills and managing technology evolution to maintain a sustainable strategy.
The delineation between Parts A and B surprised many of us. The Discussion Paper appeared to prioritise the ‘core policy areas’ set out in Part A. Over the course of the consultation period, we observed a noticeable difference in prioritisation from corporate Australia. Issues raised in Part A (for example, the proposal to ban the payment of ransom demands) were often deprioritised in favour of issues raised in Part B (for example, threat intelligence sharing and regulator coordination).
As the consultation period unfolded, it became clear that the Expert Advisory Panel (appointed by the Minister in December 2022) was open to proposals on all aspects of the Cyber Strategy. There was a lot of blue sky in the Discussion Paper, and the themes were broad and generated a diverse range of opinion. However, a number of consistent themes (and points of view) bubbled to the surface. We set out some of these below.
Many want to ensure the Cyber Strategy:
- removes regulatory complexity and impost (rather than creating more complexity);
- provides clarity on what ‘good’ looks like;
- provides clarity on director / board expectations without a change to directors’ duties;
- gives everyone a better understanding of what Government and law enforcement are doing; and
- seeks to encourage cyber resilience throughout the economy, especially in small and medium enterprise.
There was general consensus that we all play an important role in building a ‘cyber-secure’ nation and the scourge of cyber crime can only be adequately addressed if we all coalesce around cyber resilience uplift. However, risk allocation discussions are necessarily complex. All agree that cyber risks should not be simply shifted to the consumer.
In this regard, we expect to see a shift in rhetoric away from the ‘corporate victim’ to the ‘end user / consumer victim’ and for reform to be guided by this shift. We expect that this will include increased scrutiny on corporates and upstream software providers, following the lead of the United States (noted in its National Cybersecurity Strategy announced in March 2023).
Somewhat surprisingly, many of those we spoke to did not consider the banning of ransom payments to be a high priority, particularly given the lack of data available and the need to concentrate on cyber resilience more generally.
We acknowledge the allure of a ban, given it is a fundamental part of the extortion “business model”. However, in our experience, the number of companies paying ransom demands is materially lower than many think. In fact, we believe the payment of a ransom demand is likely to occur in fewer than 50% of all attacks. If the extortion relates to a data exfiltration (theft) only, we believe that a relatively small minority pay ransoms.
What’s more, a prohibition is not simple. Current extortion methodologies involve attempted encryption (compromising operational / asset integrity) coupled with data theft. Some attacks concentrate on data theft alone.
We believe that a ban on payment could work if an attack only involves data exfiltration (and no encryption). In this circumstance, data has ‘left the building’ and any organisation would essentially be paying for a criminal threat actor’s commitment not to disclose (or misuse) the data. Cold comfort.
We do not, however, see a case for prohibiting ransom payments if the attack successfully deploys ransomware and the impact threatens life, health or the safety of individuals. Putting aside expectations around cyber resilience, it would be a potentially disastrous outcome if organisations were forbidden from payment in these circumstances.
In any respect, we remain in an information vacuum at this time. The payment statistics remain unreliable at best and we believe it would be inappropriate to legislate without accurate data.
Most agree that regulatory intervention may be effective in driving an uplift in cyber resilience. Some have also noted that market forces and self-regulation have not delivered an acceptable level of cyber resilience to date (or indeed, quickly enough). As observed in the US National Cybersecurity Strategy, market forces often reward entities that ‘rush’ to introduce vulnerable products or services into our digital ecosystem.
Regulatory measures need to be commensurate with the risk and impost. We believe that additional regulation (in an already complex regulatory environment) should remain a last resort. This is particularly so given many organisations (particularly our small and medium sized businesses) do not fully appreciate their current cyber maturity and do not know how to prioritise cyber investment. They are also struggling to find guidance on ‘what good looks like’. Large swathes of the economy are calling out for clear and consistent guidance (not regulation), and we believe ‘guidance’ would be the right ‘first step’ in most circumstances.
Many are concerned about the proposed extension of the existing security of critical infrastructure regime (to cover those holding data), but not for the reasons you may expect. While most companies accept that they should focus on cyber resilience and the need to prepare for potential cyberattacks, many consider the recently reformed security of critical infrastructure regime to be overly complex.
They are concerned to ensure that the regime is not expanded without consideration for a more simplified model. Ultimately, the question of expanding the security of critical infrastructure legislation may be a distraction from the broader issues that should be addressed as part of the Cyber Strategy.
Further, many organisations believe that clarity on the outcome of long-awaited privacy reforms is required before we introduce another layer of data protection obligations.
There appears to be little support for any reform of existing laws regarding directors’ duties. In many respects, cyber risk is analogous to all other emerging material risks that remain difficult to define or manage (for example, climate change or ESG-related risks). Many agree that it is not necessary to introduce a specific duty of care owed by directors of companies that have suffered a cyber incident or which would impose further impost on directors.
There was also concern that this could add more confusion to an already overly prescriptive regulatory regime for directors, leading some directors to question why they should accept the role and others to consider the regulatory maze to be all too hard.
Importantly, while boards must exercise ‘proactive supervision’, it should be acknowledged that a board’s role during an incident can often be limited given the nature and pace of an attack.
During our industry engagement there was strong support for timely and accessible threat intelligence. We certainly acknowledge the great work of the Australian Cyber Security Centre (ACSC) in this regard. However, many organisations (and advisers) do not share valuable threat intelligence and often seek to monetise the information (i.e. selling the intelligence as part of a consulting service).
Given that threat intelligence sharing is in everyone’s interest, we query whether the existing model is conducive to achieving the Minister’s ambition. Sharing information would improve public understanding of the nature and scale of ransomware and extortion as a cybercrime type.
So how does the Government collect the data it needs to effectively disseminate threat intelligence with industry? And what (if any) comfort can the Government provide industry to facilitate threat intelligence sharing?
Finally, we observe that many remain concerned about the current regulatory complexity associated with incident response. Many companies have to navigate a myriad of regulatory stakeholders. Some have endorsed a central notification portal with appropriate protections for those notifying (to encourage accurate and prompt notification).
We favour a regime that simplifies the current notification obligations and/or communicates a clear prioritisation of regulatory engagement in the immediate aftermath, so businesses may confidently focus on recovery and the protection of impacted individuals, rather than regulatory notifications and duplicative investigations.
The Discussion Paper demonstrates a very ambitious plan to address immediate concerns about Australia’s cyber resilience and to make Australia a world-leader in cyber security by 2030. We expect the Expert Advisory Panel is now working through a large number of submissions across a broad cross-section of the economy.
While the official consultation period for the Discussion Paper has ended, we expect robust discussion and constructive debate to continue. The threat landscape is changing dramatically and at this rate, it may well outpace some of the Discussion Paper initiatives in the short term.
We note that many companies are currently investing materially in cyber resilience uplift, including assessing the size, sensitivity and age of their data holdings. The strategy to minimise the attack surface (by reducing data holdings) is a positive step in the right direction.
We do not expect a finalised Cyber Strategy until later this calendar year and we continue to encourage active engagement on all aspects of the Discussion Paper.
To discuss key issues relevant to the Strategy, we hosted the Minister for Cyber Security, the Expert Advisory Board (Andrew Penn AO, Mel Hupfeld AO DSC and Rachael Falk) and a small number of our clients at our Sydney HSF office. We were also joined by industry advisors and key members of the Department of Home Affairs, including the Secretary of the Department of Home Affairs, Michael Pezzullo AO, and Head of the Australian Cyber and Infrastructure Security Centre, Hamish Hansford.