Themes from the consultation period: 2023 – 2030 Australian Cyber Security Strategy Discussion Paper

Many want to ensure the Cyber Strategy:

• removes regulatory complexity and impost (rather than create more complexity);
• provides clarity on what ‘good’ looks like;
• provides clarity on director / board expectations without a change to directors’ duties;
• gives everyone a better understanding of what Government and law enforcement is doing; and
• seeks to encourage cyber resilience throughout the economy, especially in small and medium enterprise.

There was general consensus that we all play an important role in building a ‘cyber-secure’ nation and the scourge of cyber crime can only be adequately addressed if we all coalesce around cyber resilience uplift. However, risk allocation discussions are necessarily complex. All agree that cyber risks should not be simply shifted to the consumer.

In this regard, we expect to see a shift in rhetoric away from the ‘corporate victim’ to the ‘end user / consumer victim’ and for reform to be guided by this shift. We expect that this will include increased scrutiny on corporates and upstream software providers, following the lead of the United States (noted in its National Cybersecurity Strategy announced in March 2023).

Somewhat surprisingly, many of those we spoke to did not consider the banning of ransom payments to be a high priority, particularly given the lack of data available and the need to concentrate on cyber resilience more generally.

We acknowledge the allure of a ban, given it is a fundamental part of the extortion “business model”. However, in our experience, the number of companies paying ransom demands is materially lower than many think. In fact, we believe the payment of a ransom demand is likely to occur in fewer than 50% of all attacks. If the extortion relates to a data exfiltration (theft) only, we believe that a relatively small minority pay ransoms.

What’s more, a prohibition is not simple. Current extortion methodologies involve attempted encryption (compromising operational / asset integrity) coupled with data theft. Some attacks concentrate on data theft alone.

We believe that a ban on payment could work if an attack only involves data exfiltration (and no encryption). In this circumstance, data has ‘left the building’ and any organisation would essentially be paying for a criminal threat actor’s commitment not to disclose (or misuse) the data. Cold comfort.

We do not, however, see a case for prohibiting ransom payments if the attack successfully deploys ransomware and the impact threatens life, health or the safety of individuals. Putting aside expectations around cyber resilience, it would be a potentially disastrous outcome if organisations were forbidden from payment in these circumstances.

In any respect, we remain in an information vacuum at this time. The payment statistics remain unreliable at best and we believe it would be inappropriate to legislate without accurate data.

Most agree that regulatory intervention may be effective in driving an uplift in cyber resilience. Some have also noted that market forces and self-regulation have not delivered an acceptable level of cyber resilience to date (or indeed, quickly enough). As observed in the US National Cybersecurity Strategy, market forces often reward entities that ‘rush’ to introduce vulnerable products or services into our digital ecosystem.

Regulatory measures need to be commensurate with the risk and impost. We believe that additional regulation (in an already complex regulatory environment) should remain a last resort. This is particularly so given many organisations (particularly our small and medium sized businesses) do not fully appreciate their current cyber maturity and do not know how to prioritise cyber investment. They are also struggling to find guidance on ‘what good looks like’. Large swathes of the economy are calling out for clear and consistent guidance (not regulation), and we believe ‘guidance’ would be the right ‘first step’ in most circumstances.

Many are concerned about the proposed extension of the existing security of critical infrastructure regime (to cover those holding data), but not for the reasons you may expect. While most companies accept that they should focus on cyber resilience and the need to prepare for potential cyberattacks, many consider the recently reformed security of critical infrastructure regime to be overly complex.

They are concerned to ensure that the regime is not expanded without consideration for a more simplified model. Ultimately, the question of expanding the security of critical infrastructure legislation may be a distraction from the broader issues that should be addressed as part of the Cyber Strategy.

Further, many organisations believe that clarity on the outcome of long-awaited privacy reforms is required before we introduce another layer of data protection obligations.

There appears to be little support for any reform of existing laws regarding directors’ duties. In many respects, cyber risk is analogous to all other emerging material risks that remain difficult to define or manage (for example, climate change or ESG-related risks). Many agree that it is not necessary to introduce a specific duty of care owed by directors of companies that have suffered a cyber incident or which would impose further impost on directors.

There was also concern that this could add more confusion to an already overly prescriptive regulatory regime for directors, leading some directors to question why they should accept the role and others to consider the regulatory maze to be all too hard.

Importantly, while boards must exercise ‘proactive supervision’, it should be acknowledged that a board’s role during an incident can often be limited given the nature and pace of an attack.

During our industry engagement there was strong support for timely and accessible threat intelligence. We certainly acknowledge the great work of the Australian Cyber Security Centre (ACSC) in this regard. However, many organisations (and advisers) do not share valuable threat intelligence and often seek to monetise the information (i.e. selling the intelligence as part of a consulting service).

Given that threat intelligence sharing is in everyone’s interest, we query whether the existing model is conducive to achieving the Minister’s ambition. Sharing information would improve public understanding of the nature and scale of ransomware and extortion as a cybercrime type.

So how does the Government collect the data it needs to effectively disseminate threat intelligence with industry? And what (if any) comfort can the Government provide industry to facilitate threat intelligence sharing?

Finally, we observe that many remain concerned about the current regulatory complexity associated with incident response. Many companies have to navigate a myriad of regulatory stakeholders. Some have endorsed a central notification portal with appropriate protections for those notifying (to encourage accurate and prompt notification).

We favour a regime that simplifies the current notification obligations and/or communicates a clear prioritisation of regulatory engagement in the immediate aftermath, so businesses may confidently focus on recovery and the protection of impacted individuals, rather than regulatory notifications and duplicative investigations.