Department for Home Affairs releases discussion paper on Australia's 2020 Cyber Security Strategy

Australia’s Department for Home Affairs ("DHA") has released a discussion paper on Australia’s 2020 Cyber Security Strategy ("Discussion Paper"), updating the inaugural 2016 Cyber Security Strategy.

The evolution of Australia’s Cyber Security Strategy

The 2016 Cyber Security Strategy led to the implementation of a number of key cyber security measures, including the opening of the national Australian Cyber Security Centre and Joint Cyber Security Centres in five key capital cities; a 24/7 Global Watch for serious cyber incidents; and the appointment of an Ambassador for Cyber Affairs. However, the Discussion Paper notes that since the 2016 Strategy, the “threat environment has changed significantly and we need to adapt our approach”.

In particular, the DHA is concerned about cyber incidents undermining Australia’s:

• essential services (given water, electricity and transport services are increasingly enabled by online networked technologies);
• “enduring institutions”, such as parliamentary networks, universities and hospitals (the recent cyber-attacks on Victorian regional hospitals highlight the validity of these concerns); and
• democratic processes and media (including through unlawful or malicious influencing of public opinion online).

The 2020 Discussion Paper

The Discussion Paper is broad in scope, and requests submissions from interested parties on a total of 26 questions. Below, we set out some of the key topics covered by the Discussion Paper.

The role of businesses and Government in cyber security and protecting consumers

The Discussion Paper notes that the negative effects of cybercrime are often felt by end-users, such as small businesses and individuals. It asks whether the current division of responsibility for cyber security between Government, businesses and individuals is appropriate, or whether it should be realigned.

In relation to industry, it asks whether businesses that help customers access and benefit from the internet (such as Internet Service Providers, hardware manufacturers and software developers) should bear more responsibility for protecting end-users from cyber risks (given that they have the relevant expertise to do so). Conversely, the Discussion Paper also queries whether increased responsibility for these providers could have adverse effects, such as stifling innovation, or, as raised in open forums held during September 2019 ("Open Forums"), imposing onerous compliance costs on small businesses.

The DHA’s (and other government bodies’) role has traditionally been limited to protecting government networks, enforcing the law, and offering advice. The Discussion Paper asks whether this role should be expanded, by requiring the DHA to use its cyber security capabilities more broadly and pro-actively. If so, it may follow that there should be enhanced or mandatory notification obligations, so that the DHA is kept informed of all significant incidents. It might be that the DHA should also be permitted to take immediate action (without the permission of network owners) if it judges that certain situations are “national emergencies”. However, the prospect of a more active DHA raises concerns about how to ensure that the civil liberties and human rights of Australians are protected (in particular, their privacy rights). This uncertainty as to the future scope of the DHA’s role was mirrored by an overarching complaint at the Open Forums regarding the lack of a comprehensive framework for cyber security in Australia (with health and safety legislation given as an example that could serve as a model).

Instilling trust in the cyber security marketplace

The Discussion Paper states that a “trusted market of secure technologies, products, services and professionals” is critical. It questions whether consumers (both individuals and businesses) are adequately protected by laws and regulations when it comes to purchasing cyber goods and services, or whether the current regulatory environment needs to be strengthened. Ideally (and in alignment with trending community expectations) “digital products and services should have security built-in ‘by-design’, so that users do not need to have any expert knowledge”.

It remains to be seen how adopting Australia-specific security requirements would work in practice, given that most large manufacturers of cyber goods are based overseas. Feedback from some industry players at Open Forums was that while they see cyber “trust marks” or accreditation systems as being generally beneficial, these measures are limited by the fact that they can only provide a “point in time” assessment.

The Discussion Paper also queries whether the liability of suppliers is often limited too far by “complex contractual clauses”. The Discussion Paper therefore hints at the possibility of cyber security-specific amendments to consumer protection laws (particularly in relation to unfair contract terms and non-excludable warranties).

There are also ongoing difficulties with ensuring that ICT supply chains are trusted and transparent, and that there is a market of high quality cyber security professionals in Australia. Following the 2016 Cyber Security Strategy, two new national cyber security qualifications were introduced at Box Hill Institute. However, the Discussion Paper notes that there is still potential confusion about what qualifications are needed for what cyber security jobs, and concerns about whether the available education and training is meeting the needs of the sector.

Creating a hostile environment for malicious cyber actors

The Discussion Paper notes the existence of a range of cyber security tools, from low-risk passive measures that are already largely standard practice, to certain tightly-regulated tools that the DHA has exclusive access to, that can be used offensively to disrupt, deny or degrade computers and computer networks of Australia’s adversaries.

It notes that while the DHA will always play a part in countering the most sophisticated attacks, there will be increasing reliance on partnerships and collaboration with industry (particularly in relation to privately-owned critical infrastructure). At Open Forums, it was suggested that the DHA should delegate some of its cyber security powers to the owners of critical infrastructure. Conversely, the Discussion Paper states that if the DHA needs to provide ongoing support to enhance the cyber security capabilities of these owners, then it will need to consider whether to introduce some kind of cost-recovery mechanism.

Submissions

Consultation on the Discussion Paper is open until 1 November 2019, and submissions can be made here. Submitters can answer as many or as few questions as they like. We strongly encourage anyone with an interest in this area, or whose activities may be affected by the 2020 Cyber Security Strategy, to make a submission. We will be following the progress of the new strategy and providing regular updates.