Watch Out - Cyber Security Overhaul Incoming

The Australian government has announced plans to reform Australia’s cyber security framework following several serious data breaches in the last year, including Optus and Medibank. The Australian government’s 2023-2030 Australian Cyber Security Strategy Discussion Paper is available for download here.

On 27 February 2023, Home Affairs Minister Claire O’Neil told ABC Radio that the current laws “are not fit for purpose at the moment, and I do think they need reform”. O’Neil criticized the former Government’s cyber security laws and said that they were “bloody useless” in the wake of the serious Optus and Medibank data breaches.

Current Framework

Australia’s current cyber security framework is governed largely by the Security of Critical Infrastructure Act 2018 (SOCI Act). The SOCI Act, among other things, imposes obligations on responsible entities for certain critical infrastructure assets to comply with certain risk management programs, including providing an annual report to the Australian government on those measures. However, the SOCI Act has been criticized because it ostensibly gives the Australian government the power to take over compromised business systems, and businesses are almost always resistant to granting the government any system access.

Reform

In February this year, the Government released a discussion paper to explore reform of Australia’s “patchwork of policies, laws and frameworks that are not keeping up with the challenges presented by the digital age” with a goal to “make Australia a world-leader in cyber security by 2030”. The Australian government has also announced that it will appoint a Coordinator for Cyber Security, supported by a national office within the Department of Home Affairs. Their role will be to ensure a “centrally coordinated approach” to cyber security threats and incidents.

The government’s discussion paper indicates that Australia’s cyber security strategy will be developed in partnership with industry, academia, state and territory governments, and the Australian and international community. The Expert Advisory Board has already commenced consultation on the strategy through a series of roundtables focused on core policy themes, including:

  1. Enhancing and harmonising regulatory frameworks, including clarifying the cyber security obligations of Australian businesses and non-government entities, and establishing “best practice cyber security standards”.
  2. Strengthening Australia’s international strategy on cyber security, by taking tangible steps to shape global thinking in relation to new and emerging technologies.
  3. Securing government systems and establishing a framework which accounts for, among other things, best practice standards and the appropriate support for individual government departments to manage their cyber security risk profile.

The discussion paper also identifies specific areas for potential action, including:

  1. improving public-private mechanisms for cyber threat sharing and blocking;
  2. supporting Australia’s cyber security workforce and skills pipeline;
  3. national frameworks to respond to major cyber incidents;
  4. community awareness and victim support; 
  5. investing in the cyber security ecosystem;
  6. designing and sustaining security in new technologies; and
  7. implementation governance and ongoing evaluation.

Lavan comment

According to the 2021-22 Threat Report by the Australian Cyber Security Centre, on average, one cyber incident is reported every 7 minutes, with over 76,000 cyber crime reports in 2021-2022. In perhaps the most disastrous examples of cyber threats in Australia, over a three-week period in 2022, the personal data of over 9.8 million Optus customers and 9.7 million Medibank customers was stolen by cyber criminals.

It is clear, then, that measures need to be in place to improve Australia’s cyber security resilience and protect Australians and their personal data.

What those measures look like, how they are implemented, and how they affect Australian individuals and businesses remain to be seen. So watch this space, and if you have any questions arising from this update, please do not hesitate to contact Iain Freeman, Partner in Lavan’s Litigation and Dispute Resolution Team.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.