Cyber security by design: Australia's (future) Cyber Security Strategy

By Gavin Smith, William Coote, Fletcher Stewart, Winnie Ma
Cybersecurity & Privacy Data Technology

In brief

The Federal Government released its much anticipated Cyber Security Strategy 2020 Report on 6 August. The Strategy builds on the foundations of its 2016 predecessor and closely follows the recommendations made by the 2020 Cyber Security Strategy Industry Advisory Panel in its July report.

The new Strategy arrives amid an increasing incidence of state-sponsored and criminal cyber attacks affecting both the public and private sectors in Australia. That risk profile, and the recognition that cyber attacks represent a growing facet of the current chilling in global relations, has translated into a significant increase in the funding envelope for cyber defence-related activities. The Government has committed $1.79 billion (compared to $230 million in the 2016 Strategy) to improve Australia's cyber security through a number of measures.

Other measures include important proposed legislative changes to expand the current critical infrastructure legislation, a consultation on potential new directors' duties, the introduction of voluntary codes and the establishment of a standing 'Industry Advisory Committee'.

The new strategy lays the foundation for further industry engagement ahead of what is likely to be an important and ambitious legislative and regulatory agenda. Watch this space.

Key takeaways

  • Responsibility for Australia's cyber security falls on all governments, business and the community.
  • There is likely to be an emphasis on the need to strengthen the cyber security of entities in the healthcare, education, banking, water, communications, transport and energy sectors. Longer term, the expectation is that all businesses have a role to play in the development of Australia's cyber security resilience.
  • The existing Security of Critical Infrastructure Act 2018 (Cth) will be expanded to cover additional sectors upon which Australians rely, will introduce new government assistance and direct action powers, and will apply to owners and operators, regardless of ownership arrangements.
  • Legislative change is foreshadowed which may also affect privacy, consumer and data protection law, and directors' duties.
  • A voluntary code of practice will be developed to set out the Government's expectations for Internet of Things (IoT) consumer devices.
  • The Strategy proposes adoption of an approach, similar to that of the UK, where government will work with the private sector to increase 'security by design'.
  • A standing 'Industry Advisory Committee' will be established.
  • Significant funding commitments are set out in some detail in the Appendix to the Strategy document.

Changes to the security of critical infrastructure legislation

The Strategy highlights the importance of critical infrastructure to Australia's cyber security strategy, given that 35% of cyber security incidents involved attacks by nation states and state-sponsored actors on either critical infrastructure or government.

In response, the Government is proposing an enhanced regulatory framework for critical infrastructure and systems of national significance, to be delivered through amendments to the Security of Critical Infrastructure Act 2018 (Cth). The framework will:

  • expand the range of sectors currently covered by the existing Security of Critical Infrastructure Act 2018 (Cth) and the Telecommunications and Other Legislation Act 2017 (Cth) (known as the TSSR);
  • be principles based;
  • be developed in a consultative process; and
  • include:
    • enforceable security obligations for certain designated critical infrastructure entities;
    • enhanced cyber security obligations;
    • new government assistance and direct action powers in response to cyber attacks; and
    • voluntary measures to strengthen engagement between businesses.

The details of these changes are not yet clear, but it's likely the Government will include sectors that have been deemed to have particular public significance during the COVID-19 pandemic, including logistics supply chains, health infrastructure, food supply chains, retailers and others.

As part of the Strategy's theme of information sharing, critical infrastructure operators will be able to share intelligence about cyber attacks through the Government's $35 million cyber threat-sharing platform.

Given the Foreign Investment Review Board's imposition of data and security conditions on foreign entities, it is unsurprising that the Strategy states the framework should apply to owners and operators of relevant critical infrastructure regardless of ownership arrangements or the location of the ultimate owner.

Of note, the Strategy states that:

Australian Government agencies will also put a renewed focus on policies and procedures to manage cyber security risks. Standard cyber security clauses will be included in Australian Government IT contracts.

These standard security clauses may well evolve into a baseline for contracting requirements and extend beyond government to the subcontracting supply chains which provide services to government agencies, and to the private sector operators of critical infrastructure and essential services.

While the Strategy does not set out the obligations which will be included in the framework, critical infrastructure entities should continue to ensure that any contractual arrangements with service providers include change management provisions, so that obligations under the relevant agreements can be adapted to comply with any new framework or legislative changes.

Other legislative changes

The Strategy has flagged that the Government will work with businesses to consider other legislative changes that set a minimum cyber security baseline across the economy. While the Strategy does not specify what these legislative changes will entail, it notes that such change could lead to:

  • changes in privacy, consumer and data protection law; and
  • additional obligations on company directors.

Privacy, consumer and data protection

Businesses will be aware that changes to the Privacy Act 1988 (Cth) are already in the pipeline following the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry Report (the DPI) (see our analysis here). It is expected that a first tranche of amendments, to enhance the penalties to align with the Competition and Consumer Act 2010 (Cth), will be consulted on later this year. A further, broader review of the Privacy Act is also anticipated in 2021.

The Office of the Australian Information Commissioner (OAIC) stated in its submission to the consultation process on the new Strategy that 'the effective prevention, mitigation and responses to cyber-related threats are fundamentally linked with effective privacy protection'.

The OAIC also stated that cyber security compliance can be addressed through the auspices of APP 11 and that an accreditation or certification scheme may assist entities to meet their Privacy Act obligations and provide consumers with evidence-based information about the cyber credentials of entities with which they may engage. We expect that any scheme of this nature would require significant engagement with relevant parties prior to its implementation.

Directors' duties

The Strategy states that one potential reform option might also be to introduce specific duties for company directors relating to cyber security. No further detail is provided, but it is possible this could follow the introduction of express provisions in the Australian Prudential Regulation Authority (APRA) Prudential Standard 234 on Information Security, which provide that:

  • the board of a regulated entity is ultimately responsible for the information security of the entity; and
  • the board must ensure the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

Internet of Things

We have previously highlighted in relation to IoT devices that 'failure to give appropriate consideration to their potential vulnerability to cyber attack could have serious implications' (see our Insight here). The Strategy has identified IoT devices as critical to ensuring Australia's cyber security due to the increasing number in use.

While the Strategy does not go into full detail as to how IoT devices will be protected, it does propose the following:

  • there will be a voluntary Code of Practice with 13 principles which will signal to manufacturers the importance of protecting consumers;
  • associated guidance material will be produced by the Australian Cyber Security Centre; and
  • the Government will provide consumers with information about what to take into consideration when purchasing IoT devices.

The Strategy states that 'if voluntary advice and guidance like the Code of Practice is not enough to drive change, then additional steps may need to be considered'. We will keep you updated as further details come to light.

Supply chain

The Strategy has called out the importance of supply chains in the economy-wide approach of uplifting businesses' cyber security capabilities. As part of this uplift, the Strategy aims to:

  • adopt a security by design approach with decision makers and suppliers (similar to the steps taken in the United Kingdom);
  • monitor and build on existing government initiatives that promote innovation in sovereign cyber security research and development; and
  • establish a 'Cyber Security Best Practice Regulation Task Force' to work with businesses and international partners to ensure security is built into digital products, services and supply chains.

Stemming from the Panel's recommendations, the Government will encourage large businesses and service providers to provide small businesses with cyber security information and tools as part of 'bundles' of secure services. This will likely lead to businesses supporting their supply chains in an effort to uplift security as a whole.

While these efforts aim to encourage security by design, transparency, and autonomy and integrity in investment, procurement and security, the Strategy does not address the Panel's specific recommendations relating to supply chains, including the adoption of dynamic accreditation, mandatory product labelling and/or certification.

How does this affect you?

Given the Strategy remains a framework and series of plans at this stage, it is not yet possible to assess precisely who will be affected and how; again, watch this space. However, businesses can act now to ensure that:

  • their supply chain contracts have sufficient flexibility to push through new recommended or mandatory requirements;
  • cyber security-related policies and procedures are up to date and reflect actual business practices; and
  • particularly for critical infrastructure entities, directors and relevant stakeholders are actively informed about their organisation's measures and engaged in the overall strategy relating to their organisation's cyber security program.

We will continue to keep you informed as the Strategy and the associated legislative changes are rolled out.