The Cybersecurity Strategy 2023-2030 (the Strategy) is Australia’s blueprint for cyber-safety by 2030, with three horizons to get there. The Action Plan for the first horizon (2023-2025) sets the foundations for the rest of the strategy to follow, and unsurprisingly includes a lot of legal and regulatory elements to support horizons two and three. For the legal community, there is something for everyone: migration law, procurement, consumer, corporate and commercial, in-house, and of course government.
For those hoping the Strategy would provide the answers to many questions and uncertainties around regulatory changes, there is still a long wait ahead. The detail is still to be worked through, much of it in consultation with industry. Many months, if not years, will pass before new regulation takes effect.
The Strategy does flag some big changes from a legal and regulatory perspective, which are spread across the 6 ‘Shields’: 1. Strong Business and Citizens, 2. Safe Technology, 3. World-Class Threat Sharing and Blocking, 4. Protected Critical Infrastructure, 5. Sovereign Capabilities, and 6. Resilient Region and Global Leadership.
SHIELD 1: STRONG BUSINESS AND CITIZENS
Under this Shield the government has flagged 6 major changes that will have regulatory or legal implications:
International regulatory frameworks (section 3.2):
the government will be working on global efforts to create enforceable and meaningful legal frameworks to combat cybercrime including adoption and implementation of the Council of Europe Budapest Convention on cybercrime. The challenge of cybercrime is that it is borderless. Actually disrupting it requires international collaboration, backed by regulation allowing law enforcement to take action against criminals in one country who are committing crimes on the other side of the world. These changes will need to balance human rights, fundamental freedoms, and the rule of law against the practicality of catching criminals on the other side of the world within the borders of hostile states.
Mandatory ransomware reporting (section 3.1) :
this Shield also proposes a targeted program on ransomware that will include a ‘no-fault, no-liability ransomware reporting obligation.’ Details on this obligation are still to be developed, but it will likely use another major piece of the Strategy – the single reporting portal – to implement it. What ‘no-liability’ means in this context is still unclear. What ‘safe-harbour’ protection the government is considering will likely provide immunity only from government fines and actions, not class actions and litigation under other heads of loss such as breach of contract, breach of confidentiality, IP infringement, and so on.
It’s not clear if there will be a threshold for mandatory ransomware reporting. Any thresholds imposed tend to simply reshape the threat actor’s behaviour and ‘business model’. For example, any new ransomware attacks are likely to simply ask for a ransom under the reporting threshold, knowing it is attractive for an organisation to avoid having to publicly report an attack if they can simply make it go away.
Cryptocurrency and the legality of paying ransoms (section 3.3):
the government will also regulate cryptocurrency as they are the most common form of ransom demand. The reforms will also review anti-money laundering and counter-terrorism financing laws and how they apply to digital currency transactions. Long held out as ‘technically legal’, ransomware payments will likely, technically, become illegal. They are already illegal where they involve money laundering, financing terrorism, and payments in furtherance of a crime. However, where they use digital (unregulated) currency, the law is murky. The regulatory changes will aim to clear that up.
Cyber Incident Review Board and lessons learned (section 5.2):
a ‘no-fault’ post-incident review mechanism will allow a new Cyber Incident Review Board to learn lessons from major incidents. What ‘no-fault’ means is unclear, other than the review board itself won’t ‘find fault’. To have organisations participate and share information fully there will need to be significant cooperation and information sharing by impacted parties. Unless mandated under law, organisations may be reticent to participate where the information shared could expose them to investigations by other regulatory bodies and subsequent civil lawsuits. Given the findings will be “shared with the business community and the wider public”, there will be serious questions around confidentiality and legal privilege as the government’s plans for how this will work in practice are developed. There is no doubt that the idea is sound, and based on best practices for Incident review and threat intelligence sharing. Under section 6.2 there is a proposed ‘limited use’ on information that is shared with ASD and the Cyber Coordinator – but it isn’t linked to the Cyber Incident Review Board. Perhaps just a drafting oversight? Regardless, how information is shared but still protected in the long tail litigation consequences of cyber breaches will need careful consideration.
Single reporting portal (section 6.1):
to simplify the overlapping and complex regulatory reporting obligations imposed by OAIC, ASIC, APRA, ASX, and others, there will be a ‘one-stop shop’ for reporting a breach to Australian government at ACSC’s cyber.gov.au site. This is a relief for all in-house counsel, but won’t replace obligations to notify customers, shareholders, non-government stakeholders, and international government reporting.
Digital ID and PSPF (section 7.1):
the Protective Security Policy Framework may be reviewed to include specific security requirements for Digital ID. This will have flow-on consequences for all agencies, and suppliers to government who are contractually required to comply with the PSPF.
SHIELD 2: SAFE TECHNOLOGY
Internet of Things (IOT) standard (section 8.1):
legislation to implement a mandatory cybersecurity standard for IOT devices sold in Australia will aim to ensure that Australian consumers are protected from un-secure devices in their homes and businesses. (What’s an IOT? Anything that is connected to the internet, which these days includes your fridge and your lightbulbs).
Datasets of National Significance (section 9.1):
regulation may be updated to cover sensitive and critical datasets not otherwise covered by SOCI Act and other regulations. The datasets will be assessed for storage, governance, data protection measures, and potentially brought under new control requirements (potentially like SOCI).
Legislated Data Retention (section 9.2):
currently, organisations are required to keep data for various and often long periods of time. Retention of personal data is already considered under the Privacy Act Review and planned reforms. The government will now also focus on non-personal data retention obligations, with a view to removing unnecessary data retention that makes organisations more attractive cyber targets.
Responsible and safe AI (section 10.1):
while specific regulatory changes weren’t flagged in the Strategy, it did flag that it was working with other governments and the tech sector on what guardrails are appropriate for AI, including security by design.
Post-Quantum Cryptography standards and the Information Security Manual (ISM) (section 10.2):
the government will make changes to the ISM to reflect new standards for post-quantum cryptography, which will impact all Commonwealth entities and suppliers to the Commonwealth who are contractually bound to comply with the ISM.
SHIELD 3: WORLD-CLASS THREAT SHARING AND BLOCKING
Threat Intelligence Sharing (section 11.2):
the government wants to facilitate threat sharing across the economy, particularly for vulnerable sectors that currently have poor sharing mechanisms, such as health. From a legal perspective, this will mean threat intelligence sharing agreements. In-house counsel should seek advice when reviewing and considering these highly specialised agreements involving sharing and receiving sensitive threat intelligence.
SHIELD 4: PROTECTED CRITICAL INFRASTRUCTURE
Telecommunications regulation changes (section 13.1):
in an effort to consolidate security regulation and reduce complexity and duplication, the Government has flagged moving the Telecommunication Sector Security Reforms from the Telecommunications Act 1997 into the SOCI Act. Businesses operating under existing telecommunications legislation will need to engage with the government as these changes are made to ensure this ‘housekeeping’ doesn’t result in unintended consequences. The changes announced last week following Optus’s major outage to bring telcos under the SOCI Act, have already been flagged as an unreasonable additional burden on those doing the right thing because of the actions of one who was not.
Maritime and Aviation Sector security (section 13.1):
under a flagged ‘reform agenda’, the government will be updating existing legislation to proactively manage cyber-related risks. While the DP World attack makes the need for action in this space obvious, it’s unclear what the government expects this proactive management would actually involve, and what legal, commercial and operational obligations it will place on the sector to bring it into being.
Further clarification of the SOCI Act (section 14.2):
the Government has flagged further changes to the SOCI Act around the protection of ‘business critical’ data storage systems (section 13.2) as well as powers to ‘direct’ entities to uplift risk management plans where they are deficient, as well as ‘enhanced’ review and remedy powers. The biggest change may in fact be a new ‘power to ‘manage’ nationally significant incidents. How this ‘management’ power would work is not detailed, but it may look like old-fashioned ‘step-in’ powers from Commonwealth outsourcing contracts. The government is yet to spell out how it will manage liability for damage caused, consequences for confidentiality, cost and governance of organisations where the Commonwealth ‘steps in’ to ‘manage.
Security of Commonwealth Government (Section 15):
lawyers working for the Commonwealth should expect to see a significant increase in procurement activity and advice related to uplifting the Commonwealth’s own cybersecurity maturity. New controls will also be defined in the ISM and PSPF which will have flow-on consequences for all agencies and providers to the Commonwealth. This uplift is much needed, as this time last year, only 11% of Commonwealth agencies met the Commonwealth’s own standards for cybersecurity. The Government flagged adopting a ‘federated approach’ to growing and managing in-house cyber capabilities. This sounds like a centralised government cybersecurity capability similar to the way some State governments manage their cyber teams – but no further details were set out. Removing functions from across the government and putting them in a single repository could have significant regulatory and governance impacts for projects and contracts across the Commonwealth’s activities and procurements.
Systems of Government Significance (Section 15.2):
Government systems that are ’critical to our national interest’ will have new security standards. This will naturally flow into the procurement and management of these systems, including legal aspects. Providers to government will need to be closely involved in consultation around these standards to ensure they can be met in practice and still allow the government to receive the services it seeks. Providers may also find themselves with a higher set of cybersecurity standards to meet in the delivery of services and systems as a consequence. The flow on costs in delivery and governance will need to be factored in to any contract renewals and service offerings.
SHIELD 5: SOVEREIGN CAPABILITIES
Migration law amendments (Section 17.1):
modifications to migration policy will focus on cybersecurity-skilled migrants. While there is no doubt Australia lacks the workforce to meet today’s cybersecurity challenges, let alone tomorrow’s, it’s an open question about whether that workforce exists offshore in sufficient numbers to be enticed here. It’s also unclear how the government plans to manage the tension inherent in relying on newly arrived migrants to fill national security sensitive jobs. It will be difficult for the government to require ‘sovereign capabilities’ if that capability is made up of non-sovereign workers.
SHIELD 6: RESILIENT REGION AND GLOBAL LEADERSHIP
International standards for technology development (section 20.1):
setting standards to ensure technology accessed and used in Australia is consistent with international standards. Having Australian standards which are out of step with international standards would have left Australia with an unsustainably small market for many technologies, and this change will be welcomed by product lawyers for technology companies across the country.
Actions to uphold international law (20.4):
implementation of existing international law and norms to cyberspace, including participation in international discussions on how to apply international law in cyberspace. The government has recognised that having strong locks is not enough to keep you safe in the long run. For sustainable security you need a strong community of safety, and this measure signals that Australia will put effort into bringing that community into being.
There is no clear plan for a ‘Cybersecurity Act’ to bring all Australian cybersecurity legislation into one place. The Government is using its newest legislation, the SOCI Act, as the home for loose ends. However, like a patchwork quilt too small for the bed it only covers part of the Australian economy. While this strategy will certainly keep us warmer than we were before, by the time the next strategy comes around I’m sure everyone will have noticed how cold our toes are getting. The Government may also add patches, piece by piece, over time.
The strategy also notably lacks provisions for safe-harbour or amendments to the Commonwealth Criminal Code, which would allow security researchers to operate without fear of prosecution or lawsuits. Perhaps it will follow in the next Strategy.
There is an enormous amount of work ahead of the Government, and their legal advisors, in implementing this strategy through regulatory reform. Many of the legal implications for the private sector will depend on specifics not spelled out in the Strategy. In most areas of reform industry will need to actively contribute to the ‘collaborative’ development of standards and regulations the government repeatedly flagged. While the government’s aims are worthy and necessary, they will only be effective and workable if industry helps shape the change, particularly making clear how emerging technologies and business models can combine with new regulation to have the outcomes government, business and the community all want for a cybersecure Australia.