Business Insight

Australia's cyber strategy – a bold regulatory reform agenda


    Expect significant regulatory change and guidance from government that reinforces recent comments from regulators about the need for Boards to be held accountable for managing cyber risk.

    What you need to know

    • Australia's 2023-2030 Australian Cyber Security Strategy was released by Home Affairs Minister Clare O'Neil on 22 November 2023, supported by an Action Plan detailing key initiatives over the next two years, several of which have already launched.
    • It is a bold political commitment to take immediate, impactful action that will help Australia manage persistent cyber threats of today while building a more cyber-secure ecosystem over time. This involves an equally bold regulatory reform agenda, with consultation on early reforms expected before Christmas.
    • The Strategy reinforces recent comments from regulators that Boards and leadership teams need to be held accountable for managing cyber risk, and the importance of being prepared to respond to significant cyber incidents. It is clear that cyber response and readiness are a regulatory priority.
    • With 60 specific actions scheduled for the initial two years of the Strategy, expect significant regulatory change and guidance from Government, aligned with once in a generation privacy regulation updates coming in 2024.

    What you need to do

    • Don’t take the foot off the cyber pedal – Get your cyber security house in order – particularly larger businesses. Consistent with recent statements from regulators, larger businesses are expected to do more to protect their customers, their supply chains, and the broader economy from cyber risks. Read more about regulatory pressure to manage supply chain risks, practical steps to understand and secure your organisation's data and the particular challenges of identity data.
    • Develop “thorough and comprehensive” cyber response plans for significant incidents – Don’t wait for new regulation before you start uplifting operational and strategic response plans, but do be prepared to update your plans with details of the single reporting portal, engagement with the National Cyber Security Coordinator, information sharing with authorities, and potentially new processes like a "no-fault" post incident review by the Cyber Safety Review Board. Work with legal advisors to understand what protections will be afforded to information you will need to share and incorporate learnings into incident response planning and reporting.
    • Turn heightened expectations and more advisories into action – Regulators simply expect more than ever before. An explosion in cyber advisories and guidance is blurring lines between minimum requirements, recommended practice, best practice and aspirational objectives. Business leaders need to quickly translate advisories into action – or face regulatory action, reputational and market consequences and litigation risks. Ashurst has a model for “thorough and comprehensive” incident response planning to help assess an organisation's cyber maturity and help meet regulatory expectations.
    • Help shape what's coming – The Government has already undertaken significant consultation, but more consultation will be needed to iron out the details – both in the immediate term and for the foreseeable future. This is a once in a generation opportunity to shape national-level policy. The consultation period begins before Christmas and will wrap up by 24 March 2024. The Government expects to work hand-in-glove with industry to co-design a more secure future – and industry needs the bandwidth to engage.

    An ambitious reform agenda

    The 2023-30 Australian Cyber Strategy is a comprehensive blueprint for a more cyber resilient Australia. It demonstrates how the Australian Government intends to deliver on its bold commitment to be a world leader in cyber security by 2030. The Strategy is supported by an Action Plan that is not limited to simply regulatory changes but describes a complex web of measures designed to uplift Australia’s cyber security workforce, lift cyber defences, drive better collaboration, and build cyber resilience into the fabric of our economy.

    The Strategy and Action Plan break the six cyber shields into 20 strategic initiatives, with 60 specific actions scheduled to launch over the next two years alone. Many of these are integrated strategic and tactical interventions that build on one another – so that the whole is greater than the sum of its parts.

    We have drawn out below some key measures that are likely to impact business in the short term. Read on for a deeper dive into a few of these issues.

    Key regulatory reforms to build cyber resilience

    Key takeaways

    • Government will implement some quick wins – Many initiatives have already launched (for example, the single portal with links and guidance for the many reporting obligations was already online the day the strategy was released, the new Cyber Executive Council already convened, and the National Cyber Intel Partnership already operating).
    • An ambitious, ongoing legislative reform agenda – Legislative reform is in the spotlight – beginning with a consultation to address gaps in existing laws and to strengthen security of critical infrastructure legislation (closing March 2024). Various initiatives relate to specific legislative reforms or will require nuanced supporting legislation. The Government is already working on related initiatives including an overhaul of Australia's privacy laws, new laws to help expand Digital ID economy-wide, and a recently announced comprehensive review of online safety laws.
    • Big business is the new “front-line" of defence – As with the US National Cybersecurity Strategy, the Government expects big business to shoulder more of the burden of keeping Australia secure. It is no longer enough for large businesses to manage their own cyber risks – they are expected to build resilience and harm minimisation throughout supply chains and the broader ecosystem, unlocking security at scale. Initiatives like the National Anti-Scam Centre and the National Cyber Intel Partnership look to pro-actively block scams and cyber threats, and the Government will increasingly rely on internet and telecommunications providers, app stores, banks and other potential "risk choke points" to share threat information, block threats, and drive better cyber practices throughout the economy.
    • Collaboration, consultation, co-design, and cooperation – The Government wants to work hand in glove with industry to get cyber right. Industry will have the opportunity to help shape the rules – through co-design or consultation processes, or the development of voluntary or mandatory codes or standards. Organisations need to engage now with industry and other representative groups, assessing impacts and consequences – take the opportunity to draw attention to your own risks and opportunities.

    Mandatory ransom reporting

    "Both government and industry have an interest in ensuring that not paying a ransom is always the most viable option for an organisation … We need a policy response that will allow Australian businesses to survive in circumstances where they do not pay."

    Ashurst response to the 2023 – 2030 Australian Cyber Security Strategy Discussion Paper

    The Government has recognised that Australia is not yet ready to ban ransom payments outright. While this remains an "end goal" for the country, the Strategy puts in place measures aimed at making not paying a ransom the most viable option, and to help businesses survive if they don't pay a ransom.

    While the Government will develop specific guidance to help organisations make better decisions about ransom payments, we continue to advise clients to develop a comprehensive risk-based approach to ransom incidents and decision making.

    Mandatory reporting for ransomware threats and payments

    "Reporting will enable the Government to effectively monitor, and respond to, the changing risk profile of the cyber threat environment over time" 

    Ashurst response to the 2023 – 2030 Australian Cyber Security Strategy Discussion Paper

    We expect that mandatory "no-fault, no-liability" reporting of ransom demands and payments will be an early measure, along with anonymised ransomware and cyber extortion trend information sharing.

    The success of mandatory reporting obligations will depend on whether organisations can expect to receive meaningful assistance and support, the simplicity of the reporting process (such as the new single cyber incident reporting portal), and the type and quality of information captured.

    Understanding how reports will be managed and shared will be vital and organisations will need to trust that information will not be used against them. Tight reporting timeframes might encourage early intervention but might keep ransom targets from coming forward if they miss reporting windows. Worst case, strict reporting obligations may provide leverage for attackers – at least one threat actor has reportedly disclosed its own attack to US authorities, apparently to apply leverage against a target.

    "Limited use" of cyber incident information

    "In our experience, the risk of prejudicing future regulatory action, together with reputational and media management risks, currently discourages open cooperation and engagement during a cyber incident. This risk dynamic places additional strain on organisations during the immediate crisis, and can be an unhelpful distraction when organisations need to focus on more critical harm reduction measures."

    Ashurst response to the 2023 – 2030 Australian Cyber Security Strategy Discussion Paper

    Government will legislate a “limited use obligation” – new laws to provide "clarity and assurance" on how information shared with the Australian Signals Directorate (ASD) and National Cyber Security Co-ordinator can be used by other government entities, including regulators.

    However, this "limited use" will not provide any form of immunity and will not impact regulatory and law enforcement actions. While the exact scope of the "limited use" is to be determined, it is clear this regime is not intended to be any form of safe harbour. A reasonable compromise may be that information will be held by the ASD on a confidential basis but may be provided to other regulators exercising regulatory powers to gather information.

    It is also not clear whether this information could be accessed as part of litigation or under freedom of information laws.

    We expect that information held by the ASD or the National Cyber Security Coordinator would be accessible to the Cyber Incident Review Board to conduct post-incident "no fault, lessons learned" investigations – which begs the question of whether information collected by the new Cyber Incident Review Board would be covered by a similar "limited use" restriction. Information may be subject to a regime similar to that of the Australian Transport Safety Bureau, which places strict limits on how certain restricted information collected during investigations may be disclosed.

    Guidance, advisories and lessons learned

    Accompanying the significant areas of regulatory uplift, the Strategy envisages guidance, lessons learned and information sharing, including:

    • An overview of corporate obligations for critical infrastructure and best-practice principles for good cyber governance.
    • A ransomware playbook to help businesses and individuals prepare for, deal with, and recover from ransom attacks – including how to access government support.
    • A National Cyber Exercise Program, putting critical infrastructure incident response to the test and sharing best practice across all sectors, building on existing exercises for designated Systems of National Significance.
    • A playbook for incident response, developed by the National Cyber Security Coordinator and informed by lessons from the National Cyber Exercise Program.
    • Lessons learned from Cyber Incident Review Board investigations – providing "no fault, lessons learned" reviews of significant cyber incidents, modelled on similar safety-oriented bodies such as the US Cyber Safety Review Board and the Australian Transport Safety Bureau.
    • Strategic threat intelligence sharing by a new government and industry Executive Cyber Council, enhancements to existing threat sharing platforms and a new Threat Sharing Acceleration Fund to support an Intelligence Sharing and Analytic Centre (with an initial pilot for the health care sector).
    • A focus on encouraging and incentivising industry to share threat information, particularly those able to do so at scale (e.g., critical infrastructure sectors) – this reflects an underlying international trend to intervene at the points in the ecosystem most able to shift the dial on risk across the economy.

    Cyber-capable organisations will already have carefully designed and tested cyber governance and incident response strategies, and will need to take into account additional guidance and information. Additional guidance and information might also be used by regulators, litigants and courts as a tool to gauge if an organisation is meeting expectations.

    With heightened expectations from both Government and regulators, we may see a growing gap between regulatory expectations and the practical capabilities of organisations. For example, the Australian Prudential Regulation Authority (APRA) recently reviewed cyber capabilities in Australia's financial system, identifying important deficiencies including in information asset management, control assurance (including over third parties) and incident management and response – and is looking to close cyber gaps as part of the new Operational Risk Management Prudential Standard CPS 230. Similarly, government auditors consistently identify gaps in public sector cyber capabilities.

    In our experience, all organisations – big or small – are asking for guidance to align with regulatory expectations and clearly identify best practice. While the proposed guidance will help, its primary target will be to support small and medium enterprises. Large, complex organisations will need to continue to stay ahead of the curve and develop their own, risk-based approaches to cyber security and readiness that are appropriate to their complexity and scale, including in supply chains.

    Software security

    The global trend towards intervening at the most impactful point in the ecosystem is reflected in moves to place more responsibility on software developers, including:

    • A new mandatory cyber security standard for Internet of Things (IoT) devices, aligned with international standards. Aligned standards will simplify procurement and have a particular impact on Australia's ability to adopt technologies likely to become ubiquitous, essential services of the future such as autonomous vehicles and recent innovations in distributed energy (such as interconnected management of batteries and home solar). It will also help manage the rising threat to industrial IoT, with the ASD Cyber Threat Report 2022-2023 recognising that Australian critical infrastructure has been targeted through operational technology connected to the internet and into corporate networks.
    • A continued push for the adoption of international software and security standards, including secure-by-design and secure-by-default practices that shift the burden of setting up software security away from users. This will begin in the short term with a voluntary code of practice for app stores and app developers – a convenient intervention point due to the impact app store policies have across a large number of app developers.
    • Software standards for government procurement will be harmonised with India, Japan, and the United States as Quad partners – leveraging government purchasing power to drive secure practices across global markets and making it simpler for industry to sell across government markets.
    • A framework to help business assess national security risks in supply chains and procurement. The Government will also consult on options to "limit the availability" of non-secure products – we expect this to focus on specific products or suppliers identified by the Government as presenting unacceptable security risks.

    Critical infrastructure reform

    Reforms to critical infrastructure legislation are an early priority, with a consultation due to launch imminently.

    The Government will:

    • Consult to clarify cybersecurity obligations for managed service providers. A limited set of data storage and processing services delivered on a commercial basis are regulated as critical infrastructure assets in their own right. Managed service providers (that may store or process data, but also provide other value-add services) might not be captured by the current regime. Whether or not a critical managed service is captured by the regime, critical infrastructure operators need to continue to manage risks in their supply chains. Importantly, critical infrastructure laws don't apply to assets located outside of Australia – which may mean managed services (if captured) are subject to different rules depending on whether they are onshore or wholly or partly offshore.
    • Consult to clarify data storage systems. In earlier consultation the Government asked whether customer data and systems should be considered critical infrastructure assets in their own right. The Strategy talks more broadly about protecting business critical data storage systems that could impact other critical infrastructure assets. This signals a potentially very different scope, that could capture technical or operational systems such as configuration management, design, patch management and asset management. We don't yet know what obligations will extend to business-critical data storage systems – but the due diligence required to identify and keep up to date the responsible entities (such as owners and operators) and direct interest holders of complex computer systems should not be underestimated.
    • "Switch on" telecommunications "all hazards" critical infrastructure risk management programme obligations. While telecommunications is already a designated critical infrastructure sector, risk management program obligations for the sector were not "switched on" alongside other sectors. The expectation was that security and risk management would be managed under telecommunications laws. Instead, the Government has indicated it intends to shift telecommunications security obligations into the critical infrastructure regime in order to simplify oversight and enforcement and to drive consistency across sectors. But this is likely to add significant complexity for the telecommunications industry (and their service providers) to navigate multiple regulatory regimes. This is a challenge faced by a range of industries, but most felt keenly by finance institutions who are currently working to uplift capabilities to comply with the new Operational Risk Management Prudential Standard CPS 230 while also meeting critical infrastructure requirements.

    The Government will also look to drive cyber security in critical infrastructure by:

    • introducing Enhanced Cyber Security Obligations for designated Systems of National Significance;
    • scaling up hands on assistance with the Critical Infrastructure Uplift program – which allows Australian Signals Directorate experts to partner with critical infrastructure providers to harden cyber security;
    • introducing a compliance monitoring and evaluation framework for critical infrastructure, including for risk management program obligations; and
    • expanding “assistance" powers – enabling Government to step in to manage secondary consequences of an incident (while current rules only extend to managing the incident itself).

    A shift from pure capacity building to introducing compliance monitoring and evaluation has been previously flagged as the next step in building cyber capability in critical infrastructure. This thinking may have been informed by the Commonwealth Joint Committee of Public Accounts and Audit observations of a "persistent optimism bias" in Commonwealth agencies self-reporting cyber security compliance – and calling for a "robust external assurance process" to ensure an accurate picture of cyber capabilities.

    Self-assessments in industry may suffer from the same optimism bias. Independent external evaluations and reviews are an important way of keeping optimism bias in check and maintaining a self-critical culture – in all organisations, but most particularly in critical infrastructure sectors which will soon face closer scrutiny.

    Data retention

    "We need to pivot away from the historical approach that asked 'how can the data be retained', to ask 'should the data be retained'."

    Ashurst response to the 2023 – 2030 Australian Cyber Security Strategy Discussion Paper

    The Government will review Commonwealth laws requiring retention of data, other than personal information (personal information will be addressed as part of the Government's response to the Privacy Review Report, and retention of identity information will be considered under the National Strategy for Identity Resilience, informed by moves to expand Digital ID across the economy).

    Policy objectives of retaining information must now be balanced against the risks of retaining it – and the costs of keeping it secure. Private and public sector bodies with lived experience of data retention challenges and risks can help regulators and lawmakers strike the right balance.

    While various measures in the Strategy and Action Plan call for coordination with or contribution from state and territory governments, there is notably no mention of state and territory data retention obligations. The National Strategy for Identity Resilience includes a commitment from Commonwealth and state and territory governments to support private and public sectors to collect and retain less identity information – but no commitment to work together on a coordinated review.

    Big business – the new front line of defence

    "Future reform should pivot towards building systemic cyber resilience into the ecosystem”

    Ashurst response to the 2023 – 2030 Australian Cyber Security Strategy Discussion Paper

    Consistent with global trends, particularly coming out of the US, Australia's strategy looks to:

    • share risk, with more cyber risk allocated to those who are most capable of addressing it;
    • intervene at the most impactful points in the ecosystem – such as software suppliers, or operators of critical infrastructure; and
    • give larger organisations greater responsibility to protect not only their own digital infrastructure, but to help to protect those less able to do so.

    This is most clear in the Government's strategy to:

    • build stronger threat-blocking capabilities through the existing National Anti-Scam Centre working with telecommunications and internet service providers;
    • develop cutting edge automated threat blocking at scale through the recently launched National Cyber Intel Partnership; and
    • more broadly, through its plan to encourage threat blocking across the economy by entities most capable of blocking threats (with specific reference to internet, telecommunications, and financial services providers).

    The National Cyber Intel Partnership of 12 major corporates and regulators is currently piloting automated, real-time machine-to-machine communications to block bank phishing scams, aiming to overcome current challenges in rapidly responding to threat information at scale.

    This ecosystem level cooperative investment demonstrates the trusted connective tissue role that government can provide – and, if successful, will mean organisations don't need to re-invent the wheel, driving down the cost and improving the effectiveness of threat blocking at scale.

    Alongside initiatives like Digital ID, the Government is under increasing pressure to drive short-term progress on ecosystem level protections. While the Government will continue its consultative, co-design approach, organisations (particularly larger ones in critical sectors) will need to plan for how these initiatives will fit into their technology roadmaps and capabilities sooner rather than later.

    While participation in these initiatives is currently voluntary, to build ecosystem level resilience we may see, in time, legal requirements or mandatory standards for organisations to ensure they are able to, and do, act on threat information.

    Plan for change

    The Government recognises that the Strategy is not "fire and forget" – that it will need to adapt in response to changes in the cyber landscape over time, with an updated Action Plan expected every two years. As the threat environment is constantly evolving, expect the regulatory environment to do the same.

    Want to know more?

    About Ashurst

    In a changing world, our vision at Ashurst is to be a highly progressive global law firm. For over 200 years we have advised corporates, financial institutions and governments on their most complex transactions, disputes and projects. We offer the reach and insight of a global network, combined with our knowledge and understanding of local markets. At Ashurst, we help our clients build cyber resilience and effective cyber risk management through a combination of legal, risk advisory and programme delivery teams. We provide end-to-end, whole-of-life-cycle expertise across cyber, data and privacy issues. Having advised on some of Australia’s most high-profile cyber incidents, we have unique insights and expertise that can improve how organisations prepare for and respond to high-impact cyber incidents, at executive and Board level.

    Read more about our cybersecurity services.

    Authors: John Macpherson, Partner, Ashurst Risk Advisory; Amanda Ludlow, Partner; Emma Butler, Partner; John Moore, Director, Ashurst Risk Advisory; Andrew Hilton, Expertise Counsel; Geoff McGrath, Partner; Philip Aquilina, Senior Associate and Robert Todd, Partner.


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 24 November 2023 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
