08 October 2019

Australia’s 2020 Cyber Security Strategy – Call for Views

This article was written by Michael Swinson, Cheng Lim and Sean Field.

Australia’s 2020 Cyber Security Strategy

What is it & why should I be interested?

The Commonwealth Government has recently published a discussion paper inviting comment on potential changes to Australia’s cyber security regime, as part of a 2020 strategy to ensure Australia’s digital defences.

Three ideas raised in the paper will be of critical interest to businesses and individuals engaged in the digital economy:

  • Risk allocation - Industry may be held responsible for a greater portion of cyber risk.
  • Regulatory change - The strategy could see businesses in the digital economy subject to new regulations covering consumer protection and cyber security standards.
  • Cost burden - Industry may be required to contribute to the cost of Government improving its cyber security capacity.

Who will be affected?

The issues canvassed in the Government’s paper are wide-ranging and hold the potential for significant change affecting the Information and Communications Technology (ICT) sector, including Internet Service Providers (ISPs) and operators of data centres, social media and online market places.

The paper is an opportunity for industry voices to be heard on these topics in the context of the Commonwealth shaping its cyber security strategy.

Key issues

Are responsibilities and liabilities appropriately allocated between consumers, business and government?

The paper considers Government’s role to date as focussed on protecting ‘critical’ systems, while suppliers have restricted their liability through ‘complex contractual terms’. It says this situation has seen end users (consumers) typically bear the burden of risk.

The paper notes that “it is unclear” whether statutory protections, such as consumer protection and privacy laws, provide adequate coverage.  And the paper suggests that an alternative would be to “prioritise cyber security by transferring responsibility for managing a greater proportion of cyber risks away from end users and onto industry and business”.

The paper considers that currently cyber security requirements can in some industry sectors be “minimal or highly variable” and that “[a] better approach may be consistent but flexible cyber-security laws for critical systems” perhaps along the lines of the existing industry-specific requirements imposed on the telco industry under the Telecommunications Sector Security Reforms. The paper clearly signals that Government is considering the need to expand its focus to cover more digital infrastructure, such as data centres and online market places.

What might this mean?

One option might be for Government to impose compliance requirements on industry, mandating standards such as the NIST Cyber Security Framework, ISO 27001 and related standards, and the Australian Signals Directorate’s own mitigation strategies. This could mean legislation or mandated supply chain standards.

However, these approaches also raise questions around how regulatory standards would maintain pace with technological developments, and the impact they may have on the ability of Australian businesses to compete or adapt to changing market conditions.

The paper also flags the prospect that the cost could fall directly onto the ICT sector, noting that:

“If Government needs to provide ongoing and sustainable services to owners of critical systems, then the cost may need to be recovered through direct charges or other alternative funding models, rather than relying on general taxation revenue.”

What’s next for industry?

Noting that the paper is simply calling for input from interested parties with no clear policy direction yet decided, potential outcomes that are of interest to the ICT sector could include the following:

  • increased legal, regulatory and compliance risk;
  • a more directive role for government in setting cyber security standards for industry; and
  • increased costs for industry.

We would recommend that all organisations dealing with valuable data assets consider the Government’s paper carefully to determine the potential impact a change in approach to the management of cyber security risks may have on them.

The deadline for submissions in response to the paper is 1 November 2019. KWM’s Tech Law team can assist you in making submissions. Please contact one of our team below should you wish to discuss this or any related cyber security issues further.
