As the cyber threat landscape continues to evolve, the key message of the 2023-2030 Australian Cyber Security Strategy (Strategy) is clear: business cyber resilience is an urgent national priority.

The Strategy seeks to strike a balance been fostering close collaboration between government and industry but, at the same time, cracking down on businesses that are not cyber-ready. While certain legislative reforms have been proposed, including to the Security of Critical Infrastructure Act 2018 (SOCI Act), no economy-wide cyber laws have been proposed at this stage. Further industry consultation will be conducted prior to the introduction of substantive reforms.

Overview and implementation

On 22 November 2023, the Minister for Home Affairs and Cyber Security, the Hon Clare O’Neil MP, released the Strategy. The Government has an ambitious goal of making Australia ‘the most cyber secure nation by 2030’ by putting almost $600 million towards implementing six ‘Cyber Shields’:

  1. Strong businesses and citizens.
  2. Safe technology.
  3. World-class threat sharing and blocking.
  4. Protected critical infrastructure.
  5. Sovereign capabilities.
  6. Resilient region and global leadership.

The Strategy directly responds to Government concerns following significant data breaches that have occurred over the past 18 months, including gaps in regulations as well as a lack of industry reporting and consultation. Initial indications are that the Strategy is being well received by business and the broader cyber security community as a comprehensive response to the evolving threat landscape. The different layers of the Strategy deal with everything from protecting critical infrastructure and growing Australia’s skilled cyber security workforce to working with international partners and introducing new regulatory reforms with a focus on close collaboration between government and industry.

The Strategy will be implemented across three stages or ‘horizons’:

  • Horizon 1: The strengthening of foundations from 2023-2025.
  • Horizon 2: Scaling of cyber maturity across the whole economy from 2026-2028.
  • Horizon 3: Becoming a world leader in cyber security by 2030.

Core law reforms on new cyber obligations, streamlined reporting processes, improved incident response and better sharing of lessons learned after cyber incidents is slated to occur as part of ‘Horizon 1’ between 2023 and 2025. Beyond this, the Strategy has not proposed any specific timeframes for reforms, however the Government will conduct in-depth industry consultation prior to introducing any further reforms.

Alongside the Strategy, the Government has developed the Cyber Security Strategy Action Plan (Action Plan) (which supplements the Strategy and details the key initiatives that will commence over the next two years) and will release an updated Action Plan every two years. The Executive Cyber Council, comprising of industry leaders who will guide the consultation process, will convene twice a year.

The six ‘Cyber Shields’

Source: Commonwealth of Australia, 2023–2030 Australian Cyber Security Strategy, p 6.

Shield 1: Strong businesses and citizens

Shield 1 aims to provide more widespread protection for businesses and citizens by:

  • implementing a ‘health-check’ program offering free tailored assessments of cyber maturity for small and medium sized businesses;
  • implementing mandatory no-fault, no liability ransomware reporting;
  • implementing the Counter Ransomware Initiative to discourage the payment of ransoms, however, the initiative does not prohibit the payment of ransoms; and
  • continuing to develop the Digital ID program and the National Strategy for Identity Resilience to reduce the need for people to share sensitive personal information with government and businesses to access services online.

Shield 2: Safe technology

Shield 2 aims to increase the safety of technology through:

  • legislating a mandatory cyber security standard for Internet of Things (IoT) devices;
  • implementing a voluntary labelling scheme for consumer-grade smart devices;
  • reviewing data retention requirements to consider any unnecessary burden and vulnerabilities that arise from entities holding significant volumes of data for longer than necessary; and
  • reviewing the data brokerage industry with a focus on the transfer of data through data markets to malicious actors.

Shield 3: World-class threat sharing and blocking

Shield 3 aims to increase the scale of threat-sharing and blocking through:

  • establishing a coalition of government and industry leaders under the Executive Cyber Council to share strategic threat intelligence;
  • enhancing the ASD’s existing threat sharing platform through an Acceleration Fund; and
  • developing next-generation threat blocking capabilities through the National Anti-Scam Centre.

Shield 4: Protected critical infrastructure

Shield 4 aims to ensure Australia’s critical infrastructure and essential government systems can withstand and recover from cyber-attacks by:

  • moving security regulation of the telecommunications sector from the Telecommunications Act 1997 to the Security of Critical Infrastructure Act 2018;
  • implementing scenario-based pressure testing of critical infrastructure sectors to identify vulnerabilities through a National Exercise Program; and
  • developing playbooks to guide incident responses.

Shield 5: Sovereign capabilities

Shield 5 aims to grow and professionalise Australia’s cybersecurity workforce through:

  • more effective education and training systems in collaboration with Jobs and Skills Australia and the Jobs and Skills Council;
  • encouraging the pursuit of cybersecurity careers at a primary, secondary and tertiary level; and
  • accelerating investment in the domestic cyber industry and research capabilities.

Shield 6: Resilient region and global leadership

Shield 6 aims to build regional cyber resilience and uphold international law standards by:

  • strengthening collective cyber resilience in the Pacific and Southeast Asia by establishing a regional cyber crisis response team;
  • harnessing private sector innovations to improve regional security; and
  • deploying all arms of statecraft to deter and respond to malicious actors.

Governance

The Strategy recognises that corporate governance is critical to mitigating risk of cyber-attacks. While stopping short of proposing new obligations on business or giving more teeth to regulators, the Government has instead proposed new measures to support enterprises (including SMEs) in their cyber governance, as well as developing general cyber security guidance for business.

As a first step, the Government will publish an overview of corporate obligations for critical infrastructure owners and operators, detailed under the SOCI Act. Next, the Government will consider how best to collaborate with industry to design best-practice principles to guide good cyber governance. This guidance is not expected to be detailed or sector-specific but will be principles-based and technology neutral.

Importantly, there is no proposal to introduce new directors’ duties specifically related to cyber security, as had previously been floated by the Government. That is not to say that more general directors’ duties will not be relevant. Directors must ensure that in responding to cyber threats they discharge their duties with care and diligence and in good faith in the best interests of the corporation. When a court looks to consider whether directors have failed in their duties in relation to a cyber incident, it would likely give substantial weight to the steps directors took and their preparedness. The directors will need to exercise a degree of care and diligence that a reasonable person would have exercised in her or his position to ‘prevent a foreseeable risk of harm to the interests of the company’. This may involve an evaluation of the extent to which the directors have:

  • upheld cyber security best practices, including any new cyber security guidance issued by Government or sector-specific regulators;
  • reasonably informed themselves of risks (they cannot merely ‘do as advised’ by cyber security experts);
  • addressed vulnerabilities (including through proper communication with shareholders); and
  • implemented frameworks to both address foreseeable risks and respond to them.

As part of reviewing the effectiveness of cyber resilience frameworks following a cyber incident, businesses may soon be required to attend post-incident reviews overseen by the Government. These reviews will be conducted by the newly established Cyber Incident Review Board, who will share the ‘lessons learned’ with the broader business community and wider public. While the Government describes this as a ‘no-fault’ review, it is not clear whether sensitive information shared in these forums will be kept confidential and the implications for legal privilege over the review in respect of any potential litigation.

Regulatory reforms

The Strategy has not proposed as much upfront regulatory reform as initially anticipated. That said, as outlined below, the Government has committed to co-designing a suite of ‘landmark legislative reforms’ that will help Australia strengthen its cyber shields.

SOCI Act

Organisations are still coming to terms with the obligations introduced under the SOCI Act over the past two years. As such, it is encouraging to see that the Strategy focuses on building on the existing powers and obligations rather than subjecting the SOCI Act to even more reforms. As expected, the SOCI Act regulatory reforms announced in the Strategy appear to be targeted at the owners and operators of critical infrastructure and the scope of entities and assets regulated as critical infrastructure. Notably, the Strategy does not propose to expand the sectors regulated under the SOCI Act, with the existing 11 sectors to remain unchanged.

With the reforms proposed in the Strategy, the Government is seeking to close an unintended regulatory gap whereby the SOCI Act does not cover business-critical data storage systems of critical infrastructure owners and operators. This is concerning given that vulnerabilities in such data storage systems could impact the availability, integrity, reliability or confidentiality of critical infrastructure assets.

Another reform, which has previously been flagged by the Government, will be to move the security regulation of the telecommunications sector to the SOCI Act. The telecommunications sector is currently regulated by the Telecommunications Act 1997 (as amended by the Telecommunications Sector Security Reforms (TSSR) which largely mirror the SOCI Act obligations), except that the Telecommunications Act does not currently require critical infrastructure operators to have appropriate risk management frameworks in place. This was a key point of government frustration over the recent Optus network outage, and there is a growing recognition that significant cyber incidents have a whole-of-sector and whole-of-economy impact.

Additional obligations will also be imposed on operators of critical infrastructure assets which the Government has nominated as being Systems of National Significance (SONS) due to their criticality to Australia’s social and economic interests. Operators of SONS are already subject to enhanced obligations to maintain cyber incident response plans, undertake cyber security exercises and vulnerability assessments and report system information to the Government. Following the Strategy, operators of SONS will also be required to have measures in place to ensure they can quickly bounce back from cyber-attacks. Aside from cyber incident reporting obligations, this would be the first post-incident obligation imposed on operators of SONS, demonstrating the Government’s concerns as to the lasting consequences of a cyber incident.

Accordingly, the Government has proposed a new National Cyber Exercise Program, as part of which Government will conduct cyber incident exercises with industry to test and identify gaps in cyber incident response processes. There is also the proposal for a broad last resort ‘all-hazards consequence management’ power. While the precise scope of the proposed power is not detailed in the Strategy, it appears to be intended to empower Government to be able to order specific actions to manage consequences of nationally significant cyber incidents. There is no detail as to whether businesses would be given safe harbour from any legal liabilities arising from complying with the Government’s directions or whether business would have to bear the associated costs.

Cyber reporting obligations

One of the key concerns from industry stakeholders has consistently been that cyber security obligations are not clear or easy to follow. For example, businesses may have reporting obligations under a number of legislative regimes to a number of different regulators such as the Office of the Information Commissioner and the Australian Prudential Regulation Authority. To ease the regulatory burden for business, Government has developed a single reporting portal on cyber.gov.au that brings together key reporting links and will further explore options to simplify regulatory compliance.

Data retention

The Government has responded to industry concerns, confirming a review of the data retention requirements under various laws. Australia has disparate patchwork of sector specific statutory obligations that require businesses to retain data, under which entities are exempted from Privacy Act requirements to delete or de-identify data that is no longer necessary. These retention obligations are seen to be in conflict with the Government’s overarching aim of creating a culture where businesses will delete data and personal information when it is no longer required.

The Government is concerned by practices among some Australian businesses which seek to leverage data assets by collecting and holding greater amounts of information for longer than is necessary. These data records can be a high-value target for malicious actors. Earlier this year the Government announced it would review laws requiring the retention of personal information as part of the broader privacy reforms. This new review is expected to be focused on non-personal data such as operational information. The parallel reviews might see a raft of changes to various pieces of legislation, like the Archives Act 1983, National Consumer Credit Protection Act 2009 and Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

The Government is also promising to implement Digital ID to verify identity. This measure is intended to reduce the need for people to share sensitive government identifiers with businesses like driver licence and passport numbers. Recent data breaches have highlighted the disruption caused by the unauthorised disclosure of these government identifiers and the potential for misuse of such information.

Ransomware payments

Prior to the release of the Strategy, an issue that was subject to hot debate within the business community was whether the Government should prohibit the payment of ransoms. While the Government has not gone as far as prohibiting ransomware payments at this stage (noting that Minister O’Neil has said that the prohibition is inevitable), the Strategy proposes to enhance the visibility of ransomware threats through legislating a mandatory no-fault, no-liability ransomware reporting obligation and implementation of the Counter Ransomware Initiative to discourage the payment of ransoms. The Government will also develop a ransomware playbook to provide clear guidance to businesses on how to prepare for, deal with, and bounce back from ransom demands.

Pending co-design with industry, the Government has proposed that this mandatory ransomware reporting initiative could be used to share anonymised reports of ransomware and cyber extortion trends with industry and the community (including other regulators). The Government had previously confirmed that it is considering creating a safe harbour and immunity to ensure that information provided to law enforcement and intelligence agencies as part of the reporting could not be used against the businesses in regulatory enforcement actions. This would bring Australia closer to the position in the United States, where mandatory ransomware payment reports cannot be used as the basis for any civil suit or regulatory enforcement proceedings against reporting entities or introduced as evidence in court.

That said, while the Government has acknowledged that businesses may still choose to pay ransoms, counsel should be mindful of the fact that it is still not entirely clear how such a mandatory reporting scheme would work with other legal and regulatory obligations that may apply to businesses, such as anti-money laundering and counter-terrorism financing laws which prohibit the payment of money to terrorist organisations or organisations that will use it for criminal activity.

While the Australian Cyber Security Centre advises to 'never pay a ransom', some relevant questions that businesses should ask in making that decision are:

  • What do you know about the perpetrator?
  • Is the perpetrator part of a known criminal outfit?
  • Is it a State actor?
  • Is the perpetrator an organisation listed as either a terrorist organisation, or on the UN or Australian sanctions lists?

The answers to these questions will help determine whether it is legal to pay a ransom, and a thorough forensic investigation will allow businesses to defend the decision. If the perpetrator is unknown after such an investigation, the payment is less likely to constitute an offence.

Mandatory cyber security standard for IoT devices and voluntary labelling scheme for smart devices

The Government has proposed to encourage the adoption of international standards for secure-by-design in digital technologies by legislating a mandatory cyber security standard for IoT devices and, to help consumers make informed choices about the security of devices on the market, implement a voluntary labelling scheme for consumer-grade smart devices. It is worth noting that Standards Australia (the nation’s peak standard development organisation) is partnering with the Internet of Things Alliance Australia to develop a Smart Devices Cybersecurity Labelling Scheme that improves safety for Australian consumers so it will be interesting to see whether this scheme will be leveraged by the Government. The Government will also work with industry and international partners to shape the development and adoption of international software security standards, including secure-by-design and secure-by-default practices

Further industry consultation will be conducted on each of the above reforms.

Key takeaways for directors, C-suite and General Counsel

While the anticipated directors’ ‘cyber duty’ has not been implemented as part of the Strategy, this is only because it is not necessary. Governance of cyber risk is clearly within the existing statutory duties of the board, and directors who do not take their obligations seriously risk regulatory enforcement action. Directors should seek the appropriate advice and training to enable them to discharge these duties.

Looking ahead, the Government will consult with industry in relation to a number of proposed law reforms, including proposed changes to Federal Government-mandated data retention obligations and further cyber resilience measures to be taken by operators of critical infrastructure. Affected companies would be well advised to participate in such consultations to ensure both that the resulting legislation is fit for purpose, and that the costs borne by business are reasonable in the context of the cyber risk environment.