Australia demands a specific federal government Cyber Security Act. It’s all too easy to blame the Optus and Medibank data breaches entirely when what these attacks reveal is a lack of effective and comprehensive federal legislation.
Home Secretary Clare O’Neil – who is also cybersecurity minister – was right when she said Australia was a decade behind the rest of the world.
The good news is that we have an example of successful international work – the European General Data Protection Regulation (GDPR), which we can iterate on. There is no need to reinvent the wheel’.
The bad news is the urgency with which we must pass this bill. We urgently need frameworks that encourage businesses and government agencies to build cybersecurity capabilities – cyber defense and data protection in case defenses fail.
And we need tough penalties that deter them from acting irresponsibly with customers and other sensitive data.
The big picture
The Optus and now Medibanks data breaches and ensuing community outrage should not be limited to citizen privacy concerns alone. The issue is much larger and requires one comprehensive federal cybersecurity law.
Cyberattacks are not simply acts of criminals seeking financial gain through stolen identities.
They are also used as weapons of national and economic destruction – even of war – designed to destroy critical national infrastructure; cause catastrophic damage to corporate and government computer systems; and render defense and military systems ineffective. The war in Ukraine and the Russian cyberattacks against Ukraine and its allies are proof of this.
Similarly, the effectiveness of cybersecurity should not be limited to failures of cyber defense systems alone. The Optus and Medicare breaches highlight organizations’ failure to protect sensitive customer data with encryption, ensuring it is useless when stolen by cybercriminals.
So when our Federal Cybersecurity Minister (faced with a nationwide data breach affecting a third of our population’s personal identities) turned to Australia’s cybersecurity legislation to find it was “absolutely unnecessary”, we we have a much bigger problem than simply protecting the privacy of Australian citizens.
The Australian government’s and intelligence agencies’ swift responses to the Optus breach highlighted the fact that cybersecurity is not an IT issue – it’s a national security issue. Cybersecurity legislation should receive the same treatment.
Currently, cybersecurity responsibilities are fragmented into a myriad of laws covering privacy, national infrastructure security, and corporations.
A confusing assortment of legal rabbit holes makes it difficult for organizations to achieve a consistent level of transparency, let alone a unified set of standards that everyone adheres to.
To see sweeping cybersecurity legislation, there needs to be consensus between the states and territories and the federal government, or we risk repeating the mistakes of the United States.
Frustrated with federal cybersecurity law, the Biden administration can only take care of federal responsibilities such as health, telecommunications or financial services, the rest is done by individual states.
In Australia, some of our most sensitive data is in our state-run health and education sectors.
If we are to enact comprehensive laws, these areas must be at the center of a collaborative government approach. It cannot be allowed to be a breeding ground for lobbyist negotiations leading to a self-interested outcome.
Europe has set the standard for a specific global cybersecurity law with the GDPR. Its mandate is to protect sensitive information. Therefore, if you have information that could reveal identities, the managers and the companies themselves are responsible.
For example, if an email exchange server is found to be vulnerable and its owner does not apply an available patch to prevent the attacker from using that vulnerability, if that organization is then breached, it will not be compliant. .
On the other end of the spectrum, if it is breached but the data in it is protected by “strong encryption”, it is considered not to be a breach because you have effectively protected this data against misuse. It’s sensible, easy to understand, and motivating without requiring executives to become cybersecurity experts to ensure compliance.
The key to creating legislation that maintains a healthy balance between preventative technology (which works to keep hackers out) and protective technology (which protects data when hackers inevitably find a way in ) lies in the establishment of similar non-technical standards.
This way we can ensure that cybersecurity is ongoing and effective, but does not prescribe a method.
That said, a simple copy-paste of the GDPR would be insufficient. An Australian cybersecurity law must address more than citizens’ privacy, as the GDPR shows. It has been four years since the GDPR was proclaimed and there are areas where time has shown it could be improved.
However, it acts as an excellent example of how to assign responsibilities clearly and should be considered in the development of our own frameworks.
In the two years that EU nation states drafted and approved the GDPR, changes to Australia’s 2018 Notifiable Data Breach Regime to the Privacy Act took nearly five years .
A decade of relative inaction on cybersecurity has a lesson; sanctions that cause both financial and reputational problems are a way to set an example of bad behavior, but they do not help solve the underlying problems.
In the United States, violations of federal cybersecurity laws can be a criminal matter, not just a civil one. A violation of the EU GDPR can result in a maximum penalty of €20 million or 4% of annual international turnover, whichever is greater.
What these harsh penalties do not address is corporate apathy, especially at the management level.
Accountability after a breach can give customers a sense of justice, but positive behavior change within an organization can be best achieved by additionally penalizing failure to listen to or follow the advice of cybersecurity employees. organizations.
This can address both the need to hold cybersecurity personnel accountable and negate the “she’ll be right” philosophy of some commercial and government organizations.
Whatever motivating factors are chosen, Australia needs clear and comprehensive cybersecurity legislation with sharp teeth. It must set the highest legislative standard required for a national security issue, while allowing organizations the freedom to find their own solutions.
The Optus Breach was horrific for everyone involved, but we have an unprecedented opportunity.
We must avoid the mistakes of the United States and take advantage of the European GDPR to create cybersecurity law that will help protect our citizens, intellectual property, government and long-term trade secrets.
Francois Galbally is the founder and chairman of the ASX-listed cybersecurity company Senetas Corporation Ltd. Senetas is a world leader in the development of high performance encryption security solutions.
Do you know more? Contact James Riley by email.