The federal government is looking to introduce a range of cybersecurity-focused reforms and voluntary standards, with a new discussion paper revealing a number of policies under consideration.
On the back of last year’s Cyber Security Strategy, Home Affairs Minister Karen Andrews on Tuesday morning unveiled a discussion paper covering a number of the policies announced in the 2020 strategy.
The discussion paper calls for public feedback, but also reveals the direction the federal government is leaning in terms of each of the reform options.
The Coalition is favouring the introduction of voluntary cyber standards for large businesses, a cybersecurity code under the Privacy Act for personal information, a mandatory expiry date label for Internet of Things devices, efforts to increase awareness around vulnerability disclosures, and voluntary cyber health checks for SMEs.
The discussion paper is focused on how the government can incentivise Australian businesses to invest in cybersecurity, with three areas of action: setting clear cybersecurity expectations, increasing transparency and disclosure, and protecting consumer rights.
“The government is taking action to mitigate the real and present danger that cybercrime presents to Australians and our economy. We cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security,” Ms Andrews said.
“I want to make sure Australian businesses – big and small – are secure, and consumers are protected. Through this period of consultation, I’m keen to hear from businesses, the critical infrastructure sector, IT experts and the wider public about the solutions and mitigations they proposed.”
The Coalition is planning to set clear minimum expectations for large Australian businesses around cybersecurity. This will be through either voluntary or mandatory standards laying out the responsibilities and processes for managing cyber risk, co-designed with industry.
The government appears to be leaning towards leaving these minimum standards voluntary, with the discussion paper saying that this would “communicate to industry that government and public expectations regarding the management of cybersecurity risks are increasing, without creating unnecessary regulatory burden”.
A voluntary standard could also be referenced by a court when determining whether a company director’s failures in overseeing cyber risk constituted a breach of their duties, the government paper said.
But leaving the standard voluntary risks entrenching the status quo, it said.
“The main drawback is that industry may not substantially adopt the standards and could continue to manage cyber risk as it currently does. Care needs to be taken to ensure that a voluntary standard does not promote a ‘tick-a-box compliance culture’ where businesses rely too heavily on standards and do not critically assess their security requirements,” the paper said.
But implementing mandatory standards would lead to high costs and would require a new regulator, the government said.
“Currently, there is no regulator with the relevant skills, expertise and resources to develop and administer a mandatory standard that applies to all large businesses. Any process to assign these responsibilities to a current regulator would take significant time and cost, which would ultimately be borne by industry and the Australian public,” it said.
“On balance, a mandatory standard may be too costly and onerous given the current state of cybersecurity governance, and in the midst of an economic recovery, compared to the benefits it would provide.”
There are also plans to introduce a cybersecurity code for personal information under the current Privacy Act, which may “drive meaningful improvements in Australia’s cybersecurity”.
“Establishing a code under the Privacy Act could drive the adoption of cybersecurity standards across the economy by creating regulatory incentives for uptake,” the paper said.
Such a policy would be achievable, cost effective and high impact, the government said.
There will also be reforms made to the regulation of IoT products, with the government considering making its voluntary code of practice for manufacturers of these devices mandatory.
“A mandatory standard may result in reduced product availability or increased costs for consumers if industry cannot or chooses not to absorb the costs of a mandatory standard,” the paper said.
The government is also deciding between a voluntary star rating label, which would display the security strength of a device, and a mandatory expiry date label, which would display the length of time for which security updates will be provided for the product.
The government paper said that both options are low cost and low-risk, and could be implemented simultaneously.
Other policy reforms being considered by the government include incorporating vulnerability disclosure into existing regulatory frameworks and a voluntary cybersecurity health check program for SMEs, which “could have real benefits, but only if feedback indicates that there are realistic ways to encourage time-constrained small businesses to participate”.
Submissions on the discussion paper are being accepted until 27 August.
Do you know more? Contact James Riley via Email.