Australia’s patchwork of cyber regulations, lack of standards, a mishmash of regulators and poorly implemented technical controls in government and business are exposing the nation to a cyber attack, according to expert submissions to the cyber strategy review.
Submissions also highlighted the need for a dedicated cyber security minister and a single regulatory authority to harmonise regulation and standards for both the private and public sector.
Paul Fletcher oversees cyber security as part of his communications and arts responsibilities, within the mega infrastructure portfolio.
Noting the need for government leadership, experts also highlighted the need for federal and state governments to get their own houses in order.
“Trust from business and the general public will only be strengthened if the government is seen to be taking cyber security seriously for its own entities across the whole government space, not only at the federal level, but also state and territories,” PWC wrote in its submission.
“The government’s low cyber security maturity presents a challenge for it to assert a leadership position.”
This comes as Labor’s cyber spokesman, Tim Watts, has highlighted the numerous audits which have shown lax accountability for the poor cyber practices of many federal agencies.
The review comes four years after the initial cyber strategy was developed, a first attempt to create a national approach to building greater cyber resilience.
The new strategy has become more significant after Prime Minister Scott Morrison revealed an ongoing cyber campaign against Australia by a “sophisticated state entity.”
The strategy was due to be released earlier this year, but has been delayed and is expected to be released in the next couple of months.
Unlike say, Germany, Australia does not have a specific overarching cyber security act.
Deloitte’s submission to the review noted the regulatory environment is made up of a group of industry-specific regulations and guidelines, including specialist financial, energy, telecommunication and health regulations.
There are also privacy, cyber crime and interception laws which relate to cyber security.
PwC called for critical infrastructure regulation to be expanded to cover other sectors such as transport, manufacturing, telecommunications, agriculture / food production, mining, health and pharmaceuticals.
Noting the interplay between a variety of standards and regulation UNSW’s Allens technology hub said the new strategy should integrate all of these initiatives to be effective.
“Failure to consider these interactions may result in overlap and confusion, and further contribute to the piecemeal approach to the appropriate legal framework for cyber security in Australia.”
Identity provider Vero Guard Systems told the review “policies and standards used today are outdated. “
Vero manufactures dedicated identity hardware offering identity solutions for government and business that avoids the use of multifactor verification and biometrics.
“Rapid changes to and in technology obsolete frameworks and protocols in relatively short cycles. Cyber-criminals exploit these gaps because policy focus is on detect and mitigate rather than prevention,” Vero founder Daniel Elbaum said.
Vero joined other submitters noting the variety of regulators overseeing cyber
“Currently there is no evidence that a government, association or organisation is responsible for managing cyber risks in the economy,” Vero wrote.
EY called out the lack of a standardised approach to cyber security. EY said there is no overarching framework or standard, with the federal government security manual (the ISM) not used much beyond government.
EY noted the five pillars approach used by the US Department of Home Security had created an economy-wide approach for cyber security management.
“A standardised approach provides strategic direction, identifying what mature risk and control environments look like.”
“The difference between a regulatory approach and a standards-based approach is about an enforcement regime around the standards,” EY APAC cyber partner, Richard Watson told The Australian Financial Review.
“You’re not creating a new set of standards for regulation, you’re just enforcing the global best practice.
Did You See This CB Softwares?
37 SOFTWARE TOOLS... FOR $27!?Join Affiliate Bots Right Away
“What they’ve done in the US – and is now being raised here by the Federal Government – is to have regulators specify the minimum maturity score and begin to fine people if they fall short of that,” Mr Watson said.
Deloitte observed that cyber enforcement is dealt with by “multiple regulatory bodies that have differing touchpoints with cyber issues, with each agency and regulatory body having varying enforcement priorities, functions and powers.“
“For example, the Australian Crime Commission and Australian Federal Police may deal with cyber crimes, while the Office of Australian Information Commissioner (OAIC) may deal with breaches involving personal information.”
Deloitte noted this meant penalties may vary significantly and be disproportionate.
“The OAIC can seek penalties of up to $2.1m for breaches of the Privacy Act, which only covers personal information, but there is a gap for system breaches that do not involve personal information but may still affect the Australian community and businesses through issues such as operational disruption.”
Tom Burton has held senior editorial and publishing roles with The Mandarin, The Sydney Morning Herald and as Canberra bureau chief for The Australian Financial Review. He has worked in government, specialising in the communications sector. He has won three Walkley awards. Connect with Tom on Twitter. Email Tom at email@example.com
- Coronavirus pandemic
Scott Morrison is speaking live; With 317 new cases, Victoria has registered the biggest spike of any state or territory since the pandemic began; Ten new cases in NSW over the last 24 hours Follow updates here.
- Joanna Mather, Rohan Sullivan, Lauren Vadnjal, Natasha Rudra and Timothy Moore