The Australian Government released the 2023-2030 Australian Cyber Security Strategy (the Strategy) on 22 November 2023. According to the Department of Home Affairs:
“The Strategy is the roadmap that will help realise the Australian Government’s vision of becoming a world leader in cyber security by 2030. To achieve this vision, we need to protect Australians. Through the Strategy we seek to improve our cyber security, manage cyber risks and better support citizens and Australian businesses to manage the cyber environment around them. We will do this with six cyber shields.”
The six shields set out in the Strategy are:
- Strong businesses and citizens
- Safe technology
- World-class threat sharing and blocking
- Protected critical infrastructure
- Sovereign capabilities
- Resilient region and global leadership
We will be providing summaries and commentary on each of the six shields. We have set out our summary and commentary on shield 1, and we set out our take on shield 2 below.
Shield 2 – Safe technology
The vision behind shield 2 is twofold:
- the safety of digital assets: adopting uniform cyber security standards across technology and software markets (so that digital products and services are safe and fit for purpose), as well as the safe adoption of emerging technologies (such as AI and quantum), and
- the protection of valuable datasets: creating guidance for the protection of commercial, sensitive or critical datasets that fall outside of the scope of existing regulations.
The Government aims to achieve this by:
- encouraging the adoption by industry of international security standards for digital technologies such as IoT devices and legislating mandatory cyber security standards for IoT devices
- developing a framework for assessing national security risks associated with certain digital products and services
- implementing a voluntary labelling scheme for consumer smart devices (aligned with similar schemes overseas) and co-designing with industry a voluntary code of practice for app stores and app development covering software security standards and secure-by-design and secure-by-default practices
- identifying datasets in the Australian economy that are the most sensitive, critical and crucial to national interests and assessing whether the applicable existing data protections and settings are proportionate and effective
- reviewing, and exploring options to minimise, legislative data retention requirements with a view to reducing the burden on businesses associated with an obligation to hold vast datasets for lengthy time periods, and the resulting risk of businesses becoming a target for malicious actors, and
- developing a voluntary data classification model to guide industry in assessing the value of their data holdings in a consistent manner.
The introduction of a national security risk assessment framework for assessing risks associated with technology vendors’ products and services would be a positive step, given the current lack of guidance available. We also welcome steps being taken to minimise data retention requirements, which most businesses should already be looking at in the face of the current cyber threat. However, how a number of the measures set out in shield 2 will be implemented (and how they will remain current or relevant as technology develops) remains a challenge to shield 2 being successfully actioned. In particular:
- A number of the proposed initiatives rely on either industry buy-in or effective co-operation with international partners. For example, in relation to the adoption of international security standards for technology products and services, the Government commits to ‘working with industry to encourage’ such adoption, but the risk is that technology product and service providers may not welcome Government input or intervention into how their technologies are designed. The same is true of the consumer devices labelling scheme, the security-related code of practice for apps and app stores and the data classification model, all of which are voluntary. Consequently, a lack of buy-in or poor take-up of these initiatives by the relevant parties could largely thwart the objectives behind them.
- In relation to new and emerging technologies, the Strategy acknowledges that ‘innovations are near impossible to predict’ and that ‘it will become increasingly difficult for the average person to distinguish legitimate communication from malicious attacks and fraud’. However, there is little detail in the Strategy on the measures that will be taken to counter the increased cyber threats and security risks posed by new and emerging technologies. In relation to the cryptography risk posed by quantum computing, W+K welcomes the important work to be undertaken in relation to setting standards for post-quantum cryptography which we hope will ensure the long-term viability of this important weapon in the security arsenal.
- Regulation of datasets will impose additional compliance costs and bring new risks and liabilities for businesses. It requires careful consultation with all industries to ensure that the desire to minimise and regulate data does not impact business operations and continuity, or lead to unforeseen liability risks if data is no longer available.