The Australian government has announced plans to reform Australia’s cyber security framework following several serious data breaches in the last year, including Optus and Medibank. The Australian government’s 2023-2030 Australian Cyber Security Strategy Discussion Paper is available for download here.
On 27 February 2023, Home Affairs Minister Claire O’Neil told ABC Radio that the current laws “are not fit for purpose at the moment, and I do think they need reform”. O’Neil criticized the former Government’s cyber security laws and said that they were “bloody useless” in the wake of the serious Optus and Medibank data breaches.
Australia’s current cyber security framework is governed largely by the Security of Critical Infrastructure Act 2018 (SOCI Act). The SOCI Act, among other things, imposes obligations on responsible entities for certain critical infrastructure assets to comply with certain risk management programs, including providing an annual report to the Australian government on those measures. However, the SOCI Act has been criticized because it ostensibly gives the Australian government the power to take over compromised business systems, and businesses are almost always resistant to granting the government any system access.
In February this year, the Government released a discussion paper to explore reform of Australia’s “patchwork of policies, laws and frameworks that are not keeping up with the challenges presented by the digital age” with a goal to “make Australia a world-leader in cyber security by 2030”. The Australian government has also announced that it will appoint a Coordinator for Cyber Security, supported by a national office within the Department of Home Affairs. Their role will be to ensure a “centrally coordinated approach” to cyber security threats and incidents.
The government’s discussion paper indicates that Australia’s cyber security strategy will be developed in partnership with industry, academia, state and territory governments, and the Australian and international community. The Expert Advisory Board has already commenced consultation on the strategy through a series of roundtables focused on core policy themes, including:
The discussion paper also identifies specific areas for potential action, including:
According to the 2021-22 Threat Report by the Australian Cyber Security Centre, on average, one cyber incident is reported every 7 minutes, with over 76,000 cyber crime reports in 2021-2022. In perhaps the most disastrous examples of cyber threats in Australia, over a three-week period in 2022, the personal data of over 9.8 million Optus customers and 9.7 million Medibank customers was stolen by cyber criminals.
It is clear, then, that measures need to be in place to improve Australia’s cyber security resilience and protect Australians and their personal data.
What those measures look like, how they are implemented, and how they affect Australian individuals and businesses remain to be seen. So watch this space, and if you have any questions arising from this update, please do not hesitate to contact Iain Freeman, Partner in Lavan’s Litigation and Dispute Resolution Team.