Australian government doubles down on cybersecurity following major attacks

The Australian government is drawing up plans to revamp cybersecurity laws and regulations in the wake of a series of high-profile damaging data breaches that have rocked the country.

Government officials recently released a so-called consultation document that outlines specific proposals and solicits private sector input in what it calls a strategy to position the nation as a world leader in cybersecurity by 2030.

As well as closing gaps in existing cybercrime laws, Australian lawmakers hope to amend the country’s Security of Critical Infrastructure (SOCI) Act 2018 to place greater emphasis on threat prevention, information sharing and cyber incident response.

Weaknesses in Australia’s response to cyber incidents were laid bare in the September 2022 cyber attack on telecoms provider Optus, followed in October by a ransomware attack against health insurance company Medibank.

Millions of sensitive records were subsequently exposed, including biometric data from driving licences and passport photos, after the attackers scraped an Optus database containing consumer records; the Medibank breach exposed millions of patient records.

“Both breaches occurred due to basic errors and poor cyber hygiene, so were avoidable,” says Richard Sorosina, technical security manager for Qualys Australia and New Zealand.

Australia’s cyber resilience came under painful scrutiny in November 2023, when a nationwide outage left Optus’ landline and mobile customers without internet access. The outage was attributed to a problem with updating the Border Gateway Protocol (BGP) routing table.

Then, days later, came a massive cyberattack on the maritime sector that led to long disruptions in four Australian ports.

IT strategy reform

The cyberattacks on Optus, Medibank and the nation’s ports were highly public incidents that affected citizens and businesses, and pushed cybersecurity higher on the nation’s political agenda. In response, the Australian government revised its cybersecurity strategy and launched the consultation process on legislative and regulatory reforms.

Clare O’Neil, Australian Minister for Cyber Security, said in a statement that the Government is committed to working with the private sector to usher in a “new era of public-private partnership to improve Australia’s cybersecurity and resilience”.

Australia’s new cybersecurity legislation covers a wide range of measures, including imposing secure-by-design standards for Internet of Things (IoT) devices, establishing a ransomware reporting rule, creating a “limited use” requirement for incident information sharing and the establishment of a national cyber incident review board.

Also on the agenda are reforms to the Security of Critical Infrastructure Act 2018, aimed at addressing cybersecurity deficiencies highlighted by recent breaches.

These revisions include providing more prescriptive guidance for critical industries such as utilities and telecommunications, simplifying information sharing, providing guidance for risk management programs, and strengthening security requirements for the telecommunications sector under the SOCI Act.

Casey Ellis, founder, president and chief strategy officer of Bugcrowd, says the Australian government is making the right moves. “The [Cyber Security Strategy] consultation document addresses IoT security, ransomware reporting, incident sharing and critical infrastructure management, reporting and accountability, which are certainly all areas of weakness in Australian policy,” Ellis says.

Big country, big challenges for cybersecurity

The sheer size of Australia makes it difficult to protect critical infrastructure, especially for strategic sectors such as mining, which is highly dispersed and has sites in remote locations.

Meanwhile, mining, maritime and utility operators are abandoning legacy technologies and embracing Internet-connected and IoT technologies to manage and monitor their infrastructure more efficiently. But this embrace of digital transformation has often left legacy equipment exposed to cyber threats.

“To ensure attacks like the one on Australian ports remain isolated rather than a common occurrence, the Government is rightly examining how to legislate a national policy on critical infrastructure and looking to other countries for lessons on how to protect the major attack surfaces endured outside the IT/OT convergence,” says Shane Read, CISO at Goldlock, a physical cybersecurity startup.

However, Australia has neither the size nor the population to tackle the problem on its own, so referring to known global standards where possible makes sense, according to independent experts.

“Australia has looked to the UK/US/EU for guidance on cybersecurity policy,” notes Qualys’ Sorosina.

Like many other countries, Australia is struggling to close the cybersecurity skills gap.

Phillip Ivancic, head of APAC solutions at Synopsys Software Integrity Group, says that due to the small population compared to the size of the economy, there is a “huge shortage of qualified engineers and cybersecurity experts” in Australia.

“That’s why the government’s move to be more prescriptive and provide true standards-based guidance, as well as enforce change through mandates, should be welcomed,” Ivancic says. “We simply don’t have the scale to go it alone, and imposing international standards that are already widely used is the right approach.”

According to Ivancic, the government’s policy proposals lack key elements such as controls over software supply chains, for example software bills of materials that list the components that make up applications. It’s a “glaring gap,” he says.

Major investments in cybersecurity

The path to becoming a cyber-secure nation is not just a government responsibility. Recognizing its own stake in better cybersecurity, the Australian private sector is also making significant investments in improving its practices.

Australian organizations will spend more than A$7.3 billion on information security and risk management products and services in 2024, an increase of 11.5% compared to 2023, according to Gartner. Cloud security will enjoy the largest increase, reaching A$248 million (up 26.9% year-on-year).

According to Gartner, the increase in spending is driven by a combination of high-profile cyberattacks and increased regulatory obligations.

Bugcrowd’s Ellis believes Australia’s effort to become a leader in cybersecurity is achievable. “Australia has always been a nation of innovators and rule-breakers and I believe the goal of becoming a world leader in cybersecurity, while ambitious, is achievable.”
