This week, Prime Minister, the Hon Scott Morrison MP, was able to gain international support at the G7 meetings for measures to tackle online content that promotes terror and hate speech.
This is not the first time Mr Morrison has shown a significant interest on cyber security, with the Prime Minister announcing several measures, including substantial funding for the Australian Cyber Security Centre, to ensure that Australians are better protected online.
Given this, what should business and industry know about cyber security in Australia?
For large-scale change to occur in any area, including cyber security, there are typically catalyst events that cause Government and their departments to heed a ‘call to action’. In Australia, the cyber security space has had three such events this year.
Firstly, 2019 has seen large-scale public Australian institutions become the victims of high-profile and elaborate cyber breaches, including the breach of staff and student data at Australian National University in June 2019 and a cyber-attack on the Federal Parliamentary computer network in February 2019.
This string of cyber breaches has prompted Mr Morrison and the outgoing Director-General of the Australian Signals Directorate (ASD), Mr Mike Burgess, to make commitments to strengthen cyber security capabilities, with significant funding announcements made throughout the election period. However, most pertinent for business and industry is that ASD has made a concerted effort to ensure private organisations are aware that their organisation is responsible to take all reasonable measures to make the any information they store cyber resilient.
Secondly, the existing roadmap for cyber security policy, Australia’s Cyber Security Strategy, was intended to fund initiatives across five identified themes for period until 2020. This means that with the existing strategy reaching the conclusion of its initial investment it is likely that the Government and the Department of Defence will be refreshing the strategy in the near future to account for the wide-scale change that continues to occur in the cyber space.
A positive for business and industry is that the Government is typically viewed as pragmatic when it comes to its policy agenda and is unlikely to enact large-scale changes or ‘tear up the book’ in the process of refreshing Australia’s cyber security policy.
Finally, Australia’s chief cyber security public servant, Mr Mike Burgess was recently announced as the new Director-General of the Australian Security and Intelligence Organisation (ASIO) and will be departing his role as Director-General of the Australian Signals Directorate in mid-September 2019. This means that there will likely be a new Director-General taking over at the Australian Signal Directorate before the end of 2019.
In his time as the head of ASD, Mr Burgess was credited for bringing cyber security in Australia out of the darkness and allowed stakeholders to engage in frank and open discussions with ASD. With little information known about who Mr Burgess’ successor will be, it is unclear whether they will follow with his more transparent and consultative approach to policy development and implementation or whether ASD will once again become shroud in mystery.
These three main events in the cyber security space will likely serve as the catalyst for the Government to place a greater focus on cyber security policy towards the end of the calendar year.
With this in mind, what does this focus on cyber security mean for business going forward?
Firstly, business and industry should be evaluating how reliant are they on cyber infrastructure. The answer to this question will heavily dictate what action you will need to take going forward should there be any changes in cyber security policy.
If your business is heavily reliant on cyber infrastructure, now may be the time to have a ‘cyber security stocktake’ and consider whether your business is resilient to a cyber threat. This is a particularly pertinent point if your business retains a high level of personal data, given that the Government is looking to give individuals greater access and rights to their data.
As part of this, business and industry may wish to be proactive and engage with the Government and Public Service in order to clarify if there are any further measures that you can take to ensure that your cyber infrastructure is attack resilient as is the expectation of ASD.