Australia’s government has issued a white paper as part of its initiative to remake cybersecurity regulation. Last year, the government in Canberra published a handful of cybersecurity documents, including draft legislation, that would impose mandatory cybersecurity standards for critical infrastructure and mandatory reporting of cyber incidents. As has been the case over the recent past, Canberra has considered and enacted cutting edge policy in the fields of technology, a trend that appears ongoing. This newest white paper considers the problem of cybersecurity across the Australian economy (i.e., beyond so-called critical infrastructure) and seeks input from those who will be regulated and other stakeholders. Some of these proposals would be mandatory and some would be voluntary. Before I start with the new white paper, some background would be helpful.
In August 2020, Australia issued a new Cyber Security Strategy to replace its 2016 strategy and proposed to change incrementally how the nation would approach cybersecurity and data protection, paired with more funding for these activities (see here for more detail and analysis.) Notably, the government of Prime Minister Scott Morrison seemed to be proposing a set of binding cybersecurity standards on certain sectors of critical infrastructure and a program of offensive cyber operations as a means of fending off threats from malicious nation-state and criminal actors. Canberra also floated a voluntary code of conduct for the manufacturers and developers of Internet of Things (IoT) devices and a rewrite of privacy and data protection laws. In preparation for this strategy, Australia released a call for views in September 2019 on a discussion paper and received more than 200 comments.
In November 2020, the Department of Home Affairs (Home Affairs or Department) drafted and released for feedback legislation based, in large part, on input from a white paper published over the summer (see here for more detail and analysis.) In its press release, Home Affairs contended “[t]he Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of critical infrastructure and systems of national significance.” Home Affairs stated “[a]s part of the next stage of development of these reforms, we are seeking views on:
- the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill)
- the Bill’s accompanying draft Explanatory Document
- the Exposure Draft of the Intelligence Services Regulations 2020 (the Regulations)
- the Regulations’ accompanying Explanatory Statement.”
The Department explained “[t]he Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure…[and] [t]he Regulations support the operation of the Bill’s assistance and cooperation measures.”
In December 2020, the Liberal–National Coalition introduced the “Security Legislation Amendment (Critical Infrastructure) Bill 2020” in the House of Representatives, but it has not been acted upon. The government said in its explanatory memorandum it will:
…introduce an enhanced regulatory framework, building on existing requirements under the SOCI Act. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 gives effect to this framework by introducing:
- additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;
- enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and
- government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia’s critical infrastructure
Turning to the government’s new white paper, “Strengthening Australia’s cyber security regulations and incentives,” Home Affairs explained its new proposal builds upon the government’s earlier thinking and white papers as well as the work of a private-sector advisory body:
This paper seeks your views about how the Australian Government can incentivise businesses to invest in cyber security, including through possible regulatory changes. This work is an initiative of Australia’s Cyber Security Strategy 2020 (the Cyber Security Strategy) and progresses recommendations of the 2020 Cyber Security Strategy Industry Advisory Panel. It will build on the Government’s security of critical infrastructure reforms by uplifting the cyber security of all digitally enabled businesses, and will ultimately support the Government’s goal of being a leading digital economy by 2030.
In July 2020, Australia’s 2020 Cyber Security Strategy Industry Advisory Panel issued its report and recommendations “to provide strategic advice to support the development of Australia’s 2020 Cyber Security Strategy.”
Having laid that foundation, let us turn back to the government’s call for views. After a chapter detailing the harms that insufficient or ineffective cybersecurity has wreaked on Australia, Home Affairs summarized what it saw as the key points of the chapter covering what action, if any, the government should take:
- Businesses don’t always make the right investments in cyber security because of weak commercial incentives.
- There is evidence that businesses find it difficult to compete on the basis of cyber security and that cyber risks are often transferred to third parties like customers and suppliers.
- Government intervention could be effective in encouraging businesses to better manage cyber risk and promoting ‘secure by design’ principles.
Home Affairs identified key or common points those who submitted comments made:
- A number of stakeholders we consulted for the Cyber Security Strategy told us that market forces alone haven’t, won’t or aren’t able to uplift the cyber security of the economy at scale. Many parties told us that ‘until there’s regulation and consequences it’s hard to drive change’.
- Stakeholders told us that technology and threats are advancing faster than regulation and law reform. Many stakeholders asked us to implement a ‘secure by design’ principle in law or to ensure that basic controls like patching are implemented consistently. Businesses told us that without this action it is very difficult for an organisation to know if third-party suppliers are adequately controlling risks.
- We heard consistent calls for some kind of baseline cyber security standards or regulations outside of those applying to critical infrastructure, either for digital goods and services in general or in specific areas like smart consumer devices.
And so, according to the Department, the consensus is that the current approach of a largely voluntary scheme does not work, and Canberra needs to step in to change the incentive structure. However, for some, a solution may be as simple as identifying acceptable cyber standards Australian firms must meet, with failure to do so resulting in penalties.
Going back to the summary of this chapter, the Department elaborated on the first point (“weak commercial incentives”):
Two key market failures act against more widespread adoption of effective cyber risk management by business: negative externalities and information failures.
In this instance the negative externality “happens in cyber security when a decision by a business to underinvest in cyber security negatively impacts that business’ customers and suppliers.” This has been seen the world over. For example, if the allegations that SolarWinds failed to maintain the most basic cybersecurity are true, that massive supply chain hack would qualify as a classic example of the type of negative externalities flowing from poor security. Home Affairs was careful in pointing out that there may not be malice or recklessness in failing to consider negative externalities; businesses may simply not appreciate how underinvestment or failure to maintain security affects other parties and customers. Home Affairs nailed this consideration in one sentence: “[i]gnoring cyber security advice and doing nothing is rational where the expected cost of investing in cyber security (including the cost of working out what to do) is greater than the likely loss to the business from a cyber incident.” Consequently, it stands to reason that changing this equation will change cybersecurity by making the likely loss to the business greater than the expected cost of investing in cybersecurity.
The Department also looked at large technology companies’ negative externalities:
Sometimes negative externalities result in cyber security risk being passed down the supply chain, from suppliers of technology to end users (both businesses and individuals). Unfortunately, end users almost always have less capability to manage cyber security risk compared to the technology companies that supplied the software or device.
Perhaps Canberra, or another government, would be wise to extend the financial services liability model to all developers and manufacturers of technology such that weak or lax security would result in financial losses in making users whole. This could rearrange the incentive structure for technology companies to drive better security through their supply chains and, by extension, for their customers, which is often most of the business and personal sectors.
Home Affairs flagged another problem with incentives: “technology companies may prioritise their own reputation and commercial interests over the interests of their customers.” This could manifest in a number of ways, including tech firms lobbying governments to focus on the cybersecurity of the buyers and users of their products instead of the products themselves. In their public remarks and advertising, technology companies could also foster this message. It would appear this incentive structure would need changing, too.
The Department then turned to another misaligned market incentive. Buyers and users of technology lack a reliable, transparent, and trusted means of comparing technology products in terms of security. Home Affairs noted “[e]ven with technical capability, it is costly and time-consuming for buyers to independently verify the security of products.” Consequently, because technology companies do not generally need to worry that shoddy and insecure products will be exposed, there is the lack of an incentive to offer the best possible products.
In the United States (U.S.), and likely elsewhere, too, legislators have proposed the establishment of a federal rating system for cybersecurity along the lines of the Environmental Protection Agency’s Energy Star program that informs buyers about the energy efficiency of appliances. Admittedly, Senator Ed Markey (D-MA) and Representative Ted Lieu’s (D-CA) bill would only “create a voluntary cybersecurity certification program for Internet of Things (IoT) devices.”
Home Affairs did not offer legal or policy solutions and is instead asking for input on these questions:
- What are the factors preventing the adoption of cyber security best practice in Australia?
- Do negative externalities and information asymmetries create a need for Government action on cyber security? Why or why not?
Home Affairs proceeded to examine Australia’s current laws and how effectively cybersecurity is regulated through them. The Department identified three economy-wide statutes: the “Privacy Act 1988,” the “Australian Consumer Law,” and the “Corporations Act 2001.” Home Affairs also recognized the sector-specific laws in Australia for certain critical infrastructure. The Department noted the government is proposing a “Positive Security Obligation” under the “reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act) introduced to Parliament on 10 December 2020.” The Department added it “is currently working with industry peak bodies, existing regulators, state and territory governments, and critical infrastructure entities to co-design sector-specific Rules to underpin the Positive Security Obligation, which could include cyber security standards.”
Home Affairs concluded:
- Despite current limitations, there is opportunity to use Australia’s legal framework to support the Government’s goal of being a leading digital economy by 2030. We know that when we get the policy settings right investment confidence and economic activity increase. The risk of poor regulatory settings is that regulatory burden makes it difficult for businesses to operate in Australia, which costs our economy.
- This paper provides specific suggestions about how to avoid unnecessary regulatory burden and realise the economic benefits of strong cyber security. We welcome your views about how to get the balance right, and how we can make things simple for all businesses in Australia.
The Department posed these questions for feedback on possible changes to Australian law, regulations, or policy:
- What are the strengths and limitations of Australia’s current regulatory framework for cyber security?
- How could Australia’s current regulatory environment evolve to improve clarity, coverage and enforcement of cyber security requirements?
Home Affairs proposed a three-part framework:
- Set clear minimum expectations: Clear minimum expectations for businesses to manage cyber security risks
- Increase transparency and disclosure: Clear information for businesses and households about the security of technology products
- Protecting consumers: Clear legal remedies for consumers after a cyber security incident occurs
Under the first prong, Home Affairs first addressed large businesses. The Department asserted:
We are seeking your feedback about the best way to encourage stronger cyber security risk management within large businesses. This could include setting voluntary or mandatory standards for large businesses, further education and capability raising, or both. Any action we take in this area would seek to be proportionate, achievable, and internationally consistent….
Home Affairs offered three options and discussed the benefits and costs of each: 1) the “Status quo;” 2) “Voluntary governance standards for larger businesses;” and 3) “Mandatory governance standards for larger businesses.”
The Department next discussed “Minimum standards for personal information” as being part of “Set clear minimum expectations.” Home Affairs stated:
During previous industry engagement, you told us that established and cost effective technical controls could mitigate a significant proportion of unsophisticated cyber-attacks. Your advice was to prioritise adoption of controls such as encryption of data in transit and at rest, strong passwords, multi-factor authentication and timely application of critical patches.
The Department remarked that “[o]ur desktop research supports this advice.” It bears noting that Australia is among those western nations pressuring technology companies against using encryption of data, especially on popular platforms like WhatsApp and Telegram, and also against the use of default end-to-end encryption on devices like iPhones and Androids. Australia, the U.S., the United Kingdom (UK) and others have argued that without the means to access encrypted communications, criminals, terrorists, and those victimizing children cannot be surveilled and apprehended. Home Affairs does not discuss how the use of encryption to drive better cybersecurity across the Australian economy would comport with technical means to access encrypted content.
Home Affairs then quoted statistics showing the poor uptake among firms in the U.S. of basic cyber hygiene, the likes of which Google and Microsoft claim would address 99% of automated attacks.
Canberra’s apparent solution is the development of technical standards entities would presumably start using even though there are a plethora of internationally recognized technical standards Australian businesses could be using right now. The Department asserted:
- One way to encourage the uptake of these cyber security best practices is through technical standards, which has been a consistent theme of stakeholder feedback, including the Cyber Security Strategy Industry Advisory Panel (see below). There is evidence that Australia has been slow to adopt cyber security standards. Common barriers to standards adoption include uncertainty about which standards to adopt, low commercial and regulatory incentives for adoption, and costs (particularly for technical changes and third party audits). Another barrier is that if standards are overly prescriptive they can have the unintended consequence of driving ‘tick-a-box compliance culture’. This may result in organisations becoming complacent and not critically assessing their cyber security requirements.
- We are seeking your feedback on whether cyber security resilience could be raised across the economy by accelerating the adoption of technical standards, and how this would work in practice.
The Department offered two options: 1) “Status quo” or 2) “Cyber security code for personal information,” which may have some mandatory components. Home Affairs stated:
- Creating an enforceable code under a federal piece of legislation is one option to increase the adoption of cyber security standards across the economy by providing a strong regulatory incentive and directly addressing some of the common barriers identified above. However, there is no single existing act that governs cyber security expectations across the whole economy.
- Our intent would be for a code to specify minimum, rather than best practice approaches, and could be a combination of specific and principles-based requirements. This will ensure the code strikes the right balance between clarity and flexibility.
- The code could target specific kinds of technology, sectors or kinds of data. We are particularly interested in your feedback about high-impact lower-cost cyber security controls that could be included in a code. We are also interested in whether a code could be targeted towards higher risk entities or technology providers that service large numbers of other businesses.
Home Affairs considered next “Standards for smart devices” (aka IoT). The Department said:
- On 3 September 2020, the Australian Government released the voluntary Code of Practice: Securing the Internet of Things for Consumers (Code of Practice). The Code of Practice contains thirteen principles that signal Government expectations to manufacturers about the security of smart products.
- These principles align with international approaches, such as the UK’s Code of Practice and the European Telecommunication Standards Institute (ETSI) baseline standard on smart devices (ETSI EN 303 645).
- The Australian Cyber Security Centre has also developed complementary IoT guidance to help individuals, families and small and medium businesses buy, use and dispose of IoT devices securely.
Home Affairs added:
Major manufacturers we interviewed told us that voluntary, principles-based guidance has a limited impact on business decision-making and that they would prefer Australia to point to internationally aligned standards. While major brands we spoke to had good intentions to implement strong cyber security, we were able to identify some high priority, low cost parts of the Code of Practice that had not been implemented consistently (see callout box below). We found it very difficult to engage manufacturers from the lower-cost end of the market in our research, which suggests that our voluntary guidance is likely to have had less impact on that part of the market.
Nonetheless, the Department again framed the choice as doing nothing or doing something substantial, and in the case of IoT, the something substantial is a mandatory standard for smart devices:
- The standard would require manufacturers to implement baseline cyber security requirements for smart devices. To ensure international consistency and adoption of best practice, we propose that Australia consider adopting ETSI EN 303 645.
- The whole of the ETSI standard could be mandated or we could follow the footsteps of the UK and mandate only its top 3 requirements. The former would ensure that all aspects of cyber security are captured through the standard, while the latter would capture the highest priority principles but would place less burden on industry in the short-term.
- The standard would need to be established in legislation. Our analysis is that there is no convenient way to implement a standard for smart devices under current Australian laws and that new legislation would likely be required. An existing (yet to be determined) regulator would be responsible for educating manufacturers about the standard and taking enforcement action if needed.
To sum up, Home Affairs is spelling out a scenario in which a mandatory standard, harmonized with some existing international schemes, would be legislated for smart devices sold in Australia. Moreover, a new regulator would need to be created or these responsibilities added to the portfolio of an existing agency.
In the second part, “Increase transparency and disclosure,” Home Affairs commences with a discussion of “Labelling for smart devices.” The Department contended:
Labelling schemes can be effective in changing consumer behaviour (see case study below) and are widely used in Australia for nutritional information and energy, water and fuel efficiency. There is evidence that consumers think that cyber security is an important buying consideration and worth paying for. For these reasons, we think that a cyber security labelling scheme could be successful in Australia.
Home Affairs proposed the status quo, a voluntary “star rating system,” or a mandatory “expiry date label.” The Department spelled out its thinking on a star rating system:
The practical details of how a voluntary labelling scheme would work in Australia could be based on an existing scheme or shaped by industry through a co-design process. For discussion purposes, we suggest that a label have the following features:
- Coverage — any consumer smart device intended to be connected to the internet or a home network. This would include devices such as children’s toys, smart home devices, smart appliances and wearables. Mobile phones could be excluded, depending on your feedback.
- Labels — labels could be used in online marketing material and/or physical packaging. There is evidence that star rating labels (like Singapore’s) are the most effective in guiding consumers through complex choices.
- Requirements and enforcement — an existing international framework would be used, such as Singapore’s scheme which aligns with the requirements of ETSI standard EN 303 645. Self-certification and/or independent testing could be used to ensure compliance. Any self-assessments would be approved by an administration body. The Australian Consumer Law would deter manufacturers from making misleading or deceptive claims about security.
- Complement standards — a voluntary labelling scheme could complement mandatory standards for smart devices (Chapter 6) because it would allow businesses to highlight where they have chosen to go above minimum requirements. This is an approach that is adopted for other products like road vehicles, where mandatory safety standards and voluntary labelling complement each other.
Under the expiry date label approach, Home Affairs explained:
This option considers a mandatory label for smart devices, which would meet a recommendation of the Cyber Security Strategy Industry Advisory Panel. A mandatory label could take the form of an expiry date label, which would display the length of time that security updates will be provided for the smart device (as a proxy indicator for the device’s overall level of security). This kind of label would not require independent security testing, and therefore would be a lower cost approach compared to a star rating label.
The Department moved onto the next part of increasing transparency and disclosure: “Responsible disclosure policies:”
Responsible vulnerability disclosure is a process where security researchers find and report vulnerabilities to software developers, businesses or agreed third parties, including Government. This allows the software owner to develop a patch before the vulnerability is discovered by a malicious actor. Ordinarily, vulnerabilities and mitigations are disclosed to the public after patches are developed. In some cases, a public disclosure after between 45 and 90 days may be considered to encourage a reluctant vendor to patch systems or software. This process provides benefits to businesses, security researchers and end users.
What Home Affairs does not discuss, however, is that the U.S., UK, People’s Republic of China, the Russian Federation and other governments (possibly including Australia) collect and use vulnerabilities to enable espionage and for other purposes. Some of these governments have processes by which they determine which vulnerabilities are shared with the technology companies whose hardware or software has the vulnerability. The Department is proposing a system that would create incentives (both voluntary and mandatory) for researchers and hackers to turn over vulnerabilities to companies, with no recognition of the market for vulnerabilities that security services and more malicious actors use.
The Home Affairs Department next turns to “Health checks for small businesses,” which could take the form of “a voluntary cyber security health check program.” The Department stated:
On completion of the health check, the small business would be awarded a trust mark which they could use in marketing their business (see example in Figure 4). We anticipate that a health check would be most relevant in situations where a business’ customers are concerned about cyber security, for example where sensitive data is involved or to address supply chain risk.
In the third part (“Protecting consumers”), the Department begins with “Clear legal remedies for consumers.” Home Affairs stated:
- Currently, there are limited legal options for consumers to seek remedies or compensation for cyber security incidents. Existing laws, such as the Tort of Negligence and the Australian Consumer Law (ACL), have played a prominent role in legal action for physical goods. However, to our knowledge they have not been used to compensate consumers for cyber security incidents.
- Earlier in this discussion paper, we discussed the need to increase transparency and disclosure, and explored options for providing consumers with information to make better purchasing decisions. Building on this principle, we believe that stronger rights of recourse for cyber security could provide appropriate compensation after an incident and incentivise technology companies to maintain acceptable levels of cyber security.
The Department provided an overview of the actions Australia is considering to provide people with redress as part of the solution for driving better cybersecurity:
- Commonwealth, state and territory ministers responsible for Australia’s consumer law have requested the development of a regulatory impact assessment of specific options to improve compliance with the ACL consumer guarantees. Importantly, the regulatory impact statement will examine whether a civil prohibition should be introduced for failing to provide a consumer guarantee remedy. This would provide the Australian Competition and Consumer Commission (ACCC) with more options to directly enforce consumer guarantees in certain circumstances. This would help address some of the barriers described above (including identifying the responsible business, determining what went wrong and improving access to justice).
- Treasury is leading this work on behalf of all states and territories and will undertake a consultation process in the coming months.
- Separately, Treasury will also consult state and territory officials on exploring whether the ACL’s application to digital products should be clarified to ensure there are no unintended gaps in the operation of the law. This could include consideration of existing product recall powers to treat physical recalls and software updates equally.
- A direct right of action for privacy breaches is currently being explored as part of the Privacy Act Review. This would mean that in certain circumstances victims of cyber security incidents involving personal information could take businesses who have not taken reasonable steps to protect this personal information (which may include through implementing adequate cyber security practices) to court and seek damages.
- In 2019, the ACCC published its findings from the Digital Platforms Inquiry and recommended that individuals should be given a direct right to bring actions and class actions in court to seek compensation for an interference with their privacy under the Privacy Act. The Government has indicated that it supports this recommendation in principle, subject to consultation and design of specific measures.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.