The Government says that the strategy seeks to enhance Australia’s cyber security capability by delivering certain new initiatives. To achieve those initiatives, the Government has pledged $230 million over the next four years. Over that period, the Government plans on framing Australia’s cyber security improvement around the following five broad themes:
- A national cyber partnership: bringing governments, business and the research community together to advance Australia’s cyber security through a national cyber partnership;
- Strong cyber defences: ensuring that Australia’s networks and systems are hard to compromise and resilient to cyber attacks;
- Global responsibility and influence: promoting an open, free and secure cyberspace by taking global responsibility and exercising international influence;
- Growth and innovation: allowing Australian businesses to grow and prosper through cyber security innovation; and
- A cyber smart nation: ensuring that Australians have the cyber security skills and knowledge to thrive in the digital age.
Within each broad theme, the Government has proposed specific actions that it will undertake. These cut across areas as broad as foreign policy, defence, criminal law enforcement, government structures, research and development and more. For present purposes, we focus on a few key actions proposed which we think have potential implications for corporate governance and managing cyber risk in the private sector:
Voluntary guidelines: A particularly strong theme throughout the strategy is the interconnectedness of governments, business and academia in producing a strong national cyber partnership. The Government recognises that the most effective way to build that partnership is through the voluntary participation of all those involved.
The Government thus proposes implementing national voluntary cyber security guidelines, co-designed with the private sector, that will specify good practice; introducing voluntary cyber security ‘health checks’ for ASX100 listed entities; and supporting small businesses to have their cyber security tested.
Information sharing: The Government proposes joint cyber threat sharing centres and an online cyber threat sharing portal. The Government comments that by securely sharing sensitive information and working together, in real time where possible, a stronger collective understanding and ability to analyse and predict cyber security threats can be developed.
Addressing the shortage of cyber security professionals in the workforce: In our previous Cyber Bytes article, we reported on the Government’s commitment to establishing the Cyber Security Growth Centre, which is aimed at growing and strengthening Australia’s cyber security industry. The strategy expands on this initiative.
The proposal outlined in the strategy to address the shortage of cyber security professionals in the workforce is essentially twofold in focus: at an academic level and at a workforce level. The Government will implement targeted actions at all levels of Australia’s education system, starting with academic centres of cyber security excellence in universities, at both undergraduate and postgraduate level. The Government also proposes to introduce programs for people at all levels in the workforce to improve their cyber security skills and knowledge (starting with those in executive level positions).
The Government anticipates that, by utilising this twofold approach, Australia will develop a workforce with the right skills and expertise that can help take full advantage of the opportunities in cyberspace.
So what are the takeaway messages for business arising out of these initiatives? We draw out the following key implications:
- Information sharing / disclosure – with the long-anticipated data breach notification legislation still not introduced into Parliament (and with a federal election now looming), Australia remains without any mandatory disclosure regime with respect to data breaches. Even if and when that legislation is introduced, its focus will be limited to data breaches relating to personal information, which will cover many cyber incidents but certainly not all. A system of disclosing and sharing information in relation to known cyber threats, albeit on a voluntary basis, is undoubtedly a positive step in the interests of the business community as a whole and a means of enabling companies to be well equipped to defend against such threats;
- Complying with guidelines – again, this is being mooted as another voluntary initiative, rather than a mandatory one. However, there will no doubt be potential implications from both a risk management perspective and a liability perspective if, in the face of such voluntary guidelines, companies do not adopt measures which are widely accepted as best practice;
- Upskilled workforce – with a greater emphasis on training the workforce and increasing the number and quality of cyber security professionals, there will likely be a greater expectation on businesses to hire people with the right skills and ensure existing employees are properly trained in the area. Again, this is a risk management issue where businesses may leave themselves exposed by not availing themselves of that more specialised skill set as it becomes more readily accessible; and
- Management and executive cyber literacy – the fact that the Government has prioritised introducing programs to improve the cyber security skills and knowledge of those in executive positions demonstrates that there will be an increasing level of scrutiny on the ability of boards and management to handle cyber risk issues. We expect there to be an increased expectation that those in senior governance positions, and not just those in IT related roles, will have at least a minimum level of cyber literacy and will be actively managing cyber risk in their organisations.
This article was written by Andrew Miers, Partner, Matthew Hunter, Senior Associate and Patrick Byrne, Trainee Solicitor.