The hack of Optus Telecommunications on 22 September 2022, in which the personal information of up to 11.5 million Australians (nearly half of all people in Australia) was stolen, has highlighted the need for cybersecurity reform in Australia. Unlike other countries, there are no mandated fines and penalties for a company being hacked, only penalties for not adequately disclosing the incident and advising customers of what has occurred. Under the Office of the Australian Information Commissioner (OAIC), the Notifiable Data Breaches scheme (NDB) provides a structured approach to disclosing the cybersecurity incident, investigating the incident and preserving information about the attack for future investigation. There are also the Australian Privacy Principles (APPs), which outline how personal information should be protected and handled, but cyber-crime laws date back to 1995 and are not up to date.

It is evident that Australia has a few general cybersecurity-related laws, but it is missing some of the major industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the North American Energy Reliability Corporation’s Critical Infrastructure Protection (NERC-CIP) controls. For these missing regulatory frameworks in Australia, it is recommended that Australian organizations adopt some of the regulatory frameworks from the United States or Europe.

From https://www.appknox.com/blog/glance-australias-cyber-security-laws

Australia lags behind in cybersecurity protections

As with many legal issues within Australia, there is finger-pointing between the Commonwealth (Cth) and the States, each expecting that this is the responsibility of the other. I believe that because cybersecurity issues do not stop at borders, this is a global issue, and the Federal Government needs to set controls and frameworks which are compatible with the rest of the world. There is no equivalent to HIPAA, GDPR, NIST or FIPS 140-2 in Australia; the measures that do exist are industry-specific, such as PCI-DSS for anyone holding credit card information and Defence’s (Australian Signals Directorate) ISM, and they only fill the gap in those industries. The Essential 8 is widespread in Australia, but it has some obsolete measures and hard-to-execute controls. Broadly, there is nothing mandatory in Australia.


Missing Controls

Whilst there are fines and penalties for not disclosing breaches, there are no Federal penalties for not having the appropriate controls and protections in place to prevent hacks and leaks from happening in the first place. Whilst it can be difficult for small businesses to deal with yet more compliance and red tape, there should be measures for medium to large businesses and enterprises, backed with penalties and fines for non-compliance.

Many of the measures and controls in standards are ‘common sense’, and as an IT professional in cybersecurity they are second nature to me to implement. There needs to be more cybersecurity reform in Australia which takes into account the changing and evolving nature of IT, the asymmetrical nature of hackers, and how our security skills become obsolete. Cybersecurity reform in Australia needs to be a constantly reviewed capability, and should never be considered “completed”.

New measures and controls

Based on the recent Optus hack, there need to be standard responses for identity theft and data leakage. Some measures already exist, but should be extended:

  • Credit blocks – alerting credit reference agencies that your identity has been stolen and that they should refuse to provide a credit rating for you, effectively blocking new credit from being taken out in your name
  • Unique identifier replacement – making it easier to generate new passport numbers, Medicare cards, driving licences and other identifiers once an identity theft has occurred
  • Financial and registration companies (telcos, councils, government, etc.) being alerted that your identity has been compromised, and so challenging for more proof of identity before completing actions – such as flagging your account as requiring in-person requests, or additional MFA challenges
  • Divisions and departments within Police and other enforcement agencies to allow them to better understand and support victims of hackers, identity theft and identity disclosure