Earlier this year I mentioned that in 2015 and 2020, I submitted recommendations for the Government’s Cyber Security Strategy. At the time, I argued that there was a serious lack of vision and strategy attached to the policy. A key element was that a range of knee-jerk decisions were over the years piled upon each other by a range of ministers and government agencies. As a result, we ended up with a myriad of policies and regulations made by many State and Federal agencies.
With a new government in place this issue was addressed with the announcement of the formation of the National Office For Cybersecurity.
The government asked for submissions, and in its submission the Communications Alliance, a telecommunications industry body, has called for the consolidation of federal and state cybersecurity strategies and requirements into a single framework.
As our reliance on technology continues to grow, so does the importance of cybersecurity. However, with so many government departments and agencies involved in cybersecurity, businesses can find it challenging to comply with various security regulations.
In its submission to the Department of Home Affairs, which has been seeking public input for the development of a new national cybersecurity strategy, the association noted that businesses are currently faced with multiple overlapping, inconsistent, and sometimes redundant security requirements spread across several federal and state government frameworks sitting in different departments and agencies. This makes it difficult for businesses to manage and comply with cybersecurity regulations.
The association has suggested that consolidating federal and state cybersecurity strategies and requirements into a single framework would help reduce the burden on businesses. It would make it easier for businesses to comply with cybersecurity regulations, especially those that operate globally.
However, harmonisation should not only happen at the national level. The Communications Alliance has also called for international and domestic harmonisation to reduce overlap between global frameworks and those of the Australian Governments. The association argued that there are opportunities to reduce overlap. When there are clear gaps between Australian security requirements and global frameworks, the Australian government should collaborate with partner nations to ensure that these Australian-specific requirements are addressed in the larger globally recognised cybersecurity frameworks.
In addition to harmonisation, the Communications Alliance has pointed out that a significant part of the regulatory burden is the interpretation of vaguely worded legislative requirements. For instance, the definitions of “critical infrastructure” and “asset” in the Security of Critical Infrastructure Act are not clear enough. Comms Alliance urged the government to provide clearer guidance for industry, e.g., with illustrative case studies, to help address the uncertainty caused by these vague definitions.
The Home Affairs minister, Clare O’Neil, has announced that the government would establish a new national cybersecurity coordinator within her department and was also considering a Cyber Security Act. However, the Communications Alliance has expressed concern about the potential opacity of the act and its effectiveness in enforcing cybersecurity resilience or harmonising the current extensive and broad mechanisms that already aim to address cybersecurity in Australia.
There are already many cybersecurity mechanisms in place in Australia, such as the Essential Eight developed by the Australian Cyber Security Centre and Australian Signals Directorate, the Digital Transformation Agency’s Hosting Certification Framework, the Protective Security Policy Framework overseen by the Attorney-General’s Department, the ACSC’s Information Security Manual, and the Information Security Registered Assessors program. Additionally, there are state security frameworks and strategies, as well as specific regulations for some industries.
The Communications Alliance has also noted that mapping and managing these various security compliance requirements is particularly difficult for entities that operate globally, as Australian domestic standards only partly overlap with, or diverge from, global security standards. This highlights the importance of international and domestic harmonisation.
In summary, harmonising federal and state cybersecurity strategies and requirements into a single framework, along with international and domestic harmonisation, would help reduce the regulatory burden on businesses. Clarity on vague legislative requirements, such as the definitions of “critical infrastructure” and “asset,” would also help businesses comply with cybersecurity regulations. However, there is a need for transparency about the proposed Cyber Security Act’s effectiveness and how it would harmonise with the current cybersecurity mechanisms already in place in Australia.
Paul Budde