The Federal Government plans to overhaul the country’s cybersecurity agenda in the wake of last year’s disastrous data breaches on Optus and Medibank, which compromised the personal information of almost 10 million Australians in two of the largest attacks in the nation’s history.

The hackers were able to access information including names, dates of birth, driver licence numbers, and, in the case of Medibank, highly sensitive medical details including instances of mental health and drug addiction.

A burden was placed on State and Federal Government departments to replace large amounts of identification, calling into question the relationship between government and business in responding to cyber incidents and igniting an intense public discussion about the vulnerability of data.

On 27 February, Home Affairs Minister Claire O’Neil slammed the former Government’s cyber security laws as “useless and flawed” after the Government found itself unable to respond effectively to the Optus and Medibank incidents in September and October.

“In those events, we were meant to have at our disposal a piece of law that was passed by the former Government to help us engage with companies under cyber-attack, and that law was bloody useless, like not worth being printed on paper when it came to usually using it in a cyber incident,” O’Neil told ABC radio.

“[The laws] are not fit for purpose at the moment, and I do think they need reform.”

Her comments came as Prime Minister Anthony Albanese led a cyber security roundtable with leaders from the public service and intelligence agencies, and independent experts from business and industry to discuss stepping up defences in public and corporate systems.

The Government this week announced it will appoint a Coordinator for Cyber Security, supported by a new National Office within the Department of Home Affairs, to ensure a “centrally coordinated approach”.

“Australia has a patchwork of policies, laws and frameworks that are not keeping up with the challenges presented by the digital age. Voluntary measures and poorly executed plans will not get Australia where we need to be to thrive in the contested environment of 2030,” O’Neil said.

O’Neil also released a discussion paper to canvass new laws and seek views from industry on how to streamline current legislation and policy. The paper is also seeking answers to the role governments should play in improving Australia’s cyber resilience.

There are 21 questions in the paper, including whether payment of ransoms and extortion demands by cyber criminals should be banned; the scope of the powers of intelligence agencies to intervene; and whether a standalone Cyber Security Act should be considered.

System overload

In Australia, data protection and privacy are principally regulated by the Federal Privacy Act 1988 that is currently under review. However, there are a host of laws on a State and Federal level that touch on cyber security, including within the Criminal Code Act 1995, the Telecommunications Sector Security Reforms (TSSR) and the recently amended Security of Critical Infrastructure (SOCI) Act 2018.

The latter is the primary law being spotlighted by the Government’s recent announcements and in the discussion paper, as it imposes obligations on organisations operating in critical infrastructure sectors to ensure the cyber resilience of their assets. Within the Act, there are also stringent reporting obligations to Government.

The SOCI Act was introduced in 2018 in response to the growing threat of attacks against the country’s most important systems, impacting those in the electricity, gas, water, and maritime sectors.

In 2020, the Act went through 18 months of robust community and industry consultation and was amended at the end of 2021, expanding from four to a total of 11 sectors including health care and medical, the defence industry, higher education and data storage and processing.

However, the recent discussion paper asks whether further reform is necessary, to extend the existing definition of “critical assets” so that customer data and “systems” are included.

Rob Nicholls, Associate Professor of Regulation and Governance at UNSW Business School, explains that the Optus and Medibank hacks are the reason the SOCI Act has been receiving heat.

Despite having the legislation at its disposal, the Government was unable to use it in practice, he said.

“O’Neil comes into Government, she has this fabulous piece of legislation that has taken years to negotiate, has support from the 11 sectors that it covers, and then finds it doesn’t help,” Nicholls said.

“SOCI is basically associated with systems in terms of the definition of critical assets, and those systems don’t necessarily include the data which is protected by the systems… If our data is caught in a breach, it doesn’t matter what the systems are. If they had taken a photocopy of the 100 points of ID and left those in a paper file, my personal data would be safe still.

“Not only did SOCI allow Optus to have this breach, but it also didn’t require Optus to work with the Government to analyse the breach to try and ensure it didn’t happen again. This is a trigger to Minister O’Neil’s ‘useless’ comments.”

[Image caption: The Government will appoint a Coordinator for Cyber Security, supported by a new National Office within the Department of Home Affairs]

Melissa Fai, partner at Gilbert + Tobin with expertise in cyber security, told LSJ that the discussion paper is also looking to broaden the existing legal scope for the country’s top cyber agency, the Australian Signals Directorate (ASD), to step in when businesses are under significant attack.

The SOCI Act does already contain an ‘intervention request power’ for the Government to ‘step in’ in the wake of a serious cyber security incident, but Minister O’Neil has suggested those powers are currently too limited and “very, very narrowly defined” and, hence, did not assist the Government practically. The suggestion appears to be that an expansion of these powers is necessary, but a review of the SOCI Act itself does not reveal these limitations.

“Indeed, the definition of ‘asset’ under the SOCI Act is really very broad – it includes a system, a device, a computer program, data and “any other thing”… The Minister seems to be alluding to the fact the Government felt the need to step in but could not for some reason based on limitations in the Act’s scope and powers,” Fai said.

“It is difficult with incidents that are almost instantaneous; they happen and systems have been compromised and the data is gone, so there is often little time for the Government to be able to step in to mitigate or remedy the breach.”

An incoming new regime?

Whether Australia should consider a standalone Cyber Security Act is also a key consideration of the discussion paper. Both Nicholls and Fai welcome attempts to streamline legislation but say they need more information to determine how a new Act would work practically.

Fai told LSJ the Government seems to be concentrating on building legislation that deals with the fallout from cyber incidents. However, she says, many businesses need more help with prevention.

“If they create a new Act or piece of legislation, and if one of the objectives is to streamline processes (indeed industry and business would appreciate that because at the moment you could be reporting to, depending on sector or listed status, at least three different agencies), then the Government would also need to deal with appropriate amendments to existing Acts to make sure there is no further duplication and overlap,” Fai said.

“There is also the mandatory data breach reporting under the Privacy Act, that is more about reporting of data breaches. That focus is different from the SOCI Act in terms of what it covers. The SOCI Act is not really about responding and how to deal with the response as a coordinated approach, which I think is the Government’s main criticism at the moment; that there isn’t a legislative avenue for it to deal with data breaches on a coordinated basis.”

Fai noted that clients are only just coming to terms with the recent amendments to the SOCI Act and are preparing to respond to the current Privacy Act reform which spans the whole Australian economy.

“Most businesses that are covered by the SOCI Act would sigh at the fact the Government is talking again about more changes to that Act. I think clients had just started to get a grip with the amendments to that Act and commenced rolling out compliance regimes,” Fai said.

“If the Government decide to reform this area again, we will need to advise clients on what the consequences of that might mean.

“Potentially we might assist clients on their submissions to the Government on the Discussion Paper. And also clarify the nuances on how defined terms work in these Acts, as to whether the Act might apply to a particular breach and how it affects them, and generally their compliance risk profile. It is a constantly developing area for legal advisors to get their heads around the different reforms and keep pace with them.”

Nicholls also said the best preparation solicitors working in this space can do is to remember that potential changes will “flow to all businesses, big and small”.

“These reforms won’t just apply to the big clients. Just in the same way that the Privacy Act changes are likely to cover small business. Small businesses which supply services to critical infrastructure businesses are likely to be subject, either by contract or by law, to the same obligations as the bigger businesses under SOCI,” he said.

“For a solicitor in practice, their pro bono clients may actually have the riskiest cyber security profile … This will definitely give an opportunity to streamline obligations.”