Strengthening Australia’s cyber security regulations and incentives
This submission to the Department of Home Affairs, in response to its Discussion Paper titled Strengthening Australia’s cyber security regulations and incentives (Discussion Paper), was prepared by the Law Council of Australia. The matters raised in the Discussion Paper are of critical importance, and the Law Council commends the broad-ranging and fundamental nature of the issues canvassed.
Australia’s existing cyber security regulatory and legal frameworks do not adequately protect consumers. Governments and businesses of all kinds use personal information (such as dates of birth and identity document numbers) to secure and control access to essential services, often without any further authentication layer. This normalises the routine disclosure of such information, and makes it valuable to attackers.
On a practical level, many of the current arrangements provide neither market advantage nor incentive for small to medium enterprises to invest in cyber security.1 However, too much regulation risks further disadvantaging this already pressured part of the economy.
The scope of the challenge cannot be overstated. Securing one network and the organisation using it is difficult. Securing a shared digital environment accessed by multiple organisations is more difficult still, because the attack surface grows with every organisation, user and interconnection that is added. Current artificial intelligence (AI) security investigation systems are promising, but are still emergent technology. Further development is required before they can provide sufficient confidence.
Unfortunately, in a classic ‘arms versus armour’ technology race, it is likely that AI enabled attacks will progress as rapidly as AI enabled defences. Even with AI removed from the equation, increasing sophistication and resources available to cybercriminals means that the definition of ‘good’ or ‘adequate’ security for many organisations is constantly evolving.
The mistaken belief that technology alone can solve the security challenge is widespread. As Schneier has noted, ‘If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology’.2 Whilst security technology plays an important role, people and their interaction with systems remain a major vulnerability.
Against this context, policy initiatives should avoid the same technology trap. Information security is an organisational and often industry-wide challenge which requires consistent application of ‘people, process and technology’ levers.
You can read the full submission below.
1 For example, there is no incentive for a business to minimise the amount of high-value personal information it retains, to control the distribution of such data within its networks, or to minimise its attack surface.
2 Bruce Schneier, Secrets & Lies: Digital Security in a Networked World (John Wiley & Sons, 15th Anniversary edition, 2000).