The recent news about new cybersecurity measures in response to the ransomware menace has shown that Australia is now acting to world standards when it comes to cybersecurity.
An interview and presentation that I wrote up in 2011 about cybersecurity in the cloud computing era called out Australia’s lax attitude to cybersecurity. This is very much based on the “She’ll Be Right” laissez-faire attitudes traditionally associated with Australian society. This included not having proper data-protection legislation set in stone that complies with international expectations, such as requiring businesses, governments and other entities to disclose to a central authority if they have faced a data-security incident.
But there have been recent high-profile ransomware attacks in Australia, including some that have attacked significant health infrastructure. This has caused the Federal Government to wake up and pass legislation mandating the reporting of ransomware incidents that businesses and similar entities fall victim to.
As well, the proposed Federal-level legislation will criminalise all forms of cyber-extortion, including dealing in data stolen as part of a cyberattack or other separate offence. It will also make the trade in malware, something that takes place on the Dark Web, a criminal offence. There will also be the ability for Australian governments to seize or freeze crypto transactions, because crypto is the currency of cyber attacks.
What Australia may have to do is take a holistic look at the issues of data-protection, data sovereignty and end-user data privacy for data collected by both the public and private sectors.
Legislation and regulation that is risk-specific or data-collection-specific, like the cyber-extortion laws being tabled by the Federal Government or the recent laws being tabled by governments to limit law-enforcement access to the QR-code-based contact-tracing platforms created by state governments, won’t cut it any more if other risks aren’t addressed. These risks include distributed denial-of-service attacks against IT systems, which can masquerade as a system facing peak usage by many end-users, and foreign entities raiding data-rich IT systems like the above-mentioned platforms for the movements of exiled dissidents.
Australia also has the added complexity of being a federation of states and territories, where state and territory governments regulate certain aspects of life while the federal government regulates others. In this case, the federal government regulates cybersecurity issues encompassing private-sector and federal-government public-sector systems, while the state and territory governments regulate cyber issues encompassing their own public-sector systems. Australia could look towards what Canada, Germany or Switzerland are doing in this field, because these countries have similar federation structures. This is especially so given that Canada and Switzerland were among the countries that called out the data-security and user-privacy weaknesses within Zoom, Skype and other popular videoconference platforms that came into vogue in 2020 thanks to the COVID-19 plague.
Here, Australia and New Zealand could look at best-practice data-protection, data-sovereignty and end-user privacy legislation and regulation like some of the laws on the UK’s and European Union’s books and build up a strong cybersecurity regime within the Asia Pacific. This will have to encompass both public-sector and private-sector data-processing environments along with all risks that these environments and their end-users will face.
There will also have to be questions raised regarding the role of other jurisdictions when dealing with cybersecurity issues and incidents, because such incidents have an international dimension. This will also include data sovereignty and allied issues where data is handled or stored in other countries or by companies based in other countries.
The ransomware issue and, to some extent, the COVID-19-driven data processing requirements may be the kind of wake-up call that Australia has to face when it comes to data security and end-user privacy.