Decoding the future of Australian critical infrastructure: The Australian Government’s 2023-2030 Cyber Security Strategy

The Australian Federal Government has set itself the ambitious target (in its 2023-2030 Australian Cyber Security Strategy) to see Australia as a global leader in cyber security and the most cyber secure country on Earth by 2030. The Strategy incorporates establishing a Cyber Incident Review, streamlining incident reporting to Government and regulators (including mandatory ransom payment reporting), reviewing data retention requirements in legislation and amending the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).

These priorities respond to Government and public concern following recent data breaches. Australia’s technology regulatory framework is highly fragmented in terms of legislation and regulators, which is making it difficult for entities to identify the compliance standards that apply to them. Breaches and subsequent regulatory investigations have brought to light wide insufficiencies across legislation and industry reporting. As a result, Australia is facing major legislative reforms at varying stages, including an upcoming overhaul of the Privacy Act 1988 (Cth). The pace and complexity of this legislative landscape makes it increasingly important for entities to stay across their specific legal requirements, given the growing regulatory and reputational risks of non-compliance.

The Government’s focus now is to encourage sustained consultation with industry throughout the Strategy's operation. The Strategy adopts six levels of protection known as ‘Cyber Shields’:

  1. Strong businesses and citizens
  2. Safe technology
  3. World-class threat sharing and blocking
  4. Protected critical infrastructure
  5. Sovereign capabilities
  6. Resilient region and global leadership

Australia’s Protected Critical Infrastructure

In a digital world, mechanisms must exist for the Government to ensure that “critical” infrastructure is secure and meeting expected standards. Critical infrastructure in Australia spans a wide range of sectors, including banking, telecommunications, electricity, water and airports. The SOCI Act is a new and rapidly evolving, but unfortunately often poorly understood, landscape. The Government has accordingly agreed to better distinguish the requirements for affected entities, including managed service providers (MSPs) and managed security service providers (MSSPs), in respect of critical infrastructure assets. MSPs address IT infrastructure and focus on maintaining its performance, whereas MSSPs work to protect digital assets from cyber threats. Legislative clarity that better delineates MSPs from MSSPs enhances compliance certainty while defining security standards. Incorporating cyber security details into the SOCI Act framework is likely to lead the Government to mandate a comprehensive risk management strategy, enforce recognised cyber security protocols, and implement personnel screening measures for individuals working across multiple entities. It is imperative for MSPs and MSSPs to prioritise security given their significant role in Australia’s IT landscape and the resulting heightened compliance thresholds.

SOCI Act updates will also affect data storage systems, with a focus on data deemed ‘business critical’ and systems that can influence the availability and reliability of critical infrastructure assets. The Strategy proposes expediting the implementation of the Systems of National Significance framework to strengthen existing measures for safeguarding Australia’s most essential infrastructure. It also advocates for the development of a compliance and monitoring evaluation framework to ensure that regulated entities fulfil their obligations under the SOCI Act. This further aims to assist responsible entities in managing the repercussions of cyber incidents affecting critical infrastructure, potentially including a ‘last resort’ power to authorise specific actions to mitigate the consequences of an incident when no other legislative mechanism is available.

The Strategy suggests additional alterations to bolster the SOCI Act framework. A further reform highlighted by the Government involves streamlining the responsibilities of telecommunications providers under the SOCI Act. This will transfer certain obligations from the Telecommunications Act 1997 (Cth), with the aim of streamlining oversight and maintaining uniformity across different sectors. Recent network outages in Australia underscore the importance of telecommunications to the operations of businesses across various industries, which supports the Government’s plans to monitor this sector closely. This initiative also aligns with the overarching strategy of fostering legislative consistency and removing redundant duplication.

Four key takeaways to prepare for the Strategy

Sweeping reforms and varying enforcement powers urge entities to proactively manage Australian technology compliance. The Strategy and SOCI Act reforms will grant Government wider enforcement authority while imposing stricter cyber security obligations for critical infrastructure owners and operators. We recommend considering the following takeaways to optimise readiness in Australia’s rapidly reforming technology environment.

  1. Cultivating internal mechanisms that address the entity’s individual cyber security landscape and diagnosing any existing organisational limitations.
  2. Establishing or enhancing a risk management framework capable of identifying, assessing and mitigating cyber risks. Entities should invest in threat intelligence and predictive analytics to proactively anticipate and counter emerging cyber risks.
  3. Implementing dynamic data protection measures through incident response playbooks and organisational training. This builds expertise and a culture of cyber hygiene across industry to direct future readiness.
  4. Collaborating transparently within industry, which has become critical to maturing best practices that align with the Strategy. Many corporate stakeholders are seeking to influence policy outcomes through consultation.

Bird & Bird Australia’s team harnesses its global reach and domestic regulatory expertise to assist entities with a presence in Australia.

For more information, please contact Hamish Fraser, Belyndy Rowe and Mia Herrman.
