Cyber security is front of mind for businesses across Australia and has been for a number of years.
In 2021, 95 per cent of local CEOs said cyber is a top threat to growth.
Business concerns have continued to rise as the threat environment has worsened, with malicious cyber activity increasing in frequency, scale, and sophistication.
This has been matched by an increasing level of focus from regulators, including internationally, such as through the SEC’s Cybersecurity Regulations and likely amendments in future.
Unfortunately, the risks Australia faces are not static.
The Australian Cyber Security Centre’s (ACSC) annual threat reports have repeatedly highlighted the evolving nature of the threats faced by Australians and Australian businesses.
Our responses must remain similarly agile. As the Minister for Cyber Security, the Hon Clare O’Neil MP, has noted, Australia’s ‘patchwork’ of approaches has not kept up.
While recent high-profile breaches have heightened concerns for Australian citizens and businesses, they have also drawn into stark relief the flaws and limitations in the current structures and systems.
A new cyber security strategy is an opportunity to ensure our systems and bureaucracies not only match the new world but keep pace with changes we know are coming.
To underpin new structures, a clear goal is needed for a refreshed cyber security strategy.
A new cyber security strategy must work towards protecting all Australians against the threats that have come with a digitised economy and society. This means having positive incentives for all stakeholders – individuals, businesses (small, medium, and large), community and not-for-profit groups, and government agencies and departments – to do the right thing.
Equally, the strategy must support Australia becoming a frontier economy – a country that is diversified, competitive, and outward looking. This will be the only way Australians can get high-wage, secure jobs, and a continuing improvement in the standard of living.
If Australia is going to be a top five digital economy, we must ensure there are the maximum incentives for businesses and the community to embrace digital technology, while protecting privacy and data integrity.
To get there, Australia must avoid punitive or inflexible responses to cybersecurity risks, save for circumstances that demonstrate gross negligence and recklessness that meet a criminal standard of proof.
Further, it is important to keep a clear distinction between privacy and cybersecurity frameworks. There will be significant confusion in the Australian economy if these are somehow merged.
Responding to cyber threats must be a shared, ‘team’ responsibility: businesses should be seen as partners for government, along with working with the Australian community and customers. Government or regulator responses should not re-victimise organisations or individuals who are already trying to cope with a crime committed against them.
Instead, government should set out a plan to construct bidirectional, timely information sharing.
In an environment where business investment as a share of GDP is at 30-year lows and capital is leaving Australia on a scale not seen since World War II, Australia can’t afford to throw more sand in the wheels.
Instead, we should seize the opportunity to not just protect our existing assets and people, but also to grow a new services sector and cross-economy capability.