Report No. 73/2023
What’s the problem?
As well as having a global impact, cybersecurity is one of the most significant issues affecting Australia’s economy and national security. On the one hand, poor cybersecurity presents a risk to the interconnected digital systems on which we increasingly rely; on the other hand, well-managed cybersecurity provides an opportunity to build trust and advantage by accelerating digital transformation. Cyber threats can originate from a diverse range of sources and require a diverse set of actions to effectively mitigate them. However, a common theme is that much better cyber risk management is needed to address this critical threat; the current operation of the free market isn’t consistently driving all of the required behaviours or actions.
Regulation can provide a powerful mechanism to modify incentives and change behaviours. However, securing cyberspace depends on the intersection of many factors—technical, social and economic. Current regulations are a patchwork of general, cyber-specific and sector-specific measures with a lack of cohesion that causes overlaps and gaps. That makes the environment complex, which means that finding the right approach that will truly improve overall security and minimise unwanted side effects is difficult. It’s necessary to analyse the interconnected factors that determine the net effectiveness of cybersecurity regulations.
Furthermore, the pace of technological change is so fast today that, even if regulation is successful when first implemented, it needs to be appropriately futureproofed to avoid becoming irrelevant after even a few months. Recent rapid developments in artificial intelligence are an example of the risks here that will need to be anticipated in any changes to the regulatory regimes.
What’s the solution?
Regulatory interventions have an important role to play as one part of a strategy to uplift Australia’s cybersecurity, if done in the right way. This paper presents a framework for the government to make appropriate decisions about whether and how to regulate. That must start with defining which aspect of the cybersecurity challenge it seeks to address and the specific intended long-term impact. In cybersecurity, the most appropriate metrics or measures that regulation seeks to influence should, where possible, be risk-based, rather than specific technical measures. This is because the actual technical measures required are dependent on the individual context of each situation, will change over time, and are effective only when combined with people and process measures. The impact of the interventions on those metrics needs to be readily measurable in order to enable reliable enforcement at acceptable cost—both direct financial cost and indirect opportunity costs.
There’s often a focus on regulation to compel entities to do or not do something. However, compulsion is only one form of regulation, and others, such as facilitation or encouragement, should be considered first, treating compulsion as only one possible approach, which should be used carefully and strategically.
Detailed implementation of cybersecurity regulations should use a co-design process with the relevant stakeholders, who will bring perspectives, experiences and knowledge that government alone does not have. It should also draw upon relevant experience of international partners, not only to benefit from lessons learned, but also to minimise the compliance burden for global companies and operators. Finally, in recognising the complexity of the problem, an iterative approach that measures impact and adjusts approaches to enhance effectiveness, incorporate lessons learned and absorb technological advances needs to be planned from the outset.
Today, so much of Australia’s economic prosperity and national security is critically dependent on digital infrastructure and assets. Increasingly, everyday activities such as banking, communication and navigation are wholly dependent on the availability of internet connectivity, so those networks are underpinning virtually all exchanges of sensitive and critical data. At the same time, cyberattacks on digital infrastructure have become more commonplace and sophisticated. The sources of the attacks include a diverse range of groups with different motivations and approaches; however, a common theme is that Australia needs much stronger cyber risk management in order to address what’s becoming a critical threat to the nation’s security and prosperity.
The Australian Government has recognised this challenge and is in the process of developing a new national cybersecurity strategy, which is due out later this year.1 The digital infrastructure and assets that the strategy will need to cover are many and diverse and are a mixture of private and public ownership and responsibility. Even if the government had the inclination to take responsibility for securing everything, it lacks the budgets, skills and resources to directly do so. Therefore, the upcoming strategy will need to take a collective approach, combining direct government action with measures that encourage action by other stakeholders to drive security improvements. Regulation will be a key potential lever to modify the behaviour of stakeholders, encouraging them to implement the desired actions that will uplift the overall cybersecurity of the nation.
There’s no doubt that regulation can be a powerful lever, but effective pull-through is complex, requiring a number of stages from implementation through to modifying the directly targeted outputs, to delivering initial outcomes, to making the desired long-term impact. There are many assumptions and dependencies to be validated and managed by government in the design and implementation of the regulations in order to deliver that pull-through. There’s always a significant risk of modifying the behaviour of stakeholders in unintended ways, leading to unwanted consequences that can offset or even eliminate any direct benefits delivered.
The aim of this paper is to analyse the interconnected factors that determine the net effectiveness of cybersecurity regulations. The analysis draws upon research of open-source material, interviews with key stakeholders in government, local industry and multinational technology providers, and a roundtable discussion convened by ASPI of a cross-section of stakeholders. Those inputs and analysis are used to provide recommendations for where and how such regulations can be used as part of an integrated strategy, to help maximise the cybersecurity benefits while minimising costs and other unwanted impacts.
This paper starts with a consideration of the current Australian context, including some of the regulatory initiatives already underway, and then considers the broader international context. It then introduces a framework for defining different potential approaches and uses it to identify issues and propose recommendations for government.
14 Aug 2023