
Getting regulation right: approaches to improving Australia’s cybersecurity

Submitted by nathanhaslam@a… on Thu, 08/10/2023 - 14:40

Policy Brief
Report No. 73/2023

What’s the problem?

As well as having a global impact, cybersecurity is one of the most significant issues affecting Australia’s economy and national security. On the one hand, poor cybersecurity presents a risk to the interconnected digital systems on which we increasingly rely; on the other hand, well-managed cybersecurity provides an opportunity to build trust and advantage by accelerating digital transformation. Cyber threats can originate from a diverse range of sources and require a diverse set of actions to mitigate them effectively. However, a common theme is that much better cyber risk management is needed to address this critical threat; the current operation of the free market isn’t consistently driving all of the required behaviours or actions.

Regulation can provide a powerful mechanism to modify incentives and change behaviours. However, securing cyberspace depends on the intersection of many factors—technical, social and economic. Current regulations are a patchwork of general, cyber-specific and sector-specific measures with a lack of cohesion that causes overlaps and gaps. That makes the environment complex, which means that finding the right approach that will truly improve overall security and minimise unwanted side effects is difficult. It’s necessary to analyse the interconnected factors that determine the net effectiveness of cybersecurity regulations.

Furthermore, the pace of technological change is so fast today that, even if regulation is successful when first implemented, it needs to be appropriately futureproofed to avoid becoming irrelevant after even a few months. Recent rapid developments in artificial intelligence are an example of the risks here that will need to be anticipated in any changes to the regulatory regimes.

What’s the solution?

Regulatory interventions have an important role to play as one part of a strategy to uplift Australia’s cybersecurity, if done in the right way. This paper presents a framework for the government to make appropriate decisions about whether and how to regulate. That must start with defining which aspect of the cybersecurity challenge it seeks to address and the specific intended long-term impact. In cybersecurity, the most appropriate metrics or measures that regulation seeks to influence should, where possible, be risk-based, rather than specific technical measures. This is because the actual technical measures required are dependent on the individual context of each situation, will change over time, and are effective only when combined with people and process measures. The impact of the interventions on those metrics needs to be readily measurable in order to enable reliable enforcement at acceptable cost—both direct financial cost and indirect opportunity costs.

There’s often a focus on regulation to compel entities to do or not do something. However, compulsion is only one form of regulation, and others, such as facilitation or encouragement, should be considered first, treating compulsion as only one possible approach, which should be used carefully and strategically.

Detailed implementation of cybersecurity regulations should use a co-design process with the relevant stakeholders, who will bring perspectives, experiences and knowledge that government alone does not have. It should also draw upon relevant experience of international partners, not only to benefit from lessons learned, but also to minimise the compliance burden for global companies and operators. Finally, in recognising the complexity of the problem, an iterative approach that measures impact and adjusts approaches to enhance effectiveness, incorporate lessons learned and absorb technological advances needs to be planned from the outset.

Introduction

Today, so much of Australia’s economic prosperity and national security is critically dependent on digital infrastructure and assets. Increasingly, everyday activities such as banking, communication and navigation are wholly dependent on the availability of internet connectivity, so those networks are underpinning virtually all exchanges of sensitive and critical data. At the same time, cyberattacks on digital infrastructure have become more commonplace and sophisticated. The sources of the attacks include a diverse range of groups with different motivations and approaches; however, a common theme is that Australia needs much stronger cyber risk management in order to address what’s becoming a critical threat to the nation’s security and prosperity.

The Australian Government has recognised this challenge and is in the process of developing a new national cybersecurity strategy, which is due out later this year.1 The digital infrastructure and assets that the strategy will need to cover are many and diverse and are a mixture of private and public ownership and responsibility. Even if the government had the inclination to take responsibility for securing everything, it lacks the budgets, skills and resources to directly do so. Therefore, the upcoming strategy will need to take a collective approach, combining direct government action with measures that encourage action by other stakeholders to drive security improvements. Regulation will be a key potential lever to modify the behaviour of stakeholders, encouraging them to implement the desired actions that will uplift the overall cybersecurity of the nation.

There’s no doubt that regulation can be a powerful lever, but effective pull-through is complex, requiring a number of stages from implementation through to modifying the directly targeted outputs, to delivering initial outcomes, to making the desired long-term impact. There are many assumptions and dependencies to be validated and managed by government in the design and implementation of the regulations in order to deliver that pull-through. There’s always a significant risk of modifying the behaviour of stakeholders in unintended ways, leading to unwanted consequences that can offset or even eliminate any direct benefits delivered.

The aim of this paper is to analyse the interconnected factors that determine the net effectiveness of cybersecurity regulations. The analysis draws upon research of open-source material, interviews with key stakeholders in government, local industry and multinational technology providers, and a roundtable discussion convened by ASPI of a cross-section of stakeholders. Those inputs and analysis are used to provide recommendations for where and how such regulations can be used as part of an integrated strategy, to help maximise the cybersecurity benefits while minimising costs and other unwanted impacts.

This paper starts with a consideration of the current Australian context, including some of the regulatory initiatives already underway, and then considers the broader international context. It then introduces a framework for defining different potential approaches and uses it to identify issues and propose recommendations for government.

Full Report

For the full report, please download here.
