Prime Minister Turnbull announced a significant restructure of Australia’s national security community and Australia’s set to get a new Office of National Intelligence with a yet-to-be-named director. The Australian Signals Directorate will be elevated to a statutory authority within Defence. And longstanding rumours of a ‘mega-department’ have come to fruition, with Immigration, the AFP and ASIO to be amalgamated into a ‘Home Office’. The special adviser to the PM on cybersecurity, Alistair MacGibbon, is slated to head the Australian Cyber Security Centre, which is poised to receive a 24/7 response capability.

Further details of the restructure, let alone its implications for cybersecurity, aren’t yet clear—but the changes have been described as the most significant in 40 years. Some of the changes are in line with the recently published report of the Independent Intelligence Review (a summary of the review’s recommendations is available here), but critics have noted that the review didn’t consider or provide a recommendation for or against the amalgamation of agencies into a home affairs department, fueling concern about such a systemic change occurring without due diligence. The US also is about to get a shake-up, with US Cyber Command reportedly being split off from the National Security Agency.

The Australian government has announced that it will be introducing a new cybersecurity law that would compel tech companies and communications service providers to provide access to terrorist messaging. It’s not the first time this issue has come up, and the law comes after more than a month of foreshadowing, following the London Bridge attack earlier this year. The move has again stirred controversy over whether such cooperation is a ‘back door’ or not, and whether it can be provided without compromising security as a whole. There have been some communication issues around the issue, and one of Prime Minister Turnbull’s responses has earned the ire of most commentators, who’ve described the quip as either poorly informed, willfully ignorant or Orwellian.

On the sunnier side of cybersecurity, the NSW government is looking to invest $35 million in innovation, launching a start-up hub near Wynyard Park designed to accommodate 2,500 people. Similarly, the Government Communications Headquarters is accepting applications for the second round of its start-up accelerator program, and Dimension Data and Deakin University have launched a six-month accelerator program in Melbourne, which is hosting a series of roadshow events around the country. Sydney-based software company Atlassian has opened up its bug bounty program to the public, offering open-source researchers up to $3,000 for each vulnerability they find. And the Japanese government has announced that it will be forming a new Cybersecurity Response Center to protect critical infrastructure over the course of the Tokyo Olympic Games in 2020.

Returning to cyber law, Singapore is promulgating a new cybersecurity bill for public consultation. The new bill will introduce a new commissioner of cybersecurity, and provide measures to identify and protect critical information infrastructure across 11 essential services sectors. The Netherlands passed a new Intelligence and Security Act, introducing new powers in international intelligence-sharing and compelling service providers to retain data for three years. And well into its implementation phase is China’s new cybersecurity law—at only two months in, Apple has begun building its first data centre in China in line with data sovereignty requirements. China’s also looking at compelling communications service providers to prevent the use of virtual private networks, or VPNs, which are routinely used to evade the ‘Great Firewall’. Whether that will be a blanket ban or a permissions-based system remains unclear.

Health insurance provider Bupa suffered a major data breach after an aggrieved employee illegally copied and removed customer information from company servers. The leaking employee has been dismissed, but information about 547,000 of Bupa’s international policyholders has been leaked, including nearly 20,000 Australians. The details taken include names, dates of birth, nationalities, Bupa membership numbers, and some contact details, leading to concern that the highly valuable information will be posted for sale on the dark web. Bupa could be facing some hefty legal penalties. A similar data breach dating back to 2015 cost the parent company of Ashley Madison US$11.2 million in a settlement with 37 million affected users.

In June, false quotes from Qatar’s emir ignited an ongoing diplomatic crisis between Qatar and neighbouring states. Unnamed US intelligence officials are said to have now found evidence that the operation to plant those quotes, previously thought to have been conducted by Russia, was conducted by the United Arab Emirates government as part of a long ongoing dispute between the two countries. If that’s true, the case demonstrates the disproportionate impact a cyber offensive campaign can have, and the difficulty that defenders face in trying to identify or ‘attribute’ the attacker and respond appropriately.

LastPass, a popular password management software service, has published an infographic presenting the findings of a survey it conducted on cybersecurity practice across generations. Bangkok Post published a surprisingly close and philharmonic look at the motivations of Australia’s Cyber Ambassador and ASPI alumnus Tobias Feakin, talking about the importance of strategy and responsibility ownership in managing cybersecurity investments and tech.