• Hannah Phillips

Cyber: Will it be Right?


The Australian government has been slow to act in creating effective defences to attacks in cyberspace.


There have been regular announcements and motherhood statements over the past decade but little effective action.

The Notifiable Data Breaches Scheme that’s been introduced by the Commonwealth government requires mandatory reporting of serious data breaches.

This is worthy of applause except that the onus lies with the potential victims to make the disclosures: the government is washing its hands of direct responsibility for attacks on companies, including small and medium enterprises.

These companies now have to introduce arrangements to identify and disclose cyber-attacks or they risk being in breach of the legislation.

This imposes considerable stress on business in addition to the stress imposed by the NBN and prescribed vendors who have made the network more expensive, albeit it is slow by OECD standards.

To add insult to injury the so called cyber centres that have been established by the government are little more than complaint registries rather than useful active resources to help the victims and potential victims secure themselves or fight back effectively against cyber-attacks.

Through the Notifiable Data Breaches Scheme, the government is setting new standards of accountability and transparency to protect individuals’ personal information.

By not taking any direct responsibility for the network safety, the government is setting individuals and businesses up to fail as the cost of effective protection is considerable and it is not clear whether these costs can be passed on to the consumer.

The Russian and Chinese governments seem to be doing a better job for their citizens without burdening them with obligations few have the resources to properly cover.

Entities subject to the Privacy Act 1988, including most Australian government agencies, businesses with an annual turnover of more than $3 million, and specific categories of smaller businesses, such as health providers, are now required to notify individuals if their personal data has been involved in a serious breach.

Under the Scheme individuals may be fined up to $420,000 for non-compliance, and corporations up to $2.1 million.

Data breaches that might increase the risk of serious harm include the release of sensitive information about an individual’s health, Medicare card information, driver’s licences, passport details or financial information.

Attorney General Christian Porter said the new Scheme sent a clear message that the government was taking the security of personal information seriously.

This means that Australians will know if their personal information has been breached and will be empowered to protect themselves and, by being able to act quickly, to minimise damage, Minister Porter said.

Minister for Law Enforcement and Cyber Security Angus Taylor said that not knowing how to protect client or customer data was becoming a poor excuse.

There is a lot of information now available on cyber security.

The onus is on business operators, with organisations and with government agencies, to put measures in place to reduce the risk of data breaches, Minister Taylor said.

These statements from the ministers appear somewhat starry eyed.

It is possible to agree with their sentiments but it is difficult to envisage real life scenarios that would end up with Australia coming out on top.

An example of breaching defences has been the ‘NotPetya’ saga.

The Australian government has joined the governments of the United States and the United Kingdom in condemning Russia’s use of the ‘NotPetya’ malware to attack critical infrastructure and businesses in June 2017.

Based on advice from Australian intelligence agencies, and through consultation with the United States and United Kingdom, the Australian government judged that Russian state-sponsored actors were responsible for the incident which infected computers with a sophisticated piece of malware (or malicious software) that masqueraded as ransomware.

‘NotPetya’ interrupted the normal operation of banking, power, airports and metro services in Ukraine.

While the brunt of the impact was felt in Ukraine, the malware spread globally, affecting a number of major international businesses and causing hundreds of millions of dollars in damage.

The Australian government has condemned Russia’s behaviour which posed grave risks to the global economy, to government operations and services, to business activity and the safetyand welfare of individuals.

The government is also further strengthening its international partnerships through an International Cyber Engagement Strategy to deter and respond to the malevolent use of cyberspace.

However the new data breach legislation, had it applied then, would have left huge liabilities for Australians as individuals, businesses and public institutions, including most governments.

At the moment Australia has a cyber-security deficit so it is good know that two new tertiary qualifications to help protect businesses from cyber-crime and drive a national industry of cyber-security professionals have been released onto the market.

The Australian cyber-security industry has the potential to triple in size, with revenues projected to climb to at least $6 billion by 2026 from just over $2 billion now.

However, the actual productivity impact is as yet hard to quantify and qualify.

Roger Hausmann