What are the implications of the new legislation on Australia’s cyber security space?
Following the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Assistance and Access Act), which took effect on 6 December 2018, many cyber security and broader technology-based organisations have voiced their opinions on the validity and real effectiveness of the Act. Under this new law, companies would have to modify their software and services to enable state, federal and foreign law enforcement bodies, as well as the Australian Security Intelligence Organisation (ASIO), to access end-to-end encrypted messaging upon the issue of a warrant. Failure to comply would result in large financial penalties of up to $10 million in fines.
What prompted the Australian government to introduce this law?
Australia is the first member of the Five Eyes Intelligence Alliance to pass this law. The intelligence alliance, which also includes the U.S., the U.K., Canada and New Zealand, is based on a multinational global surveillance agreement. The increase in cyber crime, which costs the Australian economy approximately $1 billion every year, prompted the government to launch the Cyber Security Strategy in 2016 in order to make the Australian market more resilient to online threats. According to a new study conducted by Cisco, 81% of Australian companies face more than 5,000 threats daily whilst 33% receive between 100,000 and 150,000 threats per day. In 2018 alone, the Office of the Australian Information Commissioner (OAIC) reported that Australian businesses were affected by more than 300 cyber security breaches.
Just a few weeks ago, investigations by Australian broadcaster Nine News and Fairfax Media uncovered that China’s intelligence services had hacked into large-scale software services providers that liaise with Australian companies, such as Hewlett Packard and IBM, with the aim of acquiring commercial intellectual property and personal data. CNBC reported that this action was conducted on behalf of China’s Ministry of State Security (MSS) through a global hacking campaign called ‘Cloud Hopper’ in a move to make China more economically competitive. Another example of a data breach is the recent PageUp hack, which exposed confidential recruitment records of major Australian companies, affecting over 100,000 job seekers.
What is currently being done to introduce the importance of cyber security?
Australia’s cyber security market is still in its infancy and policy advocacy on this subject is therefore not very prominent. This is why AustCyber, an independent, not-for-profit organisation working on the federal government’s Australia’s Cyber Security Strategy, along with the Australian Strategic Policy Institute (ASPI), produced a report titled Perceptions survey: Industry views of the economic implications of the Assistance and Access Bill 2018 (Perception Survey) on 20 December 2018. The report is based on the industry’s views on the Assistance and Access Act, including potential challenges for Australian businesses and economic implications that may affect the growth of the cyber security industry in Australia.
What are the key concerns expressed by the industry towards the Assistance and Access Act?
In the survey carried out by AustCyber, which drew on a sample of 512 industry stakeholders, 81% of the 63 completed survey responses indicated that there is a lack of clarity in the legislation. The majority felt that the legislation is too broad and can be subject to interpretation. In addition, many expressed their concern that the new law could make their technology products less competitive. In fact, 71% of respondents voiced concern that their company’s products may be perceived as less secure simply because they are Australian products or have Australian encryption embedded in them. According to SBS News, tech companies such as Telstra, Google and Apple may consider leaving the Australian market to avoid being forced to comply with the government’s notices and having to install spyware on their devices and networks. The report also advises that the new law could strain Australia’s commercial relationships with global companies and make conditions more economically challenging for Australian exporters.
Another area of concern that companies have voiced is the ‘costs related to complying with notices’, as 95% of respondents stated that they do not expect the government to be able to cover all the costs of complying with the law. A notice could be either a technical assistance or technical capability order that is issued by the head of an interception agency, by ASIO, or by the Attorney-General at the request of the head of an interception agency. Whilst the Act made provision for ‘reasonable cost’ recovery for companies that provide compulsory assistance, there is a widespread perception among survey respondents that costs would not be recovered and that any reimbursement would in fact differ largely from the actual costs of meeting the requirements in a notice. This is in spite of the government stating in the Act that they would reimburse the provider “the amount equivalent to the expenditure that would have been reasonable to satisfy requirements in the event that a provider’s expenditure is higher than the notice’s requirements”. However, to date it is unclear how companies would be able to seek reimbursement of expenses related to compliance with notices, and it is yet to be determined what costs could be incurred and whether any of these would be recoverable.
What are the key economic impacts observed from the Perception survey?
Based on the results received from the Perception Survey, the following key economic impacts were observed:
- Companies may incur high costs and may inadvertently create a wider vulnerability for other businesses if a technical capability has been implemented poorly.
- Further clarification is required around what type of information can be shared between an employer and employee as well as external parties where commercial arrangements are in place.
- Survey respondents have commented that the legislation needs to cater for different roles in the organisation such as managers and IT practitioners as the term ‘employee’ is too broad.
- In relation to technical capability notices, the Act imposes strict limitations on the type of assistance that can be provided under a notice. The government further confirmed that this is so that the Act does not undermine cyber security.
- A key limitation of the legislation is that it cannot prevent a provider from rectifying a systemic weakness and also cannot require a provider to make systemic methods of authentication or encryption less effective.
How does this impact the cyber security job market in Australia?
The shortage of cyber security skills in Australia is on the rise and it is becoming more difficult for Australian firms to adequately find talent to support their IT team against cyberattacks. According to Gai Brodtmann, Shadow Assistant Minister for Cyber Security and Defence, Australia urgently requires more than 19,000 cyber security specialists. To put this into perspective, Telstra reported that Australia currently produces only 1,200 new software engineers as opposed to 44,000 in India.
One way for organisations to meet the requirements for more cyber security analysts would be to develop their own in-house cyber security training – especially if such skills are scarce on the market. Whilst this can be a costly option upfront, the return on investment will definitely be significant in the long run with a highly-skilled cyber security team protecting the firm’s business intelligence. To help existing employees branch out into cyber security and be re-trained, companies can also partner with universities and Technical and Further Education (TAFE) institutes offering cyber security courses. An example is how Box Hill Institute has partnered with AustCyber to offer nationally-recognised certification and diploma-level qualifications in cyber security.
In line with the increase in demand for cyber security specialists, the federal government has also launched the final step of its Australian Cyber Security Strategy, i.e. the Cyber Security Small Business Program. The program includes a $10 million initiative designed to provide financial support to eligible small businesses by way of individual grants of up to $2,100 over the next two years. The aim is to cover 50% of the cost of having their cyber security tested by service providers approved by the Council of Registered Ethical Security Testers Australia New Zealand (CREST ANZ). The program also includes a $2 million grant to CREST ANZ to boost its capacity to help small businesses with their cyber security needs.
Looking for cyber security talent or want to find out more about the talent landscape in Australia?
At Progressive Recruitment, we specialise in placing the best cyber security specialists on the market with our clients. If you are looking to hire cyber security experts or looking for an opportunity within the cyber security space, please don’t hesitate to contact us at +61 2 9285 1000 for a confidential discussion.