Australia has created a complex, interlocking web of legislation and regulations that impacts directly on the competitiveness of the local cyber security sector, according to AustCyber CEO Michelle Price.
Price told a press event hosted earlier this week by Aura Information Security that she had “quite significant and deep concern” about the legislative landscape facing the industry both domestically and at an international level.
“Right now, what we are facing is a whole series of legislation, regulation, standards and guidance that is causing extreme confusion across the economy,” Price said. That confusion is having a broad cross-industry impact because “cyber security, and therefore cyber resilience, is the true horizontal sector of the economy”.
“We're not conceiving of legislation, regulation, standards and guidance with that in mind,” Price said. “So that does mean that all of the sector-specific legislation and regulation, standards and guidance have impacts for cyber security, and vice versa.”
From a federal government perspective cyber is typically viewed through the prism of national security, the AustCyber CEO said. “We’ve got a whole series of legislation that has emerged over the past two years, and there will be more to come, that is... adding and compounding that confusion for organisations who are really at the very, very beginning of their cyber security journey in Australia,” Price said.
The most high-profile piece of legislation that has had an impact on the industry is last year’s Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA Act), which was the government’s response to the increased use of communications services with built-in encryption.
The Department of Home Affairs recently acknowledged that the legislation had had a detrimental impact on Australia’s cyber security industry.
“Consumers, international companies and investors are concerned domestically produced or located products and services have been undermined by the legislation, and that the industry assistance framework increases the costs of doing business in Australia,” the department earlier this year told a parliamentary inquiry, although it argued the problem was the perception of the legislation, not the reality.
AustCyber revealed in January that a survey it conducted found widespread fear among Australian cyber security companies about the effect of the legislation. The concern was particularly pronounced among export-focused businesses in the sector.
But while the TOLA Act “attracted a huge amount of attention at the end of last year and still continues to do so” it is “but one of a series of 10 pieces of legislation and regulation that impact directly Australia’s cyber security,” Price said.
A recent example of regulation is CPS 234, issued by the Australian Prudential Regulation Authority (APRA). Price said in her view CPS 234 is a “positive example” of cyber-focused regulation. The APRA standard sets out the regulator’s expectations of how banks and other APRA-regulated financial services organisations approach information security.
Price said that in the broader Australian economy cyber security and cyber resilience are “highly contextual”: “The way in which cyber security plays out is different from one moment to the next, from one incident to the next, from one sub-sector and sector to the next.”
She decried the lack of a “whole of economy” approach. “It's not just the politicians or the bureaucrats: it's also industry and academia that are not taking a holistic picture, in my view, of what all the interdependencies and intersections of all of this landscape [are],” she said.
“How much are we losing from the innovation side of things and commercialisation opportunities by having unknown and untold unintended consequences that are coming from what is a train smash of a legislative landscape?” Price said.
She said the environment that had been created was “not intentional”. “Our legislators and regulators don't want to provide an environment that makes us less competitive globally, and undermines the security of our nation,” she said. “That is not, of course, what they're intending on doing.”
However, she added: “We are in such a rapidly moving and evolving space in technology, with cyber security at its very heart, that we are not taking a breath to understand what the broad implications are.”
Price said there was a need for a strategic approach to the issues. “I do believe that we need to take a pause and understand the legislative, regulatory standards and guidance environment that we've created for cyber security, but also for the rest of the economy, knowing that cyber security is the true horizontal,” she said.
As part of that it needs to be recognised that “we have made a few mistakes” as well as “had some really good wins”. “But let's evolve it because we actually can't continue the way it is now,” the CEO said.