CYBERSECURITY
Governing cybersecurity: Critical infrastructure, spies and consumers ROBERT CHALMERS, LECTURER, COLLEGE OF BUSINESS, GOVERNMENT AND LAW, FLINDERS UNIVERSITY
Cybersecurity issues are running hot. Hacking is becoming more pervasive and impactful, naturally following the expansion of computing into every aspect of our lives. Now our ‘Internet of Things’ (IoT) devices, wearables and other consumer devices are part of the “attack surface” that we project into the world. Businesses and organisations are devoting significant effort to managing the risks in response to constant probing for vulnerability and attacks seizing up their systems or stealing and exposing their information (and that of their consumers and partners). Lawyers are called on to advise and assist in relation to prevention, recovery and associated contracts and litigation, but they themselves (and the IT providers they rely on) are hardly immune to these same problems.1 Governments too are subject to intrusions, from state and non-state actors. They have also been issuing more strident calls for individuals and organisations to protect themselves and steadily introducing additional legislative controls to try to regulate cyber risks. Further reforms are now proposed in fields including private and public infrastructure, electronic surveillance and consumer protection. What are these, what impact will they have on the law, and what do they tell us about future trends?
‘ALL YOUR BASE ARE BELONG TO US’2
Much of the current legislative push comes from the Department of Home Affairs, which has been steadily layering up controls and powers in recent years. One of its priorities is to increase the security and resilience of critical infrastructure and systems of national significance. Following the introduction of the Security of Critical Infrastructure Act 2018 (Cth) and the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act), consultations have recently closed on an exposure draft of further amendments: the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022. You would be forgiven for thinking that the scope of ‘critical infrastructure and systems of national significance’ might be fairly restricted. However, it is expansive: the SLACI Act expanded the coverage of the framework from four to eleven sectors (communications, data storage or processing, financial services and markets, water and sewerage, energy, healthcare and medical, higher education and research, food and grocery, transport, space technology, defence industry) and 22 asset classes. So huge swathes of the economy are covered and now obliged to report cyber incidents and give owner and operator information to the Register of Critical Infrastructure Assets. The new Bill would enact a framework for risk management programs and declarations of systems of national significance, and further enhance obligations on cyber security.
30 THE BULLETIN April 2022
SPIES LIKE US
Electronic surveillance is also lined up for further reform, adding to already considerable changes in recent years. The legislation in this area is extensive and includes the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act), the Surveillance Devices Act 2004 (Cth) (SD Act), the Australian Security Intelligence Organisation Act 1979 (Cth) (ASIO Act), the Telecommunications Act 1997 (Cth), and elements of state and territory laws. Powers for electronic surveillance have been steadily growing, and this increase has often been linked to the need to counter the growing sophistication of technologies in communication and cryptography. As the recent discussion paper itself said: [t]o keep pace with technology and the criminals who seek to exploit it, the Government has amended the TIA Act more than 100 times, with most amendments occurring in the past 15 years. As a result, the powers currently in the TIA Act, SD Act and parts of the ASIO Act and Telecommunications Act span more than 1,000 pages of legislation and contain more than 35 different warrants and authorisations.3 Government is proposing further powers for the Australian Federal Police and the Australian Criminal Intelligence Commission ‘to combat dark web and anonymising technologies’ and is considering repeal of the legislation referred to above, replacing it with ‘one single Act that is clearer, more coherent and better adapted to the modern world’.4 It points to similar reforms in the UK and NZ, also members (along with the US and Canada) of the so-called “5 eyes” security alliance. Expect an exposure draft in late 2022.
PROTECTING THE CYBER CONSUMER
In the brave new world of pervasive computing, everything is connected. In response, fields of regulation once separate and more static are being drawn together and subjected to a much higher rate of change. National security, privacy, digital identity, rights to personal communication, and consumer protection converge, but are also in tension. One example where these issues converge is in IoT devices: everything from wearables5 to home infotainment hubs, robotic vacuum cleaners,6 toys and surveillance cams (with the latter two sometimes being one and the same).7 In support of this, over the last few years government has been considering and implementing various measures. In 2020 it introduced a ‘Voluntary Code of Practice: Securing the Internet of Things for Consumers’.8 This covers smart products such as lights, TVs, watches, baby monitors, and connecting routers and sets out 13 principles for manufacturers