Governing Cybersecurity: critical infrastructure, spies & consumers

ROBERT CHALMERS, LECTURER, COLLEGE OF BUSINESS, GOVERNMENT AND LAW, FLINDERS UNIVERSITY


Cybersecurity issues are running hot. Hacking is becoming more pervasive and impactful, naturally following the expansion of computing into every aspect of our lives. Now our ‘Internet of Things’ (IoT) devices, wearables and other consumer devices are part of the ‘attack surface’ that we project into the world. Businesses and organisations are devoting significant effort to managing the risks in response to constant probing for vulnerabilities and attacks that seize up their systems or steal and expose their information (and that of their consumers and partners). Lawyers are called on to advise and assist in relation to prevention, recovery and associated contracts and litigation, but they themselves (and the IT providers they rely on) are hardly immune to these same problems.1

Governments too are subject to intrusions, from state and non-state actors. They have also been issuing more strident calls for individuals and organisations to protect themselves and steadily introducing additional legislative controls to try to regulate cyber risks. Further reforms are now proposed in fields including private and public infrastructure, electronic surveillance and consumer protection. What are these, what impact will they have on the law, and what do they tell us about future trends?

‘ALL YOUR BASE ARE BELONG TO US’2

Much of the current legislative push comes from the Department of Home Affairs, which has been steadily layering up controls and powers in recent years. One of its priorities is to increase the security and resilience of critical infrastructure and systems of national significance. Following the introduction of the Security of Critical Infrastructure Act 2018 (Cth) and the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act), consultations have recently closed on an exposure draft of further amendments: the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022.

You would be forgiven for thinking that the scope of ‘critical infrastructure and systems of national significance’ might be fairly restricted. However, it is expansive: the SLACI Act expanded the coverage of the framework from four to eleven sectors (communications, data storage or processing, financial services and markets, water and sewerage, energy, healthcare and medical, higher education and research, food and grocery, transport, space technology, defence industry) and 22 asset classes. So huge swathes of the economy are covered and their owners and operators are now obliged to report cyber incidents and to give ownership and operational information to the Register of Critical Infrastructure Assets. The new Bill would enact a framework for risk management programs, provide for declarations of systems of national significance and further enhance cyber security obligations.

SPIES LIKE US

Electronic surveillance is also lined up for further reform, adding to already considerable changes in recent years. The legislation in this area is extensive and includes the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act), the Surveillance Devices Act 2004 (Cth) (SD Act), the Australian Security Intelligence Organisation Act 1979 (Cth) (ASIO Act), the Telecommunications Act 1997 (Cth), and elements of state and territory laws. Powers for electronic surveillance have been steadily growing, and this increase has often been linked to the need to counter the growing sophistication of technologies in communication and cryptography. As the recent discussion paper itself said:

[t]o keep pace with technology and the criminals who seek to exploit it, the Government has amended the TIA Act more than 100 times, with most amendments occurring in the past 15 years. As a result, the powers currently in the TIA Act, SD Act and parts of the ASIO Act and Telecommunications Act span more than 1,000 pages of legislation and contain more than 35 different warrants and authorisations.3

Government is proposing further powers for the Australian Federal Police and the Australian Criminal Intelligence Commission ‘to combat dark web and anonymising technologies’ and is considering repeal of the legislation referred to above, replacing it with ‘one single Act that is clearer, more coherent and better adapted to the modern world’.4 It points to similar reforms in the UK and NZ, which are also members (along with the US and Canada) of the so-called ‘Five Eyes’ intelligence alliance. Expect an exposure draft in late 2022.

PROTECTING THE CYBER CONSUMER

In the brave new world of pervasive computing, everything is connected. In response, fields of regulation that were once separate and more static are being drawn together and subjected to a much higher rate of change. National security, privacy, digital identity, rights to personal communication, and consumer protection converge, but are also in tension. One example where these issues converge is IoT devices: everything from wearables5 to home infotainment hubs, robotic vacuum cleaners,6 toys and surveillance cams (with the latter two sometimes being one and the same).7

In support of this, over the last few years government has been considering and implementing various measures. In 2020 it introduced a ‘Voluntary Code of Practice: Securing the Internet of Things for Consumers’.8 This covers smart products such as lights, TVs, watches, baby monitors and the routers that connect them, and sets out 13 principles for manufacturers to abide by, based on consultations led by the Department of Home Affairs and the Australian Signals Directorate. Further research in 2021 indicated difficulties in implementing the voluntary, principles-based guidance. Firms called for clearer guidance and internationally aligned standards, but even simple measures such as vulnerability disclosure policies were not being adopted. Government is now considering moving from voluntary to mandatory cyber security standards for smart devices and/or cyber security labelling.9 With the exception of the privacy reforms dealt with below, specific reform detail has not yet been tabled. However, it seems very likely that additional measures will be introduced. Government specifically flagged that it was considering changes to the Australian Consumer Law to enhance consumer guarantees and bring clearer application to digital products, and many of these IoT devices are connected to, or sold and supported by, the digital platforms that are the subject of broader enquiries and activities by the Australian Competition and Consumer Commission.10

Turning to the subject of privacy reform, late in 2021 the Government unveiled an exposure draft for a new Online Privacy Bill,11 which would enable binding online privacy codes applicable to digital platforms, in addition to strengthening general penalties12 and enforcement under the Privacy Act 1988 (Cth). The online privacy codes could go beyond standard privacy code measures and introduce more granular consent requirements and age verification measures, as well as the capacity for consumers to withdraw consent. Government has also released a discussion paper contemplating additional reforms based on international data and consumer protection law, including the European General Data Protection Regulation.13 There has been extensive academic exploration of the trends and possible directions for regulation of IoT devices, which provides guidance as to likely options and further suggests that additional regulation is likely.14

A CYBER EYE TO THE FUTURE

The immediate future looks even more crowded with reform than the recent past. Even if there is then a lull on some of those fronts, other related fields are already the subject of regulatory attention: not least that of digital identity. This connects to issues of age verification, recently introduced director ID, and broader government and private developments in pursuit of a ‘Trusted Digital Identity Framework’.15

It is important that in designing appropriate regulatory frameworks we are not distracted by the ever-shifting sands of technical standards, but rather maintain a clear focus on the underpinning principles and human rights that need to be maintained. Lawyers have a critical and ongoing role to play in securing that future and designing appropriate regulatory frameworks. Turning a blind eye to cyber issues as simply ‘technical’ matters is not an option.

Endnotes

1 For example, Allens and the Australian Securities and Investments Commission were both hit by a cyber-attack mediated by software they were reliant on: The Australian Financial Review (online, 25 January 2021) <https://www.afr.com/politics/federal/asic-says-it-was-hit-by-cyber-attack-20210125-p56wsc>.

2 Internet ‘engrish’ meme derived from a computer game involving battles with cyborgs, used here with reference to the extension of regulation over a very broad field.

3 Department of Home Affairs, Reform of Australia’s electronic surveillance framework (online, 2021 Discussion Paper) 5 <https://www.homeaffairs.gov.au/reports-and-pubs/files/electronic-surveillance-framework-discussion-paper.pdf>.

4 Ibid 4.

5 In this regard note the security breaches connected to the Strava app: Thomas Brewster, ‘Why Strava’s Fitness Tracking Should Really Worry You’, Forbes (online, 29 January 2018) <https://www.forbes.com/sites/thomasbrewster/2018/01/29/strava-fitness-data-location-privacy-scare/>.

6 Note that the terms of service for ‘Roomba’ vacuum cleaners permit them to map your home and send this data to iRobot: <https://www.irobot.com.au/legal/privacy-policy>.

7 Amelia Tait, ‘Are smart toys spying on children?’, The New Statesman (online, 6 December 2016) <https://www.newstatesman.com/science-tech/2016/12/are-smart-toys-spying-on-children>.

8 Department of Home Affairs, Voluntary Code of Practice: Securing the Internet of Things for Consumers <https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/code-of-practice>.

9 Department of Home Affairs, Strengthening Australia’s cyber security regulations and incentives: An initiative of Australia’s Cyber Security Strategy 2020 <https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/cyber-security-regulations-incentives>.

10 ACCC, Digital Platforms <https://www.accc.gov.au/focus-areas/digital-platforms>.

11 Attorney-General’s Department, Online Privacy Bill Exposure Draft <https://consultations.ag.gov.au/rights-and-protections/online-privacy-bill-exposure-draft/>.

12 Up to 10% of an organisation’s turnover.

13 Attorney-General’s Department, Privacy Act Review – Discussion Paper <https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/>.

14 See e.g. Jeannie Marie Paterson and Yvette Maker, ‘AI in the Home: Artificial Intelligence and Consumer Protection’, to be published in Ernest Lim and Phillip Morgan (eds), The Cambridge Handbook of Private Law and Artificial Intelligence (Cambridge University Press, forthcoming), available at <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3973179>; Kayleen Manwaring and Roger Clarke, ‘Is your television spying on you? The Internet of Things needs more than self-regulation’ (2021) 93 Computers and Law: Journal for the Australian and New Zealand Societies for Computers and the Law 31-36, available at <http://www8.austlii.edu.au/cgi-bin/viewdoc/au/journals/ANZCompuLawJl/2021/9.html>.

15 Australian Government, Trusted Digital Identity Framework (TDIF) <https://www.digitalidentity.gov.au/privacy-and-security/trusted-digital-identity-framework-tdif>.
