Getting regulation right: approaches to improving Australia’s cybersecurity
What’s the problem?
As well as having a global impact, cybersecurity is one of the most significant issues affecting Australia’s economy and national security. On the one hand, poor cybersecurity presents a risk to the interconnected digital systems on which we increasingly rely; on the other hand, well-managed cybersecurity provides an opportunity to build trust and advantage by accelerating digital transformation. Cyber threats can originate from a diverse range of sources and require a diverse set of actions to effectively mitigate them. However, a common theme is that much better cyber risk management is needed to address this critical threat; the current operation of the free market isn’t consistently driving all of the required behaviours or actions.
Regulation can provide a powerful mechanism to modify incentives and change behaviours. However, securing cyberspace depends on the intersection of many factors—technical, social and economic. Current regulations are a patchwork of general, cyber-specific and sector-specific measures with a lack of cohesion that causes overlaps and gaps. That makes the environment complex, which means that finding the right approach that will truly improve overall security and minimise unwanted side effects is difficult. It’s necessary to analyse the interconnected factors that determine the net effectiveness of cybersecurity regulations.
Furthermore, the pace of technological change is so fast today that, even if regulation is successful when first implemented, it needs to be appropriately futureproofed to avoid becoming irrelevant after even a few months. Recent rapid developments in artificial intelligence are an example of the risks here that will need to be anticipated in any changes to the regulatory regimes.
What’s the solution?
Regulatory interventions have an important role to play as one part of a strategy to uplift Australia’s cybersecurity, if done in the right way. This paper presents a framework for the government to make appropriate decisions about whether and how to regulate. That must start with defining which aspect of the cybersecurity challenge it seeks to address and the specific intended long-term impact. In cybersecurity, the most appropriate metrics or measures that regulation seeks to influence should, where possible, be risk-based, rather than specific technical measures. This is because the actual technical measures required are dependent on the individual context of each situation, will change over time, and are effective only when combined with people and process measures. The impact of the interventions on those metrics needs to be readily measurable in order to enable reliable enforcement at acceptable cost—both direct financial cost and indirect opportunity costs.
There’s often a focus on regulation to compel entities to do or not do something. However, compulsion is only one form of regulation, and others, such as facilitation or encouragement, should be considered first, treating compulsion as only one possible approach, which should be used carefully and strategically.
Detailed implementation of cybersecurity regulations should use a co-design process with the relevant stakeholders, who will bring perspectives, experiences and knowledge that government alone does not have. It should also draw upon relevant experience of international partners, not only to benefit from lessons learned, but also to minimise the compliance burden for global companies and operators. Finally, in recognising the complexity of the problem, an iterative approach that measures impact and adjusts approaches to enhance effectiveness, incorporate lessons learned and absorb technological advances needs to be planned from the outset.