Australia can learn from Britain on cyber governance

Australia needs to reevaluate its security priorities and establish a more dynamic regulatory framework for cybersecurity. To advance in this area, it can learn from Britain’s Cyber Security and Resilience Bill, which presents a compelling model for reforming our own cyber governance and standards.

Amid the increasing frequency and sophistication of cyber threats and geopolitical tensions, complacency is no longer an option. The risks of inaction are significant, potentially including economic turmoil, disruption of essential services and threats to national sovereignty.

Australia must transition away from a system of voluntary compliance and instead introduce enforceable regulations. Britain’s cyber bill imposes clear obligations on providers across critical sectors such as transport, energy, health, communications and even extends to digital service providers. In contrast, Australia still relies on sector-led initiatives and non-binding guidelines. As cyber attackers become increasingly adept, our legislative frameworks must evolve. Voluntary standards can no longer serve as a sufficient baseline for national security.

Furthermore, regulatory bodies in Australia lack the authority needed to enforce compliance. Britain’s framework empowers regulators to designate ‘critical suppliers’, demand incident reports and impose penalties for non-compliance. While Australia has established agencies such as the Australian Cyber Security Centre (ACSC) and the Cyber and Infrastructure Security Centre within Home Affairs, they lack the legal authority to conduct audits and enforce regulations across various sectors. Without robust oversight, regulations risk becoming mere formalities.

Australia must also abandon a one-size-fits-all regulatory approach. Different sectors face unique cyber threats; the needs of a hospital differ significantly from those of a logistics company or a power provider. Britain’s sector-specific regulations serve as a useful framework that Australia can adopt, tailoring obligations to reflect sector-specific operational realities and threat profiles.

Cyber regulation is an ongoing process, not a static checklist. A resilient cyber regime is built through continuous refinement guided by experience and international best practices. Australia must remain receptive to insights from global partners, including Britain, and incorporate effective international measures into its domestic model. A siloed approach will only hinder our progress. The Aspen Institute emphasises the importance of interoperable cybersecurity regulations in addressing the interconnected nature of cyber threats and fostering effective cross-border cooperation.

Recent statistics underscore the urgency of reform. In 2023–24, the ACSC reported more than 87,400 cybercrime incidents, averaging one report every six minutes. The financial impact is escalating, with individual self-reported losses averaging around $30,700—17 percent more than a year earlier. High-profile breaches, including the April incident affecting major superannuation funds and prior breaches at Optus and Medibank, highlight the scale of the threat and the ongoing vulnerability of our critical infrastructure.

The economic cost of cybercrime in Australia was estimated at up to $29 billion in 2020, encompassing business disruption, recovery, reputational damage and loss of consumer trust. Beyond the monetary implications, each breach erodes public confidence in government and national resilience.

Fortunately, Australia isn’t starting from scratch. The government has already made strides in enhancing its cyber defences. The 2024 Cyber Security Act introduced significant reforms, including mandatory ransomware reporting and minimum standards for smart devices. Amendments to the Security of Critical Infrastructure Act have expanded coverage and improved information-sharing mandates. Upcoming reforms to the Privacy Act aim to harmonise protections across sectors.

While these initiatives are necessary, they aren’t sufficient.

To strengthen our cyber resilience, Australia must connect these reforms into a cohesive, enforceable framework. Inspired by Britain’s approach, Australia should make six key moves. It should:

—Ensure legislative clarity and mandates by transitioning from recommendations to binding standards for essential service operators, with penalties for non-compliance;

—Introduce proactive regulatory power by equipping agencies such as the ACSC with the legal authority to investigate, audit and enforce compliance;

—Implement mandatory incident reporting, including the swift reporting of significant cyber incidents through centralised platforms, to enhance cross-sector threat sharing and response;

—Tailor rules to be sector-specific through customised guidelines for critical sectors including healthcare, energy, finance, transport and communications;

—View cyber resilience as a geopolitical priority by coordinating response and recovery plans, public preparedness campaigns and joint exercises with industry; and

—Develop a world-class cyber workforce by treating the talent gap in cyber security as a strategic priority, funding education and creating attractive career paths.

Australia has taken important first steps. But the gap between policy ambition and practical implementation remains wide. The choices made now regarding our cybersecurity posture will have profound and lasting consequences for our national security, economic prosperity and social stability. Britain’s bill offers a roadmap and lessons that Australia should adopt and adapt with urgency and decisiveness.