IT Brief Australia - Technology news for CIOs & IT decision-makers
Story image

Australia’s National Cybersecurity Act races against technological advancement

Mon, 3rd Jun 2024

In an era of rapid technological advancements, the necessity for robust cybersecurity measures is paramount. Emerging technologies like AI and quantum computing present both opportunities and challenges - both for productive use and damaging criminal activity.

In response, cybersecurity experts agree there is a pressing need for the Australian government to enact a comprehensive National Cybersecurity Act. This legislation would need to streamline existing laws but, most importantly, emphasise encryption as a critical component of cybersecurity, ensuring the safety of Australian businesses from sophisticated cyber threats. Furthermore, most agree that penalties for non-compliance must be significantly hardened if the act is to have teeth.

Australia's current legislative landscape for cybersecurity is fragmented, lacking in teeth and spread across multiple federal acts such as the Corporations Act, Privacy Act, Telecommunications Act, and Security of Critical Infrastructure Act. This scattered approach can lead to inconsistencies and confusion, making it difficult for organisations to remain compliant and secure. We have already seen this when stevedore DP World admitted it was unsure if it fell under the Security of Critical Infrastructure Act during the hack that held up Australian shipping operations late last year.

One of the pivotal components of any proposed legislation should be an emphasis on encryption as the fundamental to cybersecurity. Only encryption ensures successfully stolen data is useless to criminals. Encryption acts as the ultimate safeguard for data—whether at rest, in motion, or in use. By mandating the encryption of sensitive data across its entire lifecycle, the Act would ensure that even if cyber defences are breached, the data remains secure and indecipherable to unauthorised parties. This approach acknowledges the reality that while preventing attacks is crucial, the focus must also be on data protection. 

One small piece of news this month is worthy of your attention: Microsoft and Quantinuum announced an 800x improvement in quantum error correction technology. In the grand scheme of things, it's another small step towards making quantum computing technology more viable.  

But it's what it means for our cybersecurity that should worry our lawmakers the most. Quantum computers, due to their immense processing power, could potentially break traditional encryption algorithms and public key infrastructure, thereby rendering current encryption obsolete. This makes the integration of specifically quantum-safe encryption security practices an essential provision in the proposed Act, particularly for sectors handling critical infrastructure, defence, intellectual property, and sensitive citizen data. Such regulations are already being legislated in the US.

This might seem like overkill. However, like with the development of AI technology, future technology always appears 'decades away' until a breakthrough makes it used by millions tomorrow. Without these provisions, our act may lose the race against the technology it is set out to regulate and find itself dead on arrival.

The proposed Cybersecurity Act aims to protect more than just individual citizen data; it extends its protective measures to commercial data, including business and government secrets and financial information, recognising it as equally worthy of confidentiality. By treating data as a valuable asset, the Act intends to secure it from unauthorised access and misuse, whether by cyber-criminals or through mishandling by the organisations entrusted with it.

This would (finally) bring us into line with the European Union's General Data Protection Regulation (GDPR) which is the gold-standard of cybersecurity legislation. It has significantly reduced the number of successful cyberattacks and data breaches involving unencrypted data. 

Similarly, the U.S. has seen improvements in quantum-threat readiness and overall cybersecurity performance following the establishment of the Cybersecurity and Infrastructure Security Agency. 

The proposed Australian Cybersecurity Act is a necessity in the digital age. By emphasising data protection (encryption) and including provisions for future quantum threats, the Act will protect critical information but also supports the resilience of the Australian economy as new technologies reach maturity.  We have lived in a world where technological advancement has raced ahead of legislation. It's time we narrowed that gap.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X