Submission for 2023-2030 Australian Cyber Security Strategy Discussion Paper

Abstract

three main points are as follows: 1. Cyber security and cyber resilience require a shared national strategic vision, supported by laws, policies, advocacy, education, skills, training, and funding. The government is asking everyone – individuals, families, communities, regions, cities, businesses, not-for-profits, governments – to opt-in to that vision. To achieve national alignment and clarity, collaboration, communication, and cooperation will be the crucial mechanisms for success and managing complexity. This requires understanding what is already there (the full complexity of the existing legal and policy framework) before adding new components. 2 2. Cyber security, like many other complex fields,1 exists in shared regulatory space.2 Overlapping regulatory frameworks, functions and authority are normal in a complex field such as cyber security. Research in Australia and elsewhere demonstrates that the best strategy for mitigating the known harms, and harnessing the known benefits, of regulatory overlap is the use of enhanced coordination and cooperation tools. A new Cyber Security Act could achieve this by engaging directly with the coordination and cooperation challenges of multiple agencies, regulators, departments, and stakeholders. However, in enhancing cooperation and coordination, strong accountability and transparency mechanisms must be hardwired into the regulation. 3. New mechanisms for reform must aim to improve cyber security outcomes for society, the economy, and the national interest. A new Cyber Security Act and further amendments to the Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI’) provide publicly scrutinised legislative solutions to the problems cyber security policy seeks to solve. While flexibility for government and businesses is important, government must carefully assess the kind of matters that can be decided in delegated legislation (eg, regulations, declarations, notices), or in co-regulatory and self-regulatory mechanisms (eg, codes of practice, guidelines, assessments, standards), and those which belong in the primary legislation due to: their importance to the operation of a legislative scheme; the need for certainty and clarity around obligations; and to support Australia’s underlying democratic values