Hackers’ honeypot: customer data storage laws set to be wound back
Laws requiring telecommunications companies to store vast troves of customer data are set to be wound back as part of a sweeping $600 million federal government plan to make Australia less vulnerable to crippling cyberattacks.
The government will on Wednesday release its long-awaited cybersecurity strategy, including plans to force companies to reveal when they have been hacked while creating a new system of “health checks” for small and medium-sized businesses.
“Our strategy will make every Australian citizen, business, government agency and organisation a harder target,” said Home Affairs Minister Clare O’Neil, who is responsible for cybersecurity.
“It will enable us to bounce back faster from attacks that we cannot prevent. We will put cybercriminals on notice, and we will fight back against the threat.”
The plan, aimed at making Australia a world leader in cybersecurity by 2030, follows a string of damaging recent cyberattacks, including against Optus and Medibank Private last year and major port operator DP World earlier this month.
As part of the strategy, the government will review federal data retention requirements, using the process to “consider any unnecessary burden and vulnerabilities that arise from entities holding significant volumes of data for longer than necessary”.
“Following the outcomes of this review, the government will explore options to minimise and simplify data retention requirements,” the 64-page strategy says.
Under major changes to data retention laws introduced in 2015, telcos and internet service providers were required to retain customer metadata – such as the date, time and type of communication – for at least two years.
“Our most valuable datasets require adequate protections that keep pace with the current cyber landscape, without imposing unduly burdensome requirements on industry,” the strategy says.
“This includes streamlined data retention requirements that are appropriate and proportionate.”
The report singles out the health sector as a priority for action given hospitals and healthcare professionals store huge amounts of sensitive patient data yet cyber defences in the sector are alarmingly unsophisticated.
The government will spend $9.4 million to build a new threat-sharing platform for the health sector that could then be rolled out to other fields.
The strategy includes $291 million in support for small and medium-sized businesses, including the creation of a cyber health-check program offering free and tailored cybersecurity assessments to business owners.
A new resilience service will provide small businesses with advice to help them recover quickly in the aftermath of a cyberattack.
Describing cybersecurity as an “urgent national problem”, O’Neil said: “The strategy is bold and ambitious, and it has to be, because one thing is abundantly clear from what’s happened to our cyber environment in the last five years: we simply can’t continue as we are.”
Under the changes, the government will introduce a mandatory new no-fault, no-liability reporting obligation for businesses that are the victims of ransomware attacks.
While businesses will not be banned from paying ransoms to hackers and other cybercriminals, a new “ransomware playbook” will provide guidance on how to respond to ransom demands, including strong advice that ransoms should not be paid because they encourage hacking attempts.
The national cyber co-ordinator will lead an expanded series of cyber “wargaming” exercises, following those launched this year to gauge how key players in the aviation, banking and telco sectors would respond to attacks.
The release of the cyber strategy has been complicated by the fact that the inaugural cybersecurity co-ordinator, Air Marshal Darren Goldie, was last week recalled to the Defence Department to deal with what was described as “a workplace matter related to his time in Defence”.
Reports of cybercrime jumped by 23 per cent over the past year, with an Australian reporting an attempted ransomware attack or other crime every six minutes, according to the Australian Signals Directorate’s latest annual cyberthreat report.
The report found the cost of cybercrime had increased by 14 per cent over the past year, with an average cost of $46,000 for small businesses and $71,600 for large businesses.