Strong cybersecurity measures are crucial in an era of rapid technological advancement. Emerging technologies such as AI and quantum computing bring both opportunities and challenges: they can be put to productive use, but they can also be misused for criminal activity.
In response, cybersecurity experts agree that it is urgent for the Australian government to enact comprehensive national cybersecurity legislation. This legislation should streamline existing laws, but most importantly, it should highlight encryption as a critical component of cybersecurity to protect Australian businesses from advanced cyber threats. Furthermore, most experts agree that to be effective, the legislation must include significantly increased penalties for non-compliance.
Australia's current cybersecurity legislative environment is fragmented and ineffective, spread across multiple Commonwealth laws including the Corporations Act, Privacy Act, Telecommunications Act and Critical Infrastructure Security Act. This scattered approach leads to inconsistencies and confusion, making it difficult for organisations to remain compliant and secure. This was already evident when stevedore DP World admitted it was unsure whether the hack that disrupted Australian shipping operations late last year fell under the Critical Infrastructure Security Act.
One of the key components of the proposed bill is its emphasis on encryption as a cornerstone of cybersecurity. Only encryption can ensure that stolen data is useless to criminals. Encryption serves as the ultimate safeguard for data whether it's at rest, in motion, or in use. By mandating encryption throughout the entire lifecycle of sensitive data, the legislation ensures that data remains secure and unreadable to unauthorized parties, even if cyber defenses are breached. This approach acknowledges the reality that while preventing attacks is important, there must also be a focus on protecting data.
One small piece of news worth noting this month was that Microsoft and Quantinuum announced an 800x improvement in quantum error correction technology. Overall, this is a small step towards making quantum computing technology more feasible.
But what should most concern lawmakers is quantum computing's impact on cybersecurity. Due to their enormous processing power, quantum computers could break traditional encryption algorithms and public key infrastructure, thereby rendering current encryption obsolete. Therefore, incorporating quantum-safe cryptographic security practices will be a mandatory provision in any proposed bill, especially in sectors that handle critical infrastructure, defense, intellectual property, and sensitive citizen data. In the United States, such regulations are already in place.
This may seem like overkill, but as with the development of AI technologies, future technologies always seem “decades away” until a breakthrough puts them in the hands of millions of people almost overnight. Without these provisions, our laws may be outpaced by the very technologies they are meant to regulate and may be hobbled from the start.
The proposed Cybersecurity Bill protects not only personal data but also commercial data, such as confidential corporate and government information and financial information, which should be kept equally confidential. It aims to treat data as a valuable asset and to protect it from unauthorized access by cybercriminals and from misuse or improper handling by the organizations entrusted with it.
This will enable us to (finally) comply with the European Union's General Data Protection Regulation (GDPR), the gold standard of cybersecurity law, which has significantly reduced the number of successful cyber attacks and data breaches due to unencrypted data.
Similarly, the United States has seen improvements in quantum threat preparedness and overall cybersecurity performance since the establishment of the Cybersecurity and Infrastructure Security Agency.
The proposed Australian Cybersecurity Act is a necessity for the digital age. With a strong focus on data protection (encryption) and including provisions for future quantum threats, the Act will not only protect critical information, but also support the resilience of the Australian economy as new technologies mature. We have lived in a world where technological advances have outpaced legislation; now is the time to close the gap.