- Autumn 2024
- Implications of the proposed Cyber Incident Review Board
There has been an increased demand among organisations for greater discipline and structure in the way they defend themselves against cyber security breaches.
This is driven by two factors: first, recent high profile cyberattacks on trusted institutions creating an expectation that cyber security breaches be better prevented and managed, and second, proposed government initiatives, including a Cyber Incident Review Board (‘CIRB’) intended to review major breaches (or breach trends). The stakes are higher than ever, and the reputational, operational, and financial risks of getting it wrong are significant.
What’s the CIRB proposal?
The Department of Home Affairs has proposed the CIRB as part of the fifth of six ‘cyber shields’ formulated in the Australian Government’s 2023–2030 Cyber Security Strategy.1 The CIRB would look into major cyberattacks to understand why they occurred, examine the effectiveness of the response to an attack, and share learnings from it to promote improvements. Some suggestions on how the CIRB would operate are set out in a consultation paper by the department.2
The objective of the CIRB is to ‘conduct no-fault, post-incident’ investigations. It can call evidence and witnesses to assist in its objective, and it will publicly share its findings to improve Australia’s overall cyber security stance.
Some issues yet to be resolved are:
a. What type of investigations would it look into? Major breaches such as those recently affecting Medibank and Optus? Or classes of smaller (but more widespread) attacks, for example, breaches of commonly used cloud services or ransomware strikes?
b. How would the CIRB approach its ‘no fault’ goal, especially as it collects evidence and makes findings?
c. How would cooperation of foreign IT companies, which can be disengaged from assisting with Australian legal processes, be achieved?
Potential models that the CIRB may replicate or draw inspiration from include the Australian Transport Safety Bureau (which conducts safety investigations of air, sea and rail incidents) and the USA’s Cyber Safety Review Board.
Trend towards accountability for cyber security
The CIRB and other trends of accountability are part of the public’s growing awareness that the frequency and severity of cyber security breaches can be reduced with a structured, risk-managed approach and that a disciplined response can limit the damage caused by breaches.
That means that what your client does to prevent a breach, and to respond to a breach, may be closely examined by a digital forensic expert if something goes wrong.
Why it matters to Australian business
Not long ago, many people saw cyberattacks as something impossible to avoid, like getting struck by lightning. However, now we expect government and business to be better prepared and to handle issues more effectively when they do happen. A failure to take proper steps to prevent and manage cybercrime events may attract regulatory and civil liability.
Before 2023, there was only one class action for a data breach; now there are at least four filings.3 This change shows that there’s a cost in not protecting data (and providing evidence this was done). There is a real chance actions will be closely scrutinised.
How the CIRB could help improve accountability
The intention of the CIRB is to learn from each cyberattack and publicly share that information. By understanding what went wrong in the context of a cybercrime and sharing these lessons, we can all get better at preventing future attacks.
However, there are challenges – including making sure that incident reviews don’t lead to ‘fixing blame’ without ‘fixing the root problems’.
Additionally, the CIRB’s collection of evidence – even without assigning direct blame – will likely result in further legal actions, as the CIRB will complete a substantial amount of investigatory and evidence collection work, potentially making it easier to launch other actions.4
Your next step
Barristers have a great opportunity to improve our nation’s cyber resilience by driving an increase in accountability of organisations exposed to cyber risk. Even if the CIRB concept doesn’t go ahead, the trend is towards increased societal expectations of organisations in relation to their pre- and post-breach management of cyber security.
In addition, as the Australian Government’s Cyber Shields concept evolves, barristers may be able to contribute knowledge by making submissions to government or writing articles to help Australians discuss the impacts of these changes.
Lastly, barristers should reach out to cyber security professionals for advice on how to help clients start or improve their cyber journey. BN
Rethinking personal cyber security: Balancing caution and convenience
In our daily lives most of us understand that perfection is unattainable, and personal cyber security is no exception. The commonly accepted objective is not to seek flawless security but to significantly reduce risks.
Tailoring cyber security strategies
Cyber security strategies differ markedly between personal and organisational contexts. For individuals, the challenge lies in establishing protocols that effectively reduce cyber risk without imposing excessive restrictions. Individuals should start with three foundational rules for personal cyber security:
1. Stick to trusted devices and services: Only use devices and online platforms that you trust. Avoid using publicly accessible computers for sensitive activities like email access or online banking. Similarly, it’s advisable to refrain from using an untrusted computer for work tasks due to the potential for less stringent security practices (for example, a family member’s computer, a shared computer, and so on).
2. Less is more: Most people are surprised to learn that the effectiveness of antivirus programs is limited. A better approach is to only install trusted software and to take preventative measures against the introduction of less trusted software by limiting what you do with your devices. Keeping your software up to date and securely disposing of devices that no longer receive security updates are critical steps. Additionally, be cautious about leaving your devices in places where their integrity could be compromised.
3. 2FA all the way: Implement two-factor authentication (2FA) for your most sensitive accounts, including email, cloud storage, customer databases, and financial accounts. As the level of risk escalates, so should your security measures, to ensure your most valuable digital assets remain protected. Seek advice for high value data sets.
While these rules provide a solid foundation, personal cyber security often requires more nuanced approaches tailored to individual risk profiles and resources.
It’s advisable to consult with a cyber security professional to develop a strategy that best suits your needs, especially if you manage high value or highly sensitive information. However, these three principles offer a sound starting point for anyone looking to safeguard their digital presence in the vast and sometimes perilous landscape of the internet.
ENDNOTES
1 Department of Home Affairs, Parliament of Australia, 2023–2030 Australia Cyber Security Strategy (Report, 2023) 24 < https://www.homeaffairs.gov.au...subsite/files/2023-cyber-security-strategy. pdf>.
2 Department of Home Affairs, Parliament of Australia, 2023–2030 Australian Cyber Security Strategy: Legislative reforms (Consultation Paper, November 2023), <https://www.homeaffairs.gov.au...subsite/files/cyber-security-strategy-2023–30-consultation-paper.pdf>.
3 Valeska Bloch et al, Takeaways from the Optus and Medibank data breach class actions (Blog Post, 7 June 2023) <https://www.allens.com.au/insi...insights/2023/06/Takeaways-from-the-recent-Optus-and-Medibank-data-breach-class-actions/>.
4 Noting that reports of the Australian Transport Safety Review Board, for example, cannot be used as evidence in any civil or criminal proceedings: s 27 Transport Safety Investigation Act 2003 (Cth).