Troublemaker CISO
Commentary from the Troublemaker CISO: The Australian Cyber Security Act – A Step Forward or Just Another Layer of Red Tape?
Well, well, well—looks like Australia is making some serious moves in the cyber realm with the passing of the new Cyber Security Act. While I applaud any efforts to combat those pesky cybercriminals, I can’t help but raise an eyebrow at some of these provisions. Let’s unpack this a bit, shall we?
First up, the big kahuna: the 72-hour reporting window for ransomware payments. Sure, on the surface, it feels like a valiant attempt to arm the Australian Signals Directorate (ASD) with the intel they need to track criminals and bolster national security. But here’s the kicker—what about the organizations scrambling to pick up the pieces after a ransomware attack? As if they aren’t already battling late-night panic attacks, now they have to launch into a full-blown bureaucracy sprint to notify the ASD! Losing data is one thing; juggling compliance with a ticking clock is a whole new level of chaos.
Let’s be real: the advice against paying ransoms is like telling a starving person not to eat. If your sensitive data is on the line—and let’s face it, that shiny data is often the lifeblood of your business—can you really blame an organization for shelling out cash to get it back? Sure, the government wants to discourage this practice to dry up the criminals’ funding streams, but in the heat of the moment, decisions don’t exactly follow a neatly packaged playbook. There may be genuine cases where paying a ransom seems justifiable, even if it doesn’t send the best message to the black hat community, does it?
And while we’re on the subject of messages, let’s discuss the new security standards for IoT devices. Mandatory unique passwords and secure default settings? Do we really need a law to enforce common sense? The Internet of Things has always been the Wild West when it comes to security. If manufacturers didn’t already know they should prioritize security with their devices, what makes us think that this shiny new legislation will suddenly change their minds? It’s like putting a fancy coat of paint on a rickety old car and expecting it to fly!
Now, having a Cyber Incident Review Board sounds like a grand gesture. But let’s not kid ourselves—if they’re simply reviewing how organizations responded to incidents without assigning fault, what are we really learning here? This board could end up being more like a post-mortem excuse factory than a proactive solution engine. Unless they’re ready to truly dig into the reality of these cyber incidents, we’re left with recommendations that might as well be gathered from a corporate retreat.
You all know I love a good curveball, and here comes a whopper—expanding the Security of Critical Infrastructure Act! More regulations for critical infrastructure? Great! But with increased scrutiny comes increased pressure. Sure, regulators will have more power to assess vulnerabilities, but will the organizations running these infrastructures have the resources to actually comply? We know that budgets are tight, and striking the right balance between compliance and functionality is like dancing on a tightrope. One wrong step, and it’s a free fall.
Now, there’s a silver lining amid the bureaucratic bluster. If organizations heed the call to bolster their cybersecurity protocols in light of these changes, then perhaps we’ll actually see some real progress in national resilience. But let’s be clear: the government can promote all the awareness campaigns it wants. The heavy lifting is still on businesses to refine incident response plans, train staff, and juggle existing regulations along with these new obligations.
In the end, the Cyber Security Act is like a double-edged sword. It has the potential to enhance rigor and, dare I say, instill a sense of accountability in organizations. Still, it could also smother them in regulatory red tape if they aren’t adequately prepared. So, let’s hope folks in the industry rise to the occasion and not get snagged in the web of complexities.
And remember, the fight against cybercrime is like a game of chess—always think several moves ahead. As we navigate these new rules, we must also be ready for the inevitable shifts in the cyber landscape. Stay vigilant out there, my fellow troublemakers, because with the cyber world, things are rarely what they seem!
Keep your eyes peeled for a future episode where we’ll explore how to maintain sanity in a world ruled by compliance.