Gov review of data retention obligations "sounds easier than it is"

A government review of the myriad data retention obligations on companies “sounds easier than it is”, with scope and ambiguous wording of laws complicating efforts, according to Home Affairs’ Peter Anstee.

Speaking at AISA Melbourne CyberCon, Anstee - who is first assistant secretary of cyber and technology security policy - indicated the size of the task would have an impact on any timetable for legislative reform.

The issue of data retention - how long companies should keep data, and what they should keep - became an issue after the Optus data breach.

A line item in last year’s federal cyber security strategy [pdf] pledged to review the numerous and potentially conflicting obligations that saw companies hold data for longer than necessary.

Home Affairs and the Attorney-General’s Department are the lead agencies [pdf] on that review.

Anstee said the government had been approached “in the post-event wash-up” of the Optus incident, in particular, for clarity on retention requirements.

“In looking at that, we’re going through a phased approach,” he told CyberCon.

“First, we’re going through all the Commonwealth statute books trying to work out what the actual obligations we put on companies are. 

“That sounds easier than it is. It’s taking us a little bit of time to understand all the data retention obligations that we have on companies. 

“Once we’ve got that picture, we’ll see if there’s a logic to consolidating or rationalising what those obligations are, because sometimes there are very particular obligations in healthcare or record-keeping for the financial services sector, and those retention periods have often been set for a good reason so we’re looking at whether that rationalisation can take place.”

The challenge associated with the review exercise is principally “scope”, but also clarity.

“Sometimes [the obligations are] not very well-defined,” Anstee said.

“[The law] says you just have to hold onto data but doesn’t define what that data is or break down how it should look, so there’s an absence of clarity. 

“A lot of these laws preceded digital storage, so there’s probably an uplift piece we need to do as well.”

Digital resilience

Another incident - CrowdStrike’s update that bricked Windows machines - is being used by the government as a driver to better understand the make-up of “digital supply chains.”

Anstee said the CrowdStrike incident showed what “a routine upgrade can do, quickly cascading into a global crisis, exposing the fragility of our supply chains” - although he added that, “in many ways, CrowdStrike was … a near-miss or a lucky break.”

“What would that have looked like if it impacted not one percent of Microsoft-affected devices but 10 percent of devices?” he said. “What would it be if it was not just a human making an error in terms of a software patch or a software update, but an intentional state-based actor that was looking to disrupt systems?

“We have to contemplate what the impacts of these kinds of activities are.”

Anstee said the government is working with industry “to create a systems-level view of what we call digital supply chains.”

“CrowdStrike was really the catalyst for this discussion,” Anstee said.

“We’re concerned we don’t have sufficient visibility of our supply chains across the economy and the interconnectedness of our digital systems.”

Anstee noted that the Security of Critical Infrastructure Act - SOCI - did help to shed some light on the component services in supply chains of critical infrastructure operators, but not more broadly.

He also said there wasn’t “sufficient visibility of the global connectivity of their supply chains or their existing interdependencies between those critical infrastructure systems”.

“Whether that’s the connections between the energy and electricity sector, or the health and university sector, and their digital interconnectivity, we’re looking to map that and understand that and exercise and test those dependencies in a way that will make us more digitally resilient,” Anstee said.

Cyber laws

The passage of the first specific cyber security bill into law last week was front-and-centre at CyberCon.

Anstee called it a “foundational piece of legislation that we can build upon.” 

“It’s really a framework document, and it means as the threat landscape evolves, we will have a piece of legislative architecture - as us policy wonks call it - that we can build new cyber security reforms on top of and work with industry to make sure that we’ve got legislation that’s fit-for-purpose to take us into a new and challenging period,” he said.

Initially, one of the key requirements of the law is that ransom payments made to threat actors are disclosed.

Anstee characterised this as “a data collection exercise”, adding that the government wanted to “better understand the cyber landscape”, not punish companies that reported making a payment.

Companies that elect not to disclose paying a threat actor could be fined - but Anstee indicated that was a last resort, and it was “unlikely” to be allowed to reach that point.

He said the government would go through a series of engagement steps first to try to get what it wanted - the disclosure of the payment, and the related data points.

This was the approach more broadly with the legislation.

“I think with any sort of policy or regulatory design, it’s always good to work through a process of often before legislation having a voluntary code, starting the legislation with not much punitive action, and then if you’re seeing non-compliance maybe dialling it up if you see that as necessary,” he said.

Gov review of data retention obligations "sounds easier than it is"

Gov review of data retention obligations "sounds easier than it is"

Gov review of data retention obligations "sounds easier than it is"

Gov review of data retention obligations "sounds easier than it is"

Gov review of data retention obligations "sounds easier than it is"