Market incentives and cyber security: fixing the system before it breaks us
Cyber security is not just an IT issue; it is a shared responsibility and an economic imperative.
Is it possible to use the free market to drive the right incentives for organisations to appropriately prioritise cyber security? This was the subject of a recent discussion hosted by the University of New South Wales Institute for Cyber Security in partnership with , bringing together leaders from government, industry and academia. Many of the discussions, held under Chatham House Rule, were relevant to the development of the 2023–2030 Australian Cyber Security  second horizon, which aims to scale Australia’s cyber maturity across the economy. Market incentives can play a major part in developing two of the strategy’s priorities or ‘shields’: strong businesses and citizens, and safe technology.
Participants agreed that market incentives were important, but the approach needed to be tailored for different audiences. There are some encouraging examples of the use of market mechanisms in other industries. For example, producers of free-range eggs charge a premium for their product, and many customers will actively choose such products because of their perceived benefits.
The government can drive desired behaviour in various ways. This could include defining voluntary standards to inform consumers - such as the labelling regulations currently under development for the Internet of Things - and ensuring that organisations maintain transparency and accountability with stakeholders around how well they are managing cyber security risk. Government agencies can also use their procurement rules to encourage specific standards and certifications, including assessments through the for systems that handle government data, as well as Defence Industry Security Program membership for defence supply chain companies.
One of the proposals made during the discussion was to change Australian Stock Exchange listing rules to link bonuses for board members to cyber security outcomes. The Qantas board’s decision to in the wake of a major cyberattack in June could provide a template for this model. The government could also consider how the tax system could be used to encourage certain behaviours through the use of targeted incentives and tax relief, among other measures.
Education was also seen as vital. Generic campaigns could not only teach consumers to ask the right questions but also create a societal expectation to maintain cyber security. The example of free-range eggs also shows us what social pressure can do. There is also a need for more focused guidance for different end-user communities to help them to make appropriate risk-based decisions around how they choose and engage with technology.
Insurance was suggested as another key ingredient, with the expectation that it could encourage investment in cyber security to reduce premiums. A comparable case could be found in the maritime industry, where insurer requirements drove shipping companies to implement effective anti-piracy measures.
However, it was generally felt that the cyber insurance industry was not functioning effectively. This could be due to a lack of appropriate data to allow insurers to price risk, as well as concerns around escalating threats driving premiums up to unaffordable levels. The root causes of this market failure are unclear, and further research would be useful.
Ultimately, it was generally agreed that market incentives had a role but could only go so far. There will be a need for the government to regulate and mandate certain behaviours, backed by the credible threat of strong enforcement and penalties. It was noted that it was the threat of directors going to jail that made companies take workers’ health and safety seriously. We have seen regulators pursuing the imposition of significant financial penalties on organisations after major data breaches. But do we need to go further and pursue criminal charges in cases of gross negligence resulting in major cyber incidents?
When discussing such stronger regulation, some suggested that it should be targeted towards upstream providers. While the Department of Home Affairs has not directly asked about this in its  on the strategy’s second horizon, the consensus from our discussion was that a key goal should be ensuring products and services are secure-by-design as a matter of course. Suppliers need to be incentivised to ensure they do not sell something that is unsafe. Given that this duty of care would need to include vetting onward supply chains, suppliers may not be able to do that all on their own, so there may need to be some flexibility in who we hold accountable.
Cyber security is not just an IT issue; it is a shared responsibility and an economic imperative. Only by ensuring resilience can we confidently adopt new technology and realise its benefits. The discussion underscored that the next horizon of the cyber security strategy would require a mix of incentives - including regulation, market forces and cultural change - to realise the government’s objective of building a secure and resilient digital economy.