September 19, 2023
Australia will use its partnership with the United States, Japan and India to push for rules forcing companies to stop selling “wantonly unsafe” software by the end of the decade.
Home Affairs Minister Clare O’Neil is leading moves to stop technology firms shipping products with security holes that can be exploited by hackers who damage the global economy by tens of billions of dollars a year.
But Ms O’Neil said on Monday that Australia would not introduce a “completely bespoke regime” to force companies to prove their software is safe, arguing that would hamper trade. Instead, she has turned to the grouping of four countries known as the Quad.
“Together, the four countries in the Quad make up 40 per cent of global GDP,” Ms O’Neil said in a speech in Canberra last week. “So these four democracies have enough buying power, which is clearly big enough to transform the dynamics of how technology is invented and developed.
“Not in piecemeal ways but to demand that cybersecurity and national security and the protection of our democracy are built in at the design stage.”
The Quad grouping does not have a central body to create policy, unlike the European Union, which has become a default global legislator on technology questions and is considering fresh cybersecurity rules.
But it includes India, which has a huge workforce in the technology sector and is a leader on digital government. India has also taken an increasingly authoritarian stance on digital policy, adopting laws that let the state demand the deletion of social media posts, which has alarmed human rights groups.
Quad leaders agreed in May to build “policy frameworks” to make software safer but provided scant detail on how that would operate.
Simon Bush, chief executive of the Australian Information Industry Association, which represents software companies, said including India via the Quad arrangement was sensible because it produced so much software.
“It’s a recognition that India has an important role to play,” Mr Bush said, but added that the Quad should not be the only international forum used by the government because it did not include other close partners such as the UK and Canada.
Overall, Mr Bush welcomed the idea of common cyber standards, with the caveat that small businesses needed rules they could follow without major cost burdens.
Vulnerabilities in major pieces of commonly used software have enabled large-scale cyberattacks, such as the SolarWinds breach of 2020 and the GoAnywhere hack this year. In each case, software created by little-known enterprise software makers allowed online criminals to get data belonging to many of their much more prominent clients.
Ms O’Neil said that by 2030, Australians would be protected by rules ensuring that developers could not “wantonly sell them something that they know to be unsafe, which we are aware is happening today”.
Major software companies and device sellers Amazon and Microsoft were contacted for comment on the government’s plan, with the former only pointing to its previous submissions on cyber policy. Australia’s technology champion, the work communication software maker Atlassian, welcomed the minister’s move.
“Taking a global view when co-ordinating approaches to embed greater security in software development practice will be critical if we want Australian software companies to continue to grow and export their wares,” said Atlassian public policy boss David Masters.
Mr Masters pointed to other work that Australia has done on designing good software with a wider range of partners including Canada and Germany, saying it “positions Australia well to be a world-leading cybersecurity nation by 2030”.
Opposition cyber spokesman James Paterson said it was good that the minister was thinking about the issue but described her approach as a “thought bubble in a speech”.
“Regulatory harmonisation across the Quad members is hugely ambitious, and it’s not clear any legwork has been done yet by the Albanese government,” Senator Paterson said.
He said the government should immediately establish a technology security policy office to start assessing high-risk technology from authoritarian countries.