Skip to main content
Cybersecurity

Australia Urged to Empower ACSC as Cybersecurity Regulator

Government building with a stylized network pattern in the foreground, symbolizing cybersecurity regulation.

What is at stake is straightforward and stark: as cyber vulnerabilities reach into critical infrastructure, essential services, the economy and national resilience, the policy choice is whether Australia will rely on voluntary measures or create a formal regulator with powers to compel minimum standards and enforce compliance.

The proposal: ACSC as a formal cybersecurity regulator

The core argument in the piece is that the Australian Cyber Security Centre (ACSC) should evolve into a formal cybersecurity regulator with responsibilities comparable in principle to the Therapeutic Goods Administration in the health sector. Under that model the ACSC would set mandatory minimum cybersecurity standards, certify high‑risk products and services, investigate major cyber incidents, mandate remediation of systemic vulnerabilities and enforce compliance across critical sectors. Regulation, compliance, certification and public accountability would sit with the ACSC while operational cyber defence would remain separate.

How the Cyber Security Act 2024 fits

The Cyber Security Act 2024 is described as an important first step: it introduces new cybersecurity obligations, reporting mechanisms and assurance measures and signals a move away from a purely voluntary approach. The article frames the act not as the end point but as the beginning of a broader regulatory journey — comparable, in historical terms offered by the source, to early health and safety laws that later produced regulators such as the TGA and the Australian Radiation Protection and Nuclear Safety Agency. An empowered ACSC could build on the act to become a dedicated national regulator responsible for certification, compliance, enforcement and public accountability.

Division of labour: ACSC oversight and ASD operations

The piece emphasises a clear separation of roles. The Australian Signals Directorate (ASD) would continue to lead operational cyber defence, intelligence and national cyber operations — including offensive cyber operations, incident response support and national cyber defence — while the ACSC, operating as an independent regulatory authority, would focus on standards, certification, compliance monitoring and public accountability. That separation is presented as mirroring arrangements in other sectors where regulators set and enforce safety standards and distinct operational agencies handle day‑to‑day activities and emergency response.

Certification, mandatory baselines and enforcement powers

Under the proposed regulator, mandatory baseline requirements would be established for critical sectors. The article lists possible elements: secure‑by‑design principles, multi‑factor authentication, vulnerability management programs, incident reporting obligations and supply‑chain assurance measures. High‑risk technologies and services would be subject to independent assessment before deployment — examples named in the piece include industrial control systems, cloud service providers that support government functions, telecommunications equipment and high‑risk artificial intelligence systems. The regulator would also be empowered to investigate major incidents, issue formal findings, require corrective action and, where necessary, impose penalties — turning current post‑incident advice and support into enforceable obligations when systemic vulnerabilities are found.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: Expect enforceable minimums rather than voluntary guidance. They would need to design systems to meet secure‑by‑design principles, implement multi‑factor authentication and sustain vulnerability‑management programs, and prepare for independent certification of technologies used in critical environments.
  • Policymakers and regulators: The Cyber Security Act 2024 provides a foundation but the piece urges further institutional reform — specifically, empowering the ACSC to handle certification, compliance and public accountability while leaving operational roles with the ASD.
  • Affected enterprises and procurement leaders: Organisations responsible for essential services would be required to demonstrate compliance, not merely aspire to best practice. The argument notes that market incentives have not consistently produced sufficient investment in security and that the costs of cyber failure are often borne by customers, citizens and the broader economy — creating a rationale for mandatory assurance and, where necessary, penalties for non‑compliance.

The strategic rationale offered is blunt: cyber insecurity has moved beyond an IT problem to a public‑safety and national‑resilience issue. The source argues that governments do not rely on voluntary compliance where failures can cause widespread harm — hence the logic of a regulator tasked with certification, enforcement and public accountability. It concludes that cyber failures already have national consequences and that empowering the ACSC as a cybersecurity regulator would be a significant step toward addressing them.

https://www.aspistrategist.org.au/the-acsc-should-become-australias-cybersecurity-regulator/