Newly appointed Minister for Home Affairs Karen Andrews has singled out cyber as a priority in her portfolio, using Australia’s Critical Infrastructure reforms as an example of how the government has worked to protect the nation.
“I have elevated cyber to [a] big priority in the portfolio,” Andrews said, speaking as part of the CEDA State of the Nation 2021 conference on Thursday.
The reforms, by way of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, would allow, among other things, the government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. Tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers.
“The Critical Infrastructure legislation is particularly important to us, and I think that what it demonstrates is people’s perception of what is critical infrastructure, which is way beyond the physical bricks and mortar, is crucial to us,” Andrews said.
The Bill brings in the likes of communications, financial services, data storage and processing, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors to the definition of critical infrastructure.
“We do know that there is an increasing threat of cyber attack here in Australia, ransomware, these are significant issues for us. It is also important that we recognise that many businesses who either have been subject to a ransomware attack or are likely to be subject to a ransomware attack are not necessarily going to be forthcoming in providing that information,” Andrews continued.
“If we don’t have the information going through to the Australian Signals Directorate that enables them to come in and provide a level of support, then it means that we can’t assist in trying to re-establish some of the connections that are there to try and assist with recovering the data. It also means that we’re not getting the intelligence that we need that will lead to a more cybersecure environment for us here in Australia.”
Andrews said the legislation needed to “be progressed as a matter of urgency”.
“That is what my plan is,” she added. “I think it actually provides significantly more protections than it does introduce risks.”
Speaking alongside Andrews was Michelle Price, CEO of AustCyber, the organisation charged with growing a local cybersecurity ecosystem. She touted the legislation as “one piece of a very large patchwork of things” that needed to be undertaken.
“People are celebrating that this legislation is occurring, principally because it does level the playing field across industries,” she said.
Of importance to Price, however, was that education on the Bill’s purpose and consequences should occur.
“We need to make sure that that education spreads out, this is where the value chain comes into it, those trusted information-sharing networks that occur organically, as well as in an orchestrated way, to make sure that everyone is aware of this legislation,” she added.
“I think that the government has done a good job of learning some lessons from the encryption legislation and has done extensive consultation of this legislation in spite of the comparatively short period of time that it has been running through, compared to other areas like the Telecommunication Sector Security Reforms and the Notifiable Data Breaches scheme … [that] have taken a lot longer than the critical infrastructure amendments.”
The Senate this week passed two Bills that were not given particularly long consultation periods, either.
The Online Safety Bill 2021 was waved through on Wednesday night with amendments. Among other things, the new Act extends the eSafety Commissioner’s cyber takedown function to adults, giving the power to issue takedown notices directly to the services hosting the content and end users responsible for the abusive content.
The Bill was introduced to Parliament on February 24, eight business days after consultation on the draft legislation closed and before the 400-something submissions to the consultation were published. It was handed to a Senate committee on February 25 and after holding one public hearing, the committee scrutinising its contents handed down its report.
Debating the Bill last week, Australian Greens co-deputy leader Senator Nick McKim said the government “[rammed] these Bills through this Parliament without adequate consideration and without adequate scrutiny”.
He was unsuccessful in his request for the Bill to be repealed and rewritten. Upon the Bill receiving Royal Assent, eSafety will spend the six months thereafter nutting out the specifications of how the new scheme will be run.
Also passed this week was the Telecommunications Legislation Amendment (International Production Orders) Bill 2020.
The IPO Bill paves the way for Australia to share communications data with other countries. It allows Australia to obtain a proposed bilateral agreement with the United States, in the first instance, under its Clarifying Lawful Overseas Use of Data Act (CLOUD Act).
The Bill passed both houses, despite the Parliamentary Joint Committee on Intelligence and Security (PJCIS) last month recommending the passage of the Bill only if the government implemented the 23 recommendations it made.
The federal opposition on Monday introduced yet another security-related Bill to Parliament that, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment is made to a criminal organisation in response to a ransomware attack.
The Ransomware Payments Bill 2021 was introduced in the House of Representatives by Shadow Assistant Minister for Cyber Security Tim Watts, who took the opportunity to say the government’s current position of telling businesses to defend themselves by “locking their doors to cyber-criminal gangs” was “not good enough”.
Responding to the proposed Bill, Andrews said she was open to exploring it.
“From the government’s perspective, we actually would like businesses to reach out, particularly to ACSC, in the event that they have a ransomware attack or they have other threats,” she said.
“[ACSC] is very well placed to be able to support them, but they rely, in many instances, on businesses reporting or contacting them directly.
“I’ve already had some discussions about mandatory reporting of ransomware attacks and my view at this stage is that there are a range of views about that — it’s very mixed in the response — what I want to do over the coming weeks is explore that much more fully.”
Andrews said she wanted the ACSC to be armed with the opportunity to support businesses that have been the subject of ransomware attacks, but that awareness was also important.
“What I don’t want to do is end up with the cart before the horse effectively, and moving directly to the mandatory reporting of ransomware, where we haven’t gone through the process of raising awareness of cybersecurity, raising awareness of ransomware, making sure that we have in place all of the right mechanisms to support businesses,” she said.
“So yes, I want to collect the intelligence, but I want to make sure that we’re doing this in a sensible and rational way.
“But I’m open to exploring this. I am already exploring it.”