Digital Snapshot

by Sophia Brook

Australia’s Cyber Security Overhaul

#2/23
02 March 2023

‘The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty. We need to ensure our critical infrastructure security arrangements keep pace with the evolving threat environment and continue to deliver the essential services we all rely on.’

The Hon. Clare O’Neil

Australian Prime Minister Anthony Albanese and Minister for Home Affairs and Cyber Security Clare O’Neil hosted a special roundtable on cyber security this week, promising an overhaul of the $1.7 billion cyber security plan instituted by the Morrison government. Participants included leaders from intelligence agencies, the public service, and independent experts from industry and civil society groups, highlighting the government’s determination to apply a whole-of-nation approach to cyber security.

Severe cyber-attacks on Australian telecommunications company Optus and Medibank Health Insurance in 2022 re-ignited the debate on the cyber security of Australian businesses and kick-started discussions about companies’ storage of personal data for longer than actually necessary. One result of this increased political interest in cyber security was the government’s amendment of the Security of Critical Infrastructure Act 2018, through the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, to include the so-called Risk Management Program (RMP) obligation.

This came into force on 21 February 2023 and includes an amended list of obligations for businesses and new inclusions in the list of critical assets. Among other things, the RMP ‘requires responsible entities to consider the hazards they may face as a business, and take tangible steps to manage risks to operations of critical infrastructure assets’. It will make ‘board members culpable for failure to properly secure assets’ and covers companies across sectors.

In addition to the RMP, the government launched an updated Critical Infrastructure Resilience Strategy, providing a roadmap for protecting essential services and assets, accompanied by a Critical Infrastructure Resilience Plan, determining how the Strategy’s objectives will be achieved.

In answer to an increased risk of ransomware attacks, the government also announced the setting up of an International Counter Ransomware Task Force that would sit under the umbrella of the US-led Counter Ransomware Initiative, with the aim to ‘disrupt, combat and defend against the increasing ransomware threat’ and ‘enable sustained and impactful international collaboration’. The task force, chaired by Australia, commenced operations in January 2023.

In December 2022, the government further announced the appointment of an expert advisory board to lead the development of strategic advice to the Minister for Home Affairs and Cyber Security regarding the design of a national Cyber Security Strategy 2023-2030. To this end, it appointed three Expert Leads, including Andrew Penn, former CEO of Telstra, Air Marshal Mel Hupfeld AO DSC, former Chief of Air Force, and Rachael Falk, CEO of the Cyber Security Cooperative Research Centre. Once in force, the national strategy, as declared by O’Neil, would aim to make Australia ‘the world’s most cyber secure country by 2030’.

Immediate and Proposed Future Measures

‘Any successful [cyber] strategy must be national in scope, enduring, affordable, achievable, and allow for flexibility to account for changes in the dynamic cyber environment out to 2030.’ – Andy Penn, fmr CEO of Telstra

The expert advisory board released its first findings in a Cyber Security Strategy Discussion Paper this week. Among other things, it recommends further legislative amendments and an expansion of the critical assets list, with Minister O’Neil previously having criticised legislation instituted under Morrison as ‘bloody useless, not worth the ink printed on the paper when it came to actually using it in a cyber incident’ and ‘poorly drafted’.

One such amendment, suggested for consideration in the discussion paper, is reforming ‘the Security of Critical Infrastructure Act to possibly include customer data and “systems” in the definition of critical infrastructure’, as well as the establishment of a ‘new Cyber Security Act that would impose new obligations and standards across industry and government’. Another measure proposed by the paper is the expansion of the Australian Signals Directorate (ASD)’s authority to commandeer businesses’ IT systems in case of a cyber attack.

Other proposals include ‘strengthening Australia’s international strategy on cyber security’ by ‘boosting assistance to south-east Asian and Pacific countries’ and ‘leading by example’, referring to the fact that the majority of government entities currently ‘have a long way to go to properly secure government systems’. After all, a government that is perceived as unable to protect its own systems is not going to be trusted to be able to protect its citizens.

With the release of the discussion paper, the Albanese government also announced a series of measures to be implemented immediately.

The attacks on Optus and Medibank, according to O’Neil, had highlighted the need for an emergency response function within government. Therefore, the government will establish a National Cyber Office under the Home Affairs Department, designed to lead the emergency response to future cyber threats. The office will be led by a newly appointed Coordinator for Cyber Security, who will ‘provide some strategy and structure and spine’ to the work that is being done, including making sure that the billions of dollars that are being invested in cyber security each year are being spent in a ‘strategic and appropriate’ way, and ‘manage cyber incidents in a proper, seamless strategic way across the Australian Government’.

The position is currently being advertised, with the government hoping to fill the role within the next month. Part of the new coordinator’s job will be to establish an emergency response plan.