The government wants to directly take over critical infrastructure and systems in the event of a major cyber threat to Australia’s “economy, security or sovereignty”, a new paper has outlined.
In a consultation paper for overhauling current critical infrastructure protections, the government said it “sees a role” for expanded emergency powers that would let government entities assist other operators with “technical action to defend and protect their networks and systems” in the event of a cyber emergency.
Home Affairs Minister, Peter Dutton, said security was a “shared responsibility”.
“In an emergency, Australians expect the government to act, which is what we will do,” he said.
“By strengthening and better protecting critical infrastructure from threats, Australians can be assured that Government and industry are working together to do what is necessary to keep Australians safe and protect our economy.”
The government has also proposed creating a cyber alert system. This would be similar to the existing National Terrorism Threat Advisory System with its colour-coded advice on the likelihood of an imminent terrorist attack.
The existing National Terrorism Threat Advisory is currently at 'probable'.
As for what will constitute a national cyber emergency, the government has not yet decided – though it did say it will consider factors like an attack’s potential consequences, how it spreads across jurisdictions, and how imminent the threat is.
Under the Security of Critical Infrastructure Act 2018, only resources (energy, water, gas) and maritime port assets are classed as ‘critical infrastructure’ – although the Home Affairs Minister has the power to add other assets to that classification.
The government wants to expand those definitions to include sectors across the whole economy such as banking, communications, data, defence, education, food, health, and transport.
Certain entities classed as ‘critical infrastructure’ will have to adhere to new cyber security obligations which the government seeks to create in reformed legislation.
That may include involvement with a proposed threat intelligence sharing system to give government “a near real-time threat picture” of cyberspace.
Assets classed as “systems of national significance” will have to give the government specific information about their networks as part of this intelligence sharing system.
Newly classed ‘critical infrastructure entities’ will also be subject to government directions, or to government intervention through “direct action”, in the case of an emergency.
Proposed structure of expanded critical infrastructure entities classes.
Stakeholders have until 16 September to make a submission for the critical infrastructure discussion paper.
The process underscores a recent surge in government attention on cybersecurity following the Prime Minister’s warning in June that Australia was under cyber attack.
Since that surprise Friday morning press conference, the government has announced its $1.35 billion Cyber Enhanced Situational Awareness and Response (CESAR) package along with an updated Cyber Security Strategy.
Both developments promote a top-down approach to national cybersecurity through heavy investment in government agencies and law enforcement.