For years Australian authorities have been raising the alarm that foreign adversaries have been sniffing around Australia’s critical infrastructure, performing reconnaissance to identify avenues for future attacks.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 is thus a major step in the right direction, but—depending on how the government implements its measures—it may be a step too far.
As the Colonial Pipeline and JBS Foods ransomware incidents demonstrate, the potential for cyber-attacks against critical infrastructure to disrupt the economy and society is vast.
It is time for Australia to fight back.
This recent legislation affirms the commitment of Australia’s government to help with the constant battle against cyber-criminals and nation-state actors.
And while this commitment is necessary, the focus needs to be put on the right initiatives.
The Security Legislation Amendment (Critical Infrastructure) Bill involves many discrete measures.
Some of these are advisory, such as the ‘Positive Security Obligations’ and ‘Enhanced Cyber Security Obligations,’ and some take a more boots-on-the-ground approach.
This includes the controversial ‘Government Assistance’ measures for incident response, which allow the government to directly intervene in emergency cyber-attacks against critical infrastructure through methods such as installing software and altering both data and hardware.
While the increased advisory obligations are commendable, there are multiple issues that can come up in direct government intervention for incident response.
For example, tech giants such as AWS and Microsoft have argued that this can do more harm than good in complex and interconnected hyperscale cloud environments in particular.
Government intervention also poses risks in environments with operational technology (OT), that is, the technology that forms the bedrock of most critical infrastructure verticals, from manufacturing to utilities.
OT environments are often proprietary and highly fragile.
This means a single malformed data packet or incorrect protocol message sent to a decades-old OT device has the potential to bring down an entire automated process, be that an assembly line or a power generation process.
A high degree of caution must be exercised in any OT incident response.
ASD Director-General Rachel Noble pushed back against the criticism of the bill by pointing out that “this sort of idea that ASD is going to run around and put software willy-nilly is a bit of a caricature.”
This point is entirely fair.
However, in addition to the complexity of hyperscale cloud environments and the fragility of OT environments, there are other issues with government intervention in incident response that are worth mentioning.
First, does the Australian government have the resources and the top talent to truly provide incident response that surpasses private organisations?
The government already suffers from a serious skills shortage, and the private sector can pay more and offer more perks.
Private companies that specialise in incident response are also likely to be much better placed to understand the landscape, to respond quickly and effectively, and to scale.
Moreover, if the government assumes a role in incident response, it may disincentivise companies from investing in these capabilities.
Critical infrastructure organisations see wide variance in levels of cyber maturity, and if less mature organisations trust they can rely on the government, this might hinder their growth.
Ultimately, the government has a big, meaningful role to play in protecting critical infrastructure from cyberattacks.
But this role should not be counterproductive, and some of the proposed measures, especially the direct intervention, do have the potential to be counterproductive.
A less active role in incident response need not hinder the government’s information gathering that may be crucial to assessing the national security implications of an attack against critical infrastructure.
Instead of a ‘boots on the ground’ approach, the Australian government could benefit from a policy more like the UK National Cyber Security Centre’s “Cyber Incident Response” (CIR) programme, which certifies private companies that can help critical infrastructure organisations that have suffered a cyberattack.
Hayley Turner is Director of Industrial Security, APAC at cyber security company Darktrace.
This content has been written by a topic area expert. It is not a sponsored post or advertisement.