A government-appointed expert advisory group has proposed a series of significant reforms to Australia’s “patchwork” cyber policies, including the expansion of the critical infrastructure scheme to include far more local companies.

The government’s expert advisory board, comprising former Telstra CEO Andy Penn, retired Air Marshal Mel Hupfeld and Cyber Security Cooperative Research Centre CEO Rachael Falk, released a discussion paper for Australia’s new cyber security strategy.

The new strategy will run to 2030 and will replace the former Coalition government's $1.7 billion 2020 strategy.

Earlier this week, Home Affairs and Cyber Security Minister Clare O’Neil announced the creation of a cyber coordinator role to lead a new National Office for Cyber Security within the Department of Home Affairs, to act as the “spine and strategy” for future cyber attacks.

Ms O’Neil said the government has a goal to make Australia a global cyber security leader by 2030.

“Australia has a patchwork of policies, laws and frameworks that are not keeping up with the challenges presented in the digital age,” O’Neil said in the discussion paper’s foreword.

“Voluntary measures and poorly executed plans will not get Australia where we need to be to thrive in the contested environment of 2030.”

The reforms will be driven by the recent significant cyber attacks in Australia on Optus and Medibank, which impacted more than 10 million Australians and saw personal information dumped on the dark web.

“The scale and severity of these breaches meant that cyber security became a topic that is now front and centre in board rooms and living rooms,” the paper’s foreword said.

“It became clear during these incidents that government was ill-equipped to respond and did not have the appropriate frameworks and powers to enable an effective national response given the number of Australians whose personal information, including identity data, was compromised.

“If we are to lift and sustain cyber resilience and security, it must be an integrated whole-of-nation endeavour. We need a coordinated and concerted effort by governments, individuals and businesses of all sizes.”

The discussion paper says that it is “clear” that a package of regulatory reform is necessary, and this may be in the form of a new Cyber Security Act.

This Act would include “cyber-specific legislative obligations and standards across industry and government”.

It could also see the further development of Australia’s critical infrastructure regime to include customer data and “systems” in the definition of critical assets.

This will “ensure the powers afforded to government under the Security of Critical Infrastructure Act extend to major data breaches such as those experienced by Medibank and Optus, not just operational disruptions”.

O’Neil has previously said that the existing powers were “completely useless” when it came to the Optus and Medibank data breaches.

The expert group said these incidents “exposed the gaps in Australia’s existing incident response functions”, and that the new strategy needs to make sure that frameworks for incident management and coordination are fit for purpose.

“It is clear that Australians expect the Commonwealth government to play a role in responding to major cyber incidents,” the discussion paper said.

“We need to clarify what the community and victims of cyber attack can expect from the government following an incident in the context of victim support and post-incident response.”

This proposal has already been controversial, with Tenable ANZ country manager Scott McKinnel saying it is a “dramatic” concept.

“The government’s new proposal to dramatically expand its powers to directly intervene in companies’ IT systems following a cyberattack is an inadequate approach to cyber defence and falls short of addressing the root cause of the problem – failing to patch and mitigate known and exploitable vulnerabilities,” McKinnel said.

“Relying on reactive measures after a cyber attack has occurred is not a thorough cyber security strategy. Instead, more emphasis should be placed on a collaborative approach to preventative and proactive measures that reduce the risk of cyber incidents in the first place.”

Fortinet APAC head of government affairs Nicole Quinn said it’s also critical such measures don’t overburden local companies.

“It is important that any new obligations and standards are introduced in a measured way and small and medium businesses in particular are not overwhelmed by complex regulatory burdens,” Quinn said.

The new strategy also needs to improve awareness among small and medium businesses and the general public on measures that can be taken to mitigate cyber risks.

“There is an opportunity through the strategy to invest further in community awareness and skills building for cyber security, including for SMEs,” the paper said.

Submissions to the discussion paper will inform the advisory group’s ultimate recommendations to the government for the new strategy.

Submissions on the proposals are due by 15 April.