The Department of Home Affairs is canvassing industry feedback into proposed reforms that could give the Federal Government powers to directly intervene to protect “critical infrastructure” – potentially including banks, communications infrastructure and food providers – from cyber threats.
Under the proposed reforms, Home Affairs has opened the possibility of taking “direct action” to protect critical infrastructure where an “immediate and serious cyber threat to Australia’s economy, security or sovereignty (including threat to life)” is detected.
Such power, the Government stressed, would be “exercised with appropriate immunities and limited by robust checks and balances”. However, it is as yet unclear what form such “direct action” may take.
“The primary purpose of these powers would be to allow Government to assist entities take technical action to defend and protect their networks and systems, and provide advice on mitigating damage, restoring services and remediation,” the Cyber Security Strategy paper states.
Beyond immediate threats to the economy, national security or sovereignty, the Government said it may see fit to intervene where threats are deemed “imminent” or where they may “spread across jurisdictions”.
Home Affairs Minister, Peter Dutton said the evolving threat landscape poses ongoing risks to Australia’s critical infrastructure, requiring a more robust Government response that can enable it to act in times of urgent need.
“In an emergency, Australians expect the Government to act, which is what we will do,” Dutton said.
The package of reforms outlines an “enhanced regulatory framework” aimed at protecting “systems of national significance” – this could extend across a number of private industries, including banking and finance, communications, education, research and innovation, energy and even food and grocery providers.
As part of the framework, the Government will also look to establish a near real-time threat-sharing network, building, it said, a “national threat picture” to safeguard entities against “dynamic and potentially catastrophic cascading threats enabled by cyber-attacks”.
The new threat-sharing platform would enable critical infrastructure operators to share and receive intelligence on malicious cyber activity with the Government and other providers at “machine speed, and block emerging threats as they occur”.
Under the cyber threat-sharing scheme, regulated entities would be obligated to provide Government agencies information on their networks and systems, including incident reports.
However, the Government stressed, no identifiable consumer data will be collected through this process.
The cybersecurity reforms would apply only to those industries classified as “critical infrastructure” – a more concrete definition of which will be determined following the industry consultation.
The Government has confirmed that it will seek to expand the number of industries covered under the Security of Critical Infrastructure Act 2018 to include sectors such as banking and finance, communications, cloud providers, the defence industry, education, research and innovation, energy, food and grocery, health, space, transport and water.
At present, the Act applies to around 200 assets in the electricity, gas, water and ports sectors.
The proposed reforms will impose a legal obligation on owners and operators of critical infrastructure “to manage risks that may impact business continuity and Australia’s economy, security, and sovereignty”.
The Australian Government is currently inviting industry, academia, and state and territory governments to review the Consultation Paper. Submissions can be made until 16 September 2020.
