Australian companies that have connections to the country’s critical infrastructure might have no choice but to allow the government to step in during cyber attacks, if new legislation proposed by the Morrison government is approved.
The legislation would require companies in the critical infrastructure category to report in to the Australian Signals Directorate (ASD) when cyber attacks occur; in cases of “last resort,” the agency could directly step in to defend assets.
Government seeks direct hand in defending Australia’s critical infrastructure
The new law, which has bipartisan support and is backed by recommendations from the Parliamentary Joint Committee on Intelligence and Security (PJCIS), would apply to private operators of “critical assets” in Australia considered to be part of critical infrastructure: utilities, food distribution and health care facilities among them. In all cases, these businesses would be required to report cyber attacks to the government upon detecting them. In some cases, the ASD would directly intervene with assistance both during and after an incident.
The measure is part of a broader critical infrastructure bill that the government is struggling to enact, with the main obstacle being pushback from businesses that do not want to deal with extra regulation and expense. But it also raises obvious privacy and autonomy concerns, as the current form does not entirely make clear what constitutes a situation of “last resort” or to exactly what extent the government might commandeer assets or demand access during cyber attacks. For its part, the government says that businesses like supermarkets should not be expected to bear the burden of the IT systems and personnel necessary to fend off cyber attacks that could cripple them financially or shut down operations for an extended period.
The government also says that the measure is necessary due to rising numbers of attacks on critical infrastructure; a recent study from the Australian Cyber Security Centre found that 25% of reported cyber incidents in 2020 involved a private business in a “critical assets” category. The government’s strategy is to first update the country’s legal definition of critical infrastructure to encompass all of these industries, something it looks to do during the current session that ends at Christmas, and then push through the new cyber attacks measure by May of 2022.
Privacy concerns, costs raised as objections to cyber attacks measure
The Australian Information Industry Association, one of the industry groups resisting the new cyber attacks measure, raised concerns about government agents entering private property or accessing computer networks without due process if the proposal becomes law. The association has asked Parliament to take more time reviewing and considering its approach to critical infrastructure protection and national security.
Simon Bush, the association’s general manager and spokesperson, pointed out that the 2019 passage and amendment of the TOLA Act was a similar situation: the government proposed sweeping new powers (in that case over the telecommunications industry) and then rushed to pass them over substantial objection. A June study found that the TOLA Act’s terms, which include restrictions on encryption and mandatory assistance of law enforcement agencies by service providers, may cause long-term harm to Australia’s economy due to a lack of trust in its digital services.
Objection to the measure is not just local to Australia. A collection of the biggest names in tech, including Google and Amazon, has signaled opposition and asked the government for greater clarity. Google threat analysis group director Shane Huntley said that being forced to install ASD software on its systems would lead to “nothing but more problems” and would not do anything to help its internal response to cyber attacks.
Business concerns center not just on potential government intrusion, but on the cost of compliance. The existing language of the measure does not say who will bear the cost of whatever is deployed if the government steps in and takes some form of command over a company’s defenses during cyber attacks. The extent to which supply-chain partners would be involved is also in question. In addition to dealing with the chaos of government agents suddenly inserting themselves into the company’s defense processes with no prior knowledge of them, organizations might find themselves left with a bill after the confusion clears.
This could be especially damaging to small businesses, which could find themselves bankrupted by the mandatory response if the cyber attacks do not get them first. As Josh Brewton, vCISO of Cyvatar, observes: “It’s interesting that the Government are willing to step in when the response is deemed not adequate. Where is the line drawn? How will they define their triggers? How or who will be paying for the response if the ASD take control? Given the frequency of cyber attacks today, I wonder how the cost of such a response would be dealt with. It could push smaller businesses over the edge, with a healthy bill from the government and the added financial, operational and reputational impacts from the attack itself.”
The measure also leaps right over more standard risk management measures, going straight into unprecedented territory for a democratic government. Australia only began to implement national standards in 2020 with the Australian Prudential Regulation Authority (APRA) and the Australian Government Information Security Manual (AG-ISM), and these standards do not apply to all businesses.
Saryu Nayyar, CEO of Gurucul, notes that this more recent attempt at securing critical infrastructure may be creating a “cart before the horse” scenario: “Transparency on attacks is important, and formally informing the government is a good way of achieving that, but it’s not clear that having an outside organization come in to take over defense is realistic. The Australian Signals Directorate personnel will be unfamiliar with the organization, the attack, and any existing defenses in place. This will likely result in confusion and an inadequate response. Instead, perhaps the government should direct essential industries to have a cybersecurity risk management program in place and define the minimum standards needed for organizations to protect themselves.”