The Australian Signals Directorate could be given authority to directly commandeer the IT systems of almost every company in the country that suffers a cyberattack under reforms proposed after the Optus and Medibank hacks (http://www.afr.com/category/slug-20180225-p5bqo6.html).
The proposal for a controversial and dramatic potential expansion in the agency’s “step in” powers comes from an expert group established by Labor after the high-profile hacks last year.
Prime Minister Anthony Albanese will also announce, at an industry roundtable on Monday, the creation of a federal coordinator for cybersecurity backed by a National Office for Cyber Security within the Home Affairs department.
The move to sharpen bureaucratic management (http://www.afr.com/category/slug-20180225-p5c4q5.html) and the possible expansion in security agency powers in the face of attacks on companies follows frustration within the Labor government (https://www.afr.com/politics/federal/australia-warned-to-bra...) since the damaging attacks.
Home Affairs and Cybersecurity Minister Clare O’Neil in October described current laws as “bloody useless” in dealing with the Optus breach of 9.8 million customers by an anonymous hacker.
She subsequently tapped former Telstra boss Andy Penn (http://www.afr.com/category/slug-20180225-p5c4zl.html), alongside former Air Force chief Mel Hupfeld and head of the Cyber Security Cooperative Research Centre Rachael Falk to come up with potential solutions.
Speaking on Monday as she releases Mr Penn’s discussion paper, Ms O’Neil will say the case for change is clear.
“Australia has a patchwork of policies, laws and frameworks that are not keeping up with the challenges presented by the digital age,” she will say.
“Voluntary measures and poorly executed plans will not get Australia where we need to be to thrive in the contested environment of 2030.”
Expanded definition of critical assets
While security agencies led by the ASD-based Australian Cyber Security Centre already have powers to manage attacks on critical infrastructure such as power stations or energy grids, the discussion paper urges the government to look at shaking up the Security of Critical Infrastructure Act (SOCI), which was passed in 2018 to safeguard key systems.
“This could include adding customer data and ‘systems’ in the definition of critical assets to ensure the power afforded to government under the SOCI Act extend to major data breaches such as those experienced by Medibank and Optus, not just operational disruptions,” authors stated in the discussion paper.
The expansion in the definition could potentially impose reporting obligations on any company that holds customer data as well as expose a wider range of directors to penalties if they fail to demonstrate cyber compliance.
Mr Penn’s discussion paper also calls for consideration of a new national cyber security law aimed at unifying corporate legal obligations and standards between government and industry.
Businesses of all sizes
“Our national resilience, economic success, and security rely on us getting our cyber settings right,” Mr Penn writes in the discussion paper.
“If we are to lift and sustain cyber resilience and security, it must be an integrated whole-of-nation endeavour.
“We need a coordinated and concerted effort by governments, individuals, and businesses of all sizes.
“We believe that the development of a new forward-looking St...
1 comment
[ 3.0 ms ] story [ 15.0 ms ] threadAustralian Financial Review
The Australian Signals Directorate could be given authority to directly commandeer the IT systems of almost every company in the country that suffers a cyberattack under reforms proposed after the Optus and Medibank hacks (http://www.afr.com/category/slug-20180225-p5bqo6.html). The proposal for a controversial and dramatic potential expansion in the agency’s “step in” powers comes from an expert group established by Labor after the high-profile hacks last year. Prime Minister Anthony Albanese will also announce, at an industry roundtable on Monday, the creation of a federal coordinator for cybersecurity backed by a National Office for Cyber Security within the Home Affairs department. The move to sharpen bureaucratic management (http://www.afr.com/category/slug-20180225-p5c4q5.html) and the possible expansion in security agency powers in the face of attacks on companies follows frustration within the Labor government (https://www.afr.com/politics/federal/australia-warned-to-bra...) since the damaging attacks. Home Affairs and Cybersecurity Minister Clare O’Neil in October described current laws as “bloody useless” in dealing with the Optus breach of 9.8 million customers by an anonymous hacker. She subsequently tapped former Telstra boss Andy Penn (http://www.afr.com/category/slug-20180225-p5c4zl.html), alongside former Air Force chief Mel Hupfeld and head of the Cyber Security Cooperative Research Centre Rachael Falk to come up with potential solutions. Speaking on Monday as she releases Mr Penn’s discussion paper, Ms O’Neil will say the case for change is clear. “Australia has a patchwork of policies, laws and frameworks that are not keeping up with the challenges presented by the digital age,” she will say. “Voluntary measures and poorly executed plans will not get Australia where we need to be to thrive in the contested environment of 2030.” Expanded definition of critical assets While security agencies led by the ASD-based Australian Cyber Security Centre already have powers to manage attacks on critical infrastructure such as power stations or energy grids, the discussion paper urges the government to look at shaking up the Security of Critical Infrastructure Act (SOCI), which was passed in 2018 to safeguard key systems. “This could include adding customer data and ‘systems’ in the definition of critical assets to ensure the power afforded to government under the SOCI Act extend to major data breaches such as those experienced by Medibank and Optus, not just operational disruptions,” authors stated in the discussion paper. The expansion in the definition could potentially impose reporting obligations on any company that holds customer data as well as expose a wider range of directors to penalties if they fail to demonstrate cyber compliance. Mr Penn’s discussion paper also calls for consideration of a new national cyber security law aimed at unifying corporate legal obligations and standards between government and industry. Businesses of all sizes “Our national resilience, economic success, and security rely on us getting our cyber settings right,” Mr Penn writes in the discussion paper. “If we are to lift and sustain cyber resilience and security, it must be an integrated whole-of-nation endeavour. “We need a coordinated and concerted effort by governments, individuals, and businesses of all sizes. “We believe that the development of a new forward-looking St...