September 30, 2021
New laws will be urgently passed to help Australian businesses fend off major cyber attacks in a range of new sectors including banking, groceries and universities, while businesses continue to express serious concerns about the government’s proposed overhaul of the critical infrastructure regime.
Federal Parliament’s security and intelligence committee has recommended the government split the critical infrastructure bill in half to allow urgent measures to equip the government with the powers it needs to defend against major attacks on critical infrastructure to pass now while allowing additional time for the government and industry to continue consulting on the other issues.
The first bill would redefine what is deemed “critical infrastructure” with universities, finance and banking, health and the food and grocery sectors, communications, defence industry, energy and transport added to the list. It would also require these companies report cyber attacks and allow agencies such as the Australian Signals Directorate to step in to protect networks during or following a significant cyber attack “as a last resort”.
But the committee recommended that other proposals, such as new “positive security obligations” for businesses – which would include developing risk management plans – be put in a separate bill amid widespread concerns from industry.
The bipartisan committee’s findings raised significant concerns that the Department of Home Affairs was still developing rules for the obligations on industry while its nine-month review was under way. It said this led to “inconsistent engagement from industry with the Committee process, as well as an evolving and shifting evidence base during the course of the inquiry”.
Chair of the Committee, Liberal senator James Paterson, said the inquiry received “compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure is increasing globally”.
“Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” he said.
“However, as the regulatory framework is still undergoing co-design with each of the eleven sectors and will not be finalised until after passage of the bill, many businesses have expressed concern about this uncertainty and asked for the entire bill to be paused in the current economic climate.”
Government sources confirmed it would probably have to split the bill after the committee’s recommendations.
Vicki Thomson, chief executive of the elite Group of Eight universities lobby, welcomed the recommendations saying the two-step approach would enable rapid response to counter cyber threats and ensure the long term protections are effective.
“By splitting the urgent and non-urgent elements of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, Australia will have the capacity to respond rapidly to looming cyber threats, while enabling a thorough consultation process to take place between universities, business and government to develop an effective regulatory framework for the long-term security of our critical infrastructure,” she said.
Business Council chief executive Jennifer Westacott said the committee’s recommendation “charts a practical way forward to keep Australia secure while maintaining our ability to attract investment, create jobs and recover from the pandemic”.
In its submission to the inquiry, Qantas said the financial implications of implementing the reforms may create a significant financial burden for some businesses including its own. Qantas said it would have to “strike a balance between investing additional financial resources to meet the additional regulations under the bill, with the need to remain viable and sustainable as a business in this challenging time”.
Australian Council of Trade Unions secretary Sally McManus declared the laws would “attack the basic rights of working people right across the economy” on the basis that they would have to endure invasions of privacy through background checks and other security measures.
But the inquiry also heard a major Australian company that was under a cyber attack refused to comply with the ASD for weeks, with the nation’s cyber spy agency saying it was sometimes frustrated with a lack of engagement from businesses.
Transport and logistics giant Toll Group later conceded it may have been the company that failed to adequately engage with the ASD.
Prime Minister Scott Morrison last year revealed a wave of sophisticated cyber attacks on all levels of government, industry and critical infrastructure including hospitals, local councils and state-owned utilities. Australian security agencies believe China was behind the cyber raids, but the government decided not to publicly name the state actor involved.
Paterson: ‘Hamas a singular entity’
October 21, 2021
"The bipartisan nature of the committee's report shows that Parliament is united on the need to proscribe the entire organisation. This is a welcome development."
Wacky and delusional: Inside the 'dangerous' Greens' defence and peace plan
October 20, 2021
Taiwan should not be forced with "kinetic" means 𐩽 Senator Paterson on Sky
October 18, 2021