iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Critical infrastructure operators, in particular, have dropped the reporting ball despite being required to do so under the Security of Critical Infrastructure Act 2018 (SOCI).
The Australian Signals Directorate (ASD) has noted a major decrease in the depth and frequency of cyber incident reporting by the private sector, particularly with critical infrastructure operators.
Australia has mandatory cyber incident reporting legislation that requires organisations to report eligible cyber incidents to the Office of the Australian Information Commissioner (OAIC).
Critical infrastructure operators, such as those who manage power and water, are also required to report certain incidents under the Security of Critical Infrastructure Act 2018 (SOCI). Under this, critical incidents must be reported within 12 hours, while other eligible incidents must be reported within 72 hours.
Now, however, the ASD has said that the private sector’s cyber incident reports have sharply declined, adding that this could threaten its ability to fend off cyber attacks.
“ASD relies upon the flow of trusted information from industry partners to build a national threat picture, harness information to prevent cyber incidents, and to mitigate harms in the early stages of a cyber incident,” wrote the ASD in a parliamentary submission.
“There is a need to address a decline in the quantity and quality of cyber security reporting to the ASD. Both feedback from industry and ASD’s operational experience bears out a steadily declining willingness to share information in a timely fashion among entities affected by cyber vulnerabilities or attacks.”
Critical infrastructure operators, in particular, were identified as having dropped the quantity and quality of reporting, despite the consequences of cyber attacks and data breaches being much greater and a potential threat to the lives of citizens or national security.
“ASD has observed a decrease in the frequency and richness of cyber incident reporting from the private sector, particularly critical infrastructure operators. This has been driven in part by a shift to a more compliance-based approach from these entities as they assess their reporting requirements against regulatory rules. This means:
The ASD already has plans to encourage organisations to disclose and report cyber incidents, reiterating that the government has plans to legislate a limited-use obligation for the national cyber security coordinator and the ASD.
The limited use obligation, which was outlined in the 2023–2030 Australian Cyber Security Strategy, would limit the way the ASD uses information shared in incident disclosure, only being able to use information provided by entities outside of cyber security purposes. It also assures entities on how much information revealed in an incident can be used.
This, in turn, encourages organisations to report incidents, knowing that the information collected is purely for mitigating cyber incidents.
“The proposed limited use obligation aims to strike the balance between encouraging early and open engagement with ASD and the national cyber security coordinator, and protecting broader public interests by ensuring the obligation does not impede on the regulatory environment,” added the ASD.
“It would also address the private sector’s call for greater legal assurance around such collaboration with ASD. As an immediate step, the government also agreed to develop an interim approach for ASD following consultation with the private sector and Commonwealth entities.”
The proposed limited use obligation would not, however, prevent other agencies from seeking additional information through other powers, change reporting requirements under current legislation or protect from legal liability.
Be the first to hear the latest developments in the cyber industry.
