The newly passed Critical Infrastructure Bill is a step in the right direction but fails to plug holes in Australia’s cyber security framework, according to the CEO of a major telecommunications company.
The Coalition government has passed the Security Legislation Amendment (Critical Infrastructure) Bill 2020, a package of reforms designed to improve nationwide responses to cyber attacks on critical infrastructure.
The reforms include government assistance measures, under which the government can step in to help industry respond to an incident as a last resort, subject to “appropriate limitations”.
Other amendments include the introduction of a mandatory cyber-incident reporting regime for critical infrastructure assets and an expansion of the definition of critical infrastructure.
The expanded definition includes:
- financial services;
- defence industry;
- higher education and research;
- data storage or processing;
- food and grocery;
- health care and medical;
- space technology;
- transport; and
- water and sewerage sectors.
David Tudehope, CEO of Macquarie Telecom Group, has welcomed the reforms as a step in the right direction.
“The whole economy depends on the proper functioning of these sectors, so it’s appropriate that their resilience and security are now being recognised as a shared responsibility, with government providing guidance and specialist assistance where necessary to the owners and operators of critical infrastructure and systems,” he said.
“As a long-time provider of data storage and cyber security services to government and critical infrastructure providers, Macquarie is very aware of the dynamic and increasingly volatile risk environment facing Australia’s digital infrastructure.
“These risks are significant and underscore the importance of a comprehensive approach to securing these systems and infrastructure.”
However, according to Tudehope, the amendments don’t go far enough in shoring up Australia’s data sovereignty.
“If Australia’s laws and authorities are to help secure and defend Australia’s critical data assets, that data must first be brought within the remit of this new security regime,” he said.
“The same security expectations and standards should apply to it regardless of whether it is managed in-house, hosted by a third party, or located offshore.”
Further legislative amendments are expected to be introduced over the next year, aimed at ensuring that owners and operators of critical infrastructure implement appropriate risk management programs.
These latest reforms sit alongside the government’s new Ransomware Action Plan, which proposes new criminal offences, tougher penalties and a mandatory reporting regime, including:
- introducing a new stand-alone aggravated offence for all forms of cyber extortion;
- introducing a new stand-alone aggravated offence for cyber criminals seeking to target critical infrastructure;
- criminalising the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence;
- criminalising the buying or selling of malware for the purposes of undertaking computer crimes; and
- modernising legislation to ensure that cyber criminals won’t be able to realise and benefit from ill-gotten gains.
The government also plans to develop a mandatory ransomware incident reporting regime for businesses with an annual turnover exceeding $10 million.