Australian Signals Directorate director-general Rachel Noble has backed calls for legal protections for companies that share information with the national cybersecurity agency while responding to a cyber-attack.
With recent cyber-attacks playing out in a very public way, Ms Noble said a limited safe harbour mechanism that gives companies the confidence that information won’t be passed on was a “most excellent idea”.
Ms Noble was responding to questions from Liberal Senator and shadow minister for cybersecurity and countering foreign interference James Paterson at a Senate Estimates hearing on Tuesday afternoon.
Senator Paterson raised the concept of a legal safe harbour after meeting with a cyber lawyer, who said “they couldn’t advise a company that it was a risk-free exercise to share with government when they’re under attack”.
“Some in industry have been calling for some sort of safe harbour, or some sort of mechanism, where there can be a way in which they know if they share information, it’ll never be used against them in a legal proceeding, for example,” he said.
Ms Noble agreed that a safe harbour “would be a very attractive arrangement for our technical people who are in that minute by minute, hour by hour engagement with a company under duress”.
“Where there’s ambiguity of ‘if I’m dealing with government, do you hand that information over to other government departments or don’t you? How can I be sure that that won’t occur without my permission? And so forth,’” she said.
“So, from an operational perspective, in that sort of heat of the incident… where we’re still trying to pull people out of the water and into the lifeboats, to have that absolute confidence for the private sector that at the very least their operational engagement with ASD would be exempted from the inquiry of others. Whether they’re other government agencies or other people scrutinising the process like we’ve seen in class action lawsuits, for example, that’s very attractive to us as well.”
Senator Paterson, who is the former chair of the Parliamentary Joint Committee on Intelligence and Security, also used estimates to highlight concerns with the government’s early criticism of the Optus data breach that compromised the personal information of almost 10 million Australians.
He said he had met with as many as 30 chief information security officers who were “alarmed by the way in which, in the middle of the crisis, the minister was publicly attacking Optus and disputing facts about the nature of the attack”.
“They said to me that it made them think twice about whether they shared information with government if they were to become the victim of a cyber-attack because they couldn’t guarantee the CEO that that information wouldn’t be used against them in the public domain,” he said.