Government moves to beef up the security of Australia’s critical national infrastructure (CNI), set out in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and introduced into Federal Parliament on 10 December, will impact many companies, institutions and organisations that might not see themselves as being part of critical infrastructure.
These organisations should prepare for the bill’s impact now, by taking note of how recent moves by the finance industry regulator to strengthen cyber security requirements is playing out.
In his second reading speech on the bill, Home Affairs Minister Peter Dutton said it would cover “organisations in communications, transport, data and the cloud, food and grocery, defence, higher education, and research and health” – seen as critical to “maintaining basic living standards for the Australian population; sustaining Australia’s wealth and prosperity; Australia’s national security and defence; and the security of large or sensitive data holdings”.
Entities to which the legislation will apply are required to “adopt and comply with a risk management program that ensures that critical infrastructure assets are protected and safeguarded from all hazards”.
The introduction of the proposed new legislation is timely. We are already seeing critical infrastructure overseas being attacked with dire consequences, and the threat actors are becoming more sophisticated.
Phishing emails have long been a favoured threat vector but can generally be thwarted by an alert reader. Now, attackers are gathering information sufficient to create heavily socially engineered attacks that create high levels of trust, making them more difficult to detect.
How the new critical national infrastructure legislation will work in practice, and whether the goals set for it by the government are achieved remains to be seen.
The recent imposition of cyber security requirements on financial services industry players provides valuable insights and sets an example for other industries as they gear up to comply with the new cyber security regime.
The Australian Prudential Regulatory Authority (APRA) introduced its Prudential Standard CPS 234 Information Security in July 2019. Its aim was to make sure APRA-regulated entities maintained a security capability sufficient to make them resilient to cyber-attacks.
Cyber security issues had long been of concern to APRA, but prior to CPS 234 it lacked the power to act on those concerns. CPS 234 gave it that power, and at Mimecast we are seeing the impact. Superannuation funds, credit unions, tier two banks and financial service providers are coming to us to help them meet their obligations.
However, APRA has already recognised the limitations of CPS 234, and has beefed up its cyber security oversight of the finance sector considerably.
In August 2020, its Corporate Plan 2020-2024 detailed a new security strategy. In a speech to the Financial Services Assurance Forum, APRA executive board member Geoff Summerhayes, said the new strategy aimed to “extend APRA’s reach beyond our regulated entities to influence the broader eco-system of suppliers and providers they rely upon”.
There are certain industries that drive innovation, and the finance industry is one. It will play a major role in determining how increased cyber security regulation impacts all industries.
History shows that regulation tends to hit financial services first, and then spreads into other industries, because investment impacts all industries.
Director level responses to CPS 234 and to APRA’s new cyber security strategy will set the tone for how boards in other industries respond to the new legislation and execute their new cyber responsibilities.
Organisations that will be covered by the new CNI legislation can learn from the finance sector’s response to CPS 234 and APRA’s new cyber security strategy and act on that legislation appropriately.
The greatest challenge for legislators and regulators implementing the new critical national infrastructure legislation – and for industry – will likely be in maintaining adequate cyber security in many small organisations that have the potential to cause severe disruption to national infrastructure if they are compromised.
I recently asked the CISO of a body with a strong interest in our critical infrastructure what kept him awake at night. His answer: a small FinTech transferring billions of dollars through the payments system.
The role of that FinTech could at least be identified. Identifying every organisation that could be compromised and exploited to attack critical infrastructure is likely to be much more difficult.
APRA realises this challenge. At the heart of APRA’s new cyber security strategy, Summerhayes said, is “recognition that the Australian financial system is an ecosystem of an estimated 17,000 interconnected financial entities, markets, and financial market infrastructures that provide products and services to consumers”.
APRA directly regulates only 680 of these entities, but a cyber breach of any of these could “have a cascading impact on the whole system”.
Nick Lennon is the Mimecast Country Manager for Australia. This article was produced in partnership with Mimecast as a member of the InnovationAus Leadership Council.