Key role for industry in critical infrastructure regime

Stuart Corner

Businesses large and small across a broad swathe of the Australian economy will be affected by new legislation that sets out to protect critical infrastructure and its supply chains, and industry groups will have a key role to play in ensuring their members take the necessary steps to comply with the new regulations.

This was one of the key insights to emerge from a discussion on the new legislation between Fergus Hanson, director of the International Cyber Policy Centre at the Australian Strategic Policy Institute (ASPI); Verizon Business Group ANZ managing client partner Derek Fittler; and InnovationAus publisher Corrie McLeod, as part of the Age of Trust podcast series.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 defines a much wider section of the Australian economy as critical infrastructure than the current legislation.

Verizon’s Derek Fittler, InnovationAus publisher Corrie McLeod and ASPI’s Fergus Hanson

Communications, data storage and processing, financial services and markets, water and sewerage, energy, health care and medical, higher education and research, food and grocery, transport, space technology and the defence industry are all included within the bill’s definition of industries responsible for critical infrastructure.

Mr Hanson said businesses in these sectors that are not subject to current critical infrastructure legislation would have a huge task ahead of them to become compliant with the new bill when it becomes law, and should be looking to their industry bodies for help.

“They really need to be talking to their peak industry bodies to understand how this is going to apply to them and taking a look at the legislation, because there’s positive obligations on them, and consequences for non-compliance,” Mr Hanson said.

“If you are in any of those 11 industry sectors and you’re a reasonable-sized player, you should be getting on the phone to your industry body and having a chat about how this works or reaching out to the Department of Home Affairs to understand what your obligations are, and taking a look at the legislation.

“For industries that don’t normally think about cybersecurity, it’s going to be a big shift, because their systems are not going to be up to scratch. And, they’re going to have to do quite a bit of heavy lifting to get up to speed.”

Mr Fittler said industry bodies also had a role to play in bringing together individual businesses in each sector to ensure an effective response to the requirements of the new legislation.

“Organisations like ASPI, providers like Verizon, member organisations that operate in those sectors, all have a responsibility to work together to engage with government, and to learn and understand the steps and changes that will need to be taken.”

He said organisations that would be covered by the bill should not wait until it becomes law but should start working immediately to beef up their cybersecurity.

“If you’re on the list, you need to be considering, identifying and understanding where you are in terms of your cyber maturity. There are many in the sectors included in the remit of the legislation that need to take some immediate steps to start that journey.

“You should be doing a stocktake and identifying where are you today: what is your cyber maturity, what are your risks. There is more education to be done, there’s more identification of risk, and ultimately, there will need to be more resources spent and allocated towards addressing and responding to the threats we face.”

Mr Hanson said organisations in some sectors — typically banking and telecommunications — have a long-established and sophisticated approach to cybersecurity, but others that the legislation will apply to should be cautious about what lessons they draw from such businesses.

“If you’re not a very mature industry, and you’re looking at the banking sector, or telecommunications, you might freak out at the number of staff required and the cost involved,” he said.

“So you probably wouldn’t want to benchmark yourself against a bank, but it could provide a lot of insights into how you could structure your cybersecurity and the types of capability you are going to need.”

Mr Fittler agreed: “They have some very significant capability and have been quite adept at sharing information within industry, and increasingly with government. That two-way flow within your community and with government is part of a cultural change that will need to happen as part of the legislation coming into force.”

The Age of Trust podcast series was produced as a partnership between Verizon Business Group and InnovationAus.
