Escalating cyber threats have meant there is no time to refine Australia’s critical infrastructure security scheme, Home Affairs secretary Mike Pezzullo says, urging Parliament to pass the bill without delay.
If passed, the legislation would impose a positive security obligation on a wide range of operators of critical infrastructure, including data storage and processing providers, and allow government agencies to take control of their networks in situations like a serious cyber-attack.
Industry has raised concerns that the legislation could impose regulatory duplication and an unnecessary burden on operators, including unworkable reporting times. Large entities have also questioned what benefit government assistance would provide to their sophisticated networks during a cyber-attack.
During a joint security committee hearing on Thursday, Mr Pezzullo downplayed the concerns, insisting protections in the bill prevent unreasonable regulations from being imposed and ensure rules are co-designed. He said government agencies would only step in as a “last resort”, and that the public benefit of government assistance may outweigh a private entity’s benefit in dealing with attacks itself.
Officials from Australian security agencies within Home Affairs, as well as the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre, said it was critical they get access to this step-in power, with Mr Pezzullo saying he wanted it “tonight”.
“The government assistance measures … certainly keep me awake at night,” Mr Pezzullo said.
“All of the powers and capabilities of the ASD, as well as the reach that they have into our military information warfare capability, cannot by law be deployed onto our [infrastructure] networks as we speak right now. Right now, that is the pressing urgency.”
Mr Pezzullo said the regulatory rules outlining the positive security obligation for infrastructure operators would be written after the bill passes and would follow a co-design process with industry. They have deliberately been left out of the legislation to allow for sector-specific rules and to adapt to future technology and innovation, he said.
But the urgency of the cyber threat meant there was no time to wait for that co-design before passing the legislation, Mr Pezzullo said.
Despite claims from some companies that government assistance during a cyber-attack could cause more harm than good, the Home Affairs Secretary insisted government assistance led by the ASD would “render a more effective incident response than any company possibly could”.
“I say that with all due respect to those great companies because they know their systems very well. What [ASD Director-General Rachel Noble] knows better than them, though, is the attacker.
“She can see the attacker, not always but often. [Companies] can’t. And it’s the lack of that ability to, some people say ‘step in’ … that is the matter that is most strategically imperative.”
Mr Pezzullo also defended the requirement in the bill for critical infrastructure entities to report a critical cyber-attack to the government within 12 hours. Several industry submissions criticised the timeframe as too onerous, arguing that it could be too difficult to confirm the severity of an attack within half a day.
But Mr Pezzullo said every hour is critical in a major attack and ASD assistance could be vital.
“At least [ASD] can start to get behind the red team — who’s doing this, what is the nature of this malware, have I seen it elsewhere — against holdings that the company will never have.”
Do you know more? Contact James Riley via Email.