The Ukraine crisis and recent significant data breaches have proved to be test cases for Australia’s landmark new critical infrastructure regime. Recent cyber-attacks on Optus and Medibank have highlighted the devastating impact that a breach of a critical infrastructure provider can have.
This was already recognised by the federal government last year, and earlier this year, with the passage of a series of legislation focusing on the security of critical infrastructure. These new rules expanded the sectors and businesses defined as critical infrastructure by the government, and placed significant new requirements on them, including around cybersecurity.
Industries now included under critical infrastructure include electricity, communications, data storage and processing, financial services and markets, water, healthcare and medical, higher education and research, food and grocery, transport, space tech and the defence industry.
The new laws require companies in these fields to maintain a critical infrastructure risk management program, while those deemed to be of national significance have further enhanced obligations. Another major part of the legislation was new powers for the federal government’s cyber agencies to intervene in the event of a significant cyber-attack against a piece of critical infrastructure.
The new laws crucially outline the rules underpinning the government acting in these situations, including liability and appeal options, said Australian government assistant secretary, deputy group manager of cyber and infrastructure security centre, Sam Grunhard.
“The legislation is designed to set the rules of the game for everybody, so everyone knows who is responsible for what, who is overseeing it, and to make that engagement quicker and easier in the event of a crisis,” Mr Grunhard said. “The whole point of the legislation is to underpin that partnership between industry and the federal government.”
Mr Grunhard joined CyberArk ANZ regional director, Thomas Fikentscher , and InnovationAus.com’s editorial director, James Riley, for a Bridging the cyber divide: Casting the cyber net wider podcast on the new critical infrastructure Act and what it means.
The passing of the critical infrastructure bills marked a “step change” in the way the country governs risk within critical infrastructure, he said.
Russia’s invasion of Ukraine and use of cyber-warfare provided an early test case of Australia’s new critical infrastructure regime, with fears these cyber-attacks could spillover and impact Australian businesses or governments.
“The Ukraine crisis was a very early test of our ability to understand what legislative tools are now available,” Mr Grunhard said.
“[We were] concerned about the threat environment prior to and at the commencement of that conflict. That’s exactly the sort of crisis that was on the government and Parliament’s mind when it passed the crisis step-in measures. We need to be better prepared – we are regrettably in an increasingly unstable world.”
Mr Fikenstcher said the recent cyber-attacks on Optus and Medibank should serve as a wake-up call for all businesses covered by the new critical infrastructure regime.
“Every time a major breach happens, and this time it’s in Australia, it always focuses the mind, and it’s a wake-up call,” he said. “Unfortunately, that’s a reactive way of acting rather than proactively focusing on that topic day in, day out.
“We tend to shy away from using these opportunities.”
The critical infrastructure act marks the first time the federal government has defined what it deems to be critical infrastructure.
Mr Grunhard explained that it has implemented a tiered scheme where those deemed to be more nationally significant have increased obligations. “Not all obligations apply to all assets equally – there’s a measured and tiered approach, and that means it’s a complicated story to tell.
“Entities covered particularly by the risk management program obligation will have to pay much closer attention all the way to board level.”
This has created some confusion for companies, Fikenstcher said, and it’s important that they access the advice and support that’s on offer from the federal government.
“Some sectors that are part of the 11 sectors are probably a little more hesitant, and there’s a level of confusion,” he said. “It depends on who you talk to, but I don’t think it’s a very clear picture yet.”
The ability of companies to meet these new requirements is also being impacted by the global skills gap and war for talent which is impacting businesses in most sectors.
“The sheer availability of qualified people, of people who actually know what a Privacy Act looks like, will understand the Commonwealth risk management program, that knowledge availability is something that we see people asking about,” Mr Fikenstcher said.
This is something that government departments are also struggling with, Mr Grunhard added. “It’s a very challenging labour market at the moment. We need to really tackle this challenge of the cyber skills pipeline over the coming years. We are short on what we need and there are only so many people we can pull from overseas.
“I feel it acutely myself within government. We need to hire people who have the right understanding and skills, and it’s becoming increasingly difficult to find them.”
Securing Australia’s critical infrastructure is not yet a team game, but the new regime aims to foster collaboration between government and industry.
“We need to collaborate with industry and get industry collaborating with each other in a non-competitive way,” Mr Grunhard said.
This podcast series is being produced by InnovationAus in partnership with CyberArk.
Do you know more? Contact James Riley via Email.