Rachael Falk
Cyber security reforms, currently before Federal Parliament, are specifically aimed at strengthening the cyber defences of our nation’s critical infrastructure.
Cyber threats are the antithesis of this approach and, while there is an increasing understanding of the vital importance of cyber security, there remains an element of the unknown. Because these threats are intangible, because they cannot be “seen”, they are difficult to measure and countering them often becomes a tick box compliance metric.
That is, of course, until an organisation finds itself in the middle of a cyber emergency. And then it is too late.
Reforms to Australia’s Security of Critical Infrastructure Act 2018, which are currently before Federal Parliament, are specifically aimed at strengthening the cyber defences of our nation’s critical infrastructure and systems of national significance. These changes would see the number of critical infrastructure sectors captured by the Act increase from four to 11, and there will be an onus on business to help carry the load.
And in 2021, when all the conveniences we rely upon for everyday life operate on internet-based digital systems, this should not come as a surprise.
As it comes to the proposed critical infrastructure changes, some corners have honed in on the burden of cost and the peripheral issue of the “government assistance measures” with the Australian Signals Directorate (ASD) being authorised in extremis to respond to a cyber incident, which have been poorly labelled “step-in powers”. It is time to put these concerns into perspective.
Imagine if private businesses demanded government help them pay for their physical security — security cameras, security guards, door locks and high fences. Do you think this would pass the pub test?
So why should government help pay for the cyber security of these businesses? Certainly, there is a role for government to play in incentivising cyber uplift via tax levers and supply chain procurement. But the concept that government should somehow help pay for cyber uplift is not sensible, feasible or reasonable.
Likewise, the hand-wringing surrounding so-called step-in powers is unnecessary and unwarranted. These powers of last resort would only be considered in the case of a cataclysmic cyber incident where a victim was unwilling or unable to act.
These include information gathering powers, directions powers and intervention powers. It is important to remember ASD’s mission is “reveal their secrets, protect our own” so it can be assumed they are the experts at countering how both nation states and criminals might act and would move through and disrupt networks.
While there is no doubt these powers are extraordinary, they are necessary, especially in the face of our ever-expanding cyber threat surface and evolving attack vectors. They would also be tightly guarded, with intervention powers only permitted with the approval of the Prime Minister, Minister for Defence and Minister for Home Affairs.
In other words, it would take a catastrophic event with severe ramifications for Australia’s national and economic security for the flick to be switched.
The global spate of ransomware attacks we have seen over the past two years have been a wake-up call, with the widespread impacts of these attacks having real-life, tangible consequences.
The Colonial Pipeline attack, which brought about 45 per cent of the US east coast’s fuel supply to a grinding halt, is possibly the most graphic example we have seen so far of how an attack on critical infrastructure can impact millions of people. Such acts, though they cannot be seen or touched, are criminal and they result in real-life harms.
Amidst the hype surrounding ransomware attacks, it is essential not to lose sight of malicious cyber activity wrought by nation states or their agents. It would be naïve for Australian organisations to believe they would not be targeted, either for intelligence gathering or disruption purposes.
And it is completely feasible that right now, in critical infrastructure networks right across the country, such threat actors are sitting undetected.
These “grey zone” tactics represent, in some ways, a new Cold War. Our international alliances, especially the watershed AUKUS alliance, have never been more important.
And regionally the reinvigoration of the Quad, with its heavy focus on cyber security, is a clear signal the geopolitical balance is swaying, with the Indo-Pacific playing a starring role.
In 2018, the federal government took a pivotal stance in banning high-risk vendors from Australia’s burgeoning 5G network, because the potential threat to national security was grave. These types of decisions cannot exist in a silo, which is why now is the time to harden our nation’s cyber defences.
The new normal for Australia’s national and economic security is no longer about what can be seen, touched or felt. And while national cyber uplift will not be easy and it may be costly, it is essential. And most importantly, everyone has a part to play.
No comments:
Post a Comment