Published on 18/08/2020 | Written by Heather Wright
Hand it over – in the name of national interest…
If you’ve got a network of ‘national significance’, including in food, health, education and ‘data and the cloud’, the government may come snooping if proposed changes to critical infrastructure laws go ahead.
The Protecting Critical Infrastructure and Systems of National Significance consultation paper was released by the Department of Home Affairs as part of an ongoing consultation on proposed reforms under the Cyber Security Strategy 2020, announced earlier this month.
The consultation paper proposes granting federal government agencies the power to force the owners and operators of ‘systems of national significance’ to disclose information about their networks and systems, if requested. The request for ‘entity information’ – which doesn’t include any customer information, just systems and networks – is expected to be voluntary initially.
“Owners and operators of systems of national significance will be obligated to provide information about networks and systems if requested.”
The proposal would cover a much wider range of sectors than the Security of Critical Infrastructure Act, which currently covers the electricity, gas, water and maritime ports sectors. The reforms would raise the security obligations for a range of sectors, including banking and finance, communications, ‘data and the cloud’, defence, education, research and innovation, food and grocery, health, space, transport and water.
Organisations covered by the proposals would be categorised as a ‘critical infrastructure entity’, a ‘regulated critical infrastructure entity’ or a ‘system of national significance’.
“The proposed reforms will be focused at the owner and operator level, not at a specific piece of technology. This ensures that owners and operators’ interconnected assets are protected from cascading failures and avoids creating vulnerabilities in one area by disproportionately focusing efforts on protecting others,” the paper says.
The consultation paper notes that work is needed to map and identify which organisations fall into which category, a task that will include consideration of the potential domino effect if a function is compromised, vulnerabilities within and between systems and networks, and the consequences of compromise.
All three categories will be eligible for government assistance to help respond to attacks.
While there will be obligations on the regulated critical infrastructure entities, it’s the systems of national significance which face the most stringent ‘enhanced cyber security obligations’.
‘Entity information will be requested by Government on a voluntary basis in the first instance’ to build situational awareness.
“In the longer term, owners and operators of systems of national significance will be obligated (under amendments to the Act) to provide information about networks and systems to contribute to this threat picture if requested… At present we do not anticipate that all owners and operators of systems of national significance will be requested to provide such information.”
The report notes that while some organisations might already be able to supply that information if required, others will likely need to build their capability first. “In these instances, entities will be supported through voluntary measures and assistance to achieve maturity uplift.”
The information will be used to build and test capability for information sharing to create a near real-time national threat picture.
As well as the ‘enhanced cyber security obligations’, those with systems of national significance will also face the positive security obligations that apply to critical infrastructure entities.
Those obligations include having ‘appropriate’ risk mitigations in place to manage identified risks applicable to their sector and robust procedures to recover quickly in the event a threat is realised.
“This may include ensuring plans are in place for a variety of incidents, such as having back-ups of key systems, adequate stock on hand (such as medicines), redundancies for key inputs, out-of-hours processes and procedures, and the ability to communicate with affected customers.”
Also proposed is the power for the government to ‘take direct action to protect a critical infrastructure entity or system in the national interest’ in the event of any immediate and serious cyber threat to Australia’s economy, security or sovereignty – even when their assistance is not requested.
“The primary purpose of these powers would be to allow Government to assist entities to take technical action to defend and protect their networks and systems and provide advice on mitigating damage, restoring services and remediation.”
While that’s expected to happen primarily with the support of the entity, the consultation paper notes that in some cases companies may be ‘unwilling to work with government to restore systems in a timely manner’.
“Government needs to have a clear and unambiguous legal basis on which to act in the national interest and maintain continuity of any dependent essential services,” it says.
“We cannot be complacent,” says Minister for Home Affairs Peter Dutton (pictured).
An incident involving Australia’s critical infrastructure has the potential to cause significant consequences across our economy, security and sovereignty.
“By strengthening and better protecting critical infrastructure from threats, Australians can be assured that Government and industry are working together to do what is necessary to keep Australians safe and protect our economy.”