Give spies access to laptop or face jail
PEOPLE who refuse to allow cyber-spooks access to their business computers would be jailed under laws being rushed into parliament.
It will give the Australian Signals Directorate the power to take over the computer systems of any critical infrastructure business unable or unwilling to defend itself against a crippling cyberattack.
The move is in response to fears Australia’s critical infrastructure is dangerously vulnerable to an attack from China, other rogue states or criminal ransomware gangs.
The new “government assistance” powers would authorise the Australian Federal Police to force entry into a business and arrest individuals if they did not provide access to their computer systems.
Two-year jail terms and fines of $26,640 would be levelled against individuals who failed to respond to an ASD order. Corporations would face fines of as much as $133,200.
The extraordinary “lastresort” powers are thought to be the toughest suite of powers for a government cyber agency anywhere in the world.
High-level briefings in Canberra have warned China’s Ministry of State Security, in particular, posed a real threat to our critical infrastructure.
Multiple sources said it was likely Beijing’s hackers had already infiltrated some critical infrastructure systems and planted malware for a future attack. One scenario discussed is the possibility China could launch a cyberattack to take Australia out, before a potential move against Taiwan.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 will bring 11 sectors – communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, water and sewerage – under the remit of the new powers, alongside the industries already deemed vital to Australia’s national security.
Chairman of the parliamentary joint committee on intelligence and security senator James Paterson said Australia’s critical infrastructure faced a cyberattack every 32 minutes.
“Our security agencies need the appropriate tools to mitigate these serious risks,’’ Senator Paterson said. He said criminal ransomware gangs were less likely to cause a major national crisis.
“Only a sophisticated state actor has the resources and the incentive to launch such an attack,” he said.
The power to require companies to upgrade their cyber security will undergo further consultations after strong opposition from business, which fears it could prove too costly.
Director of think tank ASPI’s International Cyber Policy Centre Fergus Hanson said the bill was “a big deal’’.
“It gives the government the ability to send people into an organisation and demand, under pain of a sizeable penalty, that they must . . . do a certain thing to protect their systems,” Mr Hanson said.
“In practice, I don’t think it means you’re going to be seeing ASD ordering major technology companies around . . . companies like Amazon AWS or Microsoft Azure, they’re already going to have superior cyber security capabilities.
“But for sectors that haven’t really thought about cyber security but are really vulnerable to cyber risks and will be increasingly vulnerable, I think it’s really useful.”