Australia’s essential services could be forced to report when they are under cyber-attack
The Morrison government will push ahead with new laws requiring businesses to report when they are under cyber-attack and, in extreme cases, to allow Australian officials to “step in” to help fend off hackers.
The operators of critical assets will be required to report cyber incidents. The legislation will also allow the government – through the Australian Signals Directorate – to provide direct assistance to industry “as a last resort”.
The rationale for this change is to allow the government to “provide assistance immediately prior, during or after a significant cybersecurity incident to ensure the continued provision of essential services”.
On Wednesday, the federal government will split its own critical infrastructure bill, delaying some elements that businesses have complained would impose “red tape”.
It is understood the Coalition hopes the compromise will allow it to get the first round of changes through parliament before the Christmas break, ahead of an election due to be held by May next year.
The first round of changes includes expanding the definition of critical infrastructure to include sectors like food, energy, communications, financial services, and higher education and research.
It comes after figures showed a quarter of cyber incidents reported to the Australian Cyber Security Centre over the past year targeted critical infrastructure and essential services, including healthcare, food distribution and energy.
The home affairs minister, Karen Andrews, said the legislation was “critically important” in light of “recent cyber-attacks and security threats to critical infrastructure, both in Australia and overseas”.
Andrews set out the case for the government to provide technical assistance, arguing businesses should be able to “focus on what they do best – delivering goods and services and supporting their customers”.
“It’s not reasonable for a supermarket retailer, as an example, to have all of the highly specialised personnel and expertise to deal with a major, debilitating cyber-attack that misdirects their supply chains, shuts down payment points, and holds their customers’ data to ransom,” she said.
However, the government plans to delay other elements of the planned legislation, including imposing additional “positive security obligations” for critical infrastructure assets.
The move to split the bill – to allow for more consultation on the aspects seen as less urgent – is in line with recommendations from parliament’s bipartisan security and intelligence committee.
The committee said in a report last month it had received “extensive evidence in submissions and at public hearings that many companies, industry bodies or stakeholders did not feel like their input or feedback had been actioned or acknowledged”.
The committee also heard complaints about potential duplication of existing regulations and uncertainty about what rules would apply.
The National Pharmaceutical Services Association said the bill “provides nothing more than a skeleton framework of broad-ranging and extensive powers” and trusting the government’s statements required “a significant leap of faith”.
The government hopes the first tranche of changes will go through the lower house this week and pass the Senate before the end of the year.
Given the committee report was a bipartisan consensus, the Coalition is likely to be able to pass the initial bill with Labor’s support.
Amid continuing government divisions over climate policy, and with an election looming, some ministers have begun to ratchet up national security-related messaging.
The defence minister, Peter Dutton, told parliament on Tuesday the government’s first order of business was to “keep Australians safe and secure”, pointing to the Aukus deal.
Andrews announced last week that cybercriminals who used ransomware would face tougher penalties.
The head of Asio, Mike Burgess, said he was “concerned about the potential for Australia’s adversaries to preposition malicious code in critical infrastructure, particularly in areas such as telecommunications and energy”.
The Asio chief raised the issue in Asio’s latest annual report, which was tabled in parliament on Tuesday.
Without naming any country, Burgess wrote that espionage and foreign interference attempts “by multiple countries” remained “unacceptably high” and occurred “on a daily basis”.
He said foreign spies were “monitoring diaspora communities in Australia and, in some cases, threatening to physically harm members of these communities”.
Asio anticipated that espionage and foreign interference “will supplant terrorism as Australia’s principal security concern over the next five years”.
ASD, in its annual report, said it had used its offensive cyber capabilities to dismantle “online infrastructure used by foreign cybercriminals targeting Australians during the rollout of Covid-19 support measures”.
ASD said it had also conducted “a number of offensive cyber operations” in support of the Australian defence force.