25 Nov Australia leads Five Eyes with new cyber security laws
Under the proposed amendments, for which the government is seeking feedback, if the Australian Signals Directorate (ASD), with ministerial approval, believes a company or organisation is “unwilling or unable” to respond to a cyber attack, it will be permitted to take over the response.
Corrs head of technology, media & telecommunications James North told The Australian Financial Review that of the Five Eyes intelligence alliance (Australia, NZ, Canada, Britain and the US), Australia was the first to propose such powers.
“I’ve had my team look at the legislation in the US, Canada, UK and NZ and there’s no step-in powers there. Maybe they’ll follow. There’s been some discussions between the Five Eyes of these things that we’re now aware of,” Mr North said.
“At least in terms of the legislation, we seem to be leading the way [among the Five Eyes].”
A source from the university sector, who did not want to be named, said Five Eyes was using Australia as a test case for new cyber security laws and the same thing had happened with the controversial anti-encryption legislation (the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, or TOLA).
“The Five Eyes, and in particular the US, are using Australia to put out legislation that’s beyond [the usual] boundaries,” the source said.
Australia also took a leading stance in blocking Huawei’s involvement in the construction of 5G networks.
As well as allowing the ASD to take control in extreme circumstances, the proposed amendments would effectively make it, and its personnel, immune from civil or criminal liabilities if anything went wrong, providing an act was “done or omitted in good faith” and in compliance with other legislation.
Challenge with immunity
It is likely these rules would come into effect only in extreme circumstances, and the ASD would mostly seek to co-operate with a business that had suffered a cyber breach or an attack, as it does today.
But Mr North said the challenge with giving the ASD immunity was that while its personnel were experts in their field, they would not understand the intricacies of a company’s systems.
“It’s a very high bar, but there’s still no judicial oversight either before a step-in is made, or retrospectively, as to whether it was appropriate,” he said.
“Even with the best in the world [in terms of talent] and while acting in good faith, unintended consequences that take down systems and impact third parties could occur. I’m not surprised they’ve sought immunity to their actions. They don’t know what they don’t know and there could have been potential for third parties to get recourse.”
Critical infrastructure expanded
The proposed changes also expand what is deemed critical infrastructure to include the food and grocery sector, healthcare and higher education. Industries such as financial services, telecommunications and parts of the utilities sector were already considered critical.
For existing critical infrastructure sectors, one of the biggest concerns with the proposed amendments is how they mesh with existing regulations policed by the likes of the Australian Prudential Regulation Authority.
Experts in the sector think the amendments are partly driven by the challenges posed by COVID-19, which cast new light on the country’s reliance on sectors such as logistics, health and food, plus the high-profile attacks on companies such as Toll, BlueScope Steel, Lion and Regis Healthcare.
Damien Manuel, chairman of the Australian Information Security Association and director of the Centre for Cyber Security Research & Innovation at Deakin University, said the new sectors’ biggest challenge with the proposed legislation would be sufficiently bolstering their cyber security teams, given the skills shortage.
In recognition of this, it is expected these new sectors will be given more time to get up to speed with the new legislation than others such as financial services.
“We’re going to need time in some of these sectors,” Mr Manuel said. “Food and grocery is a completely new area and it’s been highlighted by COVID-19. These sectors definitely have to be folded into critical infrastructure to build the country’s resilience, but it needs to be done in a way that’s a gradual step change.”
King & Wood Mallesons partner Cheng Lim agreed, saying the cyber maturity of different industries varied significantly.
“Banks and telcos are all very sophisticated in dealing with cyber, but at the other end of the spectrum there will be entities with two people in their IT department,” he said.
“I’ve had clients who have been hacked and the first they’ve known about it is when the ASD has called them up and told them.”
Mr Manuel said the cyber security skills shortage would be a big problem with the broad new legislation and criticised the government for cutting funding for university humanities programs, which he said provided a pathway into cyber security for many graduates.
“They’ve restricted it to [the] typical STEM tech aspect, which is neglecting the fact that cyber is really holistic,” he said.
“What they’ve done is remove a whole segment of people who would normally have come into cyber through that pathway with critical thinking skills, legislation policy development abilities, knowledge of human behaviours and who can build programs of awareness. They’re all gone.”