No time to lose
Organisations around the world are increasingly falling victim to serious cyber-attacks that disrupt business operations, impact customers, and damage the reputation of even some of the most well-known organisations. Global business consulting firm Accenture was recently the victim of a serious ransomware incident; the threat actor making a ransom demand for USD$50 million in exchange for the release of over 6 TB of stolen data. This incident follows the attack on Kaseya in July, which included a USD$70 million demand to decrypt victims' files. In May, Colonial Pipeline’s IT systems were compromised and USD$350 million in ransom payments were handed over to the attackers.
These are just a few incidents involving ransomware. There are a myriad of other notable incidents that have severely disrupted the ability of an organisation to operate – they happen every single day and Australian organisations are certainly not immune.
"The clock is ticking… the urgency of this legislation, frankly, is self-evident."
Mike Pezzullo, Secretary for Home Affairs
It is clear why there is a sense of urgency from the Home Affairs department to pass the Federal Government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020, a bill they introduced into Parliament on 10 December 2020.
The Critical Infrastructure Bill
The Bill introduces a number of key reforms and requirements, including expanding coverage of the Bill from four to eleven critical infrastructure sectors, introducing enhanced cyber security obligations, and establishing a Government Assistance capability for cyber-attack responses.
Critical Infrastructure operators covered by the Bill face increased obligations, including:
- annual reporting of risk management plans
- development of cyber security incident response plans
- participation in cyber security exercises
- vulnerability assessments and remediation activities
- provisioning of system information to the Australian Signals Directorate.
Failing to comply with an obligation may result in a financial cost of 50 penalty units and up to 200 penalty units per breach.
Industry response to the Bill
At the recent public consultations held by the Government, technology giants including Google, Amazon, Microsoft, and Atlassian raised concerns about the Government having too much intervention power and oversight when it comes to cyber security, and particularly, cyber incidents. In contrast, representatives of the water, electricity, and logistics sectors agreed that Government assistance could be valuable during an incident, depending on the circumstances.
Despite the differences in these viewpoints, most organisations acknowledged the need for cyber resilience.
"In principle, we support the concepts under the ECSO (Enhanced Cyber Security Obligations) relating to incident response planning, cyber security exercise undertaking and vulnerability assessment undertaking. These activities help to build cyber security resilience and preparedness."
The Australian Industry Group
Indeed, many industry bodies support establishing a stronger and more mature cyber security framework for organisations to adhere to – especially when it comes to helping organisations prepare for an incident.
The Government's position on cyber security exercises
The cyber security exercise requirements in the Bill are in line with Australia’s Cyber Security Strategy 2020. In the strategy we saw the Government's commitment to exercises with the continued investment in the ACSC led National Exercise Program (born out of the 2016 strategy).
According to the ACSC, cyber security exercises are an effective way to test cyber security arrangements, take the necessary steps to strengthen them, and ensure incident response plans are up to date.
Cyber security exercise requirements under the Bill
If the Minister for Home Affairs identifies an organisation to be responsible for a ‘system of national significance’, the Secretary for Home Affairs may send them a written notice to undertake a cyber security exercise.
"Systems of national significance are a significantly smaller subset of critical infrastructure assets that are most crucial to the nation, by virtue of their interdependencies across sectors and potential for cascading consequences to other critical infrastructure assets and sectors if disrupted."
Department of Home Affairs
An organisation that receives a written notice must:
- undertake a cyber security exercise in relation to the system of national significance
- undertake a cyber security exercise in relation to one or more specified types of cyber security incidents (as specified in the written notice)
- prepare an internal evaluation report relating to the cyber security exercise and submit a copy of the report to the Secretary.
If the Secretary is not satisfied with the internal evaluation report, they can provide another written notice requiring the organisation to:
- appoint an external auditor who is not an officer, employee, or agent of the organisation
- prepare a new evaluation report written by the external auditor and submit a copy of the report to the Secretary.
Failing to comply with an obligation may result in a penalty of 200 penalty units per breach. For example, not performing the cyber security exercise or not delivering the evaluation report are considered breaches.
What's next?
The Bill is currently under review and, if passed, will allow the federal government to impose obligations and demand more from private and public enterprises.
Cyber security incidents aren’t going away, but exercising regularly means they’ll have less of an impact and enable organisations to return to business as usual faster. The Bill marks a change in direction for the Australian Government’s management of cyber security, a strong emphasis on ‘must’ rather than ‘should’, and goes some way towards outlining what they believe organisations need to do to improve their cyber security posture.
We’re looking forward to being part of a maturing, sovereign, cyber secured nation, and supporting Australian organisations as they strive to improve their cyber capability.