Proposed national security laws will grant federal government agencies the power to “take direct action” against cyber attacks and obtain information from critical infrastructure entities if it is deemed to be in the national interest.
The Department of Home Affairs on Wednesday outlined the proposed changes in a consultation paper aimed at industry, academia, and state and territory governments, with the consultation period to run until September 16.
Within a broad definition of critical infrastructure, the Security of Critical Infrastructure Act 2018 currently places regulatory obligations on specific entities in the electricity, gas, water and maritime ports sectors.
The reforms outlined in the paper would add a number of sectors to the definition of critical infrastructure: banking, finance, communications, data, the Cloud, defence industry, education, research, innovation, energy, food, grocery, health, space, transport, and water.
Entities covered under the proposal would be categorised as either a “critical infrastructure asset”, a “regulated critical infrastructure asset”, or “systems of national significance”.
Direct action powers proposed
The government has proposed the development of a national alerting system for cyber attacks — similar to the current National Terrorism Threat Advisory System — for situations where it may “declare an emergency”.
Factors such as the potential consequence to Australia’s economy, security or sovereignty, the extent to which the incident would spread across jurisdictions, and the imminence of the threat would be used to determine whether an incident is an emergency.
In cases where the government detects “an immediate and serious cyber threat to Australia’s economy, security or sovereignty (including threat to life)”, the paper has proposed government be granted the power to “take direct action to protect a critical infrastructure entity or system in the national interest”.
The paper doesn’t name which agencies would be given such power, but it does note that “these powers would be exercised with appropriate immunities and limited by robust checks and balances”.
In cases where entities are unwilling to work with the government to “restore systems in a timely manner”, the paper argues that the government needs “a clear and unambiguous legal basis on which to act in the national interest and maintain continuity of any dependent essential services”.
In some circumstances where entities face less extreme cyber and security threats, the government has proposed providing them with reasonable directions on tackling the threat, along with “appropriate immunities to ensure they are not limited by concerns of legal redress for simply protecting their business and the community”.
However, the paper notes that “under no circumstances” will entities be authorised to take actions against the attacker, including with “hack backs”.
System operators ‘obligated’ to share information
The government plans to establish a capability to facilitate information sharing with the owners and operators of “systems of national significance”, and will develop a near real-time national threat picture using information from a variety of sources.
Information shared by the government will be about networks and systems, “not information about consumers”, the paper says. Under the proposed laws, the government would be able to ask entities for their information on a voluntary basis “in the first instance”, but eventually entities would be forced to provide their information if they come under “systems of national significance”.
“In the longer term, owners and operators of systems of national significance will be obligated (under amendments to the Act) to provide information about networks and systems to contribute to this threat picture if requested,” the paper says.
“When a request is issued, it will include the format the information is required in (up to and including near real-time), as well as a specified timeframe to work with the government to provide the information. At present, we do not anticipate that all owners and operators of systems of national significance will be requested to provide such information.”
Home Affairs minister Peter Dutton on Wednesday said the proposed reforms would address the changing threat landscape.
“We cannot be complacent. Owners and operators of critical infrastructure are facing evolving threats including increasing cyber attacks. An incident involving Australia’s critical infrastructure has the potential to cause significant consequences across our economy, security and sovereignty,” he said.
“By strengthening and better protecting critical infrastructure from threats, Australians can be assured that government and industry are working together to do what is necessary to keep Australians safe and protect our economy.”
The reforms are a key initiative of the recently released 2020 Cyber Security Strategy.