How government can help combat cyber threats to critical infrastructure

Date: 2022-08-23

The digital frontier has long been recognised as the new battleground for conflict and espionage. Countries such as Russia and China look to use the information superhighway to probe cloud networks and attack digital gateways to snoop on governments, their agencies, corporations and other significant bodies.

Cyberattacks have formed a part of how these two countries have sought to disrupt nation-states. Repeated attempts by foreign actors to peep into sensitive records and steal industrial or government secrets have led to governments tightening legislation intended to protect critical infrastructure.

Australian politicians did this last year when they passed new laws that expanded the number of sectors regarded as critical infrastructure, building on laws made almost three years earlier.

The Security of Critical Infrastructure Act 2018 established a register of who owns and operates certain infrastructure assets. It empowered the relevant minister to direct entities or operators in the electricity, gas, water or maritime ports sectors to take specific actions or cease particular activities.

The 2021 legislation beefs up the number of sectors regarded as having ‘critical’ infrastructure. These include communications, data storage or processing, financial services and markets, water and sewerage, energy, healthcare and medical, higher education and research, food and grocery, transport and the space technology and defence industry.

The more recent law also requires entities with critical infrastructure to report incidents classified as “critical cybersecurity incidents” within 12 hours of becoming aware that an incident took place.

Senator James Paterson chaired the parliamentary joint committee on intelligence and security (PJCIS) when the critical infrastructure laws were debated. He told the Senate that a cyberattack executed by state or non-state actors on critical infrastructure assets occurs every 32 minutes and that there had been a 13% increase in the reporting of cyberattacks during the coronavirus pandemic.

Paterson said committee members were most concerned that state-based actors were muscling up against Australia and other countries by engaging in espionage and attacks in the digital realm.

“Our cyber challenges are increasing in complexity as a result of the evolving security environment in the Indo-Pacific region,” he said. “Grey-zone tactics which lie between peace and war, where foreign states use cyberintrusion and digital espionage, among other tools, to threaten our interests, are increasingly being relied upon, particularly by authoritarian states.

“Independent experts who appeared before the PJCIS told us that it was likely that foreign state actors are already prepositioned on sensitive networks and that that presence could be activated against our interests as a prelude to a regional crisis.”

Collaboration required on critical infrastructure protections

Paterson told parliament that new legislation would put in place a government assistance regime enabling entities to get government assistance to bolster their systems. So how can governments cooperate with critical infrastructure leadership to develop more secure systems?

Home affairs department secretary Mike Pezzullo told the PJCIS that this could involve a collaborative approach in which government provides design guidance aimed at helping critical infrastructure operators keep their information secure and the nasties out.

“If the government assistance measures don’t work sufficiently robustly, we might need to start thinking about how, as new networks, cloud and other capabilities are deployed in utilities, telcos, banks, we actually design, from the ground up, and partner with them, using the mechanism of the GAM – the government assistance measure,” said Pezzullo.

He said that government could help operators build and evolve their networks using co-design principles, citing the example of a bank wanting to transform its online presence. They could seek assistance from the Australian Cyber Security Centre (ACSC), Pezzullo suggested, or “they might be obligated to submit future concepts under a PSO (positive security obligation) and say: ‘Rather than having this antagonistic our lawyers will show your lawyers this, why don’t you help us think about what a more secure network looks like?’”

A later committee hearing considered the response of the information technology sector to government thinking on measures designed to ensure people managing critical infrastructure apply best practices in network security to stop unwanted visits from digital intruders. The security of cloud services was front of mind for various participants from the data storage and processing sector.

Australian Information Industry Association general manager of policy and advocacy Simon Bush told the committee during a roundtable discussion that data storage and processing service providers are considered critical infrastructure, but there is an interdependency with other sectors on data storage that must be acknowledged.

Bush said that the data storage sector already assisted government in identifying threats, and any measures that facilitate a cooperative approach need to be encouraged.

“I think it’s about a partnership between our sector and government in information sharing, which we’re happy and willing to do, and currently do very, very well, with the ACSC,” he said. “I think any mechanisms to encourage, support and grow that are really important.”

Bush also told the committee that moving more critical infrastructure assets onto cloud platforms would make them secure. “Certainly, one of the easiest things you can do is get people onto global clouds, where the security is incredibly robust,” he said.