Date: 2023-03-26

Home affairs secretary Mike Pezzullo has moved swiftly to recast the upper echelons and regulatory machinery of his expansive agency in the wake of the recent Optus and Medibank ransomware attacks, revealing a Cyber and Infrastructure Security Group (CISG) will be established from May 1.

The creation and disclosure of the new CISG ahead of the federal Budget, revealed immediately after the Australian Information Security Industry Association Cyber Conference in Canberra last week at Home Affairs’ own event, marks a major fusion between cyber and critical infrastructure protection. Once regarded as discrete, the two are now irreversibly blurred.

In simple terms, Defence will still set the height of the cyber defensive bar via the Australian Signals Directorate, as well as conducting offensive cyber, but Home Affairs is being given fortified teeth and a wider brief as industry and government cyber cattle dog.

There’s also a freshly minted depsec role, taken by the well-regarded Hamish Hansford, who’s been the go-to adviser at estimates and inquiries of late, displaying a cool, level and demure head when tested by the most ferreting questions.

“I would like to formally congratulate Mr Hansford on his appointment. I would also like to announce that Marc Ablong PSM will be moving from his role as deputy secretary, strategic initiatives, to undertake a secondment to the Australian Strategic Policy Institute, commencing on 1 May 2023, contributing to dedicated research on Australia’s national security.”

The latter isn’t exactly an appointment of an esteemed retiree; perhaps more an in-kind investment into ASPI’s research and evidentiary priorities that will, no doubt, have other esteemed think tanks recalibrating their marketing priorities.

According to Pezzullo, the new CISG “will bring together the cyber security and infrastructure policy settings, response and coordination as well as regulatory elements in one place”.

In other words, the ‘cybergeddon’ regulatory one-stop-shop.

“This will enable an integrated response to support the minister for home affairs, as minister for cyber security, as well as the recently advertised role of the national cyber security coordinator,” Pezzullo said, making it clear any coordinator needs solid muscle.

“The [CISG] will include the Cyber and Infrastructure Security Centre, which will have a focus on regulatory functions and delivery of Australia’s background checking function through AusCheck.

“The National Cyber Security Coordinator will perform a key role in supporting the minister to deliver on a raft of major reforms in the area of cybersecurity.”

The yet-to-be-named national cyber security coordinator “will perform a key role in supporting the minister to deliver on a raft of major reforms in the area of cybersecurity”, Pezzullo added.

“The coordinator will deliver a centrally coordinated approach to the government’s cyber security responsibilities and initiatives, and will be instrumental in driving leadership in the Australian government to develop strategic national security capability that underpins our future prosperity.”

The Australian Public Service (APS) was an integral part of this, the home affairs secretary noted, calling out the lead role in agency wrangling.

“This will result in a more coordinated approach across the Australian Public Service to deliver the government’s cyber security priorities and initiatives.

“The coordinator will centrally coordinate the approach to prepare for and manage the consequences of cyber security incidents. This will include leading the government’s coordination of action in response to major cyber incidents, to ensure they are handled in a proper, strategic, and seamless manner.

“The coordinator’s role will be to keep the minister informed to enable effective oversight of whole-of-government responses to cyber incidents. The coordinator will also lead on ensuring cyber security incident management frameworks are aligned and fit for purpose, and will drive the necessary work across government for clear protocols to manage incidents ahead of them occurring.

“As part of this, the coordinator will also be responsible for identifying and mitigating gaps in whole-of-government mechanisms, including advice on legislative options for unauthorised data releases. Additionally, the coordinator will support the hardening of Australian government IT as well as ensuring investments in government IT are strategic and appropriate.

“The coordinator will be supported by the National Office for Cyber Security, a function housed in the department. The office will work closely with other arms of the department and the national security community. The office will consist of employees from the Department of Home Affairs as well as secondees from partner agencies.

“The coordinator and the office will work in collaboration with the Australian Federal Police, the Australian Signals Directorate, the Office of National Intelligence, the Department of Foreign Affairs and Trade, and other key agencies across government, as they respond to these incidents, while providing the government with a rapid capability to manage the consequences as they start to emerge.”

Pezzullo then went to how effective current legislation may or may not be, especially with taking over powers of compromised systems – always an industry favourite.

“Australia has also introduced a global first set of reforms designed to respond to significant incidents. We have, in extraordinary circumstances, ‘government assistance measures’ in the Act; we have at our disposal a set of escalating powers to respond to a cyber-incident. These include information gathering (s 35AK of SOCI) and an action direction (s 35AQ of SOCI).”

Pezzullo said that with approval from the prime minister and ministers for home affairs and defence “[it will] authorise the government’s intervention request (s 35AX of SOCI) into critical infrastructure in order to respond to a cyber-incident. These are powerful authorities that are available if and when required.

“You might well imagine that should Australia face a catastrophic attack against our electricity grid, banking system or hospital networks we indeed would want at our disposal all forms of national power with which to respond. With these authorities, we have just that.”

But alas, the times they change.

“I do acknowledge minister O’Neil’s recent comments about some areas of deficiency concerning the Act,” Pezzullo said. “This principally goes to areas of consequence management as well as definitions.

“The Act was always conceived as being concerned with the protection of critical infrastructure assets. But given recent data breaches, the question that arises is: ‘Do we have the powers we need to respond to the incident, as well as the cascading set of harms that might arise from such an incident?’

“These secondary harms could include fraud or credential misuse. The Act was not designed to deal with these types of scenarios. As the minister’s expert advisory board has noted in the discussion paper for the new Cyber Security Strategy, it is clear that a package of regulatory reforms is further necessary, which includes the need to address response requirements following a major incident that deals with consequences.

“A new cyber security act to draw together cyber-specific legislative obligations and standards across both industry and government could be potentially considered.”

‘Totes’, as they say at the dog track (not that Canberra has one anymore), ‘will adjust’. For the APS, that translates to ‘no third dividend’.

