Why Australia is enacting emergency cybersecurity laws
Emergency alert! Australia’s Federal Parliament is preparing to pass emergency laws to help fend off cyber attacks in a range of key sectors. Here’s what you need to know about how the laws will work, and why this is happening now.
What are the emergency laws?
The parliamentary joint committee on intelligence and security (PJCIS) has tabled a report endorsing the urgent passage of laws to protect Australia’s critical infrastructure from cyber threats.
This would split the critical infrastructure bill that’s been under discussion in half, granting the government emergency powers to defend against cyber attacks on major infrastructure now, while providing time for government and industry to continue consulting on other issues.
The new laws would allow the government to declare an emergency and give agencies like the Australian Signals Directorate (ASD) the power to plug into the networks of companies, organisations and operators that are part of sectors deemed to be ‘critical infrastructure’, as a last resort to help them fend off cyber attacks.
The emergency laws would also require these critical operators to report cyber attacks as they happen. This would impose an obligation on them to send ‘signatures’ – files containing data sequences used to identify cyber attacks – to the ASD when they become aware of an attack.
The bill is expected to cover ports, water, power plants, telecommunications and the defence industry, while also expanding the definition of ‘critical infrastructure’ to include universities, finance and banking, health and the food and grocery sectors.
This follows reports in June that a major Australian company refused to comply with the ASD for weeks, despite being the victim of an active cyber attack that was having what ASD Director-General Rachel Noble called a “national impact on our country”. Transport and logistics operator Toll Group later conceded that it “may” have been the company at the centre of those reports.
A second bill, to be introduced at a later date after further consultation, is expected to impose ‘positive security obligations’ on businesses, which would require them to develop risk management plans.
Under the second bill, company directors could be made personally liable for cyber attacks, in much the same way that they’re already personally responsible for workplace health and safety – but the details of these reforms have yet to be decided, and they have proven controversial with businesses and unions alike.
That’s why, for now, the government is expected to follow the committee’s recommendations and split the bill, passing the emergency measures now and coming back to the more contentious elements of the bill later.
Why is this happening now?
The Chair of the PJCIS, Liberal senator James Paterson, said the inquiry received “compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure is increasing globally”, putting pressure on the government to act now.
“Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” he said.
Paterson said that while many businesses have asked for the entire critical infrastructure bill to be paused “in the current economic climate”, the committee felt there was a need for emergency powers to be granted urgently.
“While sympathetic to the concerns of industry leaders, the committee does not believe that pausing the entire bill is in Australia’s national interests given the immediate cyber threats that our nation faces,” he said.
Last year, Prime Minister Scott Morrison revealed there had been a string of cyber attacks on all levels of government, industry and critical infrastructure, including hospitals, local councils and utilities. At the time, Morrison refused to publicly confirm reports that China was behind the attacks.
This year, however, Morrison joined the US, the UK, the EU, Canada, Japan and New Zealand in calling out the Chinese government for orchestrating the massive Microsoft Exchange attack, which compromised at least 30,000 email systems around the world.
While the intent of the Microsoft Exchange attack might have been to gather intelligence, the smash-and-grab method of the attack led to schools, hospitals, councils and pharmacies having their data compromised.
But the Microsoft Exchange attack was just the most high-profile in a string of recent incidents. As well as the attack on the Toll Group, the likes of Nine Entertainment, BlueScope Steel, Lion Dairy and Drinks and UnitingCare Queensland have all been recently targeted in Australia, while Victorian health operator Eastern Health was forced to postpone elective surgeries at four Melbourne hospitals because of a cyber attack.
The Australian Cyber Security Centre recently saw a 200 per cent increase in reports of ransomware, while an Australian Institute of Criminology report estimated the total annual economic impact of cyber crime at $3.5 billion in Australia alone. Globally, McAfee and the Center for Strategic and International Studies found that losses from cybercrime had reached almost $1 trillion by the end of 2020.
Attacks on critical infrastructure are a particular priority for the government, because the consequences could include shortages of essential medical supplies; instability in the supply of food and groceries; impacts to water supply and sanitation; disruptions to transport, traffic management systems and fuel; and the temporary shutdown of the banking, finance and retail sectors.
When will the second bill be passed?
While the bill authorising the government’s emergency powers is expected to pass urgently, a deadline for the passage of the second bill, imposing cybersecurity obligations on businesses, has not been set.
But in recommending that the bills be split, PJCIS chair Senator James Paterson reiterated the importance of passing the second bill once the details have been finalised.
“The passage of both bills is essential because cybersecurity is not just the government’s job,” he said.
“Industry has a role to play too, and the second bill, which imposes obligations on businesses, is an important part of a comprehensive response to the serious challenges we face.”
Cryptoloc founder Jamie Wilson has welcomed the possibility of cybersecurity obligations for businesses, and believes it’s time for businesses to face the same requirements for cybersecurity that they do for workplace health and safety.
“There was a time not that long ago when many businesses took a laissez-faire approach to health and safety, and now it’s everyone’s number one priority, because they have to comply with strict legal obligations,” he said.
“We need to see these types of expectations being applied to cyber security. It needs to be a basic policy, for instance, for businesses to start securely encrypting their data, and this needs to be driven from the top down. We need to see the government putting forward cyber practices and policies to protect people – because we can’t wait for businesses to police themselves.
“At the same time, there’s a need for the government to educate businesses and the general public alike about the impact of cybercrime, to illustrate why these measures are necessary.”