The Optus and Medibank incidents have exposed “gaps” in Australia’s existing incident response functions, according to a discussion paper released this afternoon.
The discussion paper calls for regulatory changes – including potentially a new Cyber Security Act. Most controversially, the paper suggests that the government’s power to step in to assist organisations or companies to respond to cyber attacks could be expanded to a wider range of circumstances. But it is worth pointing out that this is not government policy as yet.
The discussion paper was released shortly after Anthony Albanese addressed the cybersecurity roundtable in Sydney. It was drafted by an expert advisory board chaired by former Telstra boss Andrew Penn and whose other members are former air force chief Mel Hupfeld and cyber security expert Rachael Falk.
The authors say they have heard from industry that business owners “often do not feel their cybersecurity obligations are clear or easy to follow”. The paper says it is “clear from stakeholder feedback and the increasing frequency and severity of major cyber incidents, that more explicit specification of obligations, including some form of best practice cyber security standards, is required across the economy to increase our national cyber resilience and keep Australians and their data safe.”
It adds:
“It is clear that a package of regulatory reform is necessary. How this would be implemented, including the potential consideration of a new Cyber Security Act, drawing together cyber-specific legislative obligations and standards across industry and government, and the details of these reforms is something on which feedback will be welcomed.
This should also consider whether further developments to the [Security of Critical Infrastructure] Act are warranted, such as including customer data and ‘systems’ in the definition of critical assets to ensure the powers afforded to government under the SOCI Act extend to major data breaches such as those experienced by Medibank and Optus, not just operational disruptions.”
That proposal would expand the circumstances where the Australian Signals Directorate could step in to “assist” in the response to a cyber attack.
Other proposals for feedback include strengthening Australia’s international strategy on cyber security (such as boosting assistance to south-east Asian and Pacific countries). The paper also urges the government to lead by example, highlighting the fact that Australian government entities “have a long way to go to properly secure government systems”. It also suggests more help for small and medium businesses. Feedback is sought by 15 April.
This article was originally published by The Guardian.