The hackers were able to access information including names, dates of birth and driver licence numbers and, in the case of Medibank, highly sensitive medical details including records of mental health treatment and drug addiction.

A burden was placed on State and Federal Government departments to replace large amounts of identification, calling into question the relationship between government and business in responding to cyber incidents and igniting an intense public discussion about the vulnerability of data.

On 27 February, Home Affairs Minister Claire O’Neil slammed the former Government’s cyber security laws as “useless and flawed” after the Government found itself unable to respond effectively to the Optus and Medibank incidents in September and October.

“In those events, we were meant to have at our disposal a piece of law that was passed by the former Government to help us engage with companies under cyber-attack, and that law was bloody useless, like not worth being printed on paper when it came to usually using it in a cyber incident,” O’Neil told ABC radio.

“[The laws] are not fit for purpose at the moment, and I do think they need reform.”

Her comments came as Prime Minister Anthony Albanese led a cyber security roundtable with leaders from the public service and intelligence agencies, and independent experts from business and industry to discuss stepping up defences in public and corporate systems.

The Government this week announced it will appoint a Coordinator for Cyber Security, supported by a new National Office within the Department of Home Affairs, to ensure a “centrally coordinated approach”.

“Australia has a patchwork of policies, laws and frameworks that are not keeping up with the challenges presented by the digital age. Voluntary measures and poorly executed plans will not get Australia where we need to be to thrive in the contested environment of 2030,” O’Neil said.

O’Neil also released a discussion paper to canvass new laws and seek views from industry on how to streamline current legislation and policy. The paper also seeks views on the role governments should play in improving Australia’s cyber resilience.

There are 21 questions in the paper, including whether payment of ransoms and extortion demands by cyber criminals should be banned; the scope of the powers of intelligence agencies to intervene; and whether a standalone Cyber Security Act should be considered.

System overload

In Australia, data protection and privacy are principally regulated by the Federal Privacy Act 1988, which is currently under review. However, there are a host of laws at State and Federal level that touch on cyber security, including the Criminal Code Act 1995, the Telecommunications Sector Security Reforms (TSSR) and the recently amended Security of Critical Infrastructure (SOCI) Act 2018.

The latter is the primary law spotlighted by the Government’s recent announcements and in the discussion paper, as it imposes obligations on organisations operating in critical infrastructure sectors to ensure the cyber resilience of their assets. The Act also imposes stringent incident reporting obligations to Government.

The SOCI Act was introduced in 2018 in response to the growing threat of attacks against the country’s most important systems, covering assets in the electricity, gas, water and maritime sectors.

Beginning in 2020, the Act went through 18 months of robust community and industry consultation and was amended at the end of 2021, expanding from four to a total of 11 sectors, including health care and medical, the defence industry, higher education, and data storage and processing.

However, the recent discussion paper asks whether further reform is necessary, to extend the existing definition of “critical assets” so that customer data and “systems” are included.

Rob Nicholls, Associate Professor of Regulation and Governance at UNSW Business School, explains that this is why the SOCI Act has been receiving heat, viewed through the lens of what happened with the Optus and Medibank hacks.

Despite having the legislation at their disposal, the Government was unable to use it in practice, he said.

“O’Neil comes into Government, she has this fabulous piece of legislation that has taken years to negotiate, has support from the 11 sectors that it covers, and then finds it doesn’t help,” Nicholls said.

“SOCI is basically associated with systems in terms of the definition of critical assets, and those systems don’t necessarily include the data which is protected by the systems… If our data is caught in a breach, it doesn’t matter what the systems are. If they had taken a photocopy of the 100 points of ID and left those in a paper file, my personal data would be safe still.

“Not only did SOCI allow Optus to have this breach, but it also didn’t require Optus to work with the Government to analyse the breach to try and ensure it didn’t happen again. This is a trigger to Minister O’Neil’s ‘useless’ comments.”

Melissa Fai, partner at Gilbert + Tobin with expertise in cyber security, told LSJ that the discussion paper is also looking to broaden the existing legal scope for the country’s top cyber agency, the Australian Signals Directorate (ASD), to step in when businesses are under significant attack.

The SOCI Act does already contain an ‘intervention request power’ allowing the Government to ‘step in’ in the wake of a serious cyber security incident, but Minister O’Neil has suggested those powers are currently too limited and “very, very narrowly defined” and, hence, did not assist the Government in practice. The suggestion appears to be that an expansion of these powers is necessary, but a reading of the SOCI Act itself does not reveal these limitations.

“Indeed, the definition of ‘asset’ under the SOCI Act is really very broad – it includes a system, a device, a computer program, data and “any other thing”… The Minister seems to be alluding to the fact the Government felt the need to step in but could not for some reason based on limitations in the Act’s scope and powers,” Fai said.

“It is difficult with incidents that are almost instantaneous; they happen and systems have been compromised and the data is gone, so there is often little time for the Government to be able to step in to mitigate or remedy the breach.”


Excerpt from article by Keely McDonough, read the full article here