AGL asks fed gov for stronger cyber security leadership

The federal government needs to set a better example on cyber security - hardening its systems, achieving mandated maturity levels and sharing threat intelligence with the community, AGL Energy has argued.

In a submission to the 2023-2030 Australian cyber security strategy discussion paper [pdf], AGL said that federal agencies' continued problems implementing the Essential Eight controls did not bode well for perceptions of government or for cyber security generally.

"Government entities, at all levels, should be leaders and models for better practice cyber security capabilities, particularly those entities that handle sensitive information and provide critical services," AGL argued.

"It is very concerning that a significant number of government entities fail to achieve Essential Eight maturity, and significant exposures and capability gaps continue to be identified in government audits and reviews at all levels of government.

"Government must show leadership by accelerating the hardening of government systems in line with relevant requirements.

"The government should demonstrate what good cyber security looks like, acknowledge areas where good enough is not being achieved, and take proactive action to mitigate and remediate identified shortcomings."

AGL saw additional opportunities for the government to lead by example on cyber security.

In particular, it asked the government to "declassify and broadly share relevant threat intelligence to provide timely and comprehensive information to industry stakeholders" - and to consider facilitating an information-sharing network.

It also suggested that the government lead a "structured review process" following major incidents, so as to collect intelligence themselves and share it widely.

AGL also suggested that wide-ranging intervention would be needed to address a critical shortage of professionals, ranging from funding more university and TAFE places, relaxing some visa requirements, and supporting people in adjacent fields generally to re-skill.

In addition, it suggested the government run a type of cyber security accreditation on products and services being procured, vetting that they are secure-by-design and appropriately supported through their usable life.

If such a scheme was to be stood up, AGL asked that the accreditation information be made public, so industry could also prioritise the purchase of products and services that prioritised security.

Backs law harmonisation

In other parts of the submission, AGL backed a proposal to harmonise all cyber security regulations and laws under a single Cyber Security Act.

Such legislation, the energy company said, should simplify security practice for “all organisations, regardless of sector or industry”, by “giving organisations a single set of cyber security standards and requirements to adhere to, reducing confusion and promoting compliance.”

Opposes outright ransom payment ban

AGL Energy has joined its voice to that of the Insurance Council of Australia in opposing an outright ban on the payment of ransoms.

Earlier this month, the ICA published its own submission, which said a ban on ransom payments represented a “complex policy issue”.

AGL said such a ban could have “catastrophic” outcomes, including “harm to community, loss of life, disruption of essential services or disclosure of sensitive information.

“In some circumstances and for some organisations, the payment of a ransom demand may be the only path to achieving acceptable outcomes”, the energy company stated.