Feds to face NSW in cyber war games

The federal government is planning to conduct a cyber attack simulation with the NSW government to assess both parties' capability for real-life incident response.

Federal cyber security minister Angus Taylor revealed the planned cyber war games at the opening of the Commonwealth's fourth joint cyber security centre (JCSC) in Sydney today.

He said the exercise would take place at the Sussex St facility "in the coming months".

"I am a huge believer in the power of simulations to help you understand what your strengths and weaknesses are, and how to deal with them," he told iTnews on the sidelines of the event.

Cyber war games or simulations are structured to mimic the experience of a real-world attack scenario.

The federal government held its first-ever cyber war games last year with five teams from 10 agencies. Its attack scenario involved industrial control systems and critical national infrastructure.

Taylor declined to detail the type of simulation the exercise with NSW would involve, saying only that it would mimic a real-world scenario state and federal governments might need to deal with.

"It will allow us to work with them to get protocols right, to understand best what the nature of the threat is, what our vulnerabilities are, and how best to deal with them," he said.

"I'm firmly of the belief that much of how we're going to make progress in this area is through simulations. It's better to learn through simulations than actual practice - Defence has learned that over along period of time, and we need to take those learnings and apply that approach in cyber security."

The NSW government was last month blasted by the state's auditor for weak cyber security detection and response practices.

Taylor and NSW finance minister Victor Dominello both today acknowledged the state needed to "step up" on cyber security. Dominello called the findings "sobering".

Encryption legislation still incoming

The government is still consulting with the private sector over its planned legislative crackdown on encryption, Taylor said today.

It had last year promised a bill would be introduced before the end of the year.

Taylor today told iTnews the government wanted to strike the right balance between the demands of law enforcement and the concerns of encryption technology providers.

He would not commit to a date for the legislation's introduction.

"I'm very sensitive to the concerns of players in the technology sector and realise they don't want to compromise their products," Taylor said.

"I think we can get this right and I think we've got to respect the product integrity of the tech sector, but at the same time we have to make sure our law enforcement have the tookit they need to go after what is unbelievably sophisticated organised crime.

"My focus is not on rushing [the legislation]. We want to make sure that when this happens it's done in a way that we're working with industry, not against them. We've got to get the balance right."

Taylor said he believed the government could address the concerns of technology providers - including that the legislation would force them to build backdoors into their products - to "solve the problem in an innovative way".

"I've come from the private sector and I know that humans within organisations are endlessly capable of solving problems if they're given focus and there's the right consulation," he said.

"I'm not one who believes in storming in and imposing solutions - it is crucial we work with the tech sector to get it right, and I think we can."

The proposed legislation is expected to closely mirror the UK's Investigatory Powers Bill, which obliges encrypted communications providers to ensure they are technically able to hand over decrypted data to law enforcement in near real time.

The UK's 'technical capability notices' work as a first step to "prepare the ground" in case an operator receives an interception warrant. New Zealand has introduced similar legislation.

The Australian government has previously said it wants to "impose upon the companies an obligation conditioned by reasonableness and proportionality".