Australia could be set to follow the US with rules that would delay public disclosure of serious cyberattacks on critical infrastructure operators to provide more time for mitigation and response.
The delay mechanism is one of five immediate changes that the government, through Home Affairs, is canvassing in a consultation paper released a day after the review into the country's Security of Critical Infrastructure (SoCI) laws.
The government said that continuous disclosure requirements, particularly on ASX-listed critical infrastructure operators, could force them to reveal an incident prematurely, when it posed national security or public safety risks.
“While continuous disclosure obligations promote transparency and well-functioning markets, immediate disclosure in rare, high-risk cyber incidents may inadvertently undermine coordinated responses, reveal vulnerabilities, or heighten systemic risks,” a consultation paper states.
Any delay in public disclosure would be "temporary"; a hypothetical example in the paper puts it in the region of 30 days.
“The intent is not to shield entities from commercial impacts, but to prevent disclosure from compromising national security including significant flow-on impacts across the economy,” the consultation paper states.
Vendor product bans
Another proposed change would make it simpler for the government to direct “multiple entities” to stop using a particular vendor’s product or service if it was seen as a “systemic” security risk.
The government already uses the Protective Security Policy Framework (PSPF) to stop federal entities from using "certain products and web services in their networks". That mechanism has previously been used to ban Kaspersky products.
Critical infrastructure laws presently allow blocks only on an organisation-by-organisation basis.
"[This] is not a practical mechanism for addressing systemic vendor or technology-related risks that affect multiple entities or an entire sector," the consultation paper states.
“Where coordinated mitigation is required across an asset class, sector, or supply chain, the current framework is too narrow and operationally inefficient to provide a timely or consistent response to multiple entities at once.
“The government is considering a vendor-risk direction power to enable coordinated action where a specific vendor or its products, equipment, services or technologies, presents a material risk to national security.
“This power would ensure systemic supply chain vulnerabilities can be managed consistently across affected critical infrastructure entities and sectors.”