Govt casts wide net over industry for cyber threat oversight, intervention

Businesses with networks and systems of "national significance" would be forced to disclose information about them if requested under proposed changes to critical infrastructure laws.

The Department of Home Affairs on Wednesday kicked off a month-long public consultation on the proposed “enhanced regulatory framework” for critical infrastructure and systems of national significance outlined in the 2020 cyber security strategy last week.

The framework will introduce new cyber security rules, ranging in severity across three groups: ‘systems of national significance’, ‘regulated critical infrastructure entities’ and ‘critical infrastructure entities’.

Currently, electricity, gas, water and port entities are regulated under the Security of Critical Infrastructure Act.

Under the reforms, banking, health, education, food and “data and the cloud” would be recognised as critical infrastructure sectors, and could be subjected to system disclosure rules.

However, the proposed reforms won't cover government and democratic institutions.

The consultation paper indicates the government is working to “identify the most appropriate mechanisms to ensure governments are held to the same standards”.

Owners and operators of systems of national significance will be subjected to a stringent set of rules, which includes “enhanced cyber security obligations”.

Home Affairs will use the consultation to map which critical infrastructure entities operate systems of national significance by considering the “potential for a domino effect if the function were compromised” and the consequence of that compromise. 

Those obligations are expected to initially see government request “entity information” from owners and operators of systems of national significance on a voluntary basis in a bid to help inform situational awareness.

The information will be used to test and build a “capability to facilitate information sharing with relevant owners and operators - whether industry or government” - to create a “real-time threat picture”.

“A near real-time threat picture, including intelligence insights and trends, will empower owners and operators of systems of national significance to take appropriate and timely action on their own systems,” the consultation paper [pdf] states.

“It will also provide the government with an aggregate threat picture and comprehensive understanding of the risks to critical infrastructure. This will better inform both proactive and reactive cyber response options.”

The government has also proposed that owners and operators of systems of national significance be obligated to “provide information about networks and systems to contribute to this threat picture if requested” in the longer term.

While the government has not detailed what types of information would be requested, this appears to be an evolution of the IT requirements imposed on electricity, gas, water and port entities.

“When a request is issued, it will include the format the information is required in (up to and including near real-time), as well as a specified timeframe to work with the government to provide the information,” the consultation paper states.

“At present, we do not anticipate that all owners and operators of systems of national significance will be requested to provide such information.”

The government will also expect owners and operators of systems of national significance to participate in regular cyber security activities with the government, likely to include cyber war games, and in the “co-development of a playbook of response plans for a range of scenarios”.

Positive security obligation

In addition to the “enhanced cyber security obligations”, owners and operators of systems of national significance, as well as critical infrastructure entities regulated by the Security of Critical of Critical Infrastructure Act, will also be subject to a positive security obligation (PSO). 

The PSO will “set and enforce baseline protections against all hazards for critical infrastructure and systems, implemented through sector-specific standards proportionate to risk”.

The government plans to do this by building on the range of existing mechanisms that are already in place across entities to manage risks “to deliver a more consistent approach to managing risk across all sectors”.

“We want to work with critical infrastructure entities to clearly define the high level, sector-agnostic principles that will form the basis for the PSO,” the consultation paper states. 

“We consider that at a minimum, owners and operators of critical infrastructure should be legally obliged to manage risks that may impact business continuity and Australia’s economy, security and sovereignty.”

Some of the PSO expectations will include entities “tak[ing] an all-hazards approach when identifying risk”, having “appropriate risk mitigations in place to manage identified risks” and having an ability to recover from a cyber incident as quickly as possible.

The government also proposed that the framework “clearly set out in legislation the high-level obligations that critical infrastructure entities should meet”, across physical, cyber, personnel and supply chain security.

Non-compliance with the PSO could see entities subjected to enforcement action from the government include “reasonable requests for access to information and inspection and audit powers” or penalties.

Government cyber assistance

The final component of the framework will give Australia's cyber spooks the power to defend the networks and systems of all three classes of critical infrastructure entities in an emergency, even if their assistance isn't requested.

This includes the sectors of banking and finance, communications, data and the cloud, defence industry, education, research and innovation, energy, food and grocery, health, space, transport and water.

While the government said it will generally rely on these entities to “take proactive steps”, scenarios could arise that require government involvement.

“Critical infrastructure entities may face situations where there is an imminent cyber threat or incident that could significantly impact Australia’s economy, security or sovereignty, and the threat is within their capacity to address,” the consultation paper states. 

“In these cases, we propose that government be able to provide reasonable, proportionate and time-sensitive directions to entities to ensure action is taken to minimise its impact.

“Entities may also be able to request that government make such a direction, providing them with the legal authority to conduct any necessary action.”

In the event of an “immediate and serious cyber threat to Australia’s economy, security or sovereignty (including threat to life)”, government will be able to declare an emergency and take direct action.

“In an emergency, we see a role for government to use its enhanced threat picture and unique capabilities to take direct action to protect a critical infrastructure entity or system in the national interest,” the consultation paper states.

“These powers would be exercised with appropriate immunities and limited by robust checks and balances. 

“The primary purpose of these powers would be to allow government to assist entities take technical action to defend and protect their networks and systems, and provide advice on mitigating damage, restoring services and remediation.

“It is anticipated the government assistance element of the framework will be primarily discharged on a voluntary basis, as entities will also want to restore functions expeditiously. 

“However, there may be cases where entities are unwilling to work with government to restore systems in a timely manner. 

“Government needs to have a clear and unambiguous legal basis on which to act in the national interest and maintain continuity of any dependent essential services.”