Telstra has rejected suggestions that government needs unilateral network access to avert or respond to cyber security incidents and is instead pushing for a cooperative arrangement for only the most serious circumstances.
In its submission [pdf] to public consultation on the country’s 2020 cyber security strategy, the telco sought to address the suggestion that cyber security agencies might be granted new powers to respond to “national emergency situations”.
A discussion paper released in September hinted that government might seek to change legislation following the new strategy to allow cyber security agencies to take direction action without the permission of network owners.
“Under existing legislative frameworks, government can only take direct action to prevent or respond to cyber security incidents with the permission of network owners (including other government agencies),” the discussion stated.
“This takes time and gives malicious actors an advantage. In national emergency situations, it may be appropriate for government agencies to take swifter action.”
It follows comments by Home Affairs Minister Peter Dutton in the first half of this year that raised the prospect of Australian banks and payments systems being forced offline because of cyber-attacks.
But while recognising that there were situations where this level of intervention was warranted, Telstra appeared to use the submission to push a more collaborative approach – and only in very specific circumstances.
“We value and appreciate the deep technical expertise of government and understand that there are scenarios where it may be appropriate, and beneficial to industry, for government agencies to take swifter action,” the telco said.
Telstra has suggested government and industry work out the particularities of the approach, both at a technical and leadership level, under “existing legislative frameworks and Memoranda of Understanding”.
It said that these mechanisms, which “should be robust and regularly tested”, could be used to determine “at what point an incident would reach a national security threshold” and any “subsequent actions that could be taken”.
The telco pointed to the collaboration between the US government and the banks in 2012 to respond to a series of DDoS attacks against financial institutions.
“We appreciate the advantages greater visibility into the behaviour of critical networks could afford the government in better protecting national critical infrastructure,” Telstra said.
“There are several different ways this could be achieved, with different levels of collaboration between agencies and network operators, and accordingly of technical and operational risks to the networks themselves.
“Industry can complement government expertise with its understanding of the complexities involved in managing and monitoring networks and operations, patching certain systems or remediating vulnerabilities at speed.
“Industry and government should explore options together and agree on the most effective solutions to proactively identify cyber risks.”
Restore CISO meetings
Telstra also used its submission to call on the government to restore the annual cyber security leaders’ meetings, which have not been held since 2017.
“Government to re-establish previous regularly quarterly operation meetings between the minister responsible for cyber security and key industry CISOs,” the submission states.
“These meetings provided ministers with front-line insights on key cyber security issues and opportunities for greater collaboration.”
Another initiative first introduced in the 2016 strategy also recommended for repeat is the ASX 100 cyber health check, which Telstra described as “an effective tool to initiate discussion on cyber security at the most senior levels”.
“We believe it would be worthwhile repeating this survey to assess progress in the cyber maturity of Australia’s largest organisations,” its submission states.
“A repeat survey may benefit from a ‘split model approach’ that would see strategic questions around risk and maturity directed to the board, and specific questions on technology stacks, controls and capabilities directed to chief information security officers (CISOs) and cyber security teams that are better placed to provide this detail.
“Increased clarity around the definition of key terms used in the survey (i.e.: attacked, incident and breach) will also assist with response baselining across organisations.”
Improved information sharing
Like many other submissions to the consultation, Telstra has similarly called on the government, particularly ASD, to improve threat intelligence sharing.
“Challenges continue to face operational information sharing in Australia, due to a reliance on individual relationship-based sharing rather than more resilient operationalised arrangements,” it said.
“The Trusted Information Sharing Network (TISN) is not the most appropriate mechanism for sharing cyber threat information, and information flow from the ACSC on the threat landscape has not yet reached full maturity.”
One of the proposed changes is the appointment of a “dedicated, visible, senior ACSC leader to be given responsibility for two-way engagement with CNI [Critical National Infrastructure] organisations on sensitive cyber security threats
“This position would replace the current arrangements that often see industry advised to send sensitive information to a generic ACSC mailbox,” Telstra said.
Telstra similarly wants advance knowledge of plans by the government to publically attribute state-sponsored cyber-attacks to a specific country.
“Following an attribution, there is some global precedent for large companies to be used as proxy targets in retaliation,” the submission states.
“A formal, advanced notification process to trusted CNI providers when attributions will take place would enhance the ability to monitor for and protect against this activity.”