Australia proposes critical infrastructure cyber upgrades
The Australian Government has proposed new laws to grant federal government agencies the power to ‘take direct action’ against cyber attacks and obtain information from critical infrastructure entities if it is deemed to be in the national interest.
The Australian Government’s Security of Critical Infrastructure Act 2018 defines as critical infrastructure those entities or facilities ‘which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia’s ability to conduct national defense and ensure national security’.
The Act currently places regulatory obligations on specific entities in the electricity, gas, water and maritime ports sectors. However, entities across all critical infrastructure sectors are facing increasing threats and may require enhanced protections. The reforms outlined in the paper would add a number of sectors to the definition of critical infrastructure: banking, finance, communications, data, the cloud, defence industry, education, research, innovation, energy, food, grocery, health, space, transport and water.
The enhanced framework outlines a need for an uplift in cyber security and resilience in all critical infrastructure sectors, combined with better identification and sharing of threats. The goal is to make Australia’s critical infrastructure – whether private or state owned and operated – more resilient and secure.
The proposed security law comprises three elements: a Positive Security Obligation, which includes baseline protections against all hazards for critical infrastructure and systems, implemented through sector-specific standards proportionate to risk; Enhanced Cyber Security Obligations that establish the ability for government to request information to contribute to a near real-time national threat, owner and operator participation in preparatory activities with the government, as well as the co-development of a scenario-based ‘playbook’ that sets out response arrangements; and Government Assistance for entities that are the target or victim of a cyber attack, through the establishment of a government capability and authorities to disrupt and respond to threats in an emergency.