Nick Lennon is the ANZ Country Manager at Mimecast, having joined in 2007 as a Channel Sales manager. As a leader in management excellence, Nick has personally grown the local team from five members to over 100 since Mimecast’s introduction to the ANZ market. Nick maintains a passionate focus on achieving rapid local business growth, understanding evolving challenges across all verticals and ensuring customers get the best service driven by Mimecast’s strong culture.
Government proposes new cybersecurity rules for critical infrastructure, but questions remain
The new Bill is part of a package of proposed reforms aimed at achieving the main objective of Australia’s Cyber Security Strategy 2020, which is to protect Australian businesses and critical infrastructure providers from sophisticated cyber threats.
It’s a timely piece of legislation as well. Many critical infrastructure organisations at home and abroad are being targeted by increasingly more sophisticated cyberattacks, and the dangers of even a small disruption to critical infrastructure can be severe.
The current state of our critical infrastructure
Our critical infrastructure organisations have traditionally lagged behind in their cybersecurity practices, and though there has been progress, cyber threats are evolving much more rapidly. As an example, even until a few years ago, phishing emails were the weapon of choice for hackers. While still a cybersecurity risk, they could be countered with a little employee awareness training and standard cybersecurity tools. But now, we’re seeing hackers orchestrate sophisticated social engineering attacks, sometimes planned out weeks or months in advance, which are designed to win a target’s trust before attacking. These types of attacks can be very challenging to detect in time.
The kind of cyber threats that exist today are more than capable of disrupting large swathes of a country’s infrastructure, which is why the new Bill is so important. The idea behind the Bill is to introduce an updated regulatory framework which enhances the cybersecurity and cyber resilience of Australia’s essential services and key infrastructure.
How the proposed Critical Infrastructure Act will work
The new Bill extends the framework to 11 sectors which the government deems ‘critical’, which includes areas like financial services, higher education, healthcare, defense and food and grocery, among others.
To get a better sense of how the proposed legislation will impact these sectors, we can look at the example of the finance sector. History has shown that it’s usually the financial sector that feels the effects of new regulations first, since investment tends to impact all industries.
The Australian financial system is an ecosystem of an estimated 17,000 interconnected financial entities, markets, and financial market infrastructures that provide products and services to consumers, and a cyber breach in any one of them can have a cascading impact on the whole system. And with billions of dollars flowing through that system, any regulations that impact its security need to be considered carefully.
Small organisations make up a significant part of our critical infrastructure in almost every sector, which means one of the biggest challenges for regulators will be maintaining adequate cybersecurity across them. If any one of them gets compromised, it can have a huge ripple effect across national infrastructure. Identifying and securing every organisation that poses a potential cybersecurity risk is likely to be an extremely difficult task.
Let’s take a closer look at what the proposed changes entail for the sectors in question.
The introduction of enhanced cybersecurity obligations
Organisations operating in critical sectors, or those which are responsible for a critical infrastructure asset, may be subject to positive security obligations in three potential areas:
Adopting and maintaining a critical infrastructure risk management program, where they will be obliged to manage and mitigate risks by applying an all-hazards approach
Mandatory reporting of serious cybersecurity incidents to the Australian Signals Directorate within 12 or 24 hours, depending on how critical the incident is
When required, providing ownership and operational information to the Register of Critical Assets
Each aspect will not necessarily apply to all critical infrastructure assets by default. They must be 'turned on' via rule for a specific critical infrastructure asset or a class of critical infrastructure assets.
Industry concerns need to be considered
The proposed Bill has raised a number of concerns from many organisations, including the Australian Information Industry Association, various technology companies (including Microsoft, AWS, Cisco and the Software Alliance) and several universities.
One of the biggest concerns revolves around the Government’s new direct-action powers and the wide range of organisations which would be subject to the new rules (regardless of their connection to the traditional infrastructure sector).
Businesses and the government usually have differing priorities in a cyberattack. The private sector’s priorities would be to resume business as soon as possible, contain the consequences of a breach and minimise any reputational damage. In contrast, the government would seek to first and foremost protect national interests, and maintain industry-government relations.
Key industry players are also questioning what checks and balances will be in place and what avenues of review or appeal an infrastructure operator would have if the government’s powers were exercised.
The way forward
While well-intentioned and timely, the new Bill still raises some legitimate concerns about how it will be implemented. The best way forward is a collaborative and iterative consultation process between the government and the private sector to find more practical ways to achieve the desired outcomes.
Individual companies, especially those classified as critical infrastructure, will also need to review their cybersecurity practices and make sure they are aligned with government and industry standards.