One of the more controversial aspects of the Security Legislation Amendment (Critical Infrastructure) Bill is the powers it will give to Federal Government in the case of a serious cyber attack.
The Bill, in its current form, would mandate that organisations under the widened auspices of ‘critical infrastructure’ keep the Government informed of any attacks and, in extreme cases, allow it to intervene in responses.
This article is the third in a series that is looking into the Bill, with comments from experts from ASX-listed cybersecurity provider Tesserent and specialist cybersecurity consultancy The Secure Board.
The first piece gave a brief overview of the Bill and explained which organisations would come under its purview. The second article looked into the 12-hour timeframe that the Bill would allow for serious incidents to be reported.
The new powers
Before outlining the following powers in more detail, it is important to note the checks and balances in place.
For the most part, none of these actions can be undertaken without ministerial authorisation, which must be approved by the Prime Minister and the Minister of Defence and only in response to an attack on critical infrastructure that may be of concern for national security.
Organisations that are included in the legislation can be ordered to assess the security of their systems internally and, if necessary, to submit to independent external auditing.
Reporting on the status and resilience of those systems can also be required, either at regular intervals or on an event-driven basis, for periods of up to 12 months at a time. These reports must be submitted even if they are potentially incriminating to the company or an individual, but they cannot be used in criminal or civil proceedings unless those proceedings relate to the Act itself.
The Government would be able to mandate that an organisation install a piece of software on a system and that the software be maintained and, wherever possible, kept online. However, this software can only collect and record information relating to the operation of the computer, for the purpose of determining whether further powers under the Act should be exercised, and it cannot collect personal information protected by the Privacy Act 1988.
It could order an organisation to allow it access to a computer for purposes of analysis or to add, remove or modify installed programs, as well as connect its own computers to the organisation’s systems.
In extreme cases, the Government could direct an organisation to take or refrain from taking actions.
It could request access to premises and, if refused, engage the police – but cannot engage in force against an individual.
Computer equipment could be taken from the premises to be analysed but would have to be returned once the incident is resolved.
In short, if Government representatives believe that a piece of critical infrastructure is under attack in a way that puts national security at risk, they would be able to shut down, change, analyse, remove and control that infrastructure and its component parts.
The response from both Tesserent chief information officer Michael McKinnon and The Secure Board directors Claire Pales and Anna Leibel was that there is not too much to be concerned about here.
They noted that these are worst-case scenario powers, reserved for situations where an organisation is proving unable to handle an incident that is growing out of hand.
McKinnon said that overall, he was “not too worried” about this aspect of the legislation.
“I think the intention here is from that national security perspective of the government saying, ‘Listen, we need to have control of our entire country, essentially as a battleground to defend and respond to cyber attacks on a national scale’. I think the only way that government can do that is by being able to pull some of these levers and have that control that they're looking for,” he said.
“There is a serious side to this bill that I think shouldn't be washed away, and I think people need to understand that there is an intent here to kind of set us up for a need that might arise in the future where we will need to respond in a very quick way – and the only way they can do that is to have that control.”
Pales and Leibel said that the best thing an organisation can do is to ensure they have reliable and thorough cybersecurity plans in place so that they can respond in a way where the Government would not need to step in.
“As a country, we need to start collectively working on this together. The Government's providing the skills and the resources to help organisations but I think it's also us learning from each other,” Leibel said. “Part of that is the community, part of the government playing a role in helping organisations with their capability, and then also in the event of an attack.”
“The most important thing an organisation can do is put their own internal processes in place for incident response, and rehearse them,” Pales added.
“It's far more likely that things will spin out of control if you don't have those processes in place … If, when the alert comes in and something has occurred, everybody knows what their role is, the process runs like clockwork and you're much more likely to be resilient. If you don't have those processes in place, it can become an incident that maybe you do need intervention from others.”
The final article in this series will outline advice from the experts on how to ensure that an organisation is safe, secure and compliant.