The Security Legislation Amendment (Critical Infrastructure) Bill 2020, in its current form, would significantly shorten the time an organisation has to report a critical cyber attack on a critical infrastructure asset.
This is the subject of this second piece in a series of articles that looks at the bill, and talks with experts from ASX-listed security services provider Tesserent and cybersecurity consultancy The Secure Board.
Part one gave a general overview of the bill and outlined which industries are covered.
12 hours to notify
According to section 30BC of the bill, if an entity responsible for a critical infrastructure asset becomes aware of a critical cybersecurity incident, and the incident has had, or is having, a significant impact on the availability of the asset, the entity must report the incident “as soon as practicable, and in any event within 12 hours, after the entity becomes so aware”, either in writing, or orally with a written report submitted within 48 hours.
Failure to make the initial report would result in an $11,100 fine (50 penalty units). Failure to submit the written report would attract another $11,100, and failure to submit it in the ‘approved form’ a further $11,100.
For non-critical incidents, or imminent incidents, the reporting window is extended to 72 hours, according to section 30BD.
As an example, if Hypothetical Bank discovered that the server failure last week was due to a cyber attack and that there was now malware on their network, they would have 12 hours to at least pick up the phone and let the Government know. They would then have another 48 hours to make an official report in the approved format.
“That does put a lot of stress on organisations ... but I think it is actually a good thing for defending the nation,” said Tesserent chief information officer Michael McKinnon.
“The government should and needs to be aware of unfolding things happening quickly in order to have the best defence. You can't wait 30 days if you've got some nation-state actors attacking some of our organisations.”
The Secure Board director Clare Pales unpacked where this stress may come from: “Most businesses don't have full visibility of their whole network through their cybersecurity operations centre, or through their MSSP, or whoever they're using to monitor their network ... and so to be able to say whether or not they've contained a particular incident will be very challenging.”
However, McKinnon added that these added pressures would be a driver for organisations to improve their systems overall in a way that will, ultimately, be of benefit to their bottom lines.
“A good cybersecurity programme rolled out into an organisation should really be the catalyst that is reshaping how the IT function works such that it optimises that IT function and actually makes it perform better and leaner and meaner than it ever did before,” he said.
“To be able to respond to the government when they expect you to tell them within 12 hours that you've had some serious cyber attack, in the case of this critical infrastructure bill, the only way I know I can deliver that capability is if their IT function is humming along and is perfectly tuned.”
It will be a ‘burden’ to have to invest in upgrading systems to provide full visibility, enable reporting, and be in a position where an organisation can submit a written report within 48 hours, rather than the 30 days allowed under the OAIC’s Notifiable Data Breach laws.
However, whether you call it digital transformation, cloud migration, or modernisation, it is happening faster than ever.
With this bill, the organisations that have benefited from holding a critical position in society must now accept the responsibility that comes with it. A half-hearted commitment to digitalisation leaves them and the residents they serve vulnerable, and not just to having their data stolen, as McKinnon pointed out.
“We're seeing infrastructure that can potentially kill people being connected to computer networks,” he explained.
“We have a whole problem around cyber/physical systems where you have a potential risk that someone on the other side of the planet could have access to actually take a life in our country. A human life. Using technology.”
This is, of course, a worst-case scenario, but McKinnon has the backing of analyst firm Gartner on his assertion that someone with remote access to operational technologies could commit murder.
“That is a scary proposition and that underpins an aspect of why this sort of legislation is required and being looked at,” McKinnon said.
In the coming articles, the new powers for Government intervention will be examined and our experts will offer some advice for cybersecurity providers as we enter this new level of security expectations.