Australian Cyber Security Laws Lack Spine, according to Home Affairs Minister.
Australian Cyber Security Laws Lack Spine – Australia’s cyber security laws and obligations will undergo a complete revamp after the Optus and Medibank data hacks.
The Federal Government will overhaul the $A1.7 billion cyber security plan set up in the aftermath of the hacks of Optus and Medibank, which the Home Affairs Minister Clare O’Neil said lacked “spine”, despite the fact it was set up with bipartisan support.
The changes will include establishing a national cyber office under the Home Affairs Department to lead emergency responses to cyber-attacks. At the same time, cyber laws will be rewritten to give government more power to intervene in the event of a major hack.
The changes will include a reform of the Security of Critical Infrastructure Act to possibly include customer data and “systems” in its definition of critical infrastructure, as well as to give government power to intervene in major data breaches. A new Cyber Security Act would impose new obligations and standards across industry and government.
Home Affairs Minister Clare O’Neil said the Optus and Medibank hacks exposed flaws in Australia’s cyber laws.
“In those events, we were meant to have at our disposal a piece of law that was passed by the former government to help us engage with companies under cyberattack,” O’Neil said.
O’Neil said that, when Optus was hit, there was no emergency response function within the Australian government, and it was able to respond only because a cabinet minister became directly involved.
That hack exposed the customer data of millions of Australians, including passports, driver’s licences and Medicare details.
“Australia has a patchwork of policies, laws and frameworks that are not keeping up with the challenges presented by the digital age,” O’Neil said.
“Voluntary measures and poorly executed plans will not get Australia where we need to be to thrive in the contested environment of 2030.”
O’Neil said she wants federal laws to be “fit for purpose for the threat landscape.”
“We need the unified effort of government, industry and the community,” she said. “Together, we can equip our community to reduce the number and impact of cyber incidents through improved cyber hygiene and provide clear advice on how to respond confidently when they occur.”
While the current Labor government grumbled about the failings of the previous Liberal government in announcing the changes, a lack of procedures and urgency from the private sector, as well as risk blindness, seems to have been a major contributor.
Australia’s Security of Critical Infrastructure (SOCI) Act primarily applies to key infrastructure assets, but there’s clearly scope for a broader remit, especially when it comes to the importance and risk profile that comes with protecting very large databases containing very sensitive information.
Of note, in April 2021 SOCI was expanded to contain significant measures to uplift the security and resilience of critical infrastructure, keeping it safe from physical, supply chain, cyber and personnel threats.
The Enhanced Cyber Security Obligations in 2021 included:
- Developing cyber security incident response plans to prepare for a cyber security incident
- Undertaking cyber security exercises to build cyber preparedness
- Undertaking vulnerability assessments to identify vulnerabilities for remediation
- Providing system information to develop and maintain a near-real-time threat picture.
Had these obligations been undertaken by Optus and Medibank it’s likely their defences could have withstood or considerably reduced the impact of the recent attacks.