Exclusive
Australia’s cyber shield boosted for ‘jewel’ assets
Companies and institutions considered the “crown jewels” of the Australian economy will get beefed up protection from foreign cyberattacks as the Albanese government activates laws designed to safeguard critical infrastructure and nationally significant systems.
Using national security laws passed by the Coalition for the protection of essential services – including energy, utilities, communications, banking, healthcare and education operations – Home Affairs Minister Clare O’Neil has designated 82 of the most sensitive as critical infrastructure assets.
Managed by 38 different entities, the assets cannot be publicly named under the laws. Together the group is considered the most susceptible to attack from malicious cyber threats and interference, coming amid a deteriorating global threat environment in the wake of the COVID-19 pandemic.
Companies and owners behind the systems, including major Australian and multinational firms, have been alerted to the new designations and associated responsibilities.
The beefed up defence comes as Russia’s invasion of Ukraine and the targeting of networks in Taiwan amid China’s growing military aggression add to a worsening threat landscape. Australia’s national security and intelligence agencies monitor attacks, and say a cyber incident is reported about every eight minutes in Australia, while threats to critical infrastructure are reported every 32 minutes on average.
Declaring critical infrastructure assets as “systems of national significance” under the law affords greater protection from government – in the form of technical assistance – and obliges operators to share details of attacks as quickly as possible. Federal agencies can better track threats or cyberattacks, including ransomware, across the economy using the information.
Requirements for the Australian Cyber Security Centre (ACSC) to be notified of cyber incidents came into force on July 8 this year. Operators of electricity, gas, ports, water and sewerage assets must report significant breaches within 12 hours of an attack.
Building resilience
Ms O’Neil said critical systems were facing a growing range of threats from bad actors around the world.
“We need to build resilience in our essential services – things such as energy and water, health care, education, supply chains and communications – to protect them from a range of threats, including cyber, physical, personnel, supply chain and natural hazards,” she said.
“Australians deserve a government that provides them resilience, reassurance and safety in how we guard our sovereignty and protect our national life. Instead, our national conversation on these matters has been characterised by anxiety, vitriol, and confusing chest-beating with strength.
“While there are clear threats to our critical infrastructure, particularly cyber threats, by embedding preparation, prevention and mitigation activities through a risk management program we will build resilience, not only for individual assets, but also our whole society.”
National security agencies around the world have recorded growing instances of malicious cyber activity since Vladimir Putin entered Ukraine in February. Chinese military drills and tensions with Taiwan have sparked new attacks.
Considered by government as “the crown jewels” of the economy, the assets protected by the new designation keep everyday life and economic activity ticking. Often overlapping and with interdependencies, even temporary loss of such systems could lead to death, communications chaos and economic disruption.
“These declarations support the continued availability and integrity of assets, which are the most crucial and interdependent to Australia’s economic, social and national security,” Ms O’Neil said.
“These measures will boost Australia’s collective cyber defences and ensure that the community and economy remain protected through a regulatory program based on education, threat mitigation and timely advice in partnership with industry.”
Cybercrime on the rise
The ACSC received more than 67,500 cybercrime reports last financial year, an increase of about 13 per cent from the previous 12 months. About 25 per cent involved critical infrastructure companies and essential services, including health care and food distribution.
Severity is also increasing. About half of all incidents were categorised as significant by authorities.
In March this year, an Australian community organisation was targeted by cybercriminals in an attack that saw the theft of internal data. The malicious actor involved gained access to the organisation’s servers by exploiting an unpatched version of Microsoft Exchange.
Within four days the hacker moved from initial access to encryption.
State-based actors are also exploiting unpatched vulnerabilities in critical infrastructure here and around the world. In April, the ACSC contacted Australian government, critical infrastructure, transportation and services sector organisations to notify them of potentially vulnerable software and offering urgent assistance.
“I encourage critical infrastructure owners and operators to report all cyber incidents, even where not mandatory under the [Security of Critical Infrastructure] Act to help us build even greater cyber resilience,” Ms O’Neil said.
“I will be working collaboratively with industry to ensure that the effort of protecting Australia’s critical infrastructure is a shared one, built on trust and constructive partnerships across government, industry and stakeholders.”
Under the laws, passed in December 2021 and April 2022, the minister can declare a system of national significance if compromise, disruption or major damage would affect Australia’s security, economy and sovereignty.
The specific declaration of a system of national significance and any supporting documentation is protected information under the law and cannot be shared publicly.
System operators have increased responsibilities to protect against malicious activity. They can be required to provide systems information to the Australian Signals Directorate for the purposes of threat identification and to maintain emergency response plans and test for threats.
Special “switch on” powers also exist, and existing sector regulators can be called on to monitor risk management activities.
The ACSC can provide private and public sector organisations expert advice in preventing, managing and mitigating attacks, and uses external data to create an aggregated threat picture for Australian entities.
Ms O’Neil will address the Cyber Security Industry Advisory Committee in Canberra on Monday, ahead of an address by committee chair and Telstra boss Andy Penn at the National Press Club on Tuesday.