Threat Watch

Australia Proposes New Cyber-Security Plan for Critical Infrastructure

The Australian Home Affairs office has proposed new national cybersecurity guidelines for private companies operating systems of “national significance.” These new proposed guidelines seek to provide a clear structure for private organizations to report cyber incidents to the Australian government and to request assistance when necessary. The Home Affairs office recognized that each industry already has regulators in place who are responsible for overseeing compliance with sector regulations and feels that there is no need to “duplicate” that structure—instead, it intends to utilize those regulators to assist in the new framework.  Part of the framework will also include a clear chain of reporting for passing information to the government and for receiving guidance, as well as clear points of contact for each industrial sector. In an interesting twist, the current plan would even allow for the provision of “immunities to entities to conduct mitigations that may otherwise open them up to a civil suit.” The Home Affairs office was explicit that those “immunities” would in no way extend to any form of retaliation against the perpetrators of the attack, often referred to as “hack backs.”

ANALYST NOTES

The cyber-attack response “playbooks” which this new framework would require is a plan that all organizations in every industry would benefit from. In a cyber-attack of any kind, response time is key to being able to mitigate the damage done. Having a clearly defined response plan which includes who to contact at each stage of the incident and resources for a response can dramatically improve response times. Following several high-profile attacks on Australia’s infrastructure over the past year, including research institutions supporting defense projects, it is not surprising that Australia’s government would look to improve their readiness for cyber-attacks on critical infrastructure. It is not immediately clear though what sort of mitigation activities would be given immunity from civil litigation. More information on this issue can be found at: https://www.zdnet.com/article/home-affairs-proposes-cyber-regulations-and-legal-immunities-to-respond-to-threats/