The Australian government is carving out plans to revamp cybersecurity laws and regulations in the wake of a series of damaging high-profile data breaches that rocked the country.
Government officials recently released what they called a consultation paper, which outlined specific proposals and solicited input from the private sector as part of a declared strategy to position the nation as a world leader in cybersecurity by 2030.
As well as addressing gaps in existing cybercrime laws, Australian legislators hope to amend the country’s Security of Critical Infrastructure (SOCI) Act 2018 to place a greater emphasis on threat prevention, information sharing, and cyber incident response.
Weaknesses in Australia’s cyber incident response capabilities were laid bare in the September 2022 cyber assault on telecommunications provider Optus, followed in October by a ransomware-based attack on health insurance provider Medibank.
Millions of sensitive records, including biometric data from driver’s licenses and passport photos, were exposed after attackers scraped an Optus database containing consumer records; the Medibank breach exposed millions of patient health records.
“Both breaches came through basic errors and poor cyber hygiene, so they were avoidable,” says Richard Sorosina, chief technical security officer for Qualys Australia and New Zealand.
Australia’s cyber resilience came under painful scrutiny in November 2023 when a nationwide outage left Optus’ fixed-line and mobile customers without Internet access. The outage was blamed on an issue with a Border Gateway Protocol (BGP) routing table update.
Then came a massive cyberattack days later on the shipping industry that led to lengthy disruptions at four Australian ports.
Cyber Strategy Reform
The cyberattacks on Optus, Medibank, and the nation’s ports were highly public incidents that affected citizens and businesses, which pushed cybersecurity higher on the nation’s political agenda. In response, the Australian government revised its cybersecurity strategy and launched the consultation process on legislative and regulatory reforms.
Clare O’Neil, Australia’s minister for cybersecurity, said in a statement that the government was committed to working with the private sector to usher in a “new era of public-private partnership to enhance Australia’s cybersecurity and resilience.”
Australia’s new proposed cybersecurity legislation covers a wide range of measures, including mandating secure-by-design standards for Internet of Things (IoT) devices, establishing a ransomware reporting rule, creating a “limited use” obligation for incident information sharing, and establishing a national Cyber Incident Review Board.
Also on the agenda: reforms to the Security of Critical Infrastructure Act 2018, which are geared to addressing cybersecurity shortcomings exposed by recent breaches.
These revisions include providing more prescriptive guidance for critical industries like utilities and telecommunications, simplifying information sharing, providing directives for risk management programs, and consolidating the telecommunications sector’s security requirements under the SOCI Act alongside those of other critical infrastructure.
Casey Ellis, founder, chairman, and chief strategy officer of Bugcrowd, says the Australian government is making the right moves. “The [Cyber Security Strategy] consultation paper addresses IoT security, ransomware reporting, incident sharing, and critical infrastructure management, reporting, and accountability, which are all certainly areas of softness in Australian policy,” Ellis says.
Big Country, Big Cybersecurity Challenges
The sheer expanse of Australia makes it difficult to protect critical infrastructure, especially for strategic industries like mining, which is highly dispersed, with sites in remote locations.
Meanwhile, the mining, maritime, and utility sectors are dropping legacy technologies and embracing Internet-connected and IoT technologies to manage and monitor their infrastructure more efficiently. But this embrace of digital transformation has often left legacy equipment exposed to cyber threats.
“To make sure attacks such as the one on Australian ports remain isolated instead of a common occurrence, the government is rightly looking into how to legislate a Critical National Infrastructure Policy and looking to other countries to learn lessons on how to protect increased attack surfaces borne out of IT/OT convergence,” says Shane Read, CISO at Goldilock, a physical cybersecurity startup.
Australia lacks both the scale and population to go it alone, however — so referencing known, global standards wherever possible makes sense, according to independent experts.
“Australia has looked to the UK/US/EU for guidance when it comes to cybersecurity policy,” notes Qualys’ Sorosina.
Like many other countries, Australia is struggling to bridge the cybersecurity skills gap.
Phillip Ivancic, APAC head of solutions at Synopsys Software Integrity Group, says that because of the small population relative to the size of the economy, there is a “huge shortage of skilled engineers and cybersecurity experts” in Australia.
“That’s why the government’s move to be more prescriptive and to provide real standards-based guidance, as well as to force change through mandates, should be welcomed,” Ivancic says. “We simply don’t have the scale to go out on our own, and mandating international standards that are already widely used is the right approach.”
The government’s policy proposals lack key elements like controls around software supply chains, such as software bills of materials listing the components that make up applications, according to Ivancic. That’s a “glaring gap,” he says.
Major Cybersecurity Investments
The path to becoming a cybersecure nation is not solely a governmental responsibility. Recognizing its own self-interest in improving cybersecurity practices, the private sector in Australia also is making huge investments in improving information security practices.
Australian organizations will spend more than A$7.3 billion on information security and risk management products and services in 2024, an increase of 11.5% from 2023, according to Gartner. Cloud security will enjoy the biggest rise, increasing to A$248 million (up 26.9% year-on-year).
The increase in spending is driven by a combination of high-profile cyberattacks and increased regulatory obligations, Gartner wrote.
Bugcrowd’s Ellis believes Australia’s effort to become a cybersecurity leader is achievable. “Australia has always been a nation of innovators and rule-breakers, and I do believe that the goal to become a world leader in cybersecurity, while ambitious, is an attainable one.”
Source: www.darkreading.com