The Australian government wants to increase the security of critical infrastructure, for this reason, it plans to manage the response of private enterprises to cyber attacks targeting them.
According to a Consultation Paper titled “Protecting Critical Infrastructure and Systems of National Significance.” critical infrastructure is exposed to continuing cyber attacks. The paper is a consultation paper, this means that its purpose is to stimulate a discussion on the topic.
Experts are observing several attacks against infrastructure in different industries, such as energy, banking and finance, that could have severe consequences.
“Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, natural disasters and the impacts of COVID-19 illustrate that threats to the operation of Australia’s critical infrastructure entities continue to be significant.” reads the paper. “We must work together now to ensure Australia’s security practices, policies and laws bolster the security and resilience of our critical infrastructure and position us to act in any future emergency.”
The Australian government plans to extend the concept of critical infrastructure to more sectors, these means that owners
and operators of these infrastructures should be legally obliged to manage risks that may impact business continuity and Australia’s economy, security and sovereignty, by meeting the following PSO principles-based outcomes.
The government aims at developing security baselines that operators in the critical industries have to implement.
The Australian Government is concerned about situations where critical infrastructure is exposed to an imminent cyber threat or incident that could significantly impact Australia’s economy, security, or sovereignty. In these circumstances, the Government aims at providing reasonable, proportionate and time-sensitive directions to entities to mitigate the risk of exposure.
“Entities may also be able to request that Government make such a direction, providing them with the legal authority to conduct any necessary action.” continues the paper. “Entities must be empowered to take necessary, preventative and mitigating action against significant threats. Government recognises that entities require appropriate immunities to ensure they are not limited by concerns of legal redress for simply protecting their business and the community.”
Even if critical infrastructure operators are not allowed to hack back, they should be empowered by the Australian Government to take necessary, preventative and mitigating action against threats.
The Government could use its unique capabilities to protect a critical infrastructure entity or system.
The Government’s powers would be exercised with appropriate immunities and regulated by robust checks, allowing the Government to assist entities in responding to the offensives and provide “advice on mitigating damage, restoring services and remediation.”
“It is anticipated the Government assistance element of the framework will be primarily discharged on a voluntary basis, as entities will also want to restore functions expeditiously. However, there may be cases where entities are unwilling to work with Government to restore systems in a timely manner.” concludes the paper. “Government needs to have a clear and unambiguous legal basis on which to act in the national interest and maintain continuity of any dependent essential services”
(SecurityAffairs – hacking, Australian government)