Increasing geopolitical tension and blurring lines between nation-state and for-profit hackers have seen the Australian Home Office nearly double the number of businesses considered under the ‘Systems of National Significance’ schedule, taking the count from 87 to 168. These businesses are now subject to the cyber security regulations in the schedule, which ensure that they are better safeguarded against attacks that could put Australia’s national security at risk. Owners of assets deemed to be critical infrastructure had initially been given a six-month grace period to work on their cyber security procedures on their own before being designated as SoNS by the Home Office.
What are Australia’s Systems of National Significance?
“Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.”
- Regulation Impact Statement, Ref. no. 25902
This definition now covers 11 sectors decided and defined by the Australian government after close consultation with key industry players. The 11 sectors are financial services and markets, communications, data storage or processing, the defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewage. These sectors are now considered critical to the continued stability and prosperity of the Australian state and its people. The destruction or degradation of these sectors, or of the key assets they own, would either impact the country’s social and economic well-being or put national security at risk.
Are the threats only digital?
Australia’s national risk management system actually considers four key risk domains: physical, cyber, supply chain, and personnel. However, increasing attention is now being paid to cyber security, as all the stakeholders in the sectors specified by the Home Office operate in markets best known for their interconnectivity and growing reliance on technology. The integration of new information management systems into these industries has yielded many benefits, in the form of increased efficiencies and other economic gains for the country. However, it also exposes the market to the constantly evolving threats it faces.
The COVID-19 pandemic shed vital light on how a range of hazards impacting the supply and delivery of these key sectors, or their support systems, can disrupt and compromise the supply of essential services across the nation. It revealed that industry and national assets are only as strong as their weakest link. According to the Home Office, the number of hazards impacting their safe operation can only be expected to increase over time. The Australian Cyber Security Centre has also reported that cyber activity against the country’s interests is increasing in frequency, scale, severity, and sophistication. Australia’s 2020 Cyber Security Strategy revealed that providers of critical infrastructure were the victims of 35% of the cyber incidents reported in the year ending 30 June 2020. On that basis, it has been estimated that a four-week interruption to the country’s digital infrastructure could cost the national economy about $30 billion (1.5% of Australia’s GDP).
What do the new regulations require of corporate players?
The organisations included under the latest schedule are tasked with creating response plans for potential cyber incidents, preparing through cyber security exercises, and obtaining cyber security assessments that identify and fix weak points in their systems. They are then expected to hand over system information to the Australian Signals Directorate, which will develop and maintain a near real-time picture of potential threats to those systems. Should a threat develop that the asset owners are unequipped to meet, or should they lose control of their system, the schedule also allows the ASD to intervene as a last resort to protect the asset from the threat.
Stepping up of cyber security not limited to the SoNS schedule
The steps taken by the Australian government to strengthen cyber security across the nation are not limited to the Systems of National Significance schedule. Australia is also in the process of unveiling a new cyber strategy that charts a path forward to boost the capacity of companies both to stop and to respond to cyber attacks. The strategy aims to create six separate shields around the country to protect the general public, organisations, and businesses.
Unfortunately, this step-up has also been accompanied by the revelation that Australia does not have the mechanisms needed to effectively bring cyber criminals to justice. In a statement to the press, Home Affairs Minister Clare O’Neil said,
“Cybercrime is a relatively new form of criminal activity and I think what we’re seeing is countries around the world start to build and develop responses that will actually help us bring perpetrators to account. It’s not like a physical individual in our country who we can hunt down on the street, this does have some different elements to the crime.”
- Home Affairs Minister Clare O’Neil
However, the Minister went on to reassure the general public that there are ample laws in place to ensure that company directors abide by their duties to safeguard their clients from third-party risks. Companies in Australia are already wary of cyber threats following the Optus hack in 2022. The data breach at the country’s third-largest telecommunications company affected 9.7 million current and former clients, putting their personal information at risk last September. The company is still embroiled in a class action lawsuit for its part in leaving its clients’ personal information vulnerable to external threats. The government was not empowered to intervene in the data breach, as the laws in force at the time only allowed it to step in while a breach was still in progress; they did not allow the government to help with the clean-up that followed the breach.
According to the Home Affairs Minister, the Australian Signals Directorate and the Australian Federal Police do possess the capacity needed to disarm criminals who threaten privately and publicly owned systems. However, she did not publicly detail the measures that enable them to do so.
(Theruni Liyanage)