ASD says cyber attack intervention will be ‘rare’ under critical infrastructure Bill

ASD says cyber attack intervention will be ‘rare’ under critical infrastructure Bill

Posted February 15, 2021

ASD says cyber attack intervention will be ‘rare’ under critical infrastructure Bill

  • As described in the current form of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, government assistance will be provided to entities in response to significant cyber attacks on Australian systems. Tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers.
  • ASD may be requested by the Secretary of the Department of Home Affairs to assist in responding to a serious cybersecurity incident. The Minister for Home Affairs must consult with the asset owner or operator before authorising the Secretary to request ASD assistance, and the measures authorised must be “proportionate and technically feasible”.
  • Before stepping in, the government must be satisfied that a cybersecurity incident has occurred, is occurring, or is imminent; that the incident is having a relevant adverse impact on the functioning of a critical infrastructure asset; the incident is posing a material risk to the social or economic stability of Australia, its people, national defence, or national security; the relevant entity or entities are unwilling or unable to take all reasonable steps to respond to the incident; and no other options for a practical and effective response exist.
  • The tech community is concerned such governmental intervention would undermine the objectives of defence and recovery. Microsoft, for example, believes this would result in “The Fog of War”, further complicating any attempt to mitigate cyber attack response.
  • Under the proposal, once a responsible entity becomes aware of a cybersecurity incident, it must be reported within 12 hours if the incident is having a significant impact on the availability of the asset; or 72 hours if the incident is having an impact on the availability, integrity, or reliability of the asset or on the confidentiality of information about, or held by, the asset.

– Asha Barbaschow | February 15, 2021