The Australian government plans to review its cyber security laws and regulations following a series of harmful and large-scale data breaches that have shocked the country.
Government officials recently released a consultation paper outlining concrete proposals and soliciting input from the private sector on a strategy to position the nation as a world leader in cybersecurity by 2030.
As well as addressing gaps in existing cybercrime laws, Australian lawmakers have amended the Security of Critical Infrastructure Act 2018 (SOCI) to focus on threat prevention, information sharing and cyber incident response.
Weaknesses in Australia's cyber incident response were exposed in September 2022 by a cyber attack on telecommunications provider Optus, followed in October 2022 by a ransomware attack on health insurer Medibank.
Millions of sensitive records were exposed, including identity documents such as driver's licence and passport details. Attackers scraped an Optus database containing consumer records, and in the Medibank breach the health records of millions of patients were exposed.
“Both breaches were avoidable because they were caused by basic errors and poor cyber hygiene,” said Richard Sorosina, chief technology security officer at Qualys Australia and New Zealand.
Australia's cyber resilience came under intense scrutiny again in November 2023, when a nationwide Optus network outage left fixed-line and mobile customers unable to access the internet. The failure is believed to have been caused by a problem with a Border Gateway Protocol (BGP) routing table update.
A few days later, a large-scale cyberattack on the shipping industry caused prolonged disruption at four Australian ports.
Cyber strategy reform
The cyberattacks on Optus, Medibank and the country's ports were highly public incidents that affected citizens and businesses, and they pushed cybersecurity to the top of the political agenda. In response, the Australian Government revised its Cyber Security Strategy and opened a consultation on legal and regulatory reform.
Clare O'Neil, Australia's Minister for Cyber Security, said in a statement that the government was committed to working with the private sector to usher in "a new era of public-private partnerships to strengthen Australia's cybersecurity and resilience".
The proposed cybersecurity bill would mandate secure-by-design standards for Internet of Things (IoT) devices, establish ransomware reporting rules, create "limited use" obligations governing how shared incident information may be used, and establish a National Cyber Incident Review Board.
Also on the agenda are amendments to the Security of Critical Infrastructure Act 2018, aimed at addressing the deficiencies exposed by the recent breaches.
These revisions include more prescriptive guidance for critical industries such as utilities and telecommunications, simplified information sharing, directions on risk management programs, and bringing the telecommunications sector's security requirements under the SOCI Act alongside those of other critical infrastructure sectors.
Bugcrowd founder, chairman and chief strategy officer Casey Ellis says the Australian government is making the right move. "The [Cyber Security Strategy] consultation document addresses IoT security, ransomware reporting, incident sharing, critical infrastructure management, reporting and accountability, all of which are areas where there is definitely softness in Australian policy," Ellis said.
Big countries have big cybersecurity challenges
Australia's sheer size makes it difficult to protect critical infrastructure, particularly in strategic industries such as mining, whose sites are often in remote locations.
Meanwhile, mining, maritime and utility companies are retiring legacy technologies and adopting internet connectivity and IoT devices to manage and monitor their infrastructure more efficiently. Such digital transformation, however, often exposes legacy equipment that was never designed to be reachable from the internet to cyber threats.
"To ensure that attacks such as those on Australian ports remain isolated rather than becoming more frequent, the government is considering how to legislate a national critical infrastructure policy. We're trying to get other countries to learn lessons on how to protect their growing attack surface. We're missing the IT/OT convergence," said Shane Read, CISO at Goldlock, a physical cybersecurity startup.
But Australia is neither large nor populous enough to go it alone, so independent experts say it makes sense to refer to established global standards wherever possible.
"Australia has been looking to the UK/US/EU for guidance on cybersecurity policy," says Qualys' Sorosina.
Like many other countries, Australia is struggling to close its cybersecurity skills gap.
Filip Ivančić, head of solutions for Asia Pacific at Synopsys Software Integrity Group, said Australia's small population relative to the size of its economy meant there was a "significant shortage of skilled engineers and cybersecurity professionals".
“This is why the government's move to provide more prescriptive, real standards-based guidance and force change through obligations should be welcomed,” Ivančić said. “We just don't have the scale to go on our own. Mandating international standards that are already widely used is the right approach.”
Ivančić said the government's proposals nonetheless omit key elements, in particular controls around the software supply chain such as a software bill of materials (SBOM), which lists the components that make up an application. He called this a "clear gap".
Major cybersecurity investment
The path to becoming a cyber-safe nation is not the sole responsibility of government. Australia's private sector also recognizes the benefit of improving its own security practices and is investing significantly in information security.
Australian organizations are expected to spend more than A$7.3 billion on information security and risk management products and services in 2024, an 11.5% increase on 2023, according to Gartner. Cloud security is forecast to see the biggest rise, reaching A$248 million (up 26.9% year on year).
According to Gartner, the increase in spending is due to a combination of high-profile cyberattacks and increased regulatory obligations.
Bugcrowd's Ellis believes Australia's quest to become a cybersecurity leader is achievable. "Australia has always been a nation of innovators and rule breakers, and I believe our goal of becoming a world leader in cyber security is ambitious but achievable," he said.