The Australian government has unveiled plans for unprecedented interventions in the operations of critical infrastructure providers.
A new discussion paper [pdf] by Australia’s Department of Home Affairs fills in the blanks in Australia’s otherwise vacuous 2020 Cyber Security Strategy. It recommends amending the Critical Infrastructure Security Act to provide authorities easier ways to respond to aggression by a foreign adversary, irrespective of whether the impacted assets are owned and operated by private interests or state governments.
Up until now, ‘critical infrastructure’ in Australia was a select club: electricity, gas, water, ports and telecommunications. The paper proposes broadening that definition to include banking and finance, tech companies, defence contractors, education and research providers, energy, food and grocery, healthcare, space and transport companies.
Many of those will be shocked to learn the steep price of membership. Home Affairs wants to empower regulators to issue ‘security notices’ if infrastructure providers aren’t meeting sector-specific security baselines that cover cyber, physical, personnel and supply chain security. Company directors (or their public sector equivalent) would have to demonstrate compliance in annual reports to regulators.
Home Affairs wants to be able to serve ‘directions’ that compel these organisations to mitigate threats that could “significantly impact Australia’s economy, security or sovereignty.” Our sources tell us this might involve critical infrastructure providers being asked to cut off access to a supplier or a customer on government orders, turn off or remove untrusted components from a system, or patch a vulnerability detected in their systems. In return, the government promises to indemnify them against legal issues that arise from taking that action.
As in other countries, significant foreign capital is now tied up in Australia’s critical infrastructure assets, especially in ports, telcos and power generation. Those that have invested in domestic cyber security capability feel they are at a commercial disadvantage to those that prioritise cost containment while paying lip service to security. Regulation that enforces minimum standards would create an “even playing-field”, one CISO told us.
Government-issued ‘directions’ would also negate the need for CISOs to have awkward conversations with their higher-ups. The government expects CISOs to petition their bosses against the use of lower cost, high-risk suppliers (cough: China), while withholding access to the classified information that supports the government’s position.
In the absence of concrete evidence, business leaders tend to choose fiduciary duty over national security. A formal direction from the government will swing the decision the other way.
The amendments would also lay the groundwork for the ACSC to provide direct technical assistance (investigations, evictions and remediation) when critical infrastructure providers are compromised by a state actor. While most would welcome that help, Home Affairs wants legislative backing to force the door open when help is refused.
Feedback from a handful of Australian CISOs Risky.Biz spoke to this week was split down the middle. Those that fall within the traditional definition of critical infrastructure welcomed the proposal, but those caught for the first time by the new definition said that company directors and departmental secretaries were dismissive, as they can’t see themselves fitting in the ‘critical infrastructure’ bucket. “They’re in for a rude shock,” one CISO said.
The paper proposes that a subset of critical infrastructure providers – those that provide “systems of national significance” – must provide authorities with up-to-date registers of software and hardware assets, just as telcos are compelled to today under the TSSR. That’s where the paper gets genuinely interesting: Home Affairs wants legislative backing to ask that information from these critical systems be forwarded to the government for ingestion in “near real-time”, in the government’s preferred format. Owners and operators of these systems will also be asked to submit to “third party security assessments” and network perimeter scans commissioned by the government.
The process for determining what falls into the “systems of national significance” bucket isn’t clearly defined. Well-placed sources told Risky.Biz they expect it to apply to the heavily regulated power, water, ports, aviation and telecommunications sectors already considered ‘critical infrastructure’.
Home Affairs isn’t sharing what it means by “near-real time” sharing of data, either. One CISO from the energy sector told Risky.Biz that the concept of forwarding syslog and network log feeds to the ACSC was openly discussed during industry consultations.
“I said, take it all,” he told Risky.Biz. An extra set of eyes on remote access logs into control systems would actually help him sleep easier at night.
Others doubt the government even has the capacity to ingest and analyse this log data. It’s more likely, one telco security exec told us, for the new laws to require these logs be captured and stored by the critical infrastructure provider in the government’s preferred format, such that it is available for forwarding to the government for ingestion during a significant event.
“The last thing a government agency would want is to find out it was unknowingly holding onto data that could have been used to anticipate or prevent a major security event,” he pointed out. Government agencies would rather get a heads-up when dashboards start lighting up, and be able to pull in relevant feeds from across the industry to paint a more complete picture of what’s going on.
There are question marks over whether the government can sufficiently skill up and scale up to regulate and provide assistance to so many industries. It’s worth noting that Kirstjen Nielsen, the former Secretary of the US Department of Homeland Security (DHS), is advising the Australian Government’s effort. At DHS, she oversaw the ‘Continuous Diagnostics and Mitigation Program’, which was set up to provide a higher security baseline across America’s civilian (Federal) government agencies.
It took seven years and billions of dollars for DHS to deliver the software and hardware asset management and vulnerability scanning services promised under that program. Critics point out that had it run on time and on budget, by now it would be offering a broader set of services to privately-owned critical infrastructure providers.
Other countries, including Australia, need to learn from these lessons: keep the scope tight, provide genuinely valuable services and intelligence to foster trust with the critical infrastructure community, and don’t burden your best technical resources with compliance issues.
Australia’s Critical Infrastructure Centre is accepting feedback on its plan until mid-September, but the government has already flagged plans to legislate somewhere between late September and early October. If you’ve got something to contribute, say it loud and early.