A reworked Cyber Security Act forcing new compliance obligations on government entities and the business sector is on the cards as the Federal Government ramps up its fight against cyber attacks on Australian institutions.
The government is also considering changes to the Security of Critical Infrastructure Act so customer data is included in the definition of critical infrastructure.
This would give the government greater powers to intervene when data breaches occur, and it opens the discussion over whether companies should be allowed to pay ransoms when hacked.
A certainty is a new national office for cyber security, headed by a senior official inside the Department of Home Affairs.
Prime Minister Anthony Albanese and Home Affairs Minister Clare O’Neil are currently holding talks with corporate bosses and government security chiefs over just how prepared Australia is for more high-level cyber threats.
Ahead of the meeting, Ms O’Neil said the recent Optus and Medibank cyber attacks exposed flaws in Australia’s cyber laws that must be amended.
She said the $1.7 billion cyber security plan set up under the former Coalition government was poorly drafted and “not worth the ink printed on paper” when it came to implementing it.
“In those events, we were meant to have at our disposal a piece of law that was passed by the former government to help us engage with companies under cyber attack,” Ms O’Neil said.
“Australia has a patchwork of policies, laws and frameworks that are not keeping up with the challenges presented by the digital age.
“Voluntary measures and poorly executed plans will not get Australia where we need to be to thrive in the contested environment of 2030.”
A discussion paper seeking views from industry is being released, with a view to overhauling Australia’s cyber threat policy and formulating a ‘fit-for-purpose’ plan.
The paper raises legislative changes required if comprehensive reform is to take place to better defend Australian networks from increasingly sophisticated and determined data threats.
When Optus was attacked late last year, it became clear there was no emergency response function within the Australian government.
Customer data from that attack and the subsequent hack on Medicare resulted in criminals obtaining the personal records of millions of Australians.
Plans being discussed cover how to establish a centrally coordinated approach to cyber responsibilities that would see the government triaging actions following a major breach.
The paper also explores opportunities for Australia to play a more significant role internationally in setting global cyber security standards.
The government hopes to strengthen its international cyber partnerships.
The cyber security roundtable being held in Sydney is attended by the Cyber Security Strategy Expert Advisory Board appointed by the government last year.
Its members include former CEO of Telstra Andy Penn, retired Air Force chief Mel Hupfeld, and CEO of the Cyber Security Cooperative Research Centre, Rachael Falk.
The discussion paper produced by the advisory board – the 2023-2030 Australian Cyber Security Strategy – will be released following the roundtable meeting today.
The newly created cyber security coordinator is yet to be appointed.