Preparing Australian business for a Cyber-Attack

By MySecurity Media Staff Writer ©

With the rise in cybercrime in Australia, this is a challenge that will face many businesses across a wide range of industries. Last year, the government introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 into Federal Parliament to improve security and resilience across the country’s critical infrastructure sectors.

The new legislation sets out to amend the Security of Critical Infrastructure Act 2018 and includes:

• Broadening the definition of Critical Infrastructure from four to eleven sectors.
• Enhancing security obligations via sector-specific rules across cyber, supply chains, physical and personnel security; and
• Establishing government assistance powers.

In late September, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) made 14 recommendations in relation to the Bill, including proposing a split in the current proposed framework into two amended Bills. One Bill for rapid passage aims to expand the critical infrastructure sectors covered by the Act, introduce government assistance measures to be used as a last resort in crisis scenarios as well as mandatory reporting obligations. The second for further consultation includes declarations of systems of national significance and introducing positive security obligations which are to be defined in delegated legislation.

Australian organisations are not immune to malware attacks, with 12% of small businesses experiencing a cyber event. As part of AustCyber launching Australian Cyber Week later this month, the not-for-profit body is examining the increasing number of Australian small businesses faced with an alarming rise in the volume and variety of malicious cyber-attacks.

What does the Bill mean to Businesses?

Sarah Sloan, Head of Government Affairs and Public Policy, ANZ, Palo Alto Networks joins the brains trust presenting during Australian Cyber Week 2021. Sarah explains why support for the Critical Infrastructure Bill is so vital in the current climate of heightened hostilities.

“We’re supportive of the Critical Infrastructure Bill and understand the government’s objectives of trying to secure critical infrastructure, which is increasingly important to our national and economic security. We’ve been actively engaged with the government for well over a year, in the process [of developing the Bill], responding to discussion papers, and trying to work with government around what that framework will really look like.”

“Nothing in this world is 100% secure. It is all about making sure you’re taking preventative measures, and you’re preparing for an attack. Furthermore, it is important that businesses are also well across how you respond to incidents, and that they’ve got an understanding of how the company is going to step through the cyber incident response requirements, if and when that happens.”

Sarah says the Critical Infrastructure Bill holds key components in addressing the risk management plans businesses need to implement.

“Under the positive security obligations, they’re [the Government is] pushing organisations to turn their minds to cybersecurity risks, as well as supply chain risks, physical and personnel risks, and how they’re measuring up on international standards.”

Critics of the Security Legislation Amendment argue it is an extension in the long line of security-related acts that could potentially give more power to the executive at the expense of the individual freedoms of citizens.

The Security Legislation Amendment will give the government power to defend networks of critical infrastructure providers under cyber-attack as a “last resort”. The Australian Federal Police and Australian Criminal Intelligence Commission will have the power to combat serious crime enabled by anonymising technology using three new warrants: network activity, data disruption and account takeover. Sarah is hoping to work with industry to raise awareness of the Bill and its measures, which will hopefully minimize the need for those powers to be executed.

“Our understanding from government is that they will act as our measure of last resort, they’re only going to use these powers in particular circumstances of cyber incidents,” said Sarah.

Clean Pipes

When we think of our critical infrastructure and the need to protect it from cyber-attacks, Sarah emphasises there is another way to stop cyber threats before they hit our businesses. She talks of clean pipes, which she says “refers to the ability of internet service providers (ISPs) to have constant real-time visibility across traffic passing through their networks and being able to detect and stop in real time cybersecurity threats within that traffic.”

Sarah says while clean pipes is not a silver bullet, it is important to start the discussion of it as an option for reducing the volume of threats hitting organisations, especially small businesses.

“In the context of even ransomware and critical infrastructure threats – all these cyber threats are putting strain and compromising Australian organisations – and they all traverse over our telecommunication internet providers infrastructure. We’re really keen to have a conversation about how we can adopt measures to detect and block this traffic as it traverses the network in real time, so that it is stopped before hitting those end users.”

The Bill and the flow-on effect of education

AustCyber believes the way forward in protecting our critical infrastructure lies in education. That is, in the education of the masses at all levels. A notion Sarah says is greatly supported by the Critical Infrastructure Bill.

“I think the really interesting point about the Critical Infrastructure Bill is its flow on effects across industries. So, although it is targeting these 11 sectors, there are requirements in the Bill to look at supply chain risks and supply chain measures. What that might mean is these larger companies will turn their minds to outward, ‘we contract with a range of smaller companies, what is their cybersecurity risk profile?’.

“We know that attackers understand that some of these smaller companies may not have the cyber defenses of larger organisations with more resources, they can be softer targets for entry. We’ve seen that cybercriminals can penetrate these smaller companies with the intention of getting into larger organisations.”

Harm prevention begins with effective communication

At the core of intuitive understanding is effective communication. For Australia to stay ahead of the cyberwarfare on our digital doorstep, the conversations need to be widespread and they should have begun happening yesterday.

Sarah echoes this need for education through communication, placing particular emphasis on just starting the conversation.

“Have the conversation within the companies, communication is key.”

But Sarah also stresses the importance of established communication and real-time threat sharing between government and industry. “If we are to see an attack at scale in Australia, established communication channels between government and private sector as well as critical infrastructure entities would be really important. Additionally, the sharing of threat intelligence between private sector and government will also be very important because each have a unique perspective and see different things. The cybersecurity community has access to this plethora of data and threat intel visibility that the government may or may not have.”

AustCyber is providing that platform of effective communication at its Australian Cyber Week 2021 event.

MySecurity Media is an official partner of the virtual conference to be held between 25-29 October.