New cyber laws ‘necessary but not sufficient’ to protect national security, expert warns


A leading cyber security expert has warned a planned shake-up of Australia's cyber defences won't be enough to protect critical infrastructure, saying companies will need to go beyond minimum standards to combat escalating threats from state-based actors and criminal organisations.

The Morrison government on Monday released the draft exposure bill for its overhaul of critical infrastructure, which would give national security agencies powers to step into the networks of some companies to disrupt and fend off major attacks.

Australia has been combating a wave of cyber attacks from a state-based actor.

Companies that operate critical infrastructure, including hospitals, electricity networks, transport, banking, food supplies and defence, will face stricter obligations to report vulnerabilities and cyber attacks.

Accenture's Australia security lead, Joseph Failla, said the proposed security standards were "necessary but not sufficient to protect our national security".

"If an organisation only takes action to the extent required by regulation, that is like taking out health insurance but never going to the doctor," Mr Failla said. "However, the government has been raising awareness of a very significant issue, highlighting the need for investment and focus."

A report by Accenture has warned some of the world's most skilled nation-state cyber adversaries and criminal networks are deploying an arsenal of new tools, actively exploiting corporate email systems and using online extortion to scare victims into paying ransoms. Sophisticated adversaries, including state actors, are masking identities with off-the-shelf tools – increasing the rate and severity of attacks.

Accenture’s Australia security lead, Joseph Failla, says companies need to invest more in cyber defences.

Under the proposed laws, operators of critical infrastructure will face "positive security obligations", including a requirement to report threats specific to their sector. The government will also be able to request information to create a "near real-time national threat picture", and will be able to declare an emergency so it can plug into networks to disrupt cyber attacks and bring those networks back online.

Home Affairs Minister Peter Dutton said the government would continue to work closely with companies to better protect the nation's critical infrastructure "without imposing an unnecessary regulatory burden".

Mr Dutton last month warned Australia must prepare to counter prolonged and catastrophic cyber attacks on critical infrastructure that could disrupt entire industries.

Australian security agencies believe China was probably behind a series of cyber raids this year on all levels of government, industry and critical infrastructure, including hospitals, local councils and state-owned utilities.
