Australia’s home affairs minister would be able to order critical infrastructure entities such as energy, transport or communications providers to take or cease action during a significant cybersecurity incident, under changes proposed by the federal government.

In related changes billed as a response to the 2022 Optus and Medibank incidents, the minister could also order companies to replace personal documents compromised in a data breach, or to share customer data with banks in a bid to prevent further fraud.

The home affairs and cybersecurity minister, Clare O’Neil, on Tuesday released a consultation paper on proposed new cybersecurity legislation and proposed changes to the Security of Critical Infrastructure Act 2018, further unpacking issues raised with the release of last month’s government cybersecurity strategy.

The paper outlines the government’s consideration of mandatory security standards for devices such as smart TVs, watches and baby monitors, as well as rules which may compel more businesses to report cyber-attacks or extortion.

The paper said the government had “identified opportunities to strengthen cybersecurity laws”, making numerous references to large-scale cyber incidents in recent times.

The department, in releasing the paper, noted that recent incidents had “demonstrated that businesses often face difficulties responding effectively to the aftermath of cyber-attacks.” The paper notes those companies were restricted in sharing information with banks about affected customers to prevent fraud and that the government “did not have sufficient powers to direct them to take action”. It also states the government “does not have powers to support industry with post-incident consequence management”.
Under one proposal canvassed, the home affairs minister would be given powers under the Security of Critical Infrastructure Act 2018 to “direct a critical infrastructure entity to do or prohibit from doing a certain thing to prevent or mitigate the consequences of an incident, such as a direction to address issues onsite or suspend operation”.

The proposed changes would also give the minister power to authorise the disclosure of protected information to allow for the sharing of information, to “gather information for the purpose of consequence management”.

These powers, for instance, could be used to direct companies which have experienced a data breach to share some of that data with financial institutions to help prevent further fraud or theft by criminals who have accessed the exposed information. That action, in some circumstances, would otherwise be a breach of privacy legislation; the suggested legislation is proposed to act as a shield from liability for the company sharing the data.

The paper notes this would be a “last resort power” and that all other relevant powers would need to be exhausted before using it. It notes that, for instance, amendments to the Privacy Act would already enable the attorney general to authorise the sharing of personal data between entities; the proposed power for the home affairs minister would be engaged if an entity was unwilling or unable to share the data.

The same power would allow the minister to direct an entity to replace documents affected by the incident. Recent data breaches have seen many customers seeking to replace personal identification such as passports. The federal government publicly pressured Optus to cover the cost of replacing passports, a request the company later agreed to.

Separately, the consultation paper also raises issues around the “Internet of Things” or smart devices, and flags the potential for a mandatory security standard on those gadgets to align with international benchmarks.
It notes a British standard that applies to internet-connected smartphones, TVs, toys, baby monitors, fitness trackers, fridges and home assistants.

The paper also discusses the potential for more businesses to be mandated to report when they have been targeted by ransomware or cyber extortion.

The paper goes on to discuss other potential areas for reform, including how agencies such as the powerful Australian Signals Directorate could use information they receive through cybersecurity investigations.

Consultation will close on 1 March 2024.