Australia’s federal government will overhaul a $1.7 billion cyber security plan set up under Scott Morrison in the aftermath of the hacks of Optus and Medibank.
A national cyber office — led by a new coordinator for cyber security — will be established under the Home Affairs Department to lead the renewed strategy.
Home Affairs Minister Clare O’Neil said the Optus and Medibank hacks exposed flaws in Australia’s cyber laws.
“In those events, we were meant to have at our disposal a piece of law that was passed by the former government to help us engage with companies under cyber attack,” Ms O’Neil said.
“That law was bloody useless, not worth the ink printed on the paper when it came to actually using it in a cyber incident. It was poorly drafted.”
Ms O’Neil said that, when Optus was hit, there was no emergency response function within the Australian government, and it was able to respond only because a cabinet minister became directly involved.
That hack exposed the customer data of millions of Australians, including passports, drivers licences and Medicare details.
The government hopes to have its cyber coordinator in place within a month, to develop an emergency response plan and to be a central position in managing attacks with “spine”.
The government is holding a meeting of cybersecurity experts, industry bodies and researchers today to hear feedback on its proposed changes.
Speaking ahead of the meeting, Prime Minister Anthony Albanese said he was aware people and businesses were worried about their data being stolen.
“Sole traders who reinvented their business model in the course of the pandemic to keep their heads above water can be targeted as well and we can’t expect time-poor businesses to do it by themselves,” he said.
“That’s the idea of bringing this group together to facilitate action and leadership across our economy, across our society to make sure we address what is a very real challenge indeed.
“For businesses these days, cybersecurity is as important as having a lock on the door. You wouldn’t leave your business at the end of the day and just leave the door open, and that essentially is what will occur unless there is more diligence, and unless we upgrade the level of security which is needed.”
However, the minister said, Australia’s security laws would also need to be rewritten.
In particular, the government would look to reform the Security of Critical Infrastructure Act to possibly include customer data and “systems” in the definition of critical infrastructure, to give government power to intervene in major data breaches.
It will also consider a new Cyber Security Act that would impose new obligations and standards across industry and government.
Ms O’Neil said the government was also open to discussions on whether companies should be able to pay ransoms to end a cyber attack.
Former Telstra CEO Andy Penn, who was appointed to chair an expert advisory body on cybersecurity, said both government and business needed to lift their standards.
“There’s absolutely more that we can do, but I think you need to put that against the context of the fact that since COVID we’ve seen a dramatic increase of digital adoption, and unfortunately we’ve also seen a dramatic increase in the rate of cyber crime,” Mr Penn said.
“The bottom line is there was not a single person within government who could step in [during the Optus hack].
“The community expected the government to be in a better position to give it guidance as to what to do to protect itself.”
Mr Penn said Australia “undoubtedly” needed law reform to establish clearer minimum standards and to enable government to intervene.
Shadow Cyber Security Minister James Paterson said it had been six months since Ms O’Neil announced the previous government’s strategy would be scrapped, but a new plan might not be in place until the year’s end.
“I am concerned about the way in which the government is handling this issue,” Senator Paterson said.
“It was certainly clear in the wake of Optus and Medibank that this government’s response was incoherent and uncoordinated.
“It really should fall on the minister’s shoulders to respond to these things.”
He noted that a parliamentary inquiry into granting the Australian Signals Directorate powers to intervene in the back end of businesses during an attack was met with strong resistance from industry, and those powers were only granted in limited settings.
The prime minister and Ms O’Neil are due to host a roundtable on cyber security today with industry and civil society groups.
ABC News