Emergency laws to be passed to fend off major cyber attacks

New laws will be urgently passed to help Australian businesses fend off major cyber attacks in a range of new sectors including banking, groceries and universities, while businesses continue to express serious concerns about the government’s proposed overhaul of the critical infrastructure regime.

Federal Parliament’s security and intelligence committee has recommended the government split the critical infrastructure bill in half to allow urgent measures to pass now to equip the government with the emergency powers it needs to defend against major attacks on critical infrastructure while allowing additional time for the government and industry to continue consulting on the other issues.

The bipartisan committee has urged the government to split the bill.Credit:Shutterstock

The first bill would redefine what is deemed “critical infrastructure” with universities, finance and banking, health and the food and grocery sectors, communications, defence industry, energy and transport added to the list. It would also allow agencies such as the Australian Signals Directorate to step in to protect networks during or following a significant cyber attack “as a last resort”.

But the committee recommended that other proposals, such as new “positive security obligations” for businesses – which would include mandatory cyber incident reporting – be put in a separate bill amid widespread concerns from industry.

The bipartisan committee’s findings raised significant concerns that the Department of Home Affairs was still developing rules for the obligations on industry while its nine-month review was under way. It said this led to “inconsistent engagement from industry with the Committee process, as well as an evolving and shifting evidence base during the course of the inquiry”.

Chair of the Committee, Liberal senator James Paterson, said the inquiry received “compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure is increasing globally”.

“Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” he said.

“However, as the regulatory framework is still undergoing co-design with each of the eleven sectors and will not be finalised until after passage of the bill, many businesses have expressed concern about this uncertainty and asked for the entire bill to be paused in the current economic climate.”

Government sources confirmed it would likely have to split the bill after the committee’s recommendations.

In its submission to the inquiry, Qantas said the financial implications of implementing the reforms may create a significant financial burden for some businesses including its own. Qantas said it would have to “strike a balance between investing additional financial resources to meet the additional regulations under the bill, with the need to remain viable and sustainable as a business in this challenging time”.

Australian Council of Trade Unions secretary Sally McManus declared the laws would “attack the basic rights of working people right across the economy” on the basis that they would have to endure invasions of privacy through background checks and other security measures.

But the inquiry also heard a major Australian company that was under a cyber attack refused to comply with the ASD for weeks, with the nation’s cyber spy agency saying it was sometimes frustrated with a lack of engagement from businesses.

Transport and logistics giant Toll Group later conceded it may have been the company that failed to adequately engage with the ASD.

Prime Minister Scott Morrison last year revealed a wave of sophisticated cyber attacks on all levels of government, industry and critical infrastructure including hospitals, local councils and state-owned utilities. Australian security agencies believe China was behind the cyber raids, but the government decided not to publicly name the state actor involved.