Tell me in 30 seconds
The Government has proposed legislative reforms as part of its 2023-2030 Cyber Security Strategy. Significant proposed changes include the introduction of mandatory ransomware reporting, the establishment of a Cyber Incident Review Board, and the expansion of the Security of Critical Infrastructure Act 2018 (SOCI Act) to cover data storage systems used by critical infrastructure entities and to grant increased powers to the Minister to deal with consequence management.
Context
On 22 November 2023, Minister for Home Affairs and Cyber Security, the Hon Clare O’Neil MP, released the highly anticipated 2023-30 Australian Cyber Security Strategy (Strategy) accompanied by an Action Plan detailing key initiatives to be implemented across the next two years. The Strategy charts a path for Australia to achieve its ambitious goal of becoming a global leader in cyber security by 2030. See our insight here into the Action Plan.
As a Christmas present and for holiday reading, the Department of Home Affairs has now released a Consultation Paper (available here) outlining a number of proposed legislative reforms that were foreshadowed in the Action Plan. There is a bit of time to digest it and think about the implications of it as submissions will close at 5:00pm AEDT on Friday 1 March 2024.
Overview of Consultation Paper
The Consultation Paper covers both new cyber security legislation and amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). The key reforms are set out in the following table from the Consultation Paper:
[Table from the Consultation Paper, with columns ‘New cyber security legislation’ and ‘SOCI Act’; its contents did not survive extraction and are not reproduced here.]
This insight focusses on what we think are some of the key reform proposals and our observations on them.
Ransomware reporting
The Strategy had proposed to introduce a legislated no-fault, no-liability ransom reporting obligation for businesses. The Consultation Paper fleshes this out:
- The Government proposes to establish two reporting obligations in relation to ransom demands:
- The first notification will be required when a ransom demand is received to decrypt data or prevent data from being sold or released.
- The second notification will be required if a ransom payment is made.
- The timeframe for providing the reports may be aligned to existing reporting requirements (eg the 72 hour mandatory incident reporting mechanism under the SOCI Act).
- The Government is seeking input on the kinds of information that should be reported. There is a long list of detailed information that could be reported, including:
- when the incident occurred, and when the entity became aware of the incident;
- what variant of ransomware was used (if relevant);
- what vulnerabilities in the entity’s system were exploited by the attack (if known);
- what assets and data were affected by the incident;
- what quantum of payment has been demanded by the ransomware actor or cybercriminal, and what method of payment has been demanded;
- the nature and timing of any communications between the entity and the ransomware actor or cybercriminal;
- the impact of the incident, including impacts on the entity’s infrastructure and customers; and
- any other relevant information about the incident or actor that could assist law enforcement and intelligence agencies with mitigating the impact of the incident and preventing future incidents.
- The Government seeks input on including:
- a no-fault principle to provide assurance to entities that the agency receiving ransomware reports will not seek to apportion blame for the incident, and
- a no-liability principle to provide assurance to entities that they will not be prosecuted for making a payment.
- The Government is also seeking input on the entities that should be required to report ransom demands:
- Entities that are already subject to reporting obligations – this would include responsible entities for critical infrastructure assets under the SOCI Act (~1,000 entities).
- Entities with an annual turnover of more than $10 million (~42,000 businesses). Small businesses would be exempt (noting that the current small business threshold under the Privacy Act 1988 is $3 million).
- To enforce compliance, Government proposes that a civil penalty would apply to any failures to comply with these reporting obligations. There would be no criminal penalties.
[1] The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules.
Initial Observations
- The reporting obligations, the level and kinds of information required to be provided, and the timing of reporting could be onerous, difficult to comply with, and distracting for an organisation that is dealing with a serious cyber security incident. Requiring that two reports be given, with short reporting deadlines, potentially extensive information provision and civil penalty provisions, does not appear to us to reduce the regulatory burden on entities dealing with a cyber incident. It seems to significantly increase the burden on entities trying to fend off a threat actor or dealing with the impacts of an encryption event or data theft.
- We think that mandatory ransomware reporting should only be required if a ransom is paid. The provision of the suggested information goes far beyond whether or not a ransom payment has been made and to whom. It requires disclosure of indicators of compromise, threat intelligence information, and impacts on the organisation. It is not appropriate to use a ransomware reporting framework to establish a threat intelligence sharing regime.
- It is not clear if the no-liability principle would essentially constitute a defence against an entity breaching sanctions laws or instruments of crime laws by making a ransom payment. This should be made clear as otherwise it doesn’t simplify the current complex analysis that an entity needs to undertake to avoid breaching laws by making a ransom payment.
Limited Use Obligations
The Government proposes a ‘limited use’ obligation to restrict how cyber incident information shared with the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator can be used by other Australian Government entities, including regulators:
- This obligation would only allow cyber incident information to be used for prescribed cyber security purposes, including:
- to assist the entity with preventing, responding to and mitigating the cyber security incident;
- to facilitate consequence management after a cyber incident;
- to identify further potential cyber security vulnerabilities and take steps to prevent further incidents;
- to analyse and report trends across the cyber threat landscape, including the provision of anonymised cyber threat intelligence to government, industry and international cyber partners;
- to inform relevant Ministers and government officials of the fact of a significant cyber security incident;
- to share incident information with other agencies for law enforcement, intelligence and national security purposes, such as taking action to identify, disrupt or deter cyber threat actors;
- to provide stewardship and advice to industry, including provision of advice to industry on cyber maturity and best practice risk mitigation across sectors; and
- to improve existing incident response mechanisms, such as incident reporting processes and coordination between government and industry.
- At the same time the Consultation Paper states that the limited use obligation does not preclude ASD and the National Cyber Coordinator from sharing appropriate information with other agencies – including law enforcement, national security, intelligence agencies and regulators. It states that regulators can use incident information for industry stewardship to help manage cyber risks across sectors and to mitigate harms to individuals arising from cyber security incidents. However, they would not be able to use the information as part of an investigation or compliance activity.
Initial Observations
- The list of permitted uses includes to facilitate ‘consequence management’. As noted below, it is not clear what falls within this concept and it should be made clear that this does not include investigation or compliance activity.
- It is not clear how the limited use obligation as expressed would prevent a regulator having knowledge of information provided under limited use from simply exercising its other powers to obtain the very same information for an investigation or compliance activity.
A Cyber Incident Review Board
The Government proposes to establish a Cyber Incident Review Board (CIRB). It is proposed that the CIRB would conduct no-fault incident reviews to reflect on lessons learned from cyber incidents, and share these lessons learned with the Australian public. It is seeking input on the development of ‘no-fault’ principles for the CIRB, the membership of the CIRB and the extent to which it would have information gathering powers.
Initial Observations
- Information disclosed to the CIRB should be protected information and subject to statutory confidentiality obligations to ensure that it is not capable of being accessed, used or disclosed for other purposes.
- Any information that is subject to legal professional privilege should not be capable of being required to be given to the CIRB. In any event, even if disclosed, it should not lose that privilege by reason of the disclosure.
Extension of the SOCI Act to cover data storage systems and business critical data
- Following a number of recent incidents, the Government has decided that it is necessary to ensure that:
- Data storage systems that hold business critical data be specifically included within the definition of ‘asset’ under the SOCI Act.
- The CIRMP Rules[1] be amended to make it clear that material risks to be addressed in an entity’s critical infrastructure risk management plan (CIRMP) include risks to data storage systems holding ‘business critical data’ and the systems that access the data.
- This means that:
- Critical infrastructure assets that are currently caught by the SOCI Act, would also include data storage systems that hold business critical data relevant to the assets.
- Responsible entities for those critical infrastructure assets must take positive steps to protect and manage material risks relating to those data storage systems, provide operational and ownership information relating to them, report on cyber incidents affecting them and comply with directions under the SOCI Act when an attack has a relevant impact on their asset. Some of the positive steps include:
- introducing more stringent security controls for credentials belonging to third-party service providers,
- implementing tighter access controls on sensitive research and operational data,
- vetting prospective employees whose roles require access to large amounts of operational data, and
- having all the above measures signed off on by the entity’s Board.
Initial Observations
- The requirement to introduce more stringent security controls for credentials belonging to third-party service providers reflects a recognition that this kind of privileged access is a target for threat actors.
- Responsible entities will need to review their arrangements and agreements with their data storage providers to ensure that they are able to comply with these new obligations.
- The requirement to have Board approval should only apply to responsible entities that are required under the CIRMP Rules to have a CIRMP and who are currently required to submit a Board approved annual report on their CIRMP.
Introduction of new consequence management powers
Following the 2022 Optus and Medibank incidents, the Government is clearly of the view that there were no clear powers available to it to support a fast and effective response to those incidents. This is because the existing direction and information gathering powers under the SOCI Act are limited in scope to the technical cyber incident itself, and do not cover management of consequences following an incident. Consequently, the Government proposes to permit the Minister for Home Affairs to exercise an ‘all-hazards power of last resort’ with the following characteristics:
- Direct a critical infrastructure entity to do or not do a thing to prevent or mitigate the consequences of an incident, such as a direction to address issues onsite or suspend operations.
- Provide a direction to a critical infrastructure entity to replace documents of individuals or businesses impacted by the incident (where this is not duplicative with other legislative levers).
- Authorise the disclosure of protected information as defined in the SOCI Act to allow for the sharing of information between government entities (including states and territories), between government and industry, or between the affected entity and a third party.
- Gather information for the purpose of consequence management, if this does not interfere with or impede any other law enforcement action or regulatory action.
There are some proposed safeguards, including that:
- The incident must have a ‘relevant impact’, whether direct or indirect, on the availability, integrity, reliability, or confidentiality of critical infrastructure.
- The Minister must be satisfied that no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
- The Minister must be satisfied that the responsible entity is unwilling or unable to address the consequences that prejudice the socioeconomic stability, national security or defence of Australia.
- Before exercising the power, the Minister must consult with the relevant Commonwealth Minister, or First Minister of the Relevant State or Territory.
Initial Observations
- We understand that some of the specific characteristics of the powers listed above arise out of recent incidents. For example, legal barriers to Optus’s ability to share information with financial institutions had to be overcome through the amendment of the Telecommunications Regulations to authorise the disclosure of that information[2]. We do support the authorisation of the sharing of information (but not the compulsion to do so).
- However, the breadth of the proposed power is concerning, given that it is not clear what is encompassed by the term ‘consequence management’. It is clearly intended to go beyond the technical cyber incident itself and clearly covers an entity’s management of its dealings with its customers – as is evidenced by the ability to direct an entity to replace documents of individuals or businesses. Could it extend to directing entities to compensate customers or to provide information about the incident to third parties? How would the costs of complying with such a direction be allocated? Would this be the responsibility of Government, given the power can be exercised whether or not an entity is at fault or is responsible for the incident? And if there is a fault-based threshold to the cost allocation, can the powers be exercised to determine fault or liability?
- Leaving aside the uncertainty of the term ‘consequence management’ it is concerning that the power to gather information for consequence management is a broad and unfettered power – which could include obtaining information in order to take regulatory or other action against the entity or its officers or employees. This would not necessarily ‘interfere with or impede’ other regulatory actions but could be additional or complementary to them.
[2] See Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022 (Cth).
Clarification of protected information provisions
The Government intends to clarify the operation of the protected information provisions of the SOCI Act to make it clearer for entities to know when they can disclose protected information for the purposes of the operation or risk mitigation of their critical infrastructure assets and to clarify information sharing rights between Government agencies (including with State and Territory agencies).
Initial Observations
We support the simplification and clarification of when responsible entities can disclose protected information about their assets for the purposes of operating them or for risk management related to them. The current provisions are difficult to interpret and unwieldy.
Consolidating the telecommunications security requirements
One of the challenges with the recent amendments of the SOCI Act has been marrying the desire to have an economy-wide approach to the protection of critical infrastructure with the fact that there are existing industry-specific regulatory regimes which cover some of the same ground. These include Part 14 of the Telecommunications Act 1997 (Cth) and APRA’s Prudential Standards CPS 230 and CPS 234. In telecommunications, to date this has been managed by including SOCI Act-like provisions in carrier licence conditions and determinations[3].
The Government now proposes to reverse this approach for telecommunications and move the security provisions in Part 14 and SOCI like provisions in telecommunications regulation to the SOCI Act. It also appears that responsible entities in the telecommunications sector will be subject to an obligation to have and comply with a Telecommunications Security and Risk Management Plan (TSRMP) under the SOCI Act. The details of the TSRMP will be co-designed with industry.
[3] See the Telecommunications (Carrier Licence Conditions – Security Information) Declaration 2022 and Telecommunications (Carriage Service Provider – Security Information) Determination 2022.
Initial Observations
As with many things, the devil will be in the detail. It will be important to be clear what the TSRMP will require and the extent to which it requires carriers and carriage service providers to do more than they are currently required to do under the Telecommunications Act and associated regulations, licence conditions and determinations.