The Department of Home Affairs has said the recent ransomware attack earlier this month targeting the operator of the Colonial Pipeline in the United States was a “timely reminder” of why Australia’s Critical Infrastructure reforms are “so important”.
Among other things, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. Tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers.
“In the absence of these measures, we will remain vulnerable in an increasingly hostile threat environment for our critical infrastructure,” Home Affairs secretary Mike Pezzullo told Senate Estimates on Monday.
“You saw the pipeline attack … transnational criminal groups are holding whole economic sectors effectively to ransom — we’re seeing this with hospital systems, we’re seeing it with vaccine data, and we’re seeing it with healthcare providers. Typically, the criminals will chase opportunity, in the knowledge that it’s likely to achieve a benefit.”
In justifying the passage of the legislation, the secretary said it makes “good business sense” to have common platforms and connected systems so that, in an example of an electricity grid going down, plant operators and others can remotely dial in to see how machinery is performing.
“For all of those reasons — and I could keep adding more layers of explanation — the government has seen fit to propose to the parliament that the current regime known as the Security of Critical Infrastructure Act be significantly overhauled to add additional layers of mitigation,” he said.
“Should the Parliament see fit to pass this legislation — and, hopefully, as the government has proposed, by 30 June — we can enliven these obligations from 1 July.”
Failing to pass the legislation, Pezzullo said, would see Australia left “perilous”.
As part of the 2021-22 Budget, the government earmarked AU$42.4 million over two years to improve security arrangements for critical infrastructure assets, including those designated as systems of national significance, in accordance with the yet-to-be-passed Bill, and to assist critical infrastructure owners and operators to respond to significant cyber attacks.
Pezzullo said the preponderance of the money is staffing resources.
“There’s also some infrastructure mapping software and tools that we’re looking to put in place to understand the interdependencies of infrastructure,” he added. “It’s to assist us in designing what are called the rules under the legislation.”
Department representatives later confirmed the funding would be spread across three components: Staffing expenses, supply costs, and capital.
Staffing costs represent AU$21.4 million of the AU$42.4 million, and that is for 59 staff in 2021-22, and 83 in 2022-23.
Supply costs are flagged as AU$14.9 million in 2021-22 and AU$6.1 million in 2022-23.
Meanwhile, AU$1.1 million in 2021-22 and AU$1 million in 2022-23 are classed as “capital”, in particular, for an investment in the current regulatory management system to expand its capability and scope.
Mandatory ransomware reporting under consideration
Pezzullo was asked if the government has considered the merits of a mandatory reporting requirement for any sort of cyber extortion or ransomware.
“It’s currently considering that matter, as an extension of the cybersecurity strategy that was released last year … there was a specific commitment to put in place a national strategy to combat cybercrime, as an element of that,” Pezzullo said, pointing to the lacklustre Commonwealth cybersecurity strategy that was released in August.
“Obviously, that work was well advanced. We’ve had a change of minister since that time. I have flagged with the minister that that will be one of the issues. I haven’t yet given her advice on that question. It is something on which I wish to consult with the Director-General of the Australian Signals Directorate, given the close working partnership that we necessarily need to have.”
Pezzullo said he was also in the process of consulting with law enforcement and other colleagues due to the need to “balance the burden of reporting and the efficacy of reporting as against the value of that reporting”.
“My inclination — I will not state it as an opinion — is that it’s likely that a regime of that character will be proposed, but there’s still some stakeholder engagement to undertake,” he said.
“I don’t want to presume or preempt government policy. I think most advanced economies are at a point where, through some means, whether it’s mandatory reporting combined with the sorts of other measures that I’ve already described, a much more active defence posture will be required, simply because of the prevalence of the attacks, which I can state in those general terms.”
Too much independence with government cloud use
Elsewhere on Monday, Pezzullo declared there is too much “independence” when it comes to the usage of cloud services across the government.
Each government entity, in effect, contracts out their own cloud services, but in accordance with the Information Security Manual, the Secure Cloud Strategy, and the Data Hosting Strategy.
“This is too much independence,” Pezzullo said. “The government has recently moved in that direction. So Minister Robert, who retains responsibility for digital services, has directed, through the promulgation of a data hosting policy framework and strategy, that departments are to consolidate their data hosting arrangements.”
Internally, Michael Milford, group manager of technology and major capability within Home Affairs, said the department doesn’t have a heavy cloud presence “yet”.
“Unlike most departments, we haven’t historically been a cloud department, but we do have a number of cloud services, primarily with a few of the systems we have been putting in place recently,” he said. “I don’t have the exact data on each of those, but there is Microsoft Azure Cloud, and others.
“We do have a number, generally speaking, in scale they are small. We clearly get DTA’s guidance on those that are appropriate.”
It is currently a requirement to have data stored in Australia, but historically that hasn’t always been the case.
“We are in transition,” Milford said in response to being asked where Home Affairs’ data was located. “We are moving the data, or attempting to ensure that the data is 100% verified as being in Australia.”