When it comes to the proposed critical infrastructure changes, some corners have homed in on the burden of cost and the peripheral issue of the “government assistance measures”, with the Australian Signals Directorate (ASD) being authorised in extremis to respond to a cyber incident, which have been poorly labelled “step-in powers”. It is time to put these concerns
Imagine if private businesses demanded government help them pay for their physical security — security cameras, security guards, door locks and high fences. Do you think this would pass the pub test?
So why should government help pay for the cyber security of these businesses? Certainly, there is a role for government to play in incentivising cyber uplift via tax levers and supply chain procurement. But the concept that government should somehow help pay for cyber uplift is not sensible, feasible or reasonable.
Likewise, the hand-wringing surrounding so-called step-in powers is unnecessary and unwarranted. These powers of last resort would only be considered in the case of a cataclysmic cyber incident where a victim was unwilling or unable to act.
These include information gathering powers, directions powers and intervention powers. It is important to remember ASD’s mission is “reveal their secrets, protect our own”, so it can be assumed they are the experts at countering how both nation states and criminals might act, move through and disrupt networks.
While there is no doubt these powers are extraordinary, they are necessary, especially in the face of our ever-expanding cyber threat surface and evolving attack vectors. They would also be tightly guarded, with intervention powers only permitted with the approval of the Prime Minister, Minister for Defence and Minister for Home Affairs.
In other words, it would take a catastrophic event with severe ramifications for Australia’s national and economic security for the switch to be flicked.
The global spate of ransomware attacks we have seen over the past two years has been…