ASD says cyber attack intervention will be 'rare' under critical infrastructure Bill

The power awarded under the draft legislation may see government modifying the functioning of computers or even deleting software if it were to step in.
Written by Asha Barbaschow, Contributor

The Australian Signals Directorate (ASD) expects intervention in the cyber attack response of companies considered critical infrastructure to only occur in "rare circumstances".

As described in the current form of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, government assistance will be provided to entities in response to significant cyber attacks on Australian systems. Tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with these "last resort" powers.

"In the rare circumstance of a serious cybersecurity incident impacting the availability of key critical infrastructure assets, Part 3A, Division 5 of the Bill provides a mechanism for government to directly assist an asset owner or operator in rapidly responding to, and remediating a cybersecurity incident," the ASD explains in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

ASD may be requested by the Secretary of the Department of Home Affairs to assist in responding to a serious cybersecurity incident. The Minister for Home Affairs must consult with the asset owner or operator before authorising the Secretary to request ASD assistance, and the measures authorised must be "proportionate and technically feasible".

Before stepping in, the government must be satisfied that a cybersecurity incident has occurred, is occurring, or is imminent; that the incident is having a relevant adverse impact on the functioning of a critical infrastructure asset; that the incident is posing a material risk to the social or economic stability of Australia, its people, national defence, or national security; that the relevant entity or entities are unwilling or unable to take all reasonable steps to respond to the incident; and that no other options for a practical and effective response exist.

"Interventions under this provision are limited," ASD said. "In responding to a critical cyber incident, ASD's incident response teams will only be able to undertake actions specified in the Ministerial Authorisation."

However, this may include accessing, modifying, or altering the functioning of computers and implementing mitigations, restoring from backups, and installing "incident response tools".

It may also include accessing, restoring, copying, altering, or deleting software.

The tech community is concerned such governmental intervention would undermine the objectives of defence and recovery. Microsoft, for example, believes this would result in "The Fog of War", further complicating any attempt to respond to and mitigate a cyber attack.

The draft legislation, which entered Parliament in December, also introduces a positive security obligation for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements to the ASD, as well as enhanced cybersecurity obligations for those entities deemed critical infrastructure.

In its submission, ASD said its knowledge of domestic cybersecurity threats and vulnerabilities relies on the Australian community and industry to voluntarily report incidents.

"More incident reports to ASD through the provisions proposed in the Bill will assist in building improved national situational awareness and allow ASD to identify trends, and provide targeted advice to others in order to assist entities to better prepare and protect their networks and Australia's critical infrastructure," it told the PJCIS.

It said just over a third of all incidents reported to the ASD's Australian Cyber Security Centre over the last 12 months have been from Australia's critical infrastructure sectors.

"This is expected to be just a fraction of the number of cybersecurity incidents affecting critical infrastructure given the voluntary nature of reporting," it said.

Under the proposal, a responsible entity that becomes aware of a cybersecurity incident must report it within 12 hours if the incident is having a significant impact on the availability of the asset, or within 72 hours if the incident is having an impact on the availability, integrity, or reliability of the asset or on the confidentiality of information about, or held by, the asset.

"The primary purpose of ASD receiving information under Part 2B will be to improve national situational awareness, allowing the production of anonymised mitigation advice to assist individual sectors or organisations more broadly to take steps to protect themselves," ASD wrote.

