The federal government in November published an exposure draft on the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which seeks to amend the Security of Critical Infrastructure Act 2018 (SOCI) to implement "an enhanced framework to uplift the security and resilience of Australia's critical infrastructure".
If passed, SOCI would create a new class of regulated entities known as "systems of national significance", which Secretary for the Department of Home Affairs Mike Pezzullo has labelled the most profoundly important segments of national infrastructure: Gas, water, power, and banking.
It would create mandatory reporting loops between the sector and the Australian Cyber Security Centre, allowing the responsible minister to designate a sector as being so sensitive that the Australian Signals Directorate (ASD) would be on the network and perform monitoring.
But not everyone, Pezzullo noted, would get that ASD-level protection under SOCI as the economy is just too large.
See also: Tech giants not convinced Australia's critical infrastructure Bill is currently fit for purpose
Facing the Legal and Constitutional Affairs Legislation Committee on Friday, Pezzullo was asked if looking after the "top tier" would result in the needs of the "middle tier" being neglected. He was also asked to expand on what the government's view of its responsibility is.
"There are two strands here. It's like general crime. Governments frame insurance markets -- people take out insurance -- but they also fight crime," he said.
"Right down to the household level, you're expected as part of your household insurance to secure your property with alarms and locks et cetera-- and that affects the premium, but that doesn't prevent the police -- in fact, the police actively go after the criminals who might be doing break-and-enter. Cyber is no different."
The element that's missing, he said, continuing the insurance metaphor, is what the cost is, in an actuarial sense, that both households and firms would be willing to bear in order to provide a certain level of protection.
"Then the government strikes at the attacker, or strikes at the criminal group, in a complementary fashion," Pezzullo said. "It's very much like an insurance and crime-fighting model. Cyber is very underdeveloped. There are no insurance products. There's no way to price the risk in the same way as, for instance, burglary or property damage or car accidents. We're in the very early days."
He said the department is looking at how to price in risk and what regulatory schemes should be put in place in order to also cover the level below that of national security.
"I'm sure that you and I would agree that an attack on the grid or an attack on our air traffic control system or an attack that takes out our ability to conduct banking would cause chaos, so the government is focusing its most potent weapons, its most potent resources, on that risk," he continued. "It has to be a holistic society and economy-wide response.
"It will be a tiered approach throughout the general economy, in other words."
Pezzullo expects the legislation that wraps the enhanced regulatory scheme to be introduced into Parliament "soon". There are two sitting days left before Christmas.
Pezzullo was asked what action the government was taking to thwart ransomware crews so it could attack them at their source. He was also asked if ransomware was the top cyber threat facing Australia.
"It's certainly the most pervasive. It's like crime in general. In terms of volume of crime it is. In terms of strategic risks to our nation, the government has stated on a number of occasions … that in terms of consequence of attack, our banking system or the payment system that sits within the banking system or the electricity grid and the distribution of electricity to go down that would be a more consequential risk to the Australian economy and to our society -- it's less probable," he said.
"So it's like crime -- there's volume of crime and then there's very high-end, impactful crime."
On Thursday, the Australian government put forward its Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 that would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new warrants for dealing with online crime.
"We want the powers that are contained in the Bill … [so we can] get the tide to go out so we can see exactly where these cybercriminal nodes are. They're often out of jurisdiction. By the time you get a warrant up and go with law enforcement cooperation, they will have shut down their operation and moved on," Pezzullo said.
"We want to attack them in situ, attack their servers, take over their systems, identify their IP addresses, and geolocate where they are on the face of the planet. The problem is that, increasingly, the technology has gotten ahead of the law with the dark web. It's very much like encryption.
"The problem is that the very same anonymising technology allows you to go invisible so we want the dark web legislation … to be able to strip back that invisibility cloak. That's where volume is going, and if we don't hunt them on the dark web they will become immune."
Expanding on the technical assistance that ASD would be able to provide under its extant powers, under the relevant section of the Intelligence Services Act, Pezzullo said the department is currently not seeking any additional powers for ASD but rather, the use of its powers offensively.
"There is no requirement for those powers to be enhanced. When you say 'using military intelligence capabilities', ASD has the highest level ... both of intelligence collection in cyber and of cyber-disruption," he said. "What we've done now is start to apply those offensive tools ... against criminals. So the police will select the targets. They'll have the powers to collect the intelligence, but, rather than building a whole new duplicated 'ASD type' -- if I can use that phrase -- system in the AFP, they will import ASD's powers through its technical assistance provisions under the ISA so that we don't have to duplicate that."