Logistics and utilities providers agree to help from ASD in the event of a cyber incident

After being hit twice by ransomware last year, Toll has said it welcomes the installation of software from the Australian government to help with thwarting cyber criminals, admitting it already let the ASD into its systems. Qantas, AGL, and Water Services Association of Australia are all happy with the looming mandate, too, providing it is done proportionately.

Australian logistics and utilities providers have raised concerns with the speed at which consultation on the looming critical infrastructure legislation has been pursued by the government, but they have otherwise accepted the Bill, including the installation of software on their systems to help with incident response.

Among other things, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide "assistance" to entities in response to significant cyber attacks on Australian systems. This includes the proposal for software to be installed that is touted as aiding providers in dealing with threats.

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Thursday morning heard from four large technology firms who declared they did not need assistance from the Australian Signals Directorate (ASD) nor its Australian Cyber Security Centre (ACSC) and that the installation of software would do more harm than good.

But later that day it was a different story, with representatives from the nation's water, electricity, and logistics sectors accepting government assistance, within reason, however.

"I'm quite open to the idea, but it needs to be, for it to be effective, it actually has to be done with us," Toll global head of information security Berin Lautenbach said. "It's very hard to walk into an organisation and just know where the critical servers are, how the network works, everything like that, we'll just roll some stuff out and everything will be good. But it's not quite the way it's going to work, it's actually got to be, 'Right, we're coming in to help, here's software, here's what it does, here's where we think it needs to go, here's how it's going to be deployed."

Lautenbach continued by saying it needed to be a joint exercise between the company and ASD.

"It does have to be done with care, because it is very easy to have unintended consequences when installing software in a network," he added.

Last year, Toll found itself victim to ransomware on two occasions. Lautenbach said Toll has already had the ASD load software on its systems.

"I don't see how you can have this kind of legislation and not have a power to walk in," he added. "If we have something critical to the nation that is out or failed or something is going wrong and the necessary actions aren't being taken, there has to be an ability to do something about that, so I think that's fair.

"What I worry about is the practical reality of how that would work. And it is really hard to walk into a large network or a large company and understand the IT environment well enough to be able to quickly take action."

Water Services Association of Australia similarly accepted the idea of government assistance, but added it would be open to some sort of indemnity or insurance that provides security to the organisation.

"Something that provides security to the organisation that if something does go -- there are some of these unintended consequences -- that the federal government is willing to then pick up the tab and take ownership of the problem," the association's director of business excellence Greg Ryan added.

His colleague Luke Sawtell said he preferred to see ASD's intervention occur "few and far between" and as a last resort.

In agreement with Lautenbach and the Water Services Association was Qantas Group security officer Luke Bramah and representatives from AGL.

"I think that's absolutely correct that if it were emergent need, you need the hook in the legislation, but very sparingly used," Bramah said.

While those appearing before the PJCIS testified that they were consulted on the legislation, many raised concerns with the speed at which it has been pushed through and the lack of clarity around what is actually considered critical.

Clean Energy Council policy officer Lucinda Tonge asked for a clearer definition of "critical electricity asset" and Ports Australia CEO Michael Gallacher wants a distinction drawn between the Bill and competing legislation affecting his industry, as some examples.

"We want to see these issues resolved, we want to support this legislation, we will support it, but we want to see it work … and while there is a glaring weakness in the legislation, that has a real confusion between who's actually responsible for the delivery of port services and the response, we think we need to get it fixed, otherwise, the only people are going to take advantage of it are going to be bad people," Gallacher said.

Bramah, as well as AGL, testified that the "early days" of consultation had moved "a little too fast" and Lautenbach said it was more important to get things right than out the door.

"We'd just like to see the time spent on getting the rules right, work with us on that, and we will work with Home Affairs," he said. "We're a bit concerned that things will be missed."

RELATED COVERAGE