The CEO of Australia's Cyber Security CRC Rachael Falk has offered clarity on the contentious government "step in" powers that are set to be legislated under the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
She told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) that there has been a "bit of a labelling problem" in the Bill when it is called "step in" powers or powers to intervene.
"I don't think what is intended, if I may say so, is not what we call in traditional corporations law step in rights, which is traditionally associated with companies in liquidation where you have liquidators come in and step into the shoes of the companies and literally operate the company as if it were their own," she said.
"So I think this power has kind of been misunderstood and mislabelled."
Falk said, instead, it should be explained as a way for the Australian Signals Directorate (ASD) or its Australian Cyber Security Centre (ACSC) to lend their expertise.
"It could be by way of a compulsory notice served in an organisation when it is clearly struggling to gain control of quite a serious cyber attack, that they then are able to be served with a compulsory notice, and then they have to engage and discuss with ASD," she said.
"I think what's lost here a little bit in the debate is the Australian Signals Directorate are the experts here in terms of poacher and gamekeeper, they do this for a living every day. So a compulsory notice to be served, not step in rights, I think that label should be removed."
During its hearing on Thursday, the PJCIS heard from four large technology firms that declared they did not need assistance from the Australian government and the installation of software would do more harm than good. But later that day it was a different story, with representatives from the nation's water, electricity, and logistics sectors accepting government assistance if it was within reason.
As part of his testimony, Water Services Association of Australia's director of business excellence Greg Ryan discussed the potential for an indemnity or insurance that provides security to the organisation ahead of ASD/ACSC engagement.
Falk believes rebranding it to "compulsory engagement" rather than being a step in power would remove the need for indemnity.
"I think there's a bit of a vision that Homer Simpson comes in and presses all sorts of red buttons, which in that case you might want the indemnity scenario. I think if there were more of a compulsory notice to engage, then they would be working with the impacted organisation, not working as the impacted organisation," she said.
"So it might mean there is no need for an indemnity because they are saying you need to engage and we advise you to take this advice.
"I can see the advantages of an indemnity but if they were simply the subject of a compulsory notice to engage, they could disregard ASD advice and therefore wouldn't need the indemnity."
She also touched on the requirement to notify the government of an incident within 12 hours. While Falk accepted it may not be known within 12 hours that an incident has occurred, she suggested a "staged approach" to notification.
"Immediate notification isn't too onerous. Once you realise you're in the middle of an incident, and details can also follow in a reasonable period of time … I think a staged process where there's immediate notification, we have an incident running, we're unsure of what it is, we will come back once we have clarity within up to a timescale of 21 days," she pondered.
A case for ransomware payment notification
The federal opposition last month introduced a Bill to Parliament that, if passed, would require organisations to inform the ACSC before a payment is made to a criminal organisation in response to a ransomware attack.
The Ransomware Payments Bill 2021 was introduced in the House of Representatives by Shadow Assistant Minister for Cyber Security Tim Watts, who at the time took the opportunity to say the government's current position of telling businesses to defend themselves by "locking their doors to cyber-criminal gangs" was "not good enough".
Cybersecurity expert and former United States CISA chief Chris Krebs agreed with Watts.
He told the PJCIS it would be useful to compel critical infrastructure providers to disclose cybersecurity incidents, including ransomware.
"Mandatory reporting for any ransomware victim before they make a payment," he told the committee. "For ransomware, in particular, we do not know how big this problem is, in fact, probably the only people that know how big it is, are the criminals themselves. And they're not apparently sharing that with us.
"We have to get to the denominator of ransomware attacks and the easiest way to do that is require ransomware victims to make a notification to the government. This is not yet in determination on whether paying ransom itself is illegal, I think that's a separate conversation, but just at a minimum, if you're going to be engaging with the transaction, with the ransomware group, that that needs to be notified."
Krebs said this was so authorities could understand the scope of the problem and also collect the data on the payment.
"We also want to make sure that the information, specifically the wallet to which the ransomware payment is going, to be tracked by law enforcement intelligence officials to light up the economy," he explained.
The DoJ and the FBI seized 63.7 bitcoins -- valued at $2.3 million at the time -- of the 75 bitcoins that the Colonial Pipeline CEO admitted to paying. Despite paying for the ransom, the encryption tools handed over did not work nor help the company's efforts to restore its systems.
Apprentice sparkies to be treated like an ASIO employee
Acting national secretary of the Electrical Trades Union of Australia Michael Wright told the committee during his testimony that the Bill, as currently drafted, would see apprentice electricians held to the same security standards that ASIO officers are.
"We've been engaging with the Department of Home Affairs around the rules that have been drafted … the department isn't familiar with our industry, nor would you reasonably expect it to be. The issue we have is that they're requiring the draft rules that they've designed have said that everyone who accesses, provides access to assets, would therefore need to go through the Auscheck process," Wright said.
"That may or may not make sense in other industries, but in an industry where asset means power pole and you do need an access permit to work on that, that means that the entire workforce … or workers in that industry would wind up being required to go through that Auscheck, that ASIO backgrounding … it really stats to pry into their personal lives."
Senator James Paterson said he considered it to be an unintended consequence for an apprentice electrician to be subject to the federal government's ASIO vetting process, calling the idea "absurd".
"That's a process that can take anywhere between six months and a year and researches all of the family and personal connections that a person might have, their international travel, their prior employment -- are you suggesting seriously that apprentice electricians will have to get PV [positive vetting] security clearance to work?," Paterson questioned.
"We raised these concerns and we get nothing back," Wright said in response.
MORE FROM THE INQUIRY
The cybersecurity expert has told an Australian Parliamentary committee there are elements of the election administration function that should 'absolutely' be considered critical infrastructure.
After being hit twice by ransomware last year, Toll has said it welcomes the installation of software from the Australian government to help with thwarting cyber criminals, admitting it already let the ASD into its systems. Qantas, AGL, and Water Services Association of Australia are all happy with the looming mandate, too, providing it is done proportionately.
Google, Microsoft, AWS, and Atlassian all believe they are best placed to respond to cyber incidents and that installing software from the Australian government would only increase the risk in their respective platforms and systems.