Share this article on:
The federal government has announced that it will be introducing new legislation designed to bolster protections for businesses that suffer from cyber attacks.
In particular, Home Affairs and Cyber Security Minister Tony Burke announced that businesses would be granted a “safe harbour” for cyber security reporting, in which they would be allowed to share the details of a cyber attack against them with government cyber agencies without risking that information coming back to bite them in other investigations.
Now, industry leaders have commented on the new legislation and have largely said the projections are much needed but should not be treated as a get-out-of-jail-free card for businesses that fail to protect data.
Here is what they had to say.
Jaqueline Jayne
The Independent Cybersecurity Expert and Online Safety Specialist
“There is a definite need for more sharing when it comes to unsuccessful and successful cyber attacks of all types. If these ‘safe harbour’ measures prompt more businesses to come forward and share information, we, as a nation, can only benefit from it.
“It shouldn’t, however, remove the basic levels of cyber protections that businesses need to have in place. To that end, it would be beneficial to include a support framework with the goal to increase cyber protections.
“For example, if a report comes in and the cause of a data breach was human error when someone engaged with a phishing email, there should be an audit of awareness and education programs at that business. Depending on the outcome of the audit, the business may need to implement a corresponding program to reduce that risk occurring again.”
Sandro Bucchianeri
Chief security officer, NAB
“We welcome the government’s stance. If there’s safe harbour [rules], then you’re not punishing the victim, essentially.
“I think the other part of it is that collaboration is key.
“We’ve enjoyed our relationship with the ACSC with Abigail Bradshaw [head of ACSC] and the team, in sharing threat intel, because you know for the most part, I’ve got a large security budget … but it’s to help those that cannot afford threat intelligence sharing or whatever the case would be.”
Craig Searle
Global director – cyber advisory, Trustwave
“The safe harbour provisions the government is proposing as part of the Cyber Act are a step in the right direction; however, there needs to be a consistent yardstick by which Australian corporations can measure themselves to in order for directors to then assess the reasonableness of their response and address the concerns raised by the Australian Securities and Investments Commission (ASIC).
“While the Essential Eight is undoubtedly effective as a set of preventative measures, it is very difficult and expensive even for mature and well-funded organisations to achieve, as evidenced in Australian National Audit Office (ANAO) reports such as ’Management of Cyber Security Supply Chain Risks’. It also does not address response and recovery. This means it is unlikely to be suitable as a nationwide measure of resilience without significant caveats being adopted.
“Over time, it is likely that the scope of the Security of Critical Infrastructure Act will continue to expand to incorporate sectors of interest to the government as the threat landscape evolves. Financial incentives for good corporate behaviour and vice-versa, as utilised in the US, are the most likely method to have a meaningful impact. Cyber insurance also has a significant role to play here, particularly as there are likely to be impacts to a policy payout as a result of disclosure by an organisation.”
Annie Haggar
Head of Cybersecurity Australia at Norton Rose Fulbright
There has been lots of discussion around whether new laws will provide 'safe harbour' - which many people understand to mean immunity from prosecution by regulators if they do share information with the ACSC or the National Cybersecurity Coordinator. The answer is no. The ACSC will have 'limited use' rights over any information shared by organisations, meaning they can only share or use the information in accordance with a limited use case. For example, information provided by the ACSC wouldn't then be provided directly to the OAIC.
However if an organisation separately has to report a breach to the OAIC, then the organisation still has to comply with this obligation and provide the OAIC with the information required and the OAIC may still investigate and, if appropriate, take further action within its powers. An organisation is not made 'immune' from prosecution by the OAIC or any other regulator because they reported to the ACSC or NCC.
So why would you share with the ACSC or NCC then you may well ask, if there is no 'immunity' and its 'voluntary'? There are several things to consider:
1. Sharing attack information may well enable the ACSC or NCC to assist in the response (depending on the severity and size);
2. Simone Constant from ASIC said that "information sharing in the immediate aftermath of a hack played a minimal role in investigations into how directors have prepared for and responded to cyberattacks." The ASIC investigations are about failure to take 'reasonable steps' to prepare for a breach. ASIC aren't prosecuting an organisation for having a breach but for failures in "the months and years of work in the lead-up to a hack, including whether the management and directors have developed a plan to prevent and respond to a cyber incident that has been updated and tested."
3. sharing information during a breach with the ACSC or NCC can also help other organisations to be warned about, and defend, against the same attack - it forms part of the 'threat intelligence' the government can provide to the community which is a critical part of an organisation's toolbox of defences.
4. There are likely to be some circumstances where sharing is not voluntary - details are yet to be announced but the public consultation on the proposed cybersecurity regulatory changes included a mandatory reporting obligations for ransom payments.
Not sure when you have to report? See the Single Reporting Portal here.