Australian government doubles down on cybersecurity in wake of major attacks
Government officials recently released what they called a consultation paper that outlined specific proposals and solicited input from the private sector, as part of a proclaimed strategy to position the nation as a world leader in cybersecurity by 2030.
As well as addressing gaps in existing cybercrime laws, Australian legislators hope to amend the country’s Security of Critical Infrastructure (SOCI) Act 2018 to place a greater emphasis on threat prevention, information sharing, and cyber incident response.
Weaknesses in Australia’s cyber incident response capabilities were laid bare in the September 2022 cyber assault on telecommunications provider Optus, followed in October by a ransomware-based attack on health insurance provider Medibank.
Millions of sensitive records, including biometric data in driver’s licenses and passport photos, were exposed after attackers scraped an Optus database containing consumer records; the Medibank breach exposed millions of patient health records.
“Both breaches came through basic errors and poor cyber hygiene, so they were avoidable,” says Richard Sorosina, chief technical security officer for Qualys Australia and New Zealand.
Australia’s cyber resilience came under painful scrutiny in November 2023 when a nationwide outage left Optus’ fixed-line and mobile customers without Internet access. The outage was blamed on an issue with a Border Gateway Protocol (BGP) routing table update.
Days later, a massive cyberattack on the shipping industry led to lengthy disruptions at four Australian ports.
Cyber Strategy Reform
The cyberattacks on Optus, Medibank, and the nation’s ports were highly public incidents that affected citizens and businesses, which pushed cybersecurity higher on the nation’s political agenda. In response, the Australian government revised its cybersecurity strategy and launched the consultation process on legislative and regulatory reforms.
Clare O’Neil, Australia’s minister for cybersecurity, said in a statement that the government was committed to working with the private sector to usher in a “new era of public-private partnership to enhance Australia’s cybersecurity and resilience.”
Australia’s new proposed cybersecurity legislation covers a wide range of measures, including mandating secure-by-design standards for Internet of Things (IoT) devices, establishing a ransomware reporting rule, creating a “limited use” obligation for incident information sharing, and establishing a national Cyber Incident Review Board.
Also on the agenda: reforms to the Security of Critical Infrastructure Act 2018, which are geared toward addressing cybersecurity shortcomings exposed by recent breaches.
These revisions include providing more prescriptive guidance for critical industries like utilities and telecommunications, simplifying information sharing, providing directives for risk management programs, and consolidating security requirements for the telecommunications sector under the SOCI Act for critical infrastructure.
To read the complete article, visit Dark Reading.