
There are two essential questions in the Australian government’s discussion paper on improving cybersecurity


The federal government is pursuing a new cybersecurity agenda in the wake of last year’s major cyber breaches at Optus and Medibank.

“For companies lately, cybersecurity is as necessary as having a lock on the door”, said Prime Minister Anthony Albanese in opening the government’s cybersecurity roundtable in Sydney on Monday.

There, Minister for Cyber Security Claire O’Neil launched a discussion paper that seeks to answer questions about the role the government should play in order to improve Australia’s cyber resilience.

The government will also create a National Office of Cyber Security, and a new role based in the Department of Home Affairs – Coordinator for Cyber Security.

O’Neil said the government was struggling to find appropriate responses to last year’s major hacks due to a lack of prior policy or regulation.

The Optus and Medibank breaches each affected around a third of the Australian population. Hackers leaked personal information including drivers licenses, passports and highly personal medical details.

In both cases, government intervention was essential, such as by creating methods for people to replace drivers license ID numbers.

The discussion paper includes 21 questions, and many focus on how government and industry can work together.

But two questions stand out as critically important.

1. Should the government ban ransomware payments?

Whether ransomware payments should be banned is a complicated question, and one that I’ve covered before.

In short, a blanket ban on all ransomware payments would be unlikely to stop cyber criminals from continuing their attacks. And the damage done to businesses and critical infrastructure could be severe. A legal ban on paying to recover their systems could mean small and medium businesses can’t recover.

O’Neil has previously stated she’s considering a ban on ransom payments. The discussion paper demonstrates a more thoughtful approach.

It suggests the possibility of a distinction between different types of ransomware payment bans. For example, whether the government should prohibit payment to keep stolen data secret, versus payment to unlock a company’s hacked systems. It also asks whether, instead of banning companies from paying ransom, we should instead ban insurance payouts to businesses who fall victim.

2. Should the government be able to commandeer companies’ IT systems?

The Security of Critical Infrastructure Act was introduced in 2018 in response to the growing threat of attacks against the nation’s most important systems. It was more recently expanded to include a total of 11 sectors from electrical grids and telecommunications, to education and data storage.

The act is specifically about securing the systems that our critical infrastructure runs on.

But the discussion paper asks whether that should expand to include the personal data held on those systems, and to allow the Australian Signals Directorate to commandeer the IT systems of companies affected by a hack.

While a seemingly small addition to the act, the inclusion of personal data and expanded Australian Signals Directorate powers could be reaching too far.

Specifically, it would include handing over citizens’ personal data held by the telecommunication and health sectors to the government.

What’s more, expansions to the act in 2021 and 2022 to include data storage mean almost any company could fall within its scope.

No specific details of how this potential change might work are included in the discussion paper, but it would be a step with severe consequences.

Anything else I should know?

The discussion paper also calls for simplifying regulations as a priority.

Australia’s data laws are spread across a range of acts: the Privacy Act, the Critical Infrastructure Act, the Telecommunications Act, the National Health Act, and the list goes on. Having the requirements spread out across so many acts makes it difficult for businesses to know their obligations in relation to cybersecurity.

What’s more, the paper clearly outlines the need to prioritise cybersecurity workforce training, both in technical and non-technical roles.

Australia has an estimated skills shortage of 30,000 cybersecurity professionals.

The discussion paper has many suggestions that will likely be welcomed by industry, but clearly some questions raise concerns among industry professionals about government overreach.

For the moment, these are just questions. And industry, government and education providers will have a chance to respond to these questions over the next six weeks before decisions are finalised. Hopefully, they’ll be heard.

This article is republished from The Conversation under a Creative Commons license. Read the original article.


