Inside a state-of-the-art data center, the physical backbone of digital infrastructure.
Australia Proposes Cyberattack Disclosure Delay for Critical Infrastructure
The Australian government proposes delaying public disclosure of serious cyberattacks on critical infrastructure operators. This move aims to allow more time for mitigation and response efforts. The proposals are part of broader amendments to the Security of Critical Infrastructure (SoCI) laws, focusing on an Australia cyberattack disclosure delay.
Government Considers Australia Cyberattack Disclosure Delay
Home Affairs is currently canvassing five immediate changes, including this proposed disclosure delay. The government’s reasoning highlights continuous disclosure requirements. For ASX-listed critical infrastructure operators, these could force premature incident revelation. Immediate disclosure in “rare, high-risk cyber incidents” might “inadvertently undermine coordinated responses, reveal vulnerabilities, or heighten systemic risks,” according to the consultation paper.
Details From Proposed Australian Cybersecurity Policy
The proposed disclosure delay mechanism would be temporary. A hypothetical example suggests a delay of approximately 30 days. The intent is “not to shield entities from commercial impacts, but to prevent disclosure from compromising national security including significant flow-on impacts across the economy.”
Another proposed change would simplify directing multiple entities to cease using a vendor’s product or service where it poses a “systemic” security risk. Current critical infrastructure laws permit such blocks only on an “organisation-by-organisation” basis, which is impractical for systemic risks affecting many entities or an entire sector. This change addresses both critical infrastructure security and government cyber regulation.
Why New Australian Cybersecurity Policy Matters
The government’s stated justifications for these proposed changes center on national security and public safety. A disclosure delay could facilitate better-coordinated responses to cyber incidents, since current disclosure obligations pose challenges during high-risk incidents; this is what makes the Australian cybersecurity policy significant.
Background Context: SoCI Law Amendments
These proposals follow a review into Australia’s Security of Critical Infrastructure (SoCI) laws. The assessment found Australia’s critical infrastructure security laws were “toothless.”
The government currently uses the Protective Security Policy Framework (PSPF). This prevents federal entities from using “certain products and web services in their networks,” as exemplified by the previous Kaspersky ban. However, the current framework is “too narrow and operationally inefficient” for timely or consistent responses to systemic vendor or technology-related risks affecting multiple entities. These SoCI law amendments aim to strengthen government cyber regulation.
Future Implications (SPECULATIVE)
Australia could potentially follow the US in implementing similar disclosure rules. The government is also considering a vendor-risk direction power, intended to manage systemic supply chain vulnerabilities consistently across affected entities and sectors and thereby strengthen government cyber regulation.
Conclusion
The Australian government proposes key changes, including an Australia cyberattack disclosure delay and simplified vendor product bans for critical infrastructure. These measures aim to enhance national security and improve the response to systemic cybersecurity risks.
Frequently Asked Questions
What is the Australian government proposing regarding cyberattack disclosures?
The Australian government is proposing a temporary delay in the public disclosure of serious cyberattacks on critical infrastructure operators.
Why does the government propose a disclosure delay for cyberattacks?
The government states that immediate disclosure in high-risk incidents could undermine coordinated responses, reveal vulnerabilities, or heighten systemic risks, potentially compromising national security.
What other cybersecurity changes are being considered alongside the disclosure delay?
Another proposed change is to simplify the process for the government to direct multiple entities to stop using a specific vendor’s product or service if it poses a systemic security risk.
What is the purpose of a “vendor-risk direction power”?
This power would allow for coordinated action across critical infrastructure entities and sectors to manage systemic supply chain vulnerabilities consistently, as the current framework is too narrow.