Australia’s spy agency chief Rachel Noble has cited an unnamed company’s refusal to work with the government when responding to a cyber attack as evidence of the need for laws that would compel some form of cooperation.
Speaking at an inquiry into the Security Legislation Amendment (Critical Infrastructure) Bill, Noble said the cyber attack – which had “national impact” – was an example of what “bad looks like” when it comes to incident response.
She declined to name the company involved, though Home Affairs secretary Mike Pezzullo described the incident as a “nationally known case, involving a nationally known company”.
“Bad looks like – and this is a real example, but I’m not going to name names – we find out something’s happened because there are media reports,” Noble told the parliamentary joint committee on intelligence and security on Friday.
“Then we try to reach out to the company to clarify if the media reports are true, and they don’t want to talk to us.
“Five days later, we’re still getting a very sluggish engagement of trying to help them to provide data to us and deploy some of our tools so we can work out what’s happened on… their networks.
“That goes for 13 days, this incident had a national impact on our country. On day 14 we’re able to only provide them with only generic protection advice and their network is still down.
“Three months later and they get reinfected and we start again.”
Noble said that sometimes the Australian Signals Directorate would have to “use [its] own very senior level contacts… to try and establish trust, and build a willingness to cooperate”.
“We have at times spent nearly a week negotiating with lawyers about us even being able to obtain that basic information… of can we please have some data from your network, we might be able to help tell you quickly who it is and what they’re doing and what they might do next,” she said.
Asked by Liberal senator James Paterson whether businesses are always cooperative with ASD when impacted by a cyber security incident, Noble said “that is not our lived experience”.
Noble said that legislation could overcome this by giving ASD more leverage to “expect these critical infrastructure providers… [to] actually have better cyber security standards in the first place.”
If passed, the bill will require critical infrastructure operators to hand over ownership and operational information and undertake prescribed activities like vulnerability assessments.
It will also give the ASD the power to defend networks and systems of critical infrastructure against cyber attacks in exceptional circumstances, a proposal that has alarmed tech companies.
“The best part of this legislation, from my point of view, is that if they look after themselves, it doesn’t become work for my people,” Noble said.
“And if their defences are much higher, they’re keeping out the low level crims, and then we might be able to focus on the much more sophisticated, highly-organised criminal syndicates or state actors.”
Noble cited ASD’s interaction with the Victorian government after a 2019 ransomware attack against the healthcare sector as one of the “wonderful examples of incredible cooperation”.
“‘Good’ looks like they contact us. We are able to work with them. They are able to provide technical information off their network like logs, images of disks. That happens on day one,” she said.
“Within that same 24 hours, we sent incident responders on the ground working side-by-side with the Victorian government, the private entity impacted, their private service provider and our staff.
“We’re able to fully map the network. We were able to identify the nature of the criminality.”