The government is weighing the merits of a mandatory reporting requirement on organisations that are attacked or extorted by cyber criminals.
Home Affairs boss Mike Pezzullo told senate estimates yesterday that mandatory reporting is being considered “as an extension of the cyber security strategy” released mid last year.
While cautioning that he did not want to “presume or preempt government policy”, and qualifying that further stakeholder consultation is necessary, Pezzullo expressed a view that such a reporting regime is “likely” to be introduced at some point.
“There is a specific commitment to put in place a national strategy to combat cybercrime,” Pezzullo said.
“My inclination – and I’m not going to state it as an opinion – is that it’s likely that a regime of that character will be proposed, but there’s still some stakeholder engagement to undertake.
“I think … most advanced economies are at a point where by some means … a much more active defence posture is going to be required, simply because of the prevalence of the attacks.”
At present, disclosure of ransomware attacks and other cyber incidents is often tied to a major operational disruption that is difficult to hide, or to the breach of personally identifiable information, which must be reported through the separate notifiable data breaches (NDB) scheme.
Despite large attacks frequently making the news, some organisations are likely able to avoid disclosure altogether.
Pezzullo was asked by Labor Senator Kristina Keneally specifically about a mandatory reporting regime for cybercrime incidents.
In addition, Keneally sought clarity from Home Affairs – which leads the development of cyber security policy for the government – on the extent to which the government may publicly reinforce its offensive capabilities to try to ward off some of the volume of attacks on Australian entities.
The last major public pronouncement on offensive capabilities was in response to Covid-themed attacks back in April last year.
Pezzullo said it was “difficult … to speak in an open forum” on either defensive or offensive capabilities or activity undertaken by the government.
“Suffice to say that the offshore disruption capability of the ASD is increasingly well-known,” he said.
“I’m going to be very cautious and very careful about what I say here, and I do not at all link this answer to any [attacked] entities … whether an attacker would judge that the degradation of their capability, in some cases the termination of their capability, was specifically as a result of Australian action, disruptive or otherwise, may never be known to them.
“It may be known to them if we choose to declare it, and without going too much into the depths of deterrence theory, the extent to which you signal the potency of your capabilities is really a matter for judgement carefully taken.”
A telco-laden advisory panel asked the government in the lead-up to last year’s cyber security strategy to make consequences clearer to would-be attackers, in the hope of discouraging some from trying.
Critical infrastructure budget
Home Affairs also provided a high-level breakdown for how a $42 million budget allocation around critical infrastructure security is to be spent.
The money is largely to be used to implement measures in critical infrastructure security legislation that is currently before parliament.
Pezzullo said that most of the money would be spent “hiring expert staff in this area in anticipation of that legislation being passed.”
“That will allow us to work with industry both to co-design the regulatory burden but also to then ensure that those regulations are met,” deputy secretary of policy Marc Ablong said.
Some of the money will also be allocated to “some infrastructure mapping software and tools that we’re looking to put in place to understand the interdependencies of infrastructure,” Pezzullo said.
Ablong explained that the “IT [systems are] required to allow us to map interdependencies, to be able to understand, for instance, if a particular telecommunication node was to go down, what impact does it have on other sectors of critical infrastructure where those have a dependency on that particular telecommunications [infrastructure].”
Home Affairs said it would provide a full breakdown of the proposed spend at a later date.