Written by staff writer.
Deputy Prime Minister and Defence Minister Richard Marles says the Australian government wants to pursue safe harbour provisions for entities that self-report cyber breaches. The confirmation comes as the Australian Cyber Security Centre (ACSC) releases its Annual Cyber Threat Report 2022/23, revealing that the number and cost of cyberattacks are rising.
“We saw a 23% in the number of cybercrimes in the last financial year,” Marles told ABC Radio after the report’s November 14, 2023, release. But he also acknowledged that some entities not covered by the recent critical infrastructure reporting legislative reforms are not informing or fully cooperating with the ACSC and its controlling agency, the Australian Signals Directorate (ASD), during cyberattacks.
Among the reasons for this are reputational and legal liability concerns. However, this reluctance is hampering the government's ability to respond to cyberattacks, and the ASD is leading the charge in calling for further legislative reform to protect entities that self-report.
“This is an issue we want to get right, and it will form part of our cyber strategy we plan to announce later this month,” said Marles. “If you’re a company and experiencing a cyberattack, you need the best advice you can get, and the ASD are the experts. The ASD’s ability to come in in the moment, look at the systems and understand what is going on, is critical.”
“But I can understand why companies want to make sure that whatever ASD comes across is not used against them by any other government agency. This safe harbour concept is something we want to see pursued.”
The upcoming release of the 2023–2030 Australian Cyber Security Strategy is expected to call for a whole-of-nation cyber uplift and focus on the recently articulated six shields of cyber security.
Legal firm Allen & Overy, currently the subject of a ransomware attack, is reportedly reluctant to involve the ACSC and ASD because it is concerned about future damages claims or regulatory action. Allen & Overy counts NBN and the Port of Melbourne among its clients.
“Companies need to be confident that they can interact with the ASD in the moment because that’s when we can mitigate and make sure they lose the least amount of data,” said Marles.
The limited-use model used by the National Security Agency in the United States is cited as an example of what could work. It forbids information disclosed by entities when dealing with cyberattacks from being used against them for class actions, regulatory action, or other punitive action.
ASD head Rachel Noble wants to see the government enact safe harbour legislation, which would encourage those entities not already obliged to report cybercrimes to do so, preferably as early as possible. Because not all entities are obliged to report attacks, the ASD thinks the number of breaches is higher than the headline 94,000 figure.
Noble says the ASD’s ability to build a “timely and rich” picture of cybersecurity breaches depends on self-reporting. Aside from enabling the agency to deal with specific incidents, she says it better informs overall threat mitigation advice with the latest trends and threats posed by malicious cyber actors.