The Security Legislation Amendment (Critical Infrastructure) Bill 2020 aims to ensure Australia’s critical infrastructure assets are more secure and more resilient.
In a world of virtual systems, digital technology, increasingly interconnected and interdependent systems, mass volumes of data and a hostile cyber landscape, the Bill (sensibly) responds to the need to safeguard against vulnerabilities and attacks that have potential to significantly disrupt the essential services Australians rely on daily.
Because there has not been a catastrophic attack to date does not make us immune to one now or in the future – a point recently reinforced by the Australian Strategic Policy Institute in their analysis of the threat of ransomware (Exfiltrate encrypt, extort. The global rise of ransomware and Australia’s policy options). Notwithstanding that the focus on ransomware, the Report underlines the stark reality of Australia’s vulnerability in the cyber sphere. As both this Report and the Bill highlight, the cost of an attack has potential to harm not only our economy but undermine our national security and ultimately our sovereignty.
In introducing a range of new security and compliance requirements and expanding the list of critical infrastructure assets to 11 (from four) industry sectors, the Bill reflects an acute awareness of the extent to which the risk environment has changed.
Phil Dawson
It is no surprise then that with the increasing reliance on digital technologies and the exponential growth in the volume, storage and movement of data, that the spotlight has turned to the role of data and, as a result, the intention to specifically call out a Data Storage and Processing Sector: one of the additional seven sectors identified as managing critical infrastructure assets.
While there has been some definitional gnashing of teeth about what the ‘asset’ is in this context, to many of us the answer is obvious. Whether it’s data about the people receiving services, the organisation delivering services or the data that is used to operationalise and deliver the service –it’s all about the data. For those of us in this sector, it is about whatever it takes to ensure the confidentiality, availability and integrity of that data to ensure it can be relied on to determine and/or deliver the outcome intended.
In terms of what’s needed to protect this ’asset’, somewhat ironically the benchmark has already been set – and by government.
Despite all its shortcomings, the original Certified Cloud Services List (CCSL) and now it’s replacement the Cloud Assessment and Authorisation Framework (CAAF), set the bar of expectation regarding how data and data driven applications are stored and managed in the new digital operating environment – cloud services.
The CAAF in fact goes even further.
In specifically defining ‘data’ and calling out that it is not simply top layer customer information/data but also the metadata associated with it and the support, monitoring and analytics data related to the customer and/or the service, the CAAF recognises the fundamental primacy and priority of what in our digital world must be protected – the data, in all its forms.
As Phil Dawson points out in his recent appearance before the Parliamentary Joint Committee on Intelligence and Security (PJCIS), “data is the key asset to be considered along with the related protection of confidentiality, integrity and availability”.
Arguably, and by logical extension, why wouldn’t you treat protection of that data in the same way that government has benchmarked how these same services are delivered to them, i.e., in accordance with the CAAF and government’s own Information Security Manual (ISM) that outlines a clear cyber security framework for the protection of information systems.
In fact, why would Australia be satisfied with anything less in the context of protecting the critical infrastructure that is the backbone and foundation of our democracy and livelihood of our citizens?
To read Phil Dawson’s opening Statement to the PJCIS see:
To read the full Transcript of the PJCIS Hearing on July 8 that Phil provided evidence see:
