After Weathering 2022 Cyber Attacks, Australia Positions Itself as World Leader in Cyber Security

Australia’s first cabinet minister for cyber security, Clare O’Neil recently presented a new plan for the country to become “the world’s most cyber secure country by 2030,” after Australia weathered multiple large-scale hacks in 2022.

In 2022, Australian telecommunications company Optus suffered a cyber attack that compromised 9.8 million customer accounts, Gerard Cockburn reports for The Western Australia.

Although the company says there aren’t reports yet of crimes being committed against those whose information was leaked, the amount of information left vulnerable to hackers has been under scrutiny. 

The just under 10 million victims of the Medibank hack weren’t as lucky. With heaps of patient data posted on the dark web, the Australian police have identified a group of Russian-based hackers allegedly responsible for the attack.

As recently as this week, the country has continued calls for Russia to take action on cyber criminals, saying their actions threaten national security, Alasdair Pal and Byron Kaye report for the Associated Press. 

In a move to increase the protection of private data, the Australian government passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 202, a piece of legislation that significantly increases the penalty for companies suffering from serious or repeated data breaches. 

Maximum fines have been raised from AU$2.22 million to AU$50 million, 30% of an entity’s adjusted turnover in the period when the contravention occurred, or three times the value of any benefit obtained through misuse of information,-whichever is greater.

“Major privacy breaches in recent months have shown existing safeguards are outdated and inadequate,” Attorney-General Mark Dreyfus said in a recent press release from the AG’s office. The bill also granted more powers to Australia’s Information Commissioner to tackle security breaches.

Now, to further try and tackle their cyber security issue, the Australian government recently released a discussion paper led by Andrew Penn. Penn is the ex-CEO of the telecommunication company TELSTRA and head of the National Cyber Security Board.

One central aspect of Australia’s approach is enhanced cyber security threat sharing through multiple avenues including utilizing Australia’s privacy act and 2021 the Surveillance Legislation Amendment (Identify and Disrupt) Act. The amendment previously came under fire by opponents because it gave police access to three new warrants without requiring a judge’s approval. 

The act includes data disruption, network activity and account takeover warrants. It allows law enforcement to modify or delete a suspect’s data, gain information from their computers and take control of their online accounts.

Critics have raised concerns that these measures may be too intrusive or may even open up opportunities for misuse by law enforcement agencies, Jack Dunhill reports for IFL Science.

“The cyber-capabilities of criminal networks have expanded, and we know that they are using the dark web and anonymizing technology to facilitate serious crime, which is creating significant challenges for law enforcement,” Australia’s opposition party said in support of the act at the time, Paul Karp reported for The Guardian. 

The discussion paper discussed multiple other ways to enhance regulation across the board for businesses and governments when it comes to cybersecurity.

“It is clear from stakeholder feedback and the increasing frequency and severity of major cyber incidents, that more explicit specification of obligations, including some form of best practice cyber security standards, is required across the economy to increase our national cyber resilience and keep Australians and their data safe,” the Penn-led Expert Advisory Board wrote.

The paper proposes expanding the definition of critical infrastructure assets to include customer data and “systems.”  This change would give the Australian Signals Directorate the ability to “step in” as a last resort in some emergency situations, including major data breaches like Medibank and Optus.

“This should also consider whether further developments to the SOCI [Security of Critical Infrastructure Act] Act are warranted, such as including customer data and ‘systems’ in the definition of critical assets to ensure the powers afforded to the government under the SOCI Act extend to major data breaches such as those experienced by Medibank and Optus, not just operational disruptions,” the paper’s authors proposed.

The Australian parliament and key industry leaders have already expressed resistance to this expansion due to fears that it may hamper recovery efforts. 

The Shadow Minister for Cybersecurity, James Paterson, said the step-in ability of the government was not meant for things like user data breaches but larger breaches such as attacks on telecommunication companies and energy suppliers.

“It would be a significant departure from the philosophy of those laws and the government would need to make the case it was justified, and that ASD had the resources required for what would be a major task,” Paterson said according to  CMAX, a bipartisan government relations and corporate strategy firm.

The Department of Home Affairs is seeking feedback on its upcoming Australian Cyber Security Strategy for the years 2023-2030. Australians have until April 15 2023 to submit their written comments and ideas through the department’s website.