O’Neil creates new cyber agency to fix ‘bloody useless’ legislation

By Julian Bajkowski

February 27, 2023

Minister for cybersecurity Clare O’Neil. (AAP Image/Mick Tsikas)

Home Affairs minister Clare O’Neil has conspicuously left the door open to organisations being allowed to pay ransomware extortionists to back off, as the Albanese government tries to put its own official seal on cyber security policy through the creation of yet another coordination agency.

The new agency, referred to as the National Office of Cyber Security, will be led by a “coordinator of cyber security” in what O’Neil on Monday was selling as a dedicated function to address what she slammed as years of “continental drift” under the Morrison government.

The move to create a dedicated cyber agency within Home Affairs follows the Albanese government’s creation of a dedicated cyber security ministry after the change of government.

Speaking on ABC Radio, O’Neil flagged the widening of definitions of what constitutes critical assets and infrastructure and slammed existing legislation dealing with cyber responses, namely the SOCI Act (Security of Critical Infrastructure Act 2018).

“We went through Optus and Medibank, two of the biggest cyber attacks that Australia has experienced last year, and in those events we were meant to have at our disposal a piece of law that was passed by the former government to help us engage with companies under cyber attack.

“And that law was bloody useless, like not worth the ink printed on the paper, when it came to actually using it in a cyber incident. It was poorly drafted,” O’Neil said, adding that her dedicated cyber agency would have made a “huge difference” had it existed.

The Home Affairs minister also momentarily stuck the boot into the Australian Public Service for dropping the cyber ball in her incoming brief before quickly redirecting the sledge at the former government.

Asked if the bureaucracy was aware of problems in the SOCI laws and whether there was notice of this in her incoming brief, O’Neil said there was not.

“Yeah, no, it wasn’t something I was warned about. And I think, you know, it was political leadership that was lacking. And I certainly wouldn’t blame public servants for any of these failings,” O’Neil said.

Asked whether there was “merit in having a public discussion about whether ransom should be paid to get back sensitive data that’s stolen”, O’Neil left that door wide ajar.

“I do think it’s, it’s an important public discussion. That’s why I haven’t shut it down and said that it’s something that we won’t consider,” O’Neil said.

One of the main issues with the SOCI laws, which ostensibly give the government the power to take over a compromised business’s systems, is that the business community, and especially multinationals, are fiercely resistant to giving the government any system access. That is unlikely to change.

The notion of a central cyber response controller within government is not new, although its elevation to a dedicated agency is.

Previous efforts have usually centred around Prime Minister and Cabinet in order to overcome rivalries between various security agencies and Defence’s signals intelligence, cryptographic and offensive capability functions.

One of the known issues with cyber is that as the need for various agencies and businesses to comply with protective security requirements – like the Australian Signals Directorate’s Essential Eight and Security of Critical Infrastructure Legislation – grows, so too do the compliance burden and funding demands.

Speaking on ABC Radio, O’Neil did not resile from the need to manage cyber costs better, a key complaint from non-cyber industry and stakeholders naturally suspicious of regulatory empire building and compliance-based rent seeking.

O’Neil said the new agency will “try to provide some strategy and structure and spine to the work being done across government.

“So it will mean things like making sure that the billions of dollars that we are investing in cybersecurity each year are being spent in a way that’s strategic and appropriate, that we’ve got different parts of government communicating with each other and working together on helping lift cybersecurity protections across the country.”

That of course will require yet another engagement with industry and stakeholders, with the government releasing another discussion paper today on how to better coordinate cyber efforts.

The big problem for all governments is that there has never been any agreement on what minimum cyber security standards should be and how these ought to be enforced, an especially vexing issue for small businesses that often struggle for clarity and resources to meet cyber mandates.

A major bugbear for businesses is that the government still allows banks to offload their losses for online payment card fraud, which nets circa $450 million a year in Australia, back onto merchants, creating a disincentive for banks to clean up their act.

At the same time there are serious security deficiencies in the so-called Open Banking and Open Data regimes, namely the reliance on so-called screen scrapers to give fintechs and other intermediaries account access.

Some of that is likely to be on the table when the Prime Minister and Home Affairs Minister try to sell their new game plan to industry today at a round table of stakeholders.

“The PM is hosting a roundtable in Sydney with cyber experts from around Australia… We’ll be talking about the key questions. We know cyber attacks are relentless, and they are growing over time.

“How do we set ourselves up for a safe future in the context of a really dangerous geopolitical environment that we’re heading into,” O’Neil asked.

With a Budget proposal that re-prioritises funding for a new agency and a new dedicated Minister for Cyber Security and eliminates the waste and inefficiency of previous proposals, one presumes.

“So this is a core national security risk, and the PM is very actively and personally involved in it,” O’Neil said.

