Proposed reforms aiming to shore up the security of Australia's critical infrastructure would prevent up to 90 per cent of cyber attacks, a senior security official says.
Australian Cyber Security Centre head and Australian Signals Directorate deputy director-general Abigail Bradshaw gave a blunt analysis of the cyber risk to Australian industry on Wednesday, warning of a global uptick in cyber attacks amid conflict in eastern Europe.
"The invasion of Ukraine by Russia has really marked an unprecedented level of malicious cyber activity on a global level," Ms Bradshaw told a parliamentary inquiry.
While many of the attacks were targeted at Ukrainian industries, Ms Bradshaw said there had been an increase in activity aimed at NATO nations and Five Eyes members, including Australia, since the war began.
Ms Bradshaw made the warnings during the inquiry's hearings into a proposed critical infrastructure protection bill, which seeks to require peak industries in technology, education, healthcare and trades sectors to adopt critical infrastructure risk management programs.
Each program would require organisations to identify hazards occurring and to minimise the risk of potential cyber attack on infrastructure essential for energy, food, water, transport, communications, health and banking and finance.
The protections would differ between industries, and not all would have to implement them if they already had suitable mechanisms in place, a determination made by the Home Affairs Department secretary.
Asked by Liberal senator James Paterson about the number of attacks that could be prevented if industries implemented the necessary safeguards, Ms Bradshaw said the protections would immediately lighten the load for the cyber security centre, allowing it to focus on higher risk factors.
"My gut reaction to that without doing any formal analysis would be in the vicinity of 85 to 90 per cent," Ms Bradshaw said.
While intelligence agencies advocated for the legislation, peak technology industry operators such as chief operations officer Dr Bruce Tonkin of .au Domain have expressed concern about the possibility they would be required to install third party software.
"Installing software into a critical system is normally done very carefully with extensive testing, so the idea of putting in third party software at short notice is generally extremely dangerous," Dr Tonkin said.
While the bill has a provision that only smaller industries would be required to install the third party software, there were concerns that the decision to require installation lies at the minister's discretion. Director of public policy at Amazon Roger Somerville called for further regulation of the government's decision-making.
"From our perspective, we're also very concerned that we still do need to see clear, practical guidance on how this would work as well as some form of strengthened oversight around this as well," Mr Somerville said.