Labor could face Senate difficulties if it tries to dramatically expand the government’s powers to directly intervene in companies’ IT systems during cyber-attacks.
Under existing laws – which were controversial when introduced by the former Coalition government – the Australian Signals Directorate has the ability to “step in” as a “last resort” in some emergency situations, but only for critical infrastructure assets.
A discussion paper released by the government on Monday proposes expanding the definition of critical assets to include customer data and “systems”.
That option would “ensure the powers afforded to government … extend to major data breaches such as those experienced by Medibank and Optus, not just operational disruptions”.
But the Coalition and the Greens – which together hold more than half of the seats in the Senate – have expressed reservations about changes that could dramatically expand the reach of the “step in” powers.
The shadow minister for cybersecurity, James Paterson, said the critical infrastructure laws and emergency step-in powers “were never intended to guard against data breaches but even more catastrophic attacks on our most systemically important businesses like telco companies and energy suppliers”.
“It would be a significant departure from the philosophy of those laws and the government would need to make the case it was justified and that ASD had the resources required for what would be a major task,” he said.
The Greens senator David Shoebridge, who is responsible for the party’s policy on digital rights, said the government had “not made a case to justify the expansion of these extraordinary takeover powers”.
Shoebridge said the existing laws were designed for critical infrastructure “and can’t simply be copy-pasted to solve another problem”. He said the nation could not “keep relying on reactive measures and god-like takeover powers”.
“Any powers must be strictly limited in scope and subject to close scrutiny and review, including full transparency in the way the powers are used to ensure people’s personal data is safe.”
While the Labor government has not yet drafted a bill outlining specific changes, it has opened a public debate by declaring it is “having a big look” at cyber laws.
The minister for home affairs and cybersecurity, Clare O’Neil, said the existing laws envisaged that in “limited circumstances it will sometimes be necessary for government to come in and assist an Australian company or organisation to help manage a cybersecurity incident”.
“The problem today is that those powers are very, very narrowly defined,” O’Neil told reporters in Sydney.
“The question Australians need to ask is when we look to 2030 and understand the growing, relentless, huge nature of the threat that we confront, do we want to equip government to be better able to support businesses and organisations when they are under that really serious cyber risk?”
O’Neil said the government was also considering making it illegal to pay ransoms to hackers in a bid to “reduce the fruits of ransomware for cyber criminals” and signal that “we are not a soft target”.
The discussion paper, written by the government’s expert advisory board, said the Optus and Medibank incidents had exposed “gaps” in Australia’s existing incident response functions.
“It is clear that a package of regulatory reform is necessary,” wrote the former Telstra boss Andrew Penn, the former air force chief Mel Hupfeld and the cybersecurity expert Rachael Falk.
Another option they suggested was a new cybersecurity act “drawing together cyber-specific legislative obligations and standards across industry and government”.
The paper said business owners “often do not feel their cyber security obligations are clear or easy to follow” and clearer standards would “increase our national cyber resilience and keep Australians and their data safe”.
Penn told the ABC’s 7.30 program the definition of critical infrastructure should remain under review because “the amount of things we’re doing online today has increased dramatically and that will only continue to increase in the future”.
“The more we do things online, the more they do potentially become vulnerable to malicious cyber activity,” Penn said.
Earlier, Anthony Albanese told a cybersecurity roundtable event that his government was concerned about increasingly prevalent “state-sponsored attacks” and other criminal acts seeking a profit, such as ransomware.
“Clearly as it stands, government policies and regulations, business sector systems and measures and our general awareness and capacity as a nation are simply not at the level that we need them to be,” the prime minister said.
“This is an ever-evolving threat and it will need adaptation from us and from business and government to make sure that we keep on top of this.”
The government also announced it would appoint a new coordinator for cybersecurity, supported by a national office for cybersecurity within the Department of Home Affairs, “to ensure a centrally coordinated approach”.