Enter the Matrix: Are new govt cyber powers being rushed in the wrong direction?

Share:

Share on facebook
Share on twitter
Share on linkedin

For some time, the federal government has been considering policies that would allow it to step in and intervene in the case of certain cybersecurity incidents that have potentially national implications.

It has slightly Matrix-esque connotations. I don’t mean in conspiratorial, the “system is controlled” sense. But in the sense of government agents / officers / operatives “inserting themselves” into the “system” to uphold the integrity and safety of critical infrastructure assets that may be threatened by a damaging incident.

In some people’s perspective, including corporations who think government cyber agencies would flounder when trying to grapple with the complexities of their information systems, it is a move that is inappropriate and potentially counter-productive.

In other people’s perspective, it is the sort of government oversight that is needed and which only government can provide, given its unique social and moral mandate to uphold the integrity of key national systems and assets.

Wherever you stand, the developments are important and worth noting. So here is a note to make sense of some important recent evolutions in the area of cyber policy and its national politics.

Government “last resort powers” – a 101

For some time, the federal government has been considering policies that would allow it to step in and intervene in the case of certain cybersecurity incidents that have potentially national implications.

These ‘last resort’ powers that would allow the government to intervene to contain a cyber attack on critical infrastructure.

A parliamentary committee yesterday commented that these intervention powers should now be “swiftly legislated”.

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) yesterday called on the government to split a bill rushed before parliament last year in two so as to allow it to pass parliament faster.

Under its proposal, part of the legislation that would be carved out and rushed through parliament. This part “sets up a regime for the Commonwealth to respond to serious cyber incidents” impacting the operators of “critical infrastructure“.

Critical infrastructure in this sense casts a wide net: encompassing sectors including communications, data storage or processing, financial services, health care and medical, higher education and research, utility services, transport, food and grocery, defence industry and space.

What could an operator be compelled to do?

Under “Ministerial direction”, an operator would be compelled to provide information, take certain actions, or potentially have the Australian Signals Directorate (ASD) insert itself into the incident response and provide direct “assistance” to counter the threat.

This is where the Matrix-esque connotations come in, for fans of the trilogy who may recall its portending of system-upholding “agents” in a tech-dominated society. I also note the relevance of this analogy at a time when the fourth film trailer – some two decades on – has been released, but this is the mother of all digressions.

“Never Send A Human To Do A Machine’s Job” (Agent Smith). The Australian Government adopts a decidedly different philosophy

Industry has consistently pushed back against these proposed powers, wary of having a third-party without knowledge of its systems or architecture suddenly add itself to an incident response.

The PJCIS said that evidence from Home Affairs secretary Michael Pezullo had swayed it to believe government incident response takeover powers were needed sooner rather than later.

Michael Pezullo recently said:

… Once the bill achieves royal assent as an act of parliament it allows us to activate certain emergency procedures under the government assistance measures, and it is those measures that, frankly, I would prefer to have on the statute books tonight”

Home Affairs secretary Michael Pezullo

In what circumstances would compulsion apply?

Thankfully, the committee expects that given the statements to date from witnesses regarding a willingness for cooperation in the corporate sector with the department and ASD, “these measures will need to be used rarely, if at all. And if they are used, it will only be on those entities that are unwilling or unable to respond appropriately.”

The PJCIS acknowledged there would still be “reservations with the enablement of the assistance measures, especially within the technology sector. However, the committee recognises that the potential threat faced to critical infrastructure assets is too great to stall introduction of these essential measures for any longer,” it said.

It noted with emphasis that the measures will only be used as a last resort.

New rules around mandatory incident reporting

Also present in the carved out and rapidly passed legislation would be new rules around mandatory reporting of cyber incidents.

Operators would need to tell the government of an incident having “a significant impact on the availability of the asset” within 12 hours, or 72 hours for lesser incidents.

Are these powers the right way to go?

This is the ultimate question.

I’ve written previously that there are inherent conflicts of priorities (and perhaps interests) when it comes to government intervention in what are inherently private spaces.

I don’t have any pretensions to libertarian views, and can well see the case for governments intervening where the national interest is at stake. But the concerns of corporates around government capability in this regard are well founded.

Government agencies and teams are ill-equipped to deal with the complexity of systems that many of Australia’s listed organisations have. Even in the event of a serious cybersecurity incident, there seems to be little that the ASD would add that these corporations — or their consulting partners — would not readily be able to bring to the table at short notice.

Whether the companies or organisations in question be telcos or major healthcare organisations, it seems difficult to believe that expertise cannot be found within their ranks or rapidly found close at hand.

While government assistance would be welcome, a government team or individuals working on the incident response itself seems too interventionist with little value-add.

In our view, the government’s role is best kept to regulation-setting and creating an overall national environment of cyber-awareness and consciousness, not direct intervention into private organisations where such interventions will only likely breed distrust and are unlikely to create much benefit.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.