New laws to protect critical infrastructure from malicious attack are a crucial step forward in protecting Australia’s economic nervous system from cyber attack, according to cyber security firm Macquarie Government.
The chief of Macquarie Government, managing director Aidan Tudehope, says the laws, initiated by the government last year and passed by the Federal Parliament overnight on Wednesday, were also a good example of continued responsible bipartisanship in cyber-security.
“The sad reality is that there are individuals, groups and even nations that have shown a willingness and ability to put the wealth, health and even lives of innocent Australians at risk by attacking critical infrastructure,” Tudehope said.
“Much of the infrastructure that allows us to operate in our day-to-day lives — power, communications, water, transport systems — are privately owned, and all are completely dependent on information and communications technologies to work.”
{loadposition peter}Tudehope said the government’s own core agencies are required to comply with well-established standards and best practice guidelines, but the effective protection of the national interest required these high standards to now reach beyond these agencies.
“The government is right to step in now, before we have had a major incident, to take a leadership role in overseeing the preparedness of owners and operators of critical infrastructure to address these new challenges.”
Tudehope said programmes developed to protect the government’s own agencies — such as controls over pathways to the Internet and certification of private sector cloud services by the experts in the Australian Signals Directorate of security standards — have become integral to the cyber security of the Commonwealth.
“The owners and operators of critical infrastructure — be they state governments or private enterprise — have been under no obligation to even consider these standards.
“The new laws mean the country’s leading cyber security experts in Canberra can now investigate the practices by these owners and operators.
“If necessary, the minister can step in as a last resort. Hopefully this will never be necessary as the passage of the laws should be enough to prompt critical infrastructure businesses to take action themselves to come into line with the standard practice for federal government agencies.”
Tudehope acknowledges that concerns of many in the private sector about governments intervening in their decision making was understandable.
“But the government has worked hard to strike an appropriate balance to ensure there is a focus on cyber safety without being overly intrusive, including the provision of a 12-month implementation period,” he said.