Australian government wants power to run cyber-response for businesses under attack

Australia’s government has proposed giving itself the power to take over private enterprises’ response to cyber-attacks on critical infrastructure.

A new Consultation Paper titled Protecting Critical Infrastructure and Systems of National Significance [PDF] notes that critical infrastructure is vulnerable to cyber attack, that such attacks are already happening and that the nation needs a plan so that if something nasty happens – like a hack taking out energy suppliers - other industries don;t go down like dominoes.

The government’s plan is mostly to define more industries as critical infrastructure and make them “legally obliged to manage risks that may impact business continuity and Australia’s economy, security and sovereignty”. The government proposes to develop baselines that critical industries can use to help them meet their obligations.

But a few recommendations are rather more spicy, among them the suggestion that when an attack is detected “ …. Government be able to provide reasonable, proportionate and time-sensitive directions to entities to ensure action is taken to minimise its impact.”

Or the government could just kick the infrastructure operator out of the driver’s seat and take control.

“In an emergency, we see a role for Government to use its enhanced threat picture and unique capabilities to take direct action to protect a critical infrastructure entity or system in the national interest,” the paper suggests. “These powers would be exercised with appropriate immunities and limited by robust checks and balances. The primary purpose of these powers would be to allow Government to assist entities take technical action to defend and protect their networks and systems, and provide advice on mitigating damage, restoring services and remediation.”

Another says that critical infrastructure operators must not be allowed to hack back, but should “be empowered to take necessary, preventative and mitigating action against significant threats.” Under such circumstances, critical infrastructure operators should be given “appropriate immunities to ensure they are not limited by concerns of legal redress for simply protecting their business and the community.”

The document is a consultation paper and therefore exists to generate debate.

Justin Warren, an Australian IT consultant who serves global clients and is a keen observer of Australian government IT policy, believes the document over-reaches.

“Most of the document is vague platitudes,” he told The Register. But he thinks it is also worrisome because the definition of an “emergency” that would allow government intervention is broad.

“It requires you make guesses about the likely future behaviour of this and future governments,” he said.

Noting recent flimsy government oversight of other sectors in Australia, and harm that followed, he also raised the point that if infrastructure is sufficiently critical that it must be forced to comply with government regulations and permit government intervention, it should perhaps be run by the government.

“The document foresees a situation so bad that you need to quasi-nationalise a piece of infrastructure,” he said. ®