Key Points:
- The Australian government is proposing changes to the Security of Critical Infrastructure Act that would give the home affairs minister powers over critical infrastructure during cyber-attacks.
- Under the proposed changes, the minister would be able to order energy, transport, or communications entities to take action during a cybersecurity incident.
- The minister could also order companies to replace personal documents compromised in a data breach or share customer data with banks to prevent further fraud.
The Australian government is considering changes to the Security of Critical Infrastructure Act that would grant the home affairs minister additional powers during cyber-attacks. The proposed changes would allow the minister to order critical infrastructure entities, such as those in the energy, transport, or communications sectors, to take or cease action during significant cybersecurity incidents. These changes are being considered in response to the 2022 Optus and Medibank incidents. The minister would also be able to order companies to replace personal documents compromised in a data breach or share customer data with banks to prevent further fraud.
The proposed changes were outlined in a consultation paper released by the home affairs and cybersecurity minister, Clare O’Neil. The paper also discusses other potential areas for cybersecurity reform, such as mandatory security standards for smart devices and rules that would require more businesses to report cyber-attacks or extortion attempts.
The government argues that these changes are necessary to address the challenges that businesses face in responding effectively to cyber-attacks. Currently, businesses are restricted in sharing information with banks about affected customers, and the government does not have sufficient powers to direct them to take action. The proposed powers for the home affairs minister would allow for the direction of critical infrastructure entities to prevent or mitigate the consequences of an incident. They would also authorize the disclosure of protected information to allow for the sharing of information and the gathering of information for consequence management.
The consultation period for the proposed changes will close on March 1, 2024.