Safe harbour laws that temporarily shield companies from liability during a cyber-attack will be pursed by the federal government in a bid to improve information sharing with Australia’s cyber responders.
Defence minister Richard Marles foreshadowed legislation on Wednesday, as a new report from Australia’s cyber spy agency revealed a 23 per cent increase in cyber crime reports last financial year.
It follows reports that Australian Signals Directorate (ASD) efforts to help businesses recover from cyber-attacks are being hampered by lawyers, who are concerned about future regulatory actions from the government.
ASD director-general Rachel Noble has backed calls for such a legal protection, describing a temporary safe harbor as a “very attract arrangement” when asked during Senate Estimates last year.
The protections also have the support of the Business Council of Australia to reduce the amount of time businesses spend ‘vetting’ information to “ensure it cannot be misinterpreted by the plethora of existing regulators and government agencies”.
Speaking on ABC AM on Wednesday, Mr Marles said it was understandable that companies “want to make sure that whatever ASD comes across is not ultimately then the subject of what any other in government might do”.
“So, that safe harbour concept is absolutely a concept that we want to see pursued. We need to be building the greatest possible confidence that we can for companies to interact with ASD in the moment,” he said.
Mr Marles said “safe harbour mechanisms”, including legislation would be examined by the government and that the issue would form part of the national cybersecurity strategy, which is expected to be released as early as next week.
“The issue here is that if you’re a company and you’re in the midst of a cyber-attack. You need the best advice you can get. The ASD is really our expert here, and their ability to come in in the moment… is really critical,” he added.
Mr Marles comments followed the release of ASD’s latest annual threat report, which shows there were more than 94,000 reports of cybercrime last financial year, or one every six minutes – a 23 per increase on 2021-22.
The report also shows that ASD responded to 1,134 cyber incidents in 2022-23, mainly in the federal government (30.7 per cent), state and local government (12.9 per cent) and professional, scientific and technical services (6.9 per cent) sectors.
ASD responded to 143 cyber incidents related to critical infrastructure last year – 50 per cent more than in 2021-22. Attack vectors include operational technology connected to the internet and corporate networks.
It is unclear whether the increase in incidents is related to the start of new reporting obligations under critical infrastructure laws, with 2022-23 the first full financial year after since the legislation was passed.
The report indicates the main type of incident affecting critical infrastructure providers were related to compromised accounts or credentials, compromised assets, networks or infrastructures, and Denial of Service.
“These incident types accounted for approximately 57 per cent of the incidents affecting critical infrastructure for 2022–23. Other more prominent incident types were data breaches followed by malware infection,” the report said.
ASD has urged critical infrastructure providers to “report anomalous activity early and not wait until malicious activity reaches the threshold for a mandatory report”, having notified seven entities of suspicious cyber activity – two more than last year.
