
New telco cyber security laws must promote action not more red tape, says TPG Telecom

Australia’s biggest telcos have welcomed new rules forcing them to update the government on their cyber security plans — with one caveat.

Vodafone owner TPG Telecom says “while it is always important to collaborate on matters of national security, we need to ensure any changes promote accountability without adding unnecessary regulatory burdens”.

TPG has warned new rules forcing telcos to keep the government updated on their cyber risk strategies or face hundreds of thousands of dollars in fines need to focus on promoting accountability without adding unnecessary red tape.

Days after the collapse of Optus’s network cut off 40 per cent of Australians from essential phone and internet services, Home Affairs Minister Clare O’Neil will move to classify telecommunications as “critical infrastructure”.

This means, for the first time, the boards of telcos will be held to the same standards as hospitals, utilities, ports and power plants. They will be required to develop risk management plans to fend off cyber attacks, which are costing Australians $42bn a year, based on the latest data from the Australian Cyber Security Centre.

The Albanese government is moving towards a European-style regulation of cyber security. Under the EU’s NIS2 Directive — which splits essential and digital service providers and came into force this year — companies can face fines of up to 2 per cent of annual turnover or €10m ($16.8m) for noncompliance.

Ms O’Neil blasted Optus in September last year after hackers infiltrated its database of more than 10 million customers and published a cache of sensitive documents, exposing Australians to identity theft and other financial crime. At the same time, she branded Australia’s cyber security laws as “bloody useless”.

Ms O’Neil said “reliable telcos are vital to Australia’s national security” and the Optus outage — the telco’s second reputational crisis in 13 months after last year’s cyber attack — underlined why the government needed to “both strengthen and simplify the rules”.

“As we learned again last week, nothing much works in the 2020s without reliable internet,” she said.

“Our telcos must be prepared for major vulnerabilities, have risk management plans in place, and build backups to maintain essential services when things go wrong.”

Minister for Home Affairs, Clare O'Neil, said Australia’s existing cyber security laws were “bloody useless” after last year’s Optus hack.

A spokesman for TPG Telecom — the nation’s third biggest telco — said the company supports “sensible reform to strengthen the resiliency and redundancy of our networks”, but cautioned against creating an extra layer of bureaucratic burden that doesn’t deliver on that promise.

“TPG Telecom … has been working with the government on streamlining the various legislative tools overseeing the nation’s critical communications infrastructure,” the spokesman said.

“While it is always important to collaborate on matters of national security, we need to ensure any changes promote accountability without adding unnecessary regulatory burdens.”

Despite ports being held to rigorous standards, one of the country’s biggest terminal operators DP World was forced to shut down its operations at the weekend — potentially throwing Christmas deliveries into chaos — after it suffered a cyber attack.

It was the latest in a series of high profile cyber assaults on companies including Optus, Medibank, Toll, Nine Entertainment, Latitude Financial and Australian Clinical Labs.

The country’s biggest telco, Telstra — which has about a 60 per cent market share of the business and government broadband market — said the new laws simplified existing cyber security rules.

A Telstra spokesman said: “Securing our nation requires all of us to do our part — Government, business and individuals — and it is a key part of Telstra’s strategy”.

“Telstra has worked closely with the Government as it develops its Cyber Security Strategy and associated reforms to critical infrastructure legislation,” a spokesman said.

“Strengthening of critical infrastructure security helps to safeguard Australians from cyber incidents and we welcome the government’s proposal to streamline obligations and remove duplication between the TSSR (telecommunications sector security reforms) and SOCI (security of critical infrastructure act) Telecommunications Risk Management Program.”

Telstra says managing cyber risks is everyone’s responsibility: government, businesses and individuals.

Optus vice president of regulatory and public affairs Andrew Sheridan also backed the reforms.

“Optus supports the announcement from government, and appreciates the ongoing consultation with industry about the security of critical infrastructure.”

The Australian Securities and Investments Commission said most companies are being “reactive rather than proactive when it comes to managing their cyber security”, exposing Australians to malicious threats from criminals and state-sponsored hackers.

Crucially, almost two-thirds of Australian companies have limited or no capability to protect confidential information, according to an ASIC ‘pulse’ survey based on almost 700 voluntary participants.

ASIC chair Joe Longo said: “For all organisations, cyber security and cyber resilience must be a top priority”.

“ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain — it was alarming that 44 per cent of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks,” Mr Longo said.

Mr Longo said there was also a need to go beyond security alone and build up resilience.

“It’s not enough to have plans in place. They must be tested regularly — alongside ongoing reassessment of cyber security risks.

“An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”

Originally published as New telco cyber security laws must promote action not more red tape, says TPG Telecom


Original URL: https://www.dailytelegraph.com.au/business/new-telco-cyber-security-laws-must-promote-action-not-more-red-tape-says-tpg-telecom/news-story/3a69866e454a43d99333d1aa6cebec3a