‘Hack back’ powers to repel cyber attack under proposed national security laws
Security agencies to win power to fight back in an extreme cyber attack under proposed laws.
Proposed national security laws will allow a “national emergency” to be declared during an extreme cyber attack against critical infrastructure, giving security agencies, for the first time, the power to counter-attack through commercial networks.
As private sector assets deemed critical to the national interest come under increased attack, an alert system based on the terrorism threat level advisory is also being flagged for cyber threats.
The new powers would work alongside the 2001 Intelligence Security Act, including “emergency” provisions for the use of classified capabilities to protect critical private sector assets in the most extreme cases.
A Department of Home Affairs discussion paper, obtained by The Australian, outlines proposed changes to the Security of Critical Infrastructure Act imposing obligations on companies to employ encrypted cyber defences under a three-tiered system ranking the national significance of commercial assets and systems.
The proposed laws will dramatically expand the industries covered under security legislation from only the physical protection of the gas, water, electricity and ports sectors to include cyber attacks against the health, banking and finance, food and grocery, data and the Cloud, defence industries, transport, space, education, energy and communications sectors.
“In an emergency, we see a role for government to use its enhanced threat picture and unique capabilities to take direct action to protect a critical infrastructure entity or system in the national interest,” the discussion paper says. “These powers would be exercised with appropriate immunities and limited by robust checks and balances.
“In these situations, it may be appropriate for government to declare an emergency. Further, it may also be appropriate for an alerting system at the national level, similar to the current National Terrorism Threat Advisory, particularly for a cyber-related attack or incident.”
Industry voices have been calling for government assistance to protect commercial systems and assets from attacks that are beyond their capability to defend against. Industry also faces legal limitations preventing it from “hacking back”.
The discussion paper outlines assistance for entities that are the target or victim of a cyber-attack, through the establishment of a government capability and authorities to disrupt and respond to threats in an emergency.
The government will release the paper to engage industry in the drafting of new legislation that the government plans to introduce in the October sitting.
In the most extreme cases, it would involve the Australian Signals Directorate being called in to defend against an “immediate and serious cyber threat” to Australia’s “economy, security or sovereignty, including threat to life”.
The government said the emergency powers would be used only in exceptional circumstances and limited by robust oversight mechanisms, but would give agencies the power to “take direct action to actively deny, disrupt and respond to malicious activity with corresponding powers and immunities” to protect the country’s most significant networks.
Over the past two years, there have been numerous cyber attacks targeting federal parliamentary networks, water services, airports, logistics companies and universities.
Businesses operating in key supply chain networks transporting groceries and medical supplies have also been targeted.
Health sector organisations and medical research facilities have also been targeted during the COVID-19 crisis.
Health service providers, the finance sector, legal, accounting and management services, education and personal services are the top five industry sectors targeted by malicious or criminal attacks and cyber incidents.
Entities covered under the proposed legislation would be categorised under the regime as a “critical infrastructure asset”, a “regulated critical infrastructure asset” and a small subset of entities — that are the most important to the nation — would be called “systems of national significance”.
Home Affairs Minister Peter Dutton said in the case of a cyber emergency, Australians would expect the government to act. “We cannot be complacent,” he said. “Owners and operators of critical infrastructure are facing evolving threats, including increasing cyber attacks.
“An incident involving Australia’s critical infrastructure has the potential to cause significant consequences across our economy, security and sovereignty.
“Security is a shared responsibility. Australia is more resilient and secure when we work together. Businesses and all levels of government have a role to play and we are committed to building on this partnership.
“By strengthening and better protecting critical infrastructure from threats, Australians can be assured that government and industry are working together to do what is necessary to keep Australians safe and protect our economy.”
The cyber security strategy released by Scott Morrison last week endorsed new definitions of critical infrastructure and systems of national significance, responding to calls from the industry advisory panel led by Telstra chief executive Andy Penn.