iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Australian businesses are set to gain new “safe harbour” protections that would allow them to share the details of a cyber attack against them with government cyber agencies without risking that information coming back to bite them in other investigations.
Late last year, Deputy Prime Minister and Minister of Defence Richard Marles suggested that the government would potentially introduce “safe harbour” legislation, allowing them the confidence to reach out without the fear of punishment.
“I can understand why companies in that instance want to make sure that whatever ASD comes across is not ultimately then the subject of what any other agency in government might do,” said Minister Marles.
Now, Home Affairs and Cyber Security Minister Tony Burke is set to launch new legislation that will outline new cyber measures, including granting affected businesses a safe harbour for cyber security reporting.
“We will be incentivising industry to share more information about cyber threats via strong limited-use provisions,” Minister Burke is set to state at the second annual The Australian Financial Review Cyber Summit, according to speech notes seen by The AFR.
“In responding to cyber incidents, knowledge is power. These provisions will enable organisations to share information with ASD [Australian Signals Directorate] and the cyber co-ordinator, who can then assist with responses to cyber threats early, without the fear of that information being used in regulatory action against them.”
Alongside the safe harbour, the new legislation will make it mandatory for businesses that pay ransom to threat actors over a certain amount to disclose how much they have paid and to who.
In regard to the above mandate and previous discussions about banning ransomware payments, the government said it currently does not have the required understanding to ban them outright or combat the ransomware business model and that the new reporting will assist in developing that understanding.
Additionally, the government is set to launch a Cyber Incident Review Board, which will analyse cyber incidents and the lessons to be learnt from them. Board members are yet to be announced.
Craig Searle - global director, cyber advisory, at Trustwave - says the move is a step in the right direction, "however, there needs to be a consistent yardstick by which Australian corporations can measure themselves in order for directors to then assess the reasonableness of their response and address the concerns raised by the Australian Securities and Investment Commission (ASIC)."
"While the Essential Eight is undoubtedly effective as a set of preventative measures, it is very difficult and expensive even for mature and well-funded organisations to achieve, as evidenced in Australian National Audit Office (ANAO) reports such as 'Management of Cyber Security Supply Chain Risks'. It also does not address response and recovery. This means it is unlikely to be suitable as a nationwide measure of resilience without significant caveats being adopted," Searle said.
UPDATED 18/09/24 to add Trustwave commentary
Be the first to hear the latest developments in the cyber industry.
