Are you ready for the new Critical Infrastructure law?

Welcome to ASPI, everyone, and to the lands of the Ngunnawal people. I'm Fergus Hanson, director here at ASPI. It's incredibly nice to be in a room full of life forms besides my terrier, and also nice to be joined by the hundreds and hundreds of people who are tuning in to us from around Australia. I ask if you could bear with me: this is my first in-person event where I haven't been in my board shorts and with my terrier for the last year. But we're here today to talk about the critical infrastructure bill, which is a major legislative initiative by the government, and for people joining us today, the cyber security risks that surround our critical infrastructure won't be any news to you.

I had my own encounter with cyber security and critical infrastructure very early on in my role here. A friend who helped manage a water treatment plant was telling me the story of how they brought in hackers to test the resilience of their systems. The whole executive was standing by while this young man went to work, and they were all feeling fairly confident, until, very quickly on in the piece, he said, "I'm finished." They were massively disappointed, and the executive spent the rest of the day in crisis mode thinking through what they might be able to do better. They left that evening feeling like they were in a bit of a better place and that they had the situation under control. The kicker came, though, the next day, when my friend received this call from the hacker, who said, "Would you like me to switch it back on?" And he said, "Switch what back on?" And he said, "The water treatment," which had been left off for the previous 24 hours.

So there's obviously lots of issues here, and of course this bill goes a long way beyond water treatment plants. It goes so much further that I wonder if many of the businesses that are going to be affected are actually aware of the extent to which they're going to need to change their operations. That's why we convened today's event: to provide an opportunity to better understand what this bill is going to mean and what companies need to do to prepare for it.

We have Hamish Hansford here, the first assistant secretary for cyber, digital and technology policy at Home Affairs, who's the lead public official on this bill and is here to answer your questions directly. We have Nick Lehmann from Splunk to provide a perspective from a cyber security firm, given that cyber security firms are going to be so central to uplifting this space. And Nick, can I just thank you and Splunk for making this panel possible today. And we have Sarah McCullough, the chief information officer from Essential Energy, who's joining us remotely. Essential Energy runs the electrical distribution network for the vast majority of New South Wales, so she'll provide a perspective from a company that's going to be impacted by this bill.

The format for this afternoon's event is a panel discussion, which I'll shortly commence, and a Q&A where we'll be taking questions from both the audience here in Canberra and the many people joining us online. So please get your questions ready, and I'll do my very best to get through as many of them as possible, including the online questions. I wish I could press the mute button right now, but for the audience here in Canberra, we're going to be serving canapés afterwards.

Hamish, I'm going to turn to you first, if that's okay, just to give us a bit of a précis of what this is about. What are the reforms, what are they intended to achieve, and why do we need this bill?

Well, thanks. I might just go back in history to 2016, when the government released their first cyber security strategy, which was really premised on the idea of the cyber industry in and of itself. Two years later, the government developed and put through the parliament a Security of Critical Infrastructure piece of legislation which targeted four sectors, effectively the utilities. The environment changed, objectively, from 2016 up to 2020, and it was really some of the issues that we were consulting on in the development of the 2020 cyber security strategy: industry was saying that cyber security was becoming an increasing threat. I think the last couple of months have demonstrated the impact of ransomware; SolarWinds and Microsoft Exchange are all elements of the cyber threat.

But what the new piece of legislation does (the bill was introduced on the 10th of December last year) is expand the 2018 legislation from four sectors to 11, and it really starts to set out a regime to deal with risk, and it's all-hazards risk, but there's a particular focus in the legislation on uplift of cyber security for those 11 critical sectors. I think it's really premised on the need for what we saw during COVID: the importance of supply chains and the importance of critical infrastructure that both run our lives and help us live our daily life, but also are incredibly vulnerable to some of the security threats. So the new legislation sets out a positive security obligation for critical infrastructure in the 11 sectors and sets up a baseline which many companies are potentially already doing. For a number of years companies have been mitigating risk, and this sets up a regime that really focuses on our critical infrastructure. And then, we can get into it later, there's a particular part of the legislation which particularly focuses on systems of national significance and adds another layer of cyber security obligations around those systems of national significance, really drawing out the impact of some of the critical systems that underpin the functioning of our prosperity and our security as a nation, and having added protection for those. So a bit of a history, Fergus, and a bit of a summary, at a very high level, of the legislation introduced on the 10th of December last year.

Great, thanks Hamish. Nick, maybe I can turn to you. The cyber security industry, as you know, is for firms that have been made aware of a problem and then they don't fix that problem. What's your view on the need for these reforms, and will the legislation change this problem that we've got of companies knowing they have a problem but having inertia stopping them from doing something about it? In your view, are the reforms needed, are they unnecessary, are they overdue? Where are you at?

So, to echo Hamish's words, I see this fundamentally as being the intersection of two major muscle movements. The first is the increasing importance of the digital world to Australia's interests, whether it's economic, whether it's social, whether it's security, and then the increasing scale and sophistication of threat that we all face, but critical infrastructure in particular faces. I don't, however, think that a discussion of the need for the reform from a business perspective is really a relevant one nowadays. The government signalled that critical infrastructure was going to be a main focus in the 2020 security strategy; consultation began in August of last year, and I think from business's perspective, as opposed to academia or the press, our focus is actually on understanding the implementation of what government wants and making sure that those organisations that may be affected are planning and preparing for the implementation. So I think that from the business perspective the actual need now is one of understanding and one of preparation, because the discussion is... well, I think government's intent is crystal clear and it's something that we need to address as such.

So maybe I'll throw to you, Sarah, just to chase the question on that. I'm sort of curious to what extent the companies and sectors that are going to be affected are aware that they're going to be affected by this legislation. So when we were casting around to get an industry perspective on this, I went to a bunch of different folks that were going to be covered by this legislation and very often was met with blank stares by different associations about what this bill was. I'm just wondering, Sarah, I'd love your perspective to start with. Maybe, using your view of the people you're speaking with in the industry: are they all ready for this? Is everybody across this? Beyond the electricity sector, are you aware of people being fully across this, or is it still a bit of uncertainty?

Yeah, thanks Fergus, and thank you for having me today. I appreciate being virtual: I get the pleasure of wearing board shorts and having a mute button, so very pleased to be here. Look, I think as a critical infrastructure sector representative we're very okay with the proposed legislation and have had good interactions to date through the industry groups. I suspect that some of the other sectors that are coming into this legislation for the first time are probably the ones who are coming up the curve, as opposed to those who have been on the journey. Representing the energy sector, or Essential Energy, here today, we've definitely been on a journey to take a risk-based approach to cyber security and risk management more broadly under our licence conditions, so it's very much a factor for us; this is a continuation of where we've been. So I do think, if you are in one of those sectors that are not aware of the legislation, there have been ample opportunities to come on the journey to date through those interactions.

Great. Nick, do you have a perspective on that? Are you talking with all the companies covered by this bill, or is it still a handful that are aware of it?

I think we recognised fairly early that this bill was potentially really impactful on a variety of customers of ours who work in the critical infrastructure sector, and so we sought to engage with them. Again, the aspiration is to be a strategic partner and not a transactional vendor to them, and so we had a series of webinars and engagements that were focused on what it might mean, because there was a whole lot of uncertainty over the journey, and the details are still being worked out as to what the legislation means in implementation. The thing that actually gives me a great deal of heart is the fact that there are several hundred formal responses to the three formal opportunities to engage: the initial consultation paper, the draft legislation, then the PJCIS review. To me that indicates that stakeholders are engaged. I don't have a reliable view on how well that covers all 11 sectors, but I think the other thing that's really important is that where the rubber hits the road for the legislation in implementation is the sector-specific co-design activities, and those workshops started this month with energy (I think it was electricity and gas specifically) being the first of those, and it's going to roll out over the next 12 to 18 months. These are critical in my view, and in Splunk's view, and we've been trying to tell everyone in our client base, and anyone who'll listen, that this is the chance for business to be heard and to understand what government intends. You've got to be involved in this process, in our view.

This is really a question to all the panel, but maybe I'll ask you first, Hamish. When we're looking at this bill, it's expanding the scope of what is considered critical infrastructure. What is it that's triggered an expansion of the scope? Why is it suddenly that some things that haven't been considered critical infrastructure previously are now considered critical infrastructure? What's been the trigger, or the defining feature, the moment that's moved something from this side to that side of the ledger?

I think our experience during the last couple of years has demonstrated that there is a changing threat environment and a real and present threat to critical infrastructure, particularly from the cyber vector, and the importance of critical infrastructure in our lives. I think the 2018 legislation got us to a conceptualisation of utilities as critical to our life, and I think the expansion to the 11 sectors really tries to articulate in legislation what are the critical things that run our lives. But I think the important thing to potentially realise, and I think you potentially made the point, is that this new legislation doesn't start at the beginning. One of the key principles the government has really asked us to look at is to try, as far as possible, to reduce the regulatory impact on Australian business, and there are a whole range of sectors that are highly regulated, from the finance and banking sector, which has relatively sophisticated levels of security, to telecommunications, which has a whole regime in the Telecommunications Act. What we're trying to do, though, is put all of the critical infrastructure together in one piece of legislation because of their interconnected nature and because of the relationship between the different sectors. And then, we'll get to government assistance later, I'm sure, the second part of the legislation is: if we're going to protect critical infrastructure, there are certain tools that the government can bring, in partnership with industry, that can apply to protect critical infrastructure, particularly in that nightmare scenario of a cyber attack. Putting those 11 sectors, which really underpin the functioning of our society, together in a single piece of legislation that has the government assistance regime supporting those sectors is, I think, another driving factor.

So with that kind of philosophical underpinning, is there an anticipation that you would add other sectors as they become critical to the economy, and you'd just do a rolling review of additions and subtractions if necessary?

I think the government's open-minded to that, but when you look at the critical infrastructure sectors that have been chosen, they're pretty representative of those that impact our infrastructure and our lives, and importantly I think they capture supply chains as well. So on the face of it, it is 11 sectors, but the supply chain security element goes right down into, ultimately, almost all parts of the economy.

Sarah, I was going to turn to you. I'm guessing the electricity sector has always considered itself to be critical infrastructure. You've obviously, I'm assuming, seen an increasing cyber security threat in recent years. How has that affected somebody in a CIO role like yourself? Has the priority for cyber security actually changed in terms of resourcing? Has it increased, decreased, stayed the same?

Yeah, good question, Fergus. I think we've seen, as we've discussed today, that explosion of the importance of cyber security, and that has been felt through how we manage the risk and also how we resource and have responded to that cyber threat, which continues to evolve. Some tangible and practical examples: today in the audience we've got our head of cyber security, Essential Energy's Brad Flanagan, and that's a new role that we've created in response. Hopefully Brad's there somewhere waving. But that's a new role that we've created in response to the importance of cyber security, and that works really closely across our executive, and also the increased focus from the board and the executive in response to not only cyber security but also risk management and the criticality around it. We've also seen, Fergus, the realisation that cyber security, particularly internally, is not a technology problem; it's a people, process, technology, whole-of-business problem, and the expansion of the awareness around that has increased. So it's not only the resources we're putting on that are directly cyber security experts, analysts and so on; it's a realisation that in everyone's job description that's part of a critical infrastructure provider there's an aspect there of "what do I need to do to protect our business", and that's really starting to come through. I think this reform and this legislation looked at what we need to do as a nation to address that, because it's not an individual sector, business or industry, and we're all going to have a part to play there. I think it's definitely coming through.

So for somebody in your shoes, where you're already operating what's widely regarded as critical infrastructure, you've had a lot of time to be attacked and, you know, think about the risks. Is this legislation going to change the way that you do things at all, or is it going to be business as usual?

I think there's a little bit of wait and see there, seriously, as we work through some of the nuance on how this would be implemented. It's really heartening, and Hamish and the team have made it very clear throughout the interaction, that the desire to use existing regulation and reporting frameworks is one that's particularly of interest to us. We are heavily regulated, and to create another mechanism through which we report would be duplication and expensive, and the real objective of the energy sector, and certainly the signatories to the Energy Charter, of which Essential Energy is one, is to continue to drive affordability for our consumers. There is very much this sense from customer advocates that any legislation changes or increases in our response need to be encountered with the realisation that this is cost that will be borne by consumers. So the other overlay I'd put on there is that hopefully it doesn't have a huge impact on how we do business; it will be regulatory reporting requirements, and of course we already participate in the industry-wide cyber, which are fantastic and I recommend to anyone who's not doing them. So provided we're able to streamline that reporting and compliance, it'll take some change, but hopefully we can fold it into how we work now.

Well, maybe I can just spend a moment on the concerns that different sectors have raised. What's come out of your discussions, Hamish, in terms of concerns that industries have flagged with you? What are the things that you're grappling with or thinking through?

Sure. I think the first thing to say is, on the design of the overall framework, we've spent a long time through many consultation processes to try and get the overarching legislation and design of the legislation suitable, I think, for all in terms of the framework. So I don't think anyone's particularly arguing against the framework of the legislation; it's really down to the co-design of the rules, how it would operate in practice, what the obligations are and the cost to industry. I think the number one issue to note is that lots of these obligations should already be done by business, and by putting a positive security obligation on critical infrastructure, hopefully that should already represent the management of personnel security, physical security, supply chain security and cyber security within existing critical infrastructure. And if there's an existing regulatory regime which supports those outcomes, then the co-design of the rules will reflect the existing regulatory regimes. I think there is a lot of concern around the co-design of the rules, and trying to factor in how much a new regulation will cost and what it will all mean in practice; there's obviously a bit of nervousness from some elements of industry around that, and we've committed, both in the explanatory memorandum and in the public statements the government has made, to do that cooperatively and together. So I think there's an area of discussion around co-design, and we're trying to be as transparent as we can there.

Are you expecting it to be costly? I mean, have you done modelling to look at what you're thinking it's going to cost for the different sectors to uplift and things like that?

Yeah, and parts of that: we've obviously done a regulatory impact statement of the overall regime, and we're committed to do that for each of the sector-specific rules, so it's kind of an ongoing body of costing. But I think the flip side that we're particularly mindful of, and we do cover it in our submission to the parliamentary joint committee, is the cost to industry of a cyber event, and particularly looking at, if that event has a 10 impact on your business and puts it down for a certain period, what's the dollar impact. So we're both looking at the cost but also the benefit, and that's both been done in the overall design of the regime, but it's an ongoing thing that the government's committed to.

Yeah. And Nick, from a cyber security firm's point of view, what are the concerns that people have been flagging with you?

I think that every organisation is somewhere on a cyber security journey, and so it faces a different risk profile, it faces a different funding profile and, quite frankly, as was referred to before, there's a different degree of management attention on it. This legislation, I think, will provide a laser-like focus for critical infrastructure on that. There's probably three or four. The first is the old adage that attackers only have to be successful once, but the defenders have to be successful all the time, and that goes to the heart of cyber security as a constantly evolving test of management resilience and focus and technical expertise in order to achieve the cyber security outcomes for the organisation. Having a single pane of glass, whether you're a tier one SOC analyst or you're a CFO in a boardroom trying to judge whether a cyber security investment is worthwhile for the business and justifies that risk and the cost that Hamish talked about, is a management and technical concern that straddles the whole cyber security approach of an organisation. There's also the fact that the attack surface is just expanding exponentially. I'm old enough, in case anyone wasn't clear, to remember when IT and OT security were kept separate, segregated, and that's how you ensured the cyber security of both. Well, we're all aware that that's being smashed together and that the amount of OT, of operational technology, out there with an IP address is phenomenal, and that expands the attack surface, let alone, as I said at the start, the scale and sophistication of the threats that we face. And lastly, I think there was a point that Sarah made about the human factor, about attacks at machine speed, about a shortage of people with skills, about making sure that your people are focused on where they add the best cyber security value to the organisation, and that kind of cuts into automation of response and orchestration of response: in its simplest form, playbooks, and then you can go up through AI and ML assisting those run-of-the-mill tasks. And all of it, of course, has to be done in a way that is justified in terms of earning a slice of a business's budget. So they're complex challenges, and they depend on each organisation's specific circumstances, noting that the critical infrastructure reforms will set a baseline of expectations from government, with penalties attached if you don't hit that baseline.

Right. Hamish, I wanted to turn to the most controversial part of the legislation, which is the government step-in powers. Could you walk us through practically what that is going to look like? Is Sarah going to be frog-marched out of the Essential Energy offices and replaced by the ACSC, or what's going to actually happen in practice here? And why does government need this power, and what's practically going to be gained by having it?

Sure. Well, I think the very first premise of the government assistance power, and we don't really refer to it as step-in powers, it's really there in terms of government assistance, is that for the majority of cases the government would like to work voluntarily with critical infrastructure providers and entities in the supply chain. But there are some circumstances where, for business reasons, for legal reasons, companies and critical infrastructure providers don't necessarily want to work with the government, and so there's a graduated regime in the new bill that sets out a whole range of different powers that ultimately lead up to a government assistance power. So it's everything from information-gathering powers to directions powers to actually forcing the collaboration with the government to assist in a cyber security incident. I think when you look at the bill, the government's taken a lot of time to put the bill together in a way that really balances the threshold at which that regime will start, and looks at balancing a whole range of different issues, from proportionality to reasonableness, to putting all of the thresholds in the legislation to deal with some of the scenarios that you started with at the beginning of this presentation and discussion, around some of those nightmare scenarios. I mean, what do we do if a power grid is taken down for a prolonged period? How can the government assist? And at the very top end, where companies don't want to work with the government, how can that assistance actually be compulsory, to try and deal with the cyber security incident? So it's not a step-in power in the sense that the government's going to come in and run a company; it's a step-in power to assist with a cyber security incident. It's really premised around assistance.

Sarah, maybe I could just turn to you. I don't want to make you say never, never say never, but do you imagine, and have you talked about in your organisation, that these assistance powers might be necessary for your business?

Look, I think the discussion has started, and the instance in which these powers would be used is one where a fairly catastrophic or serious event is happening. So, touch wood, we haven't had that circumstance to date, and some of the challenges I think with the powers would be the logistics of how that practically works, and what can we do to support, and how do we work together as a supply chain in those instances, or as a value chain, to resolve the incident. I do take some level of comfort that there is the ability for a coordinated approach. I think we have seen a number of instances where the supply chain needs to be contemplated when reacting to a cyber security incident. I think for me the devil is in the detail, and just working through what that would look like and how practically that response would assist is the next level that we need to work through.

If we are talking about this as a real crisis situation, where it's in extremis that you can have this assistance being offered or provided, in that scenario, are we talking about, you'd imagine, a fairly catastrophic-style, national-scale attack? Are we talking then, does the ACSC have the resources to back up that level of assistance to 11 sectors across the economy and presumably hundreds and hundreds of entities providing these services? Or is it going to be modelled on a triage sort of approach, where some sectors will be prioritised over others, or just deal with it as it comes?

I think if we're in a situation where there is a large-scale, multi-sectoral cyber attack, industry are going to be critical, and they're on the front line to respond. What the premise of the legislation is, is that there are some tools the government, through the Australian Cyber Security Centre, can offer to assist in a situation, and I think once you view the legislation in that regard, it's not about the government coming in and taking over; it's about the specialised tools that the government has to complement industry, who are at the front line of defending their networks, of responding to cyber security attacks, who are patching systems. So I think the premise is: are there certain areas where the Australian Cyber Security Centre can step in, well, not step in, actually, it can assist industry to rectify an issue. And I think once you view that as the premise, the government's here to help, and we're here to help in special situations, and we have special tools to assist, but the majority of the cyber response will be for industry.

Can I ask, what type of situation do you think this power would be useful for, the assistance power?

That's an interesting question to put to a vendor. I think the thing is that the assumption has to be one of good faith across your business. I'm just curious what they're doing. The way I see it is that government has tools and, full disclosure, I actually worked in government in this sort of area for a while, so I guess I bring a certain perspective to it. If a company or companies are overwhelmed in services that matter to the Australian national interest, then the assumption would be it's a very well-resourced, sophisticated state actor. I think that's probably a reasonable starting point. In that case, if an individual or a sector or sectors is hit by a cascading, overwhelming attack, it seems to me to be precisely the sort of circumstance in which government, with its unique views and unique tools, should step in, has an obligation to step in, to assist. Sorry, vocab is important. And so I think that that is reasonable. As I said, however, I have a certain perspective on national security shaped by my background, so not everyone might. I'm wondering if perhaps the situation in Victoria with Victorian hospitals, and you might remember the cyber security there a couple of years ago. There seemed to me to be a very genuine desire on behalf of a lot of cyber security providers and different organisations to assist in that circumstance, given the impact that it had on Victoria and its health system, and hopefully that sort of goodwill and the understanding of the threat that Australia faces will go beyond sheer money or contractual considerations to have us respond to a threat of that magnitude. Or at least I'd like to hope so.

I'm going to start opening up to questions, so if you've got questions, please let me know by raising your hand. I've got a couple that have come in online, and there's one on this topic, so I might just chase it to you, Hamish, if that's okay. The upvoted question, and I'll just read the end part because I think you've covered the first part: is there a moral hazard here, business sitting back and letting government just solve the problem and not having to do the job themselves, and is there sufficient oversight of this power, such as judicial oversight?

Well, a couple of points to maybe talk about. In the physical world we don't require companies to have an air force at all, or submarines, or to really look at the pointy end of an attack on Australia. So I think in the online world, particularly from a cyber vector, it's almost like having a strike fighter in reserve to have a surgical response to certain issues. And so I think if you conceptually look at that, the physical world and the online world, it really is surge support during a period of intense cyber security event or crisis, and it's really an assistance function. So I think that's conceptually, for me, important. In terms of oversight, I think when you look at the legislation, you look at the very impact of an event like this, and the very first thing is that the threshold about a cyber security event impacting the economy, the prosperity of the nation or the security of the nation is a very high bar to start with, so you're already almost in a national crisis. The fact that the Minister for Home Affairs then has to seek agreement to use the powers from the Minister for Defence and the Prime Minister is another check. The inherent oversight functions of ASD as the assistance body, from the Inspector-General of Intelligence and Security, the work of the Ombudsman on the department, all the oversight functions that function every day to keep government in check are existing, and then obviously there's always the original jurisdiction of the High Court if you get into very difficult territory.

Right, thank you. Are there any questions in the audience here? Yes, Catherine.

Hi. It's interesting, we've spent a bit of time today talking about some of the ye olde types of critical infrastructure, you know, poles and wires, and one of the things that is in the new legislation is an expansion into some non-traditional, softer areas. So health was mentioned, education, data centres, and I wonder, just on that point, again we're talking a lot about burdens on industry, but how does the relationship differ when we're talking about the research sector, for instance, maybe state governments, and how do you get that balance right between imposing compliance obligations and genuine capability uplift when dealing with a really diverse array of people and assets affected?

Sure. Well, I think the first thing is, as I mentioned, some sectors are much more mature than others, and some sectors have inherently and deeply thought about security as an integral part of how they function; others are coming a bit new to the issue, and there is a great diversity of depth and experience across those sectors. What I'd say, though, is that the legislation is really targeted at critical infrastructure assets, networks, systems, and so when you think about a sector like the education sector, we've got to really take the next step about co-designing, under the definition of education and research, well, what are the types of assets, networks and pieces of infrastructure in that sector which are truly critical? And then have the additional question about: are there things that are so sensitive, in terms of connectivity, that relate to other critical infrastructure sectors, that really underpin the crown jewels of how a network operates? That's where you arrive at the decision around a system of national significance. So I think you're right, the sectors in one sense are broad, but in terms of networks and assets and systems they're narrower; they've really got to fit a criticality definition.

I've got another question from our online audience, a highly upvoted question to you, Hamish: "I was wondering if Hamish might make a comment on the concept of Australian sovereignty in the context of the cyber security of critical infrastructure. Will Australian companies be favoured by government, or does sovereign equal Five Eyes?"

Well, I think that sovereignty is a live discussion with government, and I know Minister Robert has made some comments on sovereignty and put out a hosting certification framework and has some particular guidance there for industry. But I think the idea of sovereignty is twofold: one in a national sense, but I think more generally it's knowledge of where your data is kept, knowledge about systems, knowledge about managing risk. So I think we prefer the term managing risk, and managing your sovereign risk.

Great. I think we had a question right here. Hamish, probably for you: a follow-on question, I guess, on the sovereignty aspect. Has government mapped, now we've gone from four sectors to 11,
has the government mapped where they perhaps have overlaps and we potentially have a swiss cheese forming where you've got electricity gas data water communications perhaps overlapping with a single provider maybe a foreign-owned chinese russian firm that's providing all those services in one place so for example if uh 50 of the electricity gas water transport and communications in victoria was provided by one single provider would that be apparent to the government and would the government want to take steps to mitigate that risk so we've done a fair degree of mapping within the critical infrastructure center within home affairs so we're building all the time a good sense about critical infrastructure assets principally to get a sense about what we would include in the legislation obviously the critical infrastructure already regulates four of the sectors and has a solid understanding of the assets within sectors and the ownership arrangements um already under existing law but we're doing further work to map the individual kind of sectors working really closely with sectors in terms of definition of critical infrastructure assets and working really really cooperatively to have the common discussion around well what are critical infrastructure assets how do they interrelate and i think the really important thing that we're looking to do into the future is run exercises where that very issue is tested how in an exercise do we look at the interrelationship of critical infrastructure assets um and and particularly and it's a requirement for systems of national significance under the proposed legislation to have exercises we really want to make sure that they're involved in day-to-day understanding of risk and trying to work through and and wargame how we develop playbooks in response so i think the short answer is yes we're mapping yes we're looking at interdependencies but there's also a way to go um james you've got a chaser from the online group on on this question 
um somebody has noted that i'm sorry i don't have your name here the bill does not include government um is this an attempt to maintain an opaque view of government operations uh no so government doesn't normally regulate itself so government has existing and can introduce a whole range of different policies and procedures everything from uh the pgpa legislation to the protective security framework and so that's the the way that the government uh regulates themselves effectively not not in the statute um yes rupert thank you rupert's enterprise vault cloud we run a number of critical infrastructure clouds here in australia one thing we've noticed you were talking before was the interdependency of a lot of these systems and it's very hard to sort of unmap them you know ot and iit have really combined over the last few years and we've seen that quite practically at the moment um in those supply chains you could ultimately then end up with um as sort of following off the previous question completely foreign owned controlled no staff in australia no infrastructure in australia how do you envisage the act sort of dealing with those scenarios and probably noting particularly that there that a a company with no particular operations in the country is probably more likely to be less willing to collaborate here locally and so how do you see those complex supply chains being managed in a global sense when when you may not have any available access to resources domestically sure so i think um inherently the the legislation deals with critical infrastructure assets networks and systems onshore effectively but does contemplate in terms of the positive security obligation the supply chain so the obligation exists for critical infrastructure providers to look at their supply chains to work out where the risks are and how to mitigate those risks and that's going to open ended in terms of how you mitigate it and also that the kind of parallel regime of foreign investment sits 
alongside um the the reforms and they've had we've had reforms to the foreign investment review decisions through the federal reforms recently i think they sit side by side as well um but but obviously the legislation doesn't capture everything and we've still got lots of work to do to secure australian data australian infrastructure and and the work never ends any other questions in the audience here yes hi uh peter kaminski from medicines australia thank you for sharing your insights with us today my question relates to you mentioned that you were doing a cost-benefit analysis for what it would cost business in terms of um adding particular regulatory compliance burdens um but first note that within the prescription prescription medicines arena the idea of passing the costs down to the consumer which is the patient is a not only a non-starting but actually in the way that the system works is not is not actually possible because pbs prices are set and are negotiated between companies and the government and when that price is set that price is set so any additional costs can't be passed on they have to be i guess consumed or taken up by the by the company um the the other question sort of relates to the the cost benefit analysis that you're looking at are you looking at it more broadly from the social perspective because if let's say a prescription medicine company gets attacked hacked the logistics or the logistics framework falls apart that's out of control out of their control that's part of the another the other sector um sure there'll be a cost on the business but the far worse cost is the cost on the patients the people that don't receive their particular medicines and how that impacts whether it be on a hospital or or a gp surgery or a particular town and so on so um how are you are you and how are you looking at those sorts of issues sure i think it's really topical uh in the middle of a covered 19 pandemic and australia has done um pretty well and but some 
of the inklings of ransomware attacks on on medical networks and hospitals i think give you an inkling of the threat that's posed by some actors on hospitals and kind of the nightmare scenario that i think we're seeing around the world is a cyber attack on icus and and the impact that that actually has on patients so um the regulatory impact statements that we're doing both for the regime overall but for individual sectors do contemplate inherently the costs as well as the benefits so yes yes they do but i think one of the kind of issues that underpins business today and i know a lot of consultancies are looking at how to cost the risk of cyber and cyber security and cyber events and from some of those unfortunate companies who are subject to ransomware attacks the the costs can be prohibitive and they they ultimately may well pay a ransom or shut down and and obviously the government's position is not to pay a ransom but we are looking at both the costs the benefits and it's an inherently tricky area and a much greater i think you mentioned before much greater threat surface for hospitals for medical providers for a whole range of people but yes we are looking at both costs and benefits so can i just make a comment there um focus not specifically related to medicines but i describe myself as a cyber policy tragic and so for example what i've done in my spare time is i've provided um uh submissions to the therapeutic goods administration when they've been seeking um comment on how they can regulate connected medical devices and this gets back to the point about that i think sarah made about existing regulation and about those attempts to consult there are so many initiatives to try and corral what this means to how the how digital connectivity and data impacts upon a whole variety of life and it is complex to stay across at all um i think hamish to to paraphrase you you know this is an umbrella that sits over the uh over the lot um it is complex it's difficult it 
consumes a lot of bandwidth um but i think back in 2014 i did some writing about a thing called 23 nyc rr 500 new york state's financial services institution cyber regulations which was in my personal perspective before it's time and staying on top of that and staying involved and staying aware and continuing to make your voice heard through all of those initiatives um i think is key you know being engaged to shape government engage with government in order to have your voice heard um the phrase is being used several times the devil's in the detail by having your voice heard that's the way you make sure the devil is as well behaved as possible oh yes all right another question for hamish and it's really a leading lead on from some of the earlier ones about the scope of the act of the bill and with respect to supply chain security because a lot of the critical infrastructure that we're talking about is utterly reliant on sea trade and all of our sea trade is on foreign ships and this bill has no reach at all into foreign vessels and i think you mentioned earlier hamish that you know it stood up well through covert i think we should view what happened with our supply chains through covert as a near miss and what it has shown is the inherent fragility in the international supply chains on seabourn trade because at the moment we're effectively to this day still just getting by with a bunch of seafarers who haven't been home for 12 months you know it's not quite slave labor but it's getting pretty close so the international shipping industry is on edge and there's a lot of if you like complacency that has built been developing since the second world war into just how reliable international sea trade is so the question i suppose is knowing all of this is the government having any kind of in-depth review to make sure that those people who are reliant on the market to keep behaving it always had to have another look or to dive a little bit deeper to see if in fact we can 
achieve supply chain resilience yeah the government's absolutely looking at supply chain security supply chain resilience diversification of supply chains um through workload by prime minister and cabinet but but also kind of looking at how do we create a digital economy out to 2030 how does supply chains work how do we try and create a kind of more secure australia and i think these reforms are part of an overall package that includes supply chain security but it's kind of only one element but the government is absolutely looking at supply chains reliance on markets diversification of the economy all of those those particular issues i was going to throw a question to sarah and um mick um to let hamish catch his breath but one thing i was wondering is when we're looking at the the implication you know the the i guess the um the mythology in this area is that you've got a a sharp cliff edge from the companies that takes i have the resources to take all the incentives to take cyber security very seriously and then you've got a sharp drop off once you move out of one or two sectors with this piece of legislation are you both expecting that there's going to be a leveling in the playing field that everybody's going to be coming up to the the same kind of level of cyber security or are we still going to see that big variation between different sectors maybe you can start with you mick and go to sarah okay um i'll be fairly brief i think the the most impactful part of the legislation is the way that it requires the elevation of cyber security to a board level concern in that the risk management program that it requires has to be signed off by the board or its equivalent and then the annual reports that have to be made also have to be signed off by the board and in the last one of the co-design workshops that i participated in there was an implication that the government was looking for specific and i assume it's positional accountability to make sure that things are 
actually done so given that as opposed to leveling the field in terms of grading it down i think it's going to lift it up because to my mind boards cannot if they're in a critical infrastructure sector and a nominated asset or operator they simply can't afford to ignore this there are there are penalties there's even one mention of jail term in the um i think it's non-compliance to a direction so you know it's government is serious and therefore business has to be serious as well um of course taking into account its budget and the impact on its business in terms of that compliance i don't think there's i don't think there's any um option but to make sure that the right resources the right structure the right frameworks right capability and the right funding ongoing funding is associated to an organisation's cyber security or its attention to cyber security there is no choice sarah is that reflect your experience and as your board um has the idea of jail time caught your board's attention certainly caught my attention uh thank you and look just to use one of the most overused terms and potentially up there with unprecedented from last year but to say that it's a journey would probably be my response um fergus and that speaks to i think there is that sharp cliff now i think everyone will come up the curve it's not as easy as saying today i'm at a very low maturity in terms of my risk management and cyber security and now you know legislate or this proposed bill or um government requirement says that i need to mature quickly it's actually not that easy so it's a bit of a pantene moment with it might not happen overnight but it will happen and it's a journey to evolve to that um it has certainly been the experience of a number of businesses that i've spoken to and i think that'll be um part of the step up here great thank you is there any questions in the audience you just gotta wait for the microphone so people online can hear if that's okay uh thank you very much i'm 
jeffrey anderson from the australian food and grocery council um just talking about stepping up and going up that curve i mean i think um there's going to be a real requirement for more skilled employees in this area and i think you sort of mentioned it in passing but does the government has the government factored into its uh its policies and its strategies how it will um boost the level of training uh in terms of sheer numbers of people and whether that's also reflected in the education's uh sector which is presumably also going to have a role in this upskilling of a significant part of the workforce yeah absolutely so the education sector some of the really short-term courses that were implemented at the height of code it really went to cyber security skills education to try and uplift people who are already existing in industry to try and give them short term skills if they were either retrenched or let go for some reason to try and reskill them greater emphasis from skills australia on cyber security uh there's an innovation fund under the cyber security strategy which really looks to how do we innovatively uplift our cyber security skills 26 million that program is that there's a range of work going across industry and ourselves and education trying to work out how do you uplift the industry in and of itself and how do you prepare australia for a much different society and i think that's kind of all underpinned by the government's redesign of the stem and hex regime that applies to the stem disciplines i think there are a range of different initiatives across the economy and of course we're seeing the emergence in australia of a growing cyber security industry underpinned by us cyber which promotes their growth as well as the cooperative research center which also does a whole range of research and innovation work on cyber security uplifting the economy and we've got some great people here from the cyber crc today um i think we've got one more question here 
and then we might just wrap up with thank you sevilla gradient news australia all of the panelists mentioned the onus on industry to collaborate and i just wondered what appetite for vermiconcera what their the appetite was for industry to share data and share the lessons learned and for hamish what government leavers will incentivize that and is dha talking to itself with other areas responsible for disaster recovery like the nbrf um because the the bill obviously focuses primarily on cyber security but we know after covert and the bush fires that there are a number of other threats to our critical infrastructure great why don't we start with sarah certainly look i think there's a number of um formal and informal uh sharing mechanisms that are usually intra industry um as part of the proposed bill though and some of those town halls have given the opportunity for further sharing but i think there are a great amount of lessons learned on on on the curve and so rather than a yes or no i think my comment would be that i'm very supportive of those lessons learnt sharing um forums and if we can assist in any way sing out but definitely a strong need for that um i i think i'll take a a more narrow perspective while endorsing everything that sarah said um if i recall correctly the draft reforms have specific um information sharing elements to them um the comment that i'd make there is that when you're sharing information about threat about vulnerability and the like there's already existing government measures my personal opinion is that the sharing of information needs to be not just information but potential response needs to be at machine speed of course increasingly that is how attackers are operating sorry i thought i'd turn that off it is always going to be right hopefully this isn't the boss telling me i don't have a job tomorrow but it has to be at machine speed a lot of it because working for policy and working for paper-driven responses is not necessarily fit 
for purpose in this environment so a digital threat needs a digital response with the human in the loop where the human really makes the difference to that complexity so that's a probably really awful response to a very good question and now the industry government's industry advisory committee you put out a paper on ransomware which shared some of the stories of companies that were subject to a ransom wear attack and i think that's a really good example of where industry and the government are working together to really outline some of those learnings and some of them are pretty heartfelt stories so first point second point is the australian cyber security center has got funding for a threat sharing platform and you're right the legislation does require cyber security reporting to government and that's two-way and the joint cyber security centers that are in most states and territories we're trying to uplift those as well and recruit people to proactively work with industry and we're also revamping the trusted information sharing network under the critical infrastructure center so the government is taking pretty strong mechanisms to share with industry and i think industry are starting to share more and more with themselves about what happens when things go wrong well we're on the hour so i'm going to um call a close um sarah thank you so much for offering us a perspective of um a company that's going to be affected by the bill and for beaming in and joining us for this really appreciate your time today nick thank you very much for offering a perspective from cyber security firm for splunk for making this um possible for being uh supporters of the cyber center we really appreciate it um hamish i i hope this has been good practice for centered estimates and um that you'll come back coming up next week so that'll be fun thank you for being i i love the fact that you always give you know you don't give the talking points and so you try to genuinely engage with the 
questions and the concerns that people raise so thank you very much for that very sincere and genuine effort really appreciated and thank you as always for supporting the work and engaging with the center really appreciate it thanks to you too it's been great thank you everyone you
Info
Channel: ASPICanberra
Id: 1d_RCKGEF_8
Length: 60min 32sec (3632 seconds)
Published: Mon Mar 29 2021