Some Takes on the Minister’s Takes on Risky CNI Business
By Ravi Nayyar
Last week, the wonderful Mr Patrick Gray (aka Mr Risky Business) interviewed the Commonwealth Minister for Home Affairs and Minister for Cyber Security, Clare O’Neil MP, and the founding CEO of the UK National Cyber Security Centre, Professor Ciaran Martin. It was a wide-ranging discussion, covering matters like CNI incident response, ransomware (including ransom payments), counter-cybercrime operations by the state, Australia’s forthcoming cyber security strategy and potential reforms to the Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI Act’). All in all, Patrick asked some great questions and Prof Martin provided some great insights, as per usual.
Many of the Minister’s responses, however, made me furrow my brow. (Full credit to Patrick for pushing back on some of the Minister’s more curious assertions.)
Given the subject of my PhD research, I will predominantly review the Minister’s comments on the incident response powers of the Commonwealth under the SOCI Act pt 3A. These powers are those of the Minister to give Ministerial authorisations for the Secretary of the Commonwealth Department of Home Affairs (‘Secretary’) to give:
- the relevant entity for a CNI asset (‘relevant entity’ is defined by SOCI Act s 5) an information gathering direction or an action direction (divisions 3 and 4 of part 3A, respectively); and
- the Director-General of the Australian Signals Directorate (‘ASD’) an intervention request (division 5).
After reviewing Minister O’Neil’s comments on these powers, I will provide brief takes on some of the other comments the Minister made in the interview.
Let’s get cracking.
The Minister’s Takes on SOCI pt 3A
The Minister argued that the SOCI Act pt 3A powers are hamstrung by ‘a very technical’ definition of a cyber security incident, such that ‘once the technical event is over, basically, those powers pretty much evaporate’. Having closely examined the intervention request regime under SOCI Act pt 3A div 5 in a piece last year, I found the Minister’s comments rather fascinating.
From the off, this is because:
- SOCI Act s 35AB(1) allows the Minister to give a Ministerial authorisation for an intervention request (or indeed an action direction or information gathering direction) even if the incident has had a ‘relevant impact’ on a CNI asset, provided there remains a ‘material risk’ that the incident ‘is likely to seriously prejudice’ national security. So, the powers do not ‘evaporate’ once the breach is resolved, rather once national security isn’t likely to be seriously prejudiced;
- SOCI Act s 12M (see Figure 1) defines ‘cyber security incident’ extremely broadly and sections 8G(2)-(3) (see Figure 2) define ‘relevant impact’ for such an incident on a CNI asset or system of national significance extremely broadly. This helps cast a generous regulatory perimeter for the powers in the first place; and
- though, per SOCI Act s 35AG, a Ministerial authorisation (and thus an intervention request, per SOCI Act s 35AX(3)) can only be in force for up to 20 days, the Minister is allowed to issue a fresh authorisation (for a fresh intervention request) which comes into force immediately after the previous one expires, per SOCI Act s 35AG(3). The Minister need only revoke either authorisation once she is satisfied that it is ‘no longer required to respond to the incident’, per SOCI Act s 35AH(3). The Secretary need only revoke either request once they are satisfied that it is ‘no longer required to respond to the cyber security incident’, per SOCI Act s 35BA(3). So the powers do not ‘evaporate’ after 20 days, especially when read with the above criterion of material risk of serious prejudice to national security.
In her commentary on SOCI Act pt 3A, the Minister pointed to how, in her incident response role for Medibank and Optus, ‘the technical bit’ of that response is the ‘first 10%’. The ‘90% beyond it’ is ‘logistics, government systems and how we are going to continue service provision for our citizens while systems are down’. She suggested that the legislation was ‘sort of, written very technically’, flagging potential law reform to add powers necessary for ‘deal[ing] with cyber incidents beyond the technical event’.
I find these comments curious because, if we home in on the intervention request regime, the intent of the Commonwealth Parliament in enacting it, as I highlighted in my earlier piece, was that such powers were of last resort (see also SOCI Act s 35AB(10)(b)), technical (see also section 35AC) and to be used in targeted scenarios, that is, constrained to a specific cyber security incident and a specific asset (see also sections 35AB(2)(e)-(f)). While we’re here, note also the wording of sections 35AB(6), (7): the information gathering and action directions regimes, respectively, are similarly those of last resort.
These particular powers, when used in relation to a specific asset, are not meant to deal with what’s going on outside the asset thanks to the event, such as ‘logistics, [and] government systems’, to quote the Minister. Once the serious risk to national security which is posed by the incident is resolved, the powers are not applicable.
Given the extraordinary and coercive nature of the regime, mission creep for part 3A (especially division 5) of the SOCI Act is not a good idea.
Amendments to SOCI on the Cards?
If the law is amended to allow, for instance, the intervention request regime to be used even after material risks of serious prejudice to national security from the incident in question have been mitigated, and to have a broader regulatory purview (‘Extended Regime’), then we need to have a conversation about oversight.
The thing is, as I pointed out in my previous piece, part of the Commonwealth’s justification for the absence of oversight of the giving of Ministerial authorisations for intervention requests and actual intervention requests by an independent third party, such as a federal judge or the President/a Deputy-President of the Administrative Appeals Tribunal, was the rather compressed timescale under which these authorisations and requests would be given, as well as the need for the third party to quickly understand the nuances of the network of the CNI asset hit by the incident to assess if the authorisation and request met required criteria under what is now SOCI Act s 35AB(10).
For the Extended Regime, it is hard to plead the same justification. The timescales for decision makers to act are much longer, allowing for deliberation by an independent third party on whether the proposed exercise of the powers is necessary and proportionate for tackling ongoing threats to national security. Which is key when such powers, I’d imagine, will be coercive (why else enact them?), enabling the state (through ASD) to continue directly intervening in the running of what are most likely private sector assets.
Of course, if the Minister was foreshadowing the development of powers other than the Extended Regime, such as powers requiring the provision of real-time telemetry to ASD to improve transparency of our CNI’s operating environments for government, then that’s less controversial. But then again, the Commonwealth ought to be careful to avoid regulatory duplication.
There are a few powers already for the Secretary to direct the relevant entity for a system of national significance (‘SoNS’, a class of CNI assets declared by the Minister to be such because they are of ‘national significance’, per SOCI Act s 52B(1)(b)) to provide ASD with information on the functioning of their networks (and which is not PII), such as basic telemetry, and which ‘may assist with determining whether a power under this [SOCI] Act should be exercised in relation to the [SoNS]’, per SOCI Act ss 30DB(1)(b), 30DC(1)(b). If the Secretary reasonably believes the relevant entity to be technically capable of providing this information, the Secretary can direct they do so periodically (via a ‘system information periodic reporting notice’, per section 30DB) or ‘each time a particular kind of event occurs’ (via a ‘system information event-based reporting notice’, per section 30DC). If the Secretary reasonably believes they are not technically capable of providing this data themselves, the Secretary can direct them to install a specific piece of software on their networks to transmit it to ASD (via a ‘system information software notice’, per section 30DJ).
Each of said notices can be in force for up to twelve months, but the Secretary can (like the Minister with Ministerial authorisations) give a new one which comes into force immediately after the previous one expires (per SOCI Act ss 30DE, 30DL, depending on the notice given). This gives the state plenty of time to play with when it comes to collecting and leveraging said data to better preserve the cyber resilience of the SoNS in question, particularly during the ‘90%’ of the time after the ‘technical incident’ (ie the breach) has occurred when we need to do a whole-of-government/CNI response, which the Minister spoke about. All the Minister would have to do is check that she has lawfully declared the CNI asset in question, from which the government needs ongoing telemetry, to be a SoNS (as at March 2023, the Minister already has declared 82 assets to be SoNSes).
Perhaps the Minister was foreshadowing that these notice-issuing powers of the Secretary would be amended to be available in relation to all CNI assets, not merely SoNSes?
In terms of additional powers, if the government is looking at enacting coercive, last-resort powers for directing the activity of a reporting entity or operator for any CNI asset (‘reporting entity’ is defined by SOCI Act s 5), including assets beyond those suffering a relevant impact from a cyber security incident and especially in the absence of an ongoing national security crisis where SOCI Act pt 3A would be otherwise available, well, it already has them.
Enter SOCI Act pt 3: ‘Directions by the Minister’ (see Figure 3).
These should be useful during the ‘90%’ phase which the Minister flagged in her comments and for dealing with the broader fallout of a ‘technical incident’ on our CNI; such as the lingering effects, on the ability of the operator of critical food and grocery assets (like Coles, given SOCI Act s 12K and SOCI Definitions Rules r 15) to manage their inventories, of the operator of a critical freight services asset (like Toll Group, given SOCI Act s 12C and Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 (Cth) r 9 (‘SOCI Definitions Rules’)) being bricked. Again, the government needs to do some legislative inventory management of the law before proposing amendments.
In any case, that the Minister was flagging potential amendment of the SOCI Act to bring in broader, coercive powers to enable better, seemingly more holistic incident response was interesting. Because these powers — especially the Extended Regime — would not be required if the relevant entities for CNI assets were willing to work with ASD to clean up the relevant mess of and after an incident, as opposed to, say, stonewalling the agency with lawyers when it wants telemetry to be able to help out, like Toll Group apparently did in the aftermath of the first of its two major incidents in 2020.
I can understand the current intervention request regime providing coercive tools for the state when the chips are (likely) down and the relevant entity stonewalls. But to suggest that, when the immediate cyber security incident has been resolved and where timescales for decision makers in relevant entities and the state are a bit more relaxed, there are still relevant entities for CNI assets that need more than a nudge to cooperate casts a long shadow on the government’s, and indeed the Minister’s, efforts towards their goal to make us ‘the world’s most cyber secure nation by 2030’.
After all the singing of kumbaya at industry conferences, talks, briefings, the rhetoric, the ‘lessons learned’ from Optus and Medibank, that the state is flagging the introduction of coercive powers to help those operating CNI assets recover from an incident after the actual incident has been resolved is, well, far from ideal.
But anyhoo, let’s see what Home Affairs comes up with.
The Minister’s Other Takes
Having gone through the Minister’s comments on the SOCI Act pt 3A framework, let’s turn to her takes on other matters of cyber policy.
On Transparency about Incidents
The Minister said she wanted more transparency about breaches, but did not talk about the performance of the SOCI Act pt 2B incident reporting regime for CNI assets since she switched it on in July 2022 with the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth) r 5 for specified categories of CNI responsible entities (‘responsible entity’ is defined by SOCI Act s 12L), a regime which saw 334 incident reports being given to Home Affairs until June 2023.
On Australia’s Incident Response Capability
The Minister asserted that Australia was ‘about five years behind’ in terms of incident response capability when the Albanese government was sworn in. Patrick rightly rebutted this with reference to the Turnbull government enacting the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Act 2018 (Cth), which specifically authorised ASD ‘to prevent and disrupt, by electronic or similar means, cybercrime undertaken by people or organisations outside Australia’.
Additionally, the Minister’s assertions were curious because the intervention request and incident reporting regimes under the SOCI Act were enacted in 2021 by the Morrison Government following the recommendation of the bipartisan Parliamentary Joint Committee on Intelligence and Security (on which the present Commonwealth Attorney-General, Mark Dreyfus KC MP, sat). The SOCI Act was far from a tabula rasa prior to the Albanese Government.
On What the ASD-Australian Federal Police Counter-Cybercrime Operation Has Done
The Minister’s response to Patrick’s question on the absence of transparency on the fruits of ASD and the Australian Federal Police’s ‘ongoing, joint standing operation to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups’ left a fair bit to be desired.
As Patrick pointed out, the Yanks release a good deal of information about the disruption operations they do, versus the Commonwealth being tight-lipped on what the operation has actually achieved following its commencement last year.
On Collectively Learning from Incidents
The Minister flagged that, as part of the forthcoming cyber strategy, the government is considering how to create a framework for us, as a country, to ‘actually learn’ from breaches like those at Optus, Medibank, Latitude Financial and HWL Ebsworth, and thus bolster our collective cyber security. The Minister stated that ‘bringing some more transparency to those conversations is something that is really important to [her]’.
Which makes me wonder why the Minister did not criticise Medibank (having just pointed to its holding a quantum of Australian PII which is of national significance) for choosing to not publicly release the Deloitte review of its catastrophic data breach last year (looking at the ‘incident itself, control effectiveness and the response of Medibank’). A review which the Australian Prudential Regulation Authority planned to factor into its action against Medibank.
Surely, and to reiterate an earlier point, in the interests of transparency and us as a country learning from the utterly catastrophic stuff-up by that company (including misconfiguration of a firewall and substandard cyber supply chain risk management (C-SCRM) which allowed the threat actors to enter Medibank’s network), that report ought to be made public?
On the Development of Our Forthcoming National Cyber Security Strategy
The Minister said that we can expect a draft of our new national cyber security strategy ‘over the next few months’. Note that the development of the strategy began in December 2022 and submissions to the government’s discussion paper closed in April 2023. So I don’t know if the government is seeking to write the next War and Peace and not a 60-page high-level strategy which will be very similar (I guess) to the 2020 one and indeed any FVEY country cyber strategy.
When asked about a multinational consulting firm being paid $2.4 million for work (ie ‘developing briefings and background content, stakeholder engagement and minutes for industry meetings, as well as project management…’) on the strategy, the Minister responded that her Department is responsible for contracting, not her. Well, as the phrase goes, ‘Yes, Minister’.
The Minister also suggested that such a quantum of spending on the development of the strategy is justified by the high stakes context of the strategy. I found this all quite strange because it suggests that her own Department has not invested in recruiting enough experts in-house for so crucial a policy area and contradicts the Commonwealth’s otherwise admirable moves to cut outsourcing to external consultants and lawyers.
Furthermore, there already are senior bureaucrats within Home Affairs whose roles can easily accommodate what the consultants are being paid to do above, for crying out loud (see Figure 4). Or is the empty position of ‘First Assistant Secretary Cyber Security Strategy’ to be given to whichever consulting firm the Department has retained?
Note that iTnews erroneously reported the consulting firm as KPMG at first but corrected it after Patrick’s interview to say it was McKinsey, where the Minister worked from 2009–13. Nonetheless, the Minister did not herself clarify in her response that McKinsey got $2.4 million in taxpayer funds, not KPMG.
Just on what that $2.4 million is getting us, why couldn’t the Department of Home Affairs hire Masters/PhD students as research assistants/interns to do the same for much less? As an OECD intern helping run a multi-stakeholder policy consultation for distributed ledger technology, this was the lion’s share of my day job.
On Banning Ransom Payments
The Minister said a conditional ban on ransom payments ‘is something we should keep an open mind to’ but stated that the government’s ‘first port-of-call’ is gaining a better idea of payments (noting the absence of payment reporting obligations for firms) and providing as much support as the Commonwealth can to ransomware victims so that they do not feel compelled to pay.
In principle, the Minister’s comments make sense, but we were denied an explanation as to why the government has not already passed legislation which mandates the reporting of ransom payments or why federal regulators have not used applicable authorities to specifically mandate the reporting of ransom payments. Why hasn’t the government resurrected now-Assistant Minister for Foreign Affairs Tim Watts’ fairly decent Ransomware Payments Bill 2021 (Cth), which he brought as a private member’s bill while Labor was in opposition (and which I had a look at in another piece)? The government obviously has the numbers in the Lower House and I doubt the politics of enacting such obligations are fraught.
Given the Minister’s comments on ransom payments, I hereby plug my essay calling for officers, who are involved in the decisions of their companies to pay ransoms, to be prosecuted for money laundering (the stick) and for the state to provide comprehensive support to all businesses, particularly SMEs, to strengthen their cyber resilience to minimise the chance they pay in the first place (the carrot).
On Negative Externalities of Breaches at CNI Assets
The Minister made a good point about how breaches like those at Optus and Medibank (both CNI asset operators, given the wordings of SOCI Act ss 5, 12H(1)(e), respectively, and SOCI Definitions Rules r 13(5) for Medibank) are not merely ‘private events that affect private companies’.
Hence, I would have loved to hear her thoughts on the operation of the SOCI Act pt 2A critical infrastructure risk management program regime, which the Minister switched on for the responsible entities for certain categories of CNI assets early this year via the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (Cth).
Linked with that, it would have been marvellous if the Minister had provided her thoughts on how cyber governance at companies generally should be regulated in Australia (the interview was focused on ‘technical’ matters of cyber policy, to borrow the Minister’s word).
All in All
Mr Business did a fabulous job and Prof Martin was his usual wise self, but I felt many of the Minister’s comments were rather (you guessed it) curious.