Home Affairs to Grant Companies Cyber ‘Safe Harbor’ Protections
Australian businesses are set to get new “safe harbour” protections that would allow them to share details of a cyber attack against them with government cyber agencies without risking the information coming back to harm them in further investigations.
Late last year, Deputy Prime Minister and Defense Minister Richard Marles suggested the government could introduce “safe harbour” legislation, which would give companies the confidence to act without fear of punishment.
“I can understand why companies in that case want to make sure that anything ASD finds is not ultimately subject to what any other government agency might do,” Minister Marles said.
Now, Home Affairs and Cyber Security Minister Tony Burke is set to launch new legislation that will outline new cyber measures, including granting affected businesses a safe harbor for cyber security reporting.
“We will encourage industry to share more information about cyber threats through strong limited use provisions,” Minister Burke will say at the second annual Australian Financial Review Cyber Summit, according to speech notes viewed by The AFR.
“When responding to cyber incidents, knowledge is power. These provisions will allow organizations to share information with ASD [the Australian Signals Directorate] and the cyber coordinator, who can then assist with early responses to cyber threats, without fear of that information being used in regulatory actions against them.”
In addition to the safe harbor, the new legislation will force companies that pay ransoms to threat actors above a certain amount to disclose how much they paid and to whom.
Regarding the earlier mandate and previous discussions on banning ransomware payments, the government said it does not currently have the knowledge necessary to ban them completely or to combat the ransomware business model, and that the new reports will help build that knowledge.
Additionally, the government is set to launch a Cyber Incident Review Board, which will analyze cyber incidents and the lessons that can be learned from them. Board members have not yet been announced.
Craig Searle, global head of cyber advisory at Trustwave, says the move is a step in the right direction, “however, there needs to be a consistent yardstick by which Australian corporations can measure themselves so that directors can then assess the reasonableness of their response and address the concerns raised by the Australian Securities and Investments Commission (ASIC).”
“While the Essential Eight are undoubtedly effective as a set of preventative measures, it is very difficult and expensive to achieve even for mature and well-funded organizations, as demonstrated by Australian National Audit Office (ANAO) reports such as ‘Authority Management’, ‘Cyber security’ and ‘Supply chain risks’. It also does not address response and recovery. This means it is unlikely to be suitable as a national resilience measure without significant warnings being adopted,” Searle said.
UPDATED 09/24/18 to add comments from Trustwave