Eric Holdeman | govtech.com
It seems a bit much.
See below for an interesting situation that is developing down-under. I know this would not fly here in the United States. It is one thing for the federal government to offer assistance. It is quite another thing to “take over” a cyber-attack response.
“Sydney-based Financial Review is reporting Coalition moves to boost critical infrastructure security. The Australian government plans to give their security agencies the power to intervene in the case of a cyber-attack on essential services. The bill would direct the Australian Signals Directorate (ASD) to take over control of a business’s cyber defenses during a cyber-attack as a “last resort”. Though based on the premise that most ordinary businesses are not able to bring sophisticated defensive resources to bear on such an attack, critics see a serious problem with allowing the government to take on this responsibility. As the argument over Government “control” and the definition of “essential businesses” proceeds, the scope of such an intrusive move will be highly controversial.
Experts with Cyvatar and Gurucul offer [their] perspective.
Saryu Nayyar, CEO, Gurucul (she/her):
“The Australian government is set to pass laws requiring “essential industries” to report cyber-attacks immediately, and as a last resort, have the Australian Signals Directorate come in and take control of cyber defenses to respond. Essential industries include food, energy, communications, financial services, and higher education and research.
“Transparency on attacks is important, and formally informing the government is a good way of achieving that, but it’s not clear that having an outside organization come in to take over defense is realistic. The Australian Signals Directorate personnel will be unfamiliar with the organization, the attack, and any existing defenses in place. This will likely result in confusion and an inadequate response. Instead, perhaps the government should direct essential industries to have a cybersecurity risk management program in place and define the minimum standards needed for organizations to protect themselves.”
Josh Brewton, vCISO, Cyvatar:
“It’s interesting that the Government are willing to step in when the response is deemed not adequate. Where is the line drawn? How will they define their triggers? How, or by whom, will the response be paid for if the ASD take control? Given the frequency of cyber attacks today, I wonder how the cost of such a response would be dealt with. It could push smaller businesses over the edge, with a healthy bill from the government on top of the added financial, operational and reputational impacts from the attack itself.”
The above information was shared by Jeff Steuart.