Australian Prime Minister Scott Morrison unveiled on Thursday a new cybersecurity strategy (pdf) to protect the country’s critical infrastructure against cyber-attacks. New legislation will be introduced to give law enforcement agencies powers to access the networks of companies deemed critical infrastructure to protect them against potential cyber-attacks.
The strategy says, “The Australian Government will ensure law enforcement agencies have appropriate legislative powers and technical capabilities to deter, disrupt and defeat the criminal exploitation of anonymizing technology and the dark web.”
These powers will “allow offensive disruption capabilities” and will empower “law enforcement to take the fight to the digital front door of those using anonymizing technology for evil purposes,” according to a joint statement by Morrison and Australia’s Minister of Home Affairs Peter Dutton.
To support the new strategy, Australia will spend A$1.67 billion ($1.2 billion) over the next 10 years, Morrison said.
The increased spending is intended to fortify critical infrastructure, boost police efforts to disrupt criminal activity on the dark web, and strengthen community awareness.
The Australian Signals Directorate (ASD)—a government intelligence agency focused on cybersecurity and cyberwarfare—received government funding in June to enhance its capabilities to identify and disrupt cyber threats, and the new strategy will direct more funding to “expand ASD’s data science capabilities.”
The government will also invest in Australian universities to strengthen their cyber security and fund their cyber threat intelligence sharing network.
Companies will also be legally bound to ensure that their networks comply with cybersecurity standards.
The new strategy expands the list of industries that will be protected.
In 2018 the Australian Government introduced reforms to protect critical infrastructure sectors such as “the telecommunications sector and certain electricity, water, gas and port assets” against cyber threats.
The new strategy “will build on this foundation to include” other sectors critical to the Australian way of life.
“The Government will work with owners and operators of critical infrastructure to update legislation to ensure that critical infrastructure sectors deliver their essential services with security front of mind,” Dutton said in the joint statement.
“Agencies will be equipped to help address sophisticated threats, particularly to the essential services all Australians rely on—everything from electricity and water, to healthcare and groceries,” he added.
The banking sector will also be considered critical infrastructure, Dutton said at a press conference.
Penn said that the new powers, which allow the government agency into the networks of critical infrastructure operators, were needed, but they should be done “with close and careful consultation” with industry, according to The Sydney Morning Telegraph.
Dutton told media that the new strategy will assist law enforcement agencies in countering terrorists, drug or human traffickers, pedophiles, and other criminals who operate on the dark web, which allows them to remain anonymous, according to The National Digest.
Alastair MacGibbon, a former director in the ASD, said the government agency would access networks to monitor and defend them, not “to spy,” reported The Sydney Morning Telegraph.
If the strategy gets implemented, Australian spy agencies could for the first time directly target specific Australian citizens.
Cyber-attacks in Australia
Some controversies have arisen in Australia over the powers given to the ASD. In 2019, government agents raided the home of a News Corp journalist who reported on the Ministry of Home Affairs attempting to use the ASD to spy on Australians. Dutton denied the allegation that his ministry sought ASD powers to spy on Australian people.
Cyber-attacks on businesses and households in Australia cost about A$29 billion ($20.83 billion) or 1.9 percent of Australia’s gross domestic product (GDP), Morrison told reporters in Canberra.
During the COVID-19 crisis, malicious cybercriminal activity intensified, targeting Australian households and businesses with the goal of stealing personal information and distributing malware through COVID-19 themed phishing emails. The ASD “used its offensive cyber capabilities to disrupt foreign cyber criminals” behind those attacks, disabled their infrastructure and prevented them from accessing stolen information.
According to data provided by the new strategy, the most targeted sectors in the country within the 12-month period ending in June were the Australian government, where over 400 cybersecurity incidents occurred, and Australian state and local governments, which reported more than 350 incidents.
Individuals reported almost 200 incidents and the health sector more than 150. The lowest number of incidents occurred in the water, communications, transport, and mining sectors.
Morrison said in June that a “sophisticated state-based actor” had spent months trying to hack all levels of the government, political bodies, essential service providers, and operators of critical infrastructure.
Sources told Reuters that Australia views China as the chief suspect, a suggestion swiftly dismissed by Beijing.
Much of Australia’s cyber policy to date has focused on bolstering the defenses of government agencies after an attack on the parliament in 2019, but malicious cyber activity is increasing against small and medium businesses, universities and households, Morrison said.
The ASD determined China was responsible for hacking Australia’s parliament and will be given new funding to counter foreign cyber-attacks.
Reuters contributed to this report.