The defence force’s former head of information warfare says new laws to toughen cyber security “can’t come soon enough”.
Retired Major General Marcus Thompson has told AAP that Australia’s reliance on overseas cyber infrastructure has left the country especially vulnerable to cyber attacks from sophisticated state-based actors and professional criminal groups.
“The threat is real, the threat is active, the threat wishes us harm,” he said.
He warned the recent Fastly outage that brought down global news websites is a timely reminder of the country’s dependence on offshore IT infrastructure.
“We were dependent on a foreign entity to get that back up and running; it was entirely in foreign hands,” Dr Thompson said.
He said critical data should be stored in Australian sovereign territory.
“I would like to see Australia become a little less dependent on foreign entities for the capabilities that we rely on for our everyday activities.”
There were 2266 cyber incidents reported to the Australian Cyber Security Centre in 2019-20.
Recent cyber attacks have targeted the health sector, airports, water services, transport and logistics, as well as federal parliamentary networks.
The federal government has allocated more than $42 million to secure critical infrastructure, such as hospitals and power networks, against major cyber attacks.
Dr Thompson said access to critical material could be shut off if the data is stored anywhere subject to a foreign power, and he warned of developments such as cloud data storage.
“I have a belief that there are aspects of this we ought to be careful about,” he said.
The draft Security of Critical Infrastructure bill, currently before federal parliament, would give cyber security agencies power to intervene in serious incidents where critical infrastructure such as telecommunications is threatened.
The bill identifies infrastructure across 11 sectors that would be subject to the laws, including telecommunications.
Australia isn’t immune
The Australian Signals Directorate submission on the bill said malicious cyber activity against Australia is increasing in frequency, scale and sophistication.
“While Australia has not suffered a catastrophic cyber attack on critical infrastructure, we are not immune,” the ASD warned.
A number of business and industry groups told the parliamentary committee examining the bill that the laws would put a heavy regulatory burden on industry and make it harder for Australian companies to get finance.
But the Active Cyber Defence Alliance group, composed of cyber security firms as well as the ACCC, told the committee the proposed laws are too weak, “like bringing a knife to a gunfight”.
Dr Thompson believes the laws could be strengthened over time and hopes they will provide some impetus to move critical data storage within Australia.
“So if something goes wrong the ability to get it back up and running again is in our hands,” he said.
Dr Thompson works with companies including Macquarie Telecom Group, Penten and ParaFlare.