Liberal senator James Paterson has urged the government to build trust and psychological safety mechanisms that encourage the private sector to share – and not withhold – critical information in cyber attack investigations.
Speaking at the Australian Cyber Conference 2023 yesterday, Paterson said one of the “lessons” from the Optus and Medibank incident responses lies in the way the government, in particular, inserted itself into the fray.
Optus, in particular, faced strong and repeated criticism from federal government ministers after disclosing its data breach last year.
“In the wake of the Optus attack, I met with a number of CISOs. What you told me loud and clear was that you were alarmed by the public attacks by the government on Optus in the middle of the crisis,” Paterson said.
“Many told me it raised doubts in your mind about whether it was safe, or in the best interests of your company, to share information with the government about an evolving cyber crisis, because you feared it might be used against you while you were busy trying to put the fire out.
“Instead of picking up the phone to the ACSC [Australian Cyber Security Centre] in the first instance, you would call the lawyers instead.”
Paterson added that he was advised by one lawyer that they “could not advise their clients there was no legal risk sharing information with government about a cyber attack.”
While Optus is a recent example, the issue of cooperation with authorities pre-dates the incident; Toll Group was previously criticised, albeit in veiled terms, over its level of cooperation with authorities following a high-profile 2020 ransomware attack.
Paterson said there needed to be a “genuine partnership between industry and government” on cyber security to ensure that information flows between the two parties continued.
“We need seamless, time sensitive sharing of information between government and business when there is a cyber attack,” he said.
“We can’t afford for any CISO or their CEO to hesitate to pick up the phone to the ACSC and share what they know.”
Paterson said he had previously proposed a safe harbour mechanism – “a protected and confidential process to share information that won’t be used for any other purpose.”
“By removing the fear of vilification and litigation, a safe harbour would encourage the private sector to work cooperatively with federal agencies like the ASD in times of crisis,” he said.
“That doesn’t mean companies can’t or shouldn’t be held accountable for negligent handling of customer information or poor cyber security. They absolutely should.
“But that can come after the crisis has subsided, and shouldn’t rely on information voluntarily shared by companies with ASD when trying to solve the crisis.”
He added that timely information sharing matters not only for incident response but also for keeping affected customers and the wider public informed with credible information as an incident unfolds, and that the government should consider establishing an “authoritative voice” to educate the public on cyber security risks.