Published by Grant Walsh, Strategy & Consulting on 10 October 2024
This week the Minister for Home Affairs Tony Burke introduced a suite of critical infrastructure and cyber security reforms that form the key legislative pillars of the Government’s 2023-2030 Cyber Security Strategy.
These are some of the most significant pieces of legislation since the Security of Critical Infrastructure Act 2018 (SOCI Act) reforms in 2020/2021.
Among the raft of changes the Government aims to pass through parliament are:
- Mandating minimum cyber security standards for smart devices.
- Introducing mandatory reporting of ransomware payments (for government entities or businesses that have an annual turnover of greater than $3 million).
- Clarifying and enhancing obligations for systems holding business-critical data.
- Introducing new ‘Direction’ powers for the government to compel organisations to address serious deficiencies within their critical infrastructure risk management programs (CIRMP).
- Streamlining information sharing across industry and government, including by limiting the way information shared can be used against an organisation that suffers an incident.
- Bolstering the Government’s ‘step in’ powers to manage the consequences of incidents affecting critical infrastructure – including non-cyber consequential impacts.
While the reforms are wide-ranging and will impact organisations across the entire economy, it’s worth zeroing in on one sector in particular: Telecommunications.
Expanding SOCI Act Obligations for telcos
The Government’s cyber reforms single out the Telecommunications sector with some long awaited and significant changes.
When SOCI was introduced a few years ago, it applied to 11 sectors deemed critical infrastructure – but some obligations were not ‘turned on’ for telcos. That reflected a view that significant existing (and potentially duplicative) regulation was already in place for telcos, such as the Telecommunications Sector Security Reforms.
However, that’s about to change.
The Government is seeking to uplift and align the current security obligations under the Telecommunications Sector Security Reforms with those in the SOCI Act.
In particular, the obligation to develop and implement an all-hazards Critical Infrastructure Risk Management Program (CIRMP), which to date has not been ‘turned on’ for the telco sector, looks almost certain to be imposed once the legislation passes and enabling rules are made by the Minister.
The policy logic of not immediately applying the CIRMP obligations remains sound. Indeed, similar approaches were taken for already heavily regulated sectors like transport and aviation.
The reality is that the telco sector has long been forward leaning in terms of security and cyber security. That has been driven not just by regulatory compliance but also by necessity (i.e. keeping revenue-generating assets available) and by the need to maintain the significant social licence our major providers rely on, given the critical nature of the services they provide to everyone from businesses large and small, to government and individual consumers.
But with an evolving threat landscape and in the face of multiple high-profile breaches – including a number within the telco sector – this shift to SOCI Act alignment for telcos had become inevitable.
The Government has taken a comprehensive ‘belts and braces’ approach – by both paving the way to turn on CIRMP obligations in the SOCI Act and updating the existing security obligations in the Telecommunications Act 1997 (Tel Act) to reflect an all-hazards approach.
This is a positive step towards contemporising the Tel Act, whose security provisions have served us well but are focused on older, narrower threats like sabotage and espionage. Uplifting these security obligations not only supports SOCI Act alignment – it enlivens the existing provisions in the Tel Act and makes them more relevant for the modern, digital threat environment.
So what does this mean for the telco sector?
Adapting to these changes is going to pose some challenges for telco security teams, but there are some pragmatic steps CIOs and CISOs can take in preparation.
Challenges:
- The shift from managing risks with a ‘network’ focus under the Telecommunications Sector Security Reforms to an ‘asset’ focus under the SOCI Act will be significant for telcos, which sit on complex digital estates with legacy systems and infrastructure acquired over decades.
- The significant third-party dependencies and complex supply chains in the sector will make contending with the personnel and supply chain requirements of the CIRMP obligation tricky.
- Protecting large, distributed networks of critical assets from physical and natural hazards is a huge task, and one the CIRMP requires. That said, our major carriers have been continuously enhancing the resilience of their networks in the face of natural disasters and bushfires, and have already made significant progress in this space.
- Identifying data storage systems that hold business-critical data, and managing the risks associated with large volumes of personal and sensitive data holdings that are often not well understood, will remain significant challenges for the sector.
Some pragmatic steps:
- Getting ahead of, and focusing on, asset-level risk assessment – a detailed view of your critical assets, their associated risks and existing controls is a fundamental step in supporting compliance.
- Getting ahead of personnel risk – understanding key roles, responsibilities and access in relation to your critical assets.
- Enterprise cyber risk assessment – mapping those critical assets, risks and controls against your organisation’s risk framework and business impact levels to understand how you are (or are not) managing material risk.
- Uplifting second line assurance – a disciplined and well-documented approach to second line assurance will support SOCI Act compliance, deliver efficiencies in addressing regulatory burden and, importantly, help drive practical security uplift.
Given the breadth of these proposed reforms, it’s likely some will go to committee, creating the opportunity for telcos to engage through public submissions and hearings. However, telco CISOs and CIOs should be thinking about how these reforms would impact their organisation now.
For more information on the SOCI Act or to speak to an expert at CyberCX about what this means for your organisation, visit our website here.