The federal government has released a new set of voluntary principles aimed at providing guidance to organisations in how they protect critical technologies from cyber attacks.
Labelled the Critical Technology Supply Chain Principles, Minister of Home Affairs Karen Andrews said the voluntary principles were designed to give organisations and consumers the confidence to allocate more resources towards critical emerging technologies such as artificial intelligence, quantum computing, blockchain, and algorithmic automation.
“These principles come at a vital time — both for Australia and for our critical industries. We face unprecedented threats from a range of malicious cyber actors, growing geostrategic uncertainty, and are increasingly reliant on technologies that can be hacked, held to ransom, or otherwise disrupted,” Andrews said.
The principles were developed in partnership with industry, non-government organisations, state and territory governments, and the community.
There are 10 new principles in total, with the four of them being: Understand what needs to be protected, why it needs to be protected, and how it can be protected; understand the different security risks posed by an organisation’s supply chain; build security considerations into all organisational processes, including into contracting processes that are proportionate to the level of risk; and raise awareness of and promote security within supply chains;
In relation to these four principles specifically, Home Affairs hopes they will allow less-resourced organisations to implement appropriate measures for protectecting critical technology.
“When security is built in by-design it also means customers do not need to have expert knowledge and that they are not unfairly transferred risk that they are not best placed to manage,” Home Affairs said.
The remaining principles are: Know who critical suppliers are and build an understanding of their security measures; set and communicate minimum transparency requirements consistent with existing standards and international benchmarks for suppliers; encourage suppliers to understand and be transparent in the depth of their supply chains, and be able to provide this information to customers; seek and consider the available advice and guidance on influence of foreign governments on suppliers; consider if suppliers operate ethically, with integrity, and consistently with international law and human rights; and build strategic partnering relationships with critical suppliers.
Home Affairs warned that consideration of these principles are important as the lack of security measures can have flow-on impacts to the broader community and Australia’s national interest.
As part of the principles being announced, Andrews said the federal government itself would be implementing the principles for its own decision-making practices.
“Alongside important legislation currently before the Senate to support and assist critical industries confront cyberattacks, wide adoption of these new principles will safeguard Australia’s security, and prosperity for years to come,” Andrews added.
The release of the principles follows the federal government recently submitting a revised Security Legislation Amendment (Critical Infrastructure) Bill 2020 into Parliament. The revised Bill is a stripped-down version of the original version, only containing the elements that would introduce government assistance mechanisms and mandatory notification requirements.
Meanwhile, parts of the Bill that have been cut out will be considered in a future Bill down the road.
The Bill was revised in response to recommendations made by the Parliamentary Joint Committee on Intelligence and Security, which said this two-step approach would enable the quick passage of laws to counter looming threats against Australia’s critical infrastructure, while giving businesses and government additional time to co-design a regulatory framework that provide long-term security for the country’s critical infrastructure.
The federal government is also developing a new set of standalone criminal offences for people who use ransomware as part of its Ransomware Action Plan.