{"id":65602,"date":"2021-07-08T11:00:59","date_gmt":"2021-07-08T01:00:59","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=65602"},"modified":"2021-07-08T12:42:09","modified_gmt":"2021-07-08T02:42:09","slug":"securing-data-to-protect-australias-critical-infrastructure","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/","title":{"rendered":"Securing data to protect Australia\u2019s critical infrastructure"},"content":{"rendered":"

In the recent JBS cyberattack, an American subsidiary of a Brazilian meat processor was hacked from Russia, causing operations in Australia, Canada and the United States to shut down. This crime provides a timely reminder that Australia’s critical infrastructure is only as strong as the weakest link in its international digital supply chains.

The government is proposing a complete overhaul of the way owners and operators of Australia’s critical infrastructure ensure the resilience of the physical facilities, supply chains and ICT they rely on, and on which our society and economy depend.

The proposed legislation before parliament will extend the regime under the Security of Critical Infrastructure Act 2018 beyond its outdated narrow focus on utilities to include other critical sectors of the economy, such as communications, transport, banking, healthcare and groceries. Industry-specific rules and standards will follow to improve security and resilience across these sectors. For the most vital infrastructure systems, the legislation will give the government a ‘last resort’ power to intervene in their operations in order to defend against a serious cyberattack.

These reforms are a necessary response to the risks that now confront society given the interconnections and interdependencies between the physical and the digital. Data is the nexus between these worlds, from personal information and metadata about consumers, to internal corporate emails, information about research and development, and the supervisory control systems used to operate industrial infrastructure.

Indeed, data is effectively the economy’s critical infrastructure. The proposed legislation recognises this new reality by including data storage and data processing in the expanded list of critical sectors.

However, the bill only partly protects the data controlled by these sectors and treats it inconsistently, erroneously focusing on its physical nature. This has the potential to create a dangerous gap in which we lose control of our data.

In practice, a critical infrastructure provider will either manage and secure its own critical business data or outsource some or all of those responsibilities to a third-party data processor, cloud service provider or data centre operator. That third party may store and maintain the data in physical facilities in Australia or overseas. A combination of these arrangements may be used for the primary and backup data stores to provide additional redundancy in case of disaster.

Data faces similar risks under each scenario, so it’s reasonable that equivalent security expectations and standards apply whether it’s stored onsite, outsourced to a third party, or moved offshore. Unfortunately, the proposed legislation doesn’t consider this and creates very different expectations around data security depending on how and where it’s stored.

Under the bill as currently drafted, an Australia-based third party becomes a critical infrastructure provider if it knowingly stores government data or the critical business data of another provider. It’s a case of ‘tag, you’re it’. A critical infrastructure provider’s data is so crucial to national security that the mere fact that it’s stored with an Australian-based service provider makes that third party a provider too.

That provider (rightly) will be subject to stringent legal requirements concerning cybersecurity, the security of its physical facilities, the resilience of its supply chain, and the trustworthiness of its employees and contractors.

A critical infrastructure provider that manages and secures its own data on-premises will be subject to a positive security obligation to manage and mitigate risks to its critical data assets, but not necessarily to the same standard that applies to data held by third-party service providers. Hence, the Australian Cyber Security Centre advises organisations to consider the security risks of not shifting data to the cloud.

In stark contrast, a third party that stores and maintains a critical infrastructure provider’s critical business data overseas will not be expected to do anything to secure that data. This is because the new regime won’t apply to Australian data stored overseas.

Australia should not be so timid. Under the US CLOUD Act, the US government extends its jurisdiction over all data in the possession or control of American cloud providers wherever in the world it’s stored. And the European Union’s General Data Protection Regulation applies to data processing undertaken outside the EU if it relates to the supply of products to Europeans.

Besides the obvious security gap, Australia’s proposed legislation creates a perverse incentive for critical infrastructure providers—and their suppliers—to shift critical business data stores offshore to avoid security regulation under the regime and the associated costs. This is at odds with the emphasis placed on data security when physical critical infrastructure assets are sold to foreign investors.

Whereas the draft legislation doesn’t safeguard Australian data stored overseas or require its repatriation, the Foreign Investment Review Board will often make its approval of investments in critical infrastructure conditional on the data being kept in Australia in certified secure facilities. There should be no inconsistency here. After all, it’s the same data, just different custodians.

The proposed reforms are necessary and overdue. But given the increasing importance of data from a national security perspective, a critical infrastructure provider’s data should be treated as a critical asset regardless of whether it’s managed in-house, hosted by a third party or located offshore. It should be subject to equivalent security expectations and standards.

Ensuring this data is always stored and secured in Australia will not in itself prevent it from being targeted or compromised. But if Australia’s laws and authorities are to help secure and defend Australia’s critical data, it must first be brought within the new security regulatory regime.

To do otherwise is to surrender our sovereignty over data when it has never mattered more.","protected":false},"excerpt":{"rendered":"

In the recent JBS cyberattack, an American subsidiary of a Brazilian meat processor was hacked from Russia, causing operations in Australia, Canada and the United States to shut down. This crime provides a timely reminder …<\/p>\n","protected":false},"author":1384,"featured_media":65605,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[416,1395,2138,2175],"class_list":["post-65602","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-australian-government","tag-critical-infrastructure","tag-cybersecurity","tag-data"],"acf":[],"yoast_head":"\nSecuring data to protect Australia\u2019s critical infrastructure | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securing data to protect Australia\u2019s critical infrastructure | The Strategist\" \/>\n<meta property=\"og:description\" content=\"In the recent JBS cyberattack, an American subsidiary of a Brazilian meat processor was hacked from Russia, causing operations in Australia, Canada and the United States to shut down. 
This crime provides a timely reminder ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-08T01:00:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-08T02:42:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2021\/07\/GettyImages-187265644-e1625703986408.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"542\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"David Tudehope\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Tudehope\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2021\/07\/GettyImages-187265644-e1625703986408.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2021\/07\/GettyImages-187265644-e1625703986408.jpg\",\"width\":800,\"height\":542,\"caption\":\"Thousands of servers are pictured at the new Facebook Data Center, its first outside the US on November 7, 2013 in Lulea, in Swedish Lapland. The company began construction on the facility in October 2011 and went live on June 12, 2013 and are 100% run on hydro power. 
AFP PHOTO\/JONATHAN NACKSTRAND \/ AFP PHOTO \/ JONATHAN NACKSTRAND (Photo credit should read JONATHAN NACKSTRAND\/AFP via Getty Images)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/\",\"name\":\"Securing data to protect Australia\u2019s critical infrastructure | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/#primaryimage\"},\"datePublished\":\"2021-07-08T01:00:59+00:00\",\"dateModified\":\"2021-07-08T02:42:09+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/866184e5da2a85869bd0fe136228c980\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securing data to protect Australia\u2019s critical infrastructure\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/866184e5da2a85869bd0fe136228c980\",\"name\":\"David 
Tudehope\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/52ac541c0eb461f1499f847924361e4e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/52ac541c0eb461f1499f847924361e4e?s=96&d=mm&r=g\",\"caption\":\"David Tudehope\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/david-tudehope\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Securing data to protect Australia\u2019s critical infrastructure | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/","og_locale":"en_US","og_type":"article","og_title":"Securing data to protect Australia\u2019s critical infrastructure | The Strategist","og_description":"In the recent JBS cyberattack, an American subsidiary of a Brazilian meat processor was hacked from Russia, causing operations in Australia, Canada and the United States to shut down. This crime provides a timely reminder ...","og_url":"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2021-07-08T01:00:59+00:00","article_modified_time":"2021-07-08T02:42:09+00:00","og_image":[{"width":800,"height":542,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2021\/07\/GettyImages-187265644-e1625703986408.jpg","type":"image\/jpeg"}],"author":"David Tudehope","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"David Tudehope","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2021\/07\/GettyImages-187265644-e1625703986408.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2021\/07\/GettyImages-187265644-e1625703986408.jpg","width":800,"height":542,"caption":"Thousands of servers are pictured at the new Facebook Data Center, its first outside the US on November 7, 2013 in Lulea, in Swedish Lapland. The company began construction on the facility in October 2011 and went live on June 12, 2013 and are 100% run on hydro power. 
AFP PHOTO\/JONATHAN NACKSTRAND \/ AFP PHOTO \/ JONATHAN NACKSTRAND (Photo credit should read JONATHAN NACKSTRAND\/AFP via Getty Images)"},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/","url":"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/","name":"Securing data to protect Australia\u2019s critical infrastructure | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/#primaryimage"},"datePublished":"2021-07-08T01:00:59+00:00","dateModified":"2021-07-08T02:42:09+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/866184e5da2a85869bd0fe136228c980"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/securing-data-to-protect-australias-critical-infrastructure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Securing data to protect Australia\u2019s critical infrastructure"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/866184e5da2a85869bd0fe136228c980","name":"David Tudehope","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/52ac541c0eb461f1499f847924361e4e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/52ac541c0eb461f1499f847924361e4e?s=96&d=mm&r=g","caption":"David 
Tudehope"},"url":"https:\/\/www.aspistrategist.ru\/author\/david-tudehope\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/65602"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/1384"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=65602"}],"version-history":[{"count":5,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/65602\/revisions"}],"predecessor-version":[{"id":65614,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/65602\/revisions\/65614"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/65605"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=65602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=65602"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=65602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}