New cyber laws could be an incentive for companies to store important Australian data overseas, creating a security weakness.
Australia’s New Cybersecurity Laws Could Leave Critical Data Vulnerable Overseas
CANBERRA, Australia — New cybersecurity laws could result in critical data being sent overseas, the head of a major Australian data firm warns.
The Security of Critical Infrastructure Bill, currently before the Australian parliament, would give cybersecurity agencies power to step into corporate information technology systems when there’s a major cyberattack that threatens to bring down vital infrastructure.
But the laws won’t apply to Australian data stored overseas.
“This has the potential to create a dangerous gap in which we lose control of our data,” the chief executive of Macquarie Telecom Group David Tudehope said.
He said that the bill actually creates a perverse incentive for companies to store important data offshore, to avoid extra regulation and the costs that come with it.
“It’s absolutely critical for the nation to defend against a cyberattack,” he said.
“We believe its essential data is stored and secured in Australia.”
Australia’s existing privacy and telecommunications laws apply to organizations operating overseas, and he said the same is needed to combat the cyber threat.
The bill identifies 11 industries that would fall under the new laws, including communications, transport, banking, healthcare, and groceries.
As well as a tougher reporting regime, the laws would enable federal cyber detectives to reach into companies’ systems to detect hackers and foreign adversaries.
“A lot of companies have contracts that would make it difficult for them to accept government help, and this legislation would override that,” Tudehope explained.
In a recently authored blog, he said: “Ensuring this data is always stored and secured in Australia will not in itself prevent it from being targeted or compromised.”
“But if Australia’s laws and authorities are to help secure and defend Australia’s critical data, it must first be brought within the new security regulatory regime.”
According to the head of the Australian Signals Directorate, the cyber threat is intensifying, with a 60 percent increase in ransomware attacks over the past 12 months.
Rachel Noble fronted a parliamentary committee on cybersecurity in June and said healthcare systems have been a significant target.
“The vast majority of the attacks over the past year that ASD (Australian Signals Directorate) is aware of are focused on critical infrastructure sectors or systems of national significance,” she said.
She gave evidence that Australian companies including JBC, Toll Group, and Nine had already been hit by “catastrophic” attacks.
On some estimates, a significant cyberattack on Australia could cost AU$30 billion (or $21.99 billion) and 160,000 or more jobs.
Macquarie Telecom runs five data centers in Australia, and earlier in July announced it would build its biggest-ever storage center in Sydney at an initial cost of AU$78 million (or $57.18 million).
(Edited by Vaibhav Pawar and Krishna Kakani)