Australian spy agency gets teeth
In the wake of the increasing incidence and sophistication of cybercrime, the Australian Signals Directorate (ASD), an Australian government foreign intelligence collection agency responsible for foreign signals intelligence and information security, will become an independent statutory body with new powers to combat cybercrime from 1 July 2018.
The ASD provides the Australian government with advice and assistance on matters relating to security and integrity of information, greater understanding of sophisticated cyber threats and co-ordination of responses to cyber incidents of national importance across government. The ASD also works closely with industry to develop and deploy secure cryptographic products.
The ASD incorporates the Australian Cyber Security Centre (ACSC), which includes:
- CERT Australia, the contact for cyber security issues affecting major Australian businesses
- The Australian Federal Police, who investigate and respond to cybercrime of national significance
- The Australian Criminal Intelligence Commission
- Cyber investigations and security specialists from the Australian Security Intelligence Organisation
- Strategic intelligence analysts from the Defence Intelligence Organisation
New functions of ASD
From 1 July 2018, the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Act 2018 (Cth) will come into force. It will see the ASD become an independent statutory body reporting directly to the Minister for Defence, with several increased functions including:
- expanding its network defence function by providing advice and assistance on cybersecurity to not just government authorities, but also foreign persons or entities, within constitutional limits. Any such assistance will require the knowledge and consent of that person or body.
- combating cybercrime, by preventing and disrupting cybercrime committed by entities located outside Australia. It should be noted that the ASD is required to obtain ministerial authorisation to prevent or disrupt cybercrime undertaken by Australians, but not otherwise.
It has been reported that there is a push, backed by Home Affairs Minister Peter Dutton, to further expand the powers of ASD to enable it to collect intelligence on Australians, by giving ASD the ability to:
- shut down computers within Australia, by targeting Australian criminals, terrorists and paedophiles
- conduct covert cyber penetration tests on Australian companies to test their cyber security and vulnerability to hacker attack
- exercise coercive powers to direct companies and government to improve their cyber security
This is strongly opposed by some in parliament, including some members of the Cabinet.
Implications for insurers
Given the constant evolution and sophistication of cybercrime, ASD’s increased powers are a welcome addition to a national approach to cybercrime defences. Whether this will lead to fewer cyber-attacks and fewer data and financial losses suffered by insureds covered under cyber policies remains to be seen.
It is more likely that ASD’s combative efforts will be directed towards prominent or large-scale cyber-attacks, rather than individually targeted attacks, such as phishing scams, which can still cause significant loss. Notably, ASD’s remit is confined to combating overseas cyber interference rather than hacks originating domestically. This demonstrates a significant limitation on ASD’s powers; however, some members of Cabinet are considering a broader scope for ASD.
Until the results of ASD’s prevention and combat efforts are seen, some of the best defences for insureds against cyber losses are to have systems and policies in place to educate staff about cyber risks on an ongoing basis, and to have localised defence systems in place to ward off external cyber penetrations. Such efforts protect against both domestic and international attempts to compromise information and technology systems.
6 June 2018