Australia's Government has proposed the possibility of taking control of critical infrastructure entities affected by cyber threats of national importance.
In the Consultation Paper, Protecting Critical Infrastructure and Systems of National Significance (August 2020), the Government notes that owners and operators of critical infrastructure should be legally obliged to manage risks, but there may be occasions when the Government would be required to step in and assist.
"In an emergency, we see a role for Government to use its enhanced threat picture and unique capabilities to take direct action to protect a critical infrastructure entity or system in the national interest," states the Paper, adding that, in the event that an entity is unwilling to co-operate, "Government needs to have a clear and unambiguous legal basis on which to act in the national interest and maintain continuity of any dependent essential services."
Taking control of a critical infrastructure entity is seen as the last resort and entities must be given the necessary means and opportunity to prevent significant cyber threats, although that doesn't mean taking direct action against an attacker, including hack-backs.
Even if a critical infrastructure entity is able to take necessary action against a cyber threat, it may still call upon the Government to provide assistance and help minimise any impact.
Should a cyber threat arise that is deemed to significantly impact Australia's "economy, security or sovereignty", the Government understands it may be necessary to take steps to mitigate the situation. In such cases, it's proposed that Government can provide assistance to entities in order to minimise any impact.
If an emergency is called and Government takes direct action, the powers under which the Government acts would be limited.
"These powers would be exercised with appropriate immunities and limited by robust checks and balances," states the Paper. "The primary purpose of these powers would be to allow Government to assist entities take technical action to defend and protect their networks and systems, and provide advice on mitigating damage, restoring services and remediation."
Being a consultation paper, it is open to suggestions and debate, and Government is keen to hear from a range of entities in what it perceives to be critical infrastructure fields, including banking and finance, data and the cloud, defence industry, education, research and innovation, energy, food and grocery, health and transport.
Submissions close on September 16, 2020.
