November 9, 2022
Australia’s top cyber spy says she supports giving companies some legal protection for quickly sharing information with government agencies while responding to a cyberattack.
Rachel Noble, director-general of the Australian Signals Directorate, said a so-called “safe harbour” mechanism was an “excellent idea” to mitigate the concerns of companies that had been hacked about getting legally targeted over information they shared with the ASD.
Safe harbour would not give companies complete legal immunity, but would offer protection around sharing information, particularly with government agencies such as ASD, when responding to a cyberattack.
The opposition spokesman for Cybersecurity and Countering Foreign Interference, James Paterson, told Ms Noble in Senate estimates that, in a recent conversation, a lawyer specialising in cyber said “they couldn’t advise a company that it was a risk-free exercise to share”.
High-profile data breaches at telecommunications company Optus and health insurer Medibank Private have thrust cyberattacks, particularly ransomware, into the public eye.
“Where there’s ambiguity of ‘if I’m dealing with the government, do you hand that information over to other government departments or don’t you? How can I be sure that that won’t occur without my permission? And so forth,’” Ms Noble told the hearing on Tuesday.
“From an operational perspective, in that sort of heat of the incident where we’re still trying to pull people out of the water into the lifeboats, to have that absolute confidence for the private sector that, at the very least, their operational engagement with ASD will be exempted from the inquiry of others, whether they are the government agencies or other people scrutinising the process like we’ve seen in class action lawsuits, for example. That’s very attractive to us as well.”