AUSTRALIA Trends and Developments Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
State-sponsored cyber-operations are set only to increase with growing geo-political tensions, including the competition in the Indo-Pacific. Aswe continue to see sanctions, states may co- opt actors and state hacking itself to supplement revenue streams. Other risks/vulnerabilities Overall, it is important to acknowledge that the vulnerabilities are not only from external mali - cious actors. Incidences that occurred in 2024 highlight other critical focus points, such as the following. • Insider threats: in October 2024, Qantas con - firmed that two contractors working for Air India SATS company had allegedly accessed at least 800 customer booking details and diverted their frequent flyer points. As this India SATS provides services to a lot of air - lines across the OneWorldAlliance, the true extent of the issue may never be known. • Software issues: in July 2024, CrowdStrike released an update that caused worldwide outages of certain programs. Legislative and Regulatory Reform In 2024, the Australian government passed the Cyber Security Act package, introducing a range of new legislative reforms; some of which are explored below. Overall, these changes pave the way for better-informed government actions as well as increased enforcement actions to raise the general standard of Australian businesses across the board. SOCI Act The Security of Critical Infrastructure Act 2018 (Cth) (the “SOCI Act”) regulates the critical infra - structure assets identified across eleven sectors, and was amended in November 2024 by the Security of Critical Infrastructure and Other Leg -
islation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (the “SOCI Amend - ment Act”). The SOCI Amendment Act included: • crucial clarifications on the status of data storage systems; • amendments to what is protected informa - tion, as well as exemptions to the prohibitions on the use and disclosure of such informa - tion; and • new regulatory powers for “seriously defi - cient” Critical Infrastructure Risk Management Programs (CIRMP). The shared-responsibility for and complexities of a single business’ CIRMP and cybersecurity overall is demonstrated by the media’s cover - age of the back-and-forth between Delta Air Lines and CrowdStrike after the former com - menced proceedings against the latter for dam - ages caused by the CrowdStrike-Microsoft out - age in July 2024. Delta claimed, inter alia, that CrowdStrike “cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised”; while CrowdStrike retorted that Delta has had a “slow recovery away from its failure to modernise its antiquated IT infrastructure”. Both businesses and service providers have responsibilities under a capable CRIMP. It remains to be seen if this specific mat - ter progresses further. The importance of reviewing and properly imple - menting these changes is only increased by the continued stance taken by the Department of Home Affairs (DoHA) under its performance tar - gets. Target 8 comprises that 100% of instances of identified non-compliance with obligations in the SOCI Act will be subject to a compliance action within 90 days. The precise “compliance
32
CHAMBERS.COM
Powered by FlippingBook