Intelligent CIO APAC Issue 21 | Page 33

EDITOR’S QUESTION
AIDAN TUDEHOPE, MANAGING DIRECTOR FOR MACQUARIE GOVERNMENT

Australia’s critical infrastructure is the reason we have food on our tables, light in our homes and healthcare in our hospitals. The fact that we have seen hospitals, energy companies and food processing organizations fall victim to devastating cyberattacks over the past year demonstrates the urgent need to protect these vital pillars of our society and economy.

Imagine if the cyberattack launched against JBS Foods – which took the meat processor’s systems in Australia and the US offline for days and threatened to delay supplies and increase meat prices – was replicated against a major supermarket chain today? With our supply chains already stretched due to worker shortages as a result of the Omicron variant, the additional damage inflicted as the result of a cyberattack could lead to major crises affecting public health and social cohesion.
For this reason, Macquarie Telecom Group sees the merits of the Australian Government’s amendments to the Security of Critical Infrastructure Act 2018 (SOCI). The expanded definition of ‘critical infrastructure’ (CI) and the new legal requirements for CI organizations around physical, cyber and supply chain security are a vital step towards ensuring our future national resilience.
Unfortunately, the SOCI amendments don’t go far enough. A big gap in the amendments exists where they do not extend to third parties that store and maintain ‘critical business data’ outside Australia, putting that data beyond Australia’s jurisdictional control and protection.
This legislative loophole could even act as a perverse incentive for CI organizations to move their critical data storage, and/or the suppliers they use to store and maintain that data, offshore to avoid compliance with the legislation and the associated costs.
CI providers, which rely on critical data to operate, can reduce the risk of intentional and unintentional security threats by having their data stored, transmitted and processed onshore in Australia, where they can rely on legislative regimes that are designed to help protect their data.
The Australian Cybersecurity Center (ACSC) has thrown its support behind this option, encouraging organizations ‘to either choose a locally owned [IT services] vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders’.
While storing and securing data onshore is no panacea against cyberattacks, it does ensure the information, supply chains and physical storage locations are easily accessible and subject to local laws. When a rapid response is required – for instance, in the event of a cyberattack – organizations are much more likely to quell the issue before it escalates if information is situated locally, and they don’t have to wait on the expertise of support staff located in a different time zone.
To successfully emerge from the pandemic, ready and prepared to face future challenges, we need to ensure our most vital data assets are fully protected, just as we are doing with our critical physical assets. The highest levels of sovereign protection for critical data are the only way CI organizations can have full confidence in the controls and protections available to meet the cyberattacks of the future.