Source: ITnews

By Ry Crozier
May 25 2021
11:56AM

Home Affairs boss indicates a scheme is ‘likely’.

The government is weighing the merits of a mandatory reporting requirement on organisations that are attacked or extorted by cyber criminals.

Home Affairs boss Mike Pezzullo told senate estimates yesterday that mandatory reporting is being considered “as an extension of the cyber security strategy” released mid last year.

While cautioning that he did not want to “presume or preempt government policy”, and qualifying that further stakeholder consultation is necessary, Pezzullo expressed a view that such a reporting regime is “likely” to be introduced at some point.

“There is a specific commitment to put in place a national strategy to combat cybercrime,” Pezzullo said.

“My inclination – and I’m not going to state it as an opinion – is that it’s likely that a regime of that character will be proposed, but there’s still some stakeholder engagement to undertake.

“I think … most advanced economies are at a point where by some means … a much more active defence posture is going to be required, simply because of the prevalence of the attacks.”

At present, disclosure of ransomware attacks and other cyber incidents is usually driven either by a major operational disruption that is difficult to hide, or by a breach of personally identifiable information, which must be reported under the separate notifiable data breaches (NDB) scheme.

Despite large attacks frequently making the news, some organisations are likely able to avoid disclosure altogether, particularly where an incident causes neither visible disruption nor a breach that triggers the NDB scheme.

Pezzullo was asked by Labor Senator Kristina Keneally specifically about a mandatory reporting regime for cybercrime incidents.