Ask Hamish Hansford what keeps him up at night, and he'll tell you it's the possibility of a catastrophic cyber incident.
It's the kind of scenario his agency, the Australian Cyber and Infrastructure Security Centre, is tasked with helping prevent: a major attack leaving Australians without functioning banks, phones, or services providing food and water, for example.
Before the massive data breach at Optus, Mr Hansford put industries on high alert, telling companies they need to look at their cybersecurity settings and manage risks.
Speaking to The Canberra Times before the Optus data breach that affected 10 million customers, the CISC head said the agency was working with companies on strengthening their cybersecurity.
The centre, established in September 2021, is one of the newest federal agencies playing a significant role in the nation's security apparatus.
Mr Hansford said its work relied on partnering with industries at potential risk of cyber attack.
"Cyber is one element but extreme weather and other physical issues, the terrorism threat, all combined make it a difficult scenario for industry to deal with and we're really here to partner and help with the security outcome," he said.
"We've put industry on high alert, I've written to industry outlining the need for risk management and the need to look at cybersecurity settings."
The secretive centre gave The Canberra Times a tour of the building, rumoured to have originally been built as a shopping centre, with each successive level requiring a higher level of security and holding some of Australia's national secrets.
Mr Hansford pointed across from the centre's building at the neighbouring Australian Signals Directorate, which works in parallel with another agency at the core of Australia's cyber defences, the Australian Cyber Security Centre. Both agencies work with Mr Hansford's agency but have distinct roles.
Some of Mr Hansford's staff work in that building "just down the road" as the work of the two offices often overlaps.
"My centre is all about regulation and building an awareness and a culture of security ... they do the incident response," he said.
Where the centre sits with the Optus hack
The security threat involved in the Optus data breach is not at the forefront of the CISC's function. Instead, its remit is to keep networks running and functional, protecting the infrastructure that lets people make phone calls or transfer money online.
The centre's powers primarily arise from a piece of legislation - the Security of Critical Infrastructure Act - amended in Parliament earlier this year and the focus of the new Home Affairs Minister's ire following the Optus data breach.
Minister Clare O'Neil blasted the laws this week, saying she found them ineffective in letting her appropriately respond to the Optus crisis.
"[I was told] these laws were going to provide me with all of the powers that I would need in a cyber security emergency incident ... I can tell you that those laws were absolutely useless to me when the Optus matter came on foot," she said.
The CISC is tasked with helping organisations meet the requirements under the newly amended legislation, including submitting cyber incident reports and taking other measures to bolster their security.
Mr Hansford said his agency is at the forefront of working with industries and sectors through the legislation.
"We've had an ongoing conversation and dialogue with industry and I've really noticed that there's been such a different sort of collaboration over the last couple of years," he said.
"We've built up such a good relationship with some sectors we've never dealt with prior to the commencement of the discussion about the legislation, so I really see that there's such a willingness by industry to collaborate."
While the Home Affairs Minister has called out the laws, chief strategy officer of CyberCX, Alastair MacGibbon, said the legislation was never originally created for data breaches like Optus.
"[The legislation] was never designed to stop data being leaked. It was designed to reduce the likelihood that society would be brought to its knees should critical infrastructure fail," he said.
"Data has traditionally sat with the Office of the Information Commissioner and Australia has never pursued really strong privacy laws ... and so to find ourselves in the situation we're in is no sort of huge surprise."
How privacy protections could improve
Cybersecurity expert Nigel Phair said the Optus attack revealed the security risks when privacy protections fail.
Mr Phair, who is director of the UNSW Institute for Cyber Security, said the incident highlighted the need for government and industry to focus more on the security of people's personal data.
He said the CISC could play a role in improving safety.
"From an organisational perspective [the centre] needs to spend their time almost training sectors to undertake a risk management approach to the data that they hold in the systems that they have and getting them to understand what it means to participate and do something about it," he said.
Mr Phair said organisations such as Optus were potentially exposed to data breaches that could leak important personal information of customers including passport numbers, Medicare numbers and licence registrations.
One potential change that could improve safety would be for companies to destroy personal data rather than store it for prolonged periods, he said.
"They need to be helped by the CISC about what does it mean to collect this data and why are they collecting it? Why are they retaining it? What are they using it for?" he said.
"The best way to not fall victim to a data breach is to not have people's data; we kind of forget, with all this collection and use of data, that it needs to be deleted at some stage."
The Office of the Australian Information Commissioner is the agency primarily responsible for investigating incidents like the Optus data breach.
Mr Phair said it should have further support.
"They need to be resourced and start doing these investigations. Simple as that," he said.
A Home Affairs departmental spokesperson said the CISC has "a long-standing regulatory relationship with the communications sector."
"The CISC will continue to look at best practice responses, including through its hosting of a Trusted Information Sharing Network between government and industry, as well as risk mitigation regulatory measures," they said.