University Cyberattacks Justify the Incorporation of Higher Education in Critical Infrastructure Bill

Australia’s higher education sector could soon find itself considered an “asset of national significance”, as the government is prepared to “enhance the existing framework for managing risks relating to critical infrastructure” upon universities through the Security Legislation Amendment (Critical Infrastructure) Bill 2020, writes Asha Barbaschow.

Last year, Australia was the target of a sophisticated cyberattack that infiltrated a range of sectors, including government, political organizations, education, health, and essential services. Other malicious activity against Australia’s critical infrastructure included a ransomware attack on steel manufacturer BlueScope that generated disruption to some of its operations.

In the following months, Australia has increased its cybersecurity actions which included the release of a new cybersecurity strategy endorsed by a $1.67 billion investment. Prime Minister Scott Morrison said in a press release that

The 2020 Strategy means that cybersecurity is a fundamental part of everyday life, so Australians can reap the benefits of the internet and the digital economy safely, and with confidence. The digital economy is the future of Australia’s economy. We will protect our vital infrastructure and services from cyberattacks. We will support businesses to protect themselves so they can succeed in the digital economy.

Part of Australia’s renewed cybersecurity efforts includes the introduction of the Security Legislation Amendment (Critical Infrastructure) Bill 2020. The legislation, which was introduced in December, gives the Australian government the power to take direct action against cyberattacks and obtain information from critical infrastructure operators if the information is in the national interest.

Despite these measures, Australian universities believe the administration has in fact not yet identified any critical infrastructure assets in the higher education and research sector and, according to them, the government doesn’t feel that higher education and research should be included as a critical infrastructure sector, taking into consideration the regulatory ramifications.

The Go8 group, which includes the University of Adelaide, the Australian National University, the University of Melbourne, Monash University, UNSW Sydney, the University of Queensland, the University of Sydney, and the University of Western Australia, considers the proposed legislation to be “disproportionate to the likely degree and extent of the criticality of the sector”.

In 2018, the Australian National University was the victim of a massive security breach that wasn’t discovered until May 2019 and revealed in early June. The attackers managed to access up to 19 years’ worth of data which included names, addresses, birth dates, phone numbers, personal email addresses, and emergency contact details, tax file numbers, payroll information, bank account details, passport details, and student academic records.

Last month, Melbourne’s RMIT University revealed it was the target of a phishing attack, stating they are working to restore their systems. The specifics of this incident are still under investigation.

Despite these events, there was no official attribution made regarding who is responsible for the attacks. Nevertheless, Australian Security Intelligence Organisation’s (ASIO) Director-General of Security Mike Burgess said

I do know who was behind it but I would not say that publicly because I don’t believe that’s my role to do so. My organization’s role is to identify threats and help reduce the harm from that. Public attribution of that is not for the director-general [of] security alone. There are many other factors that the government must take into account when they decide on how they deal with that particular problem.

The two cyberattacks were used by the Home Affairs representative to explain the incorporation of higher education and research in the Critical Infrastructure Bill.