Independent Senator for South Australia, Nick Xenophon, will this afternoon push for a wide-ranging Senate inquiry into IT security in Australia.
The move for the inquiry follows allegations yesterday of a serious security breach at the Bureau of Meteorology, the remediation of which reportedly could cost hundreds of millions of dollars.
The breach allegedly compromised IT systems of a number of other agencies.
Xenophon has given notice of a motion that he intends to put to the Senate this afternoon to refer the issue to a Senate committee.
The inquiry would be conducted by the Senate’s Environment and Communications Committee and cover Australia’s laws and their enforcement.
The proposed terms of the wide-ranging inquiry also include the cyber security policy framework and reporting requirements for government agencies, security vetting of people with access to sensitive personal data of Australians (on government and non-government IT systems), destruction of sensitive data and security breach detection.
“For too long successive governments have been asleep at the wheel when it comes to cyber security, whether it is individuals’ mobile phones or government organisations being hacked by spies, there are huge vulnerabilities that need to be looked at,” the senator said in a statement.
The government has been conducting a Cyber Security Review. The review was due to be released earlier this year. However, the Department of Prime Minister and Cabinet recently said that a date had yet to be set for its release.
Senator Xenophon: To move—That the following matter be referred to the Environment and Communications References Committee for inquiry and report by 23 June 2016:
The adequacy of security for government and citizen data held, or transmitted, by governments, commercial entities, non-government organisations (NGOs) or citizens, with a particular focus on:
(a) Australia’s current laws and their enforcement;
(b) the Government’s cyber security policy framework for government agencies, and reporting requirements of same;
(c) security, such as vetting, measures for personnel with access to government and citizen data stored, or transmitted, on government, NGO and commercial entities’ information technology (IT) systems;
(d) physical security measures for government, NGO and commercial entities’ IT systems which store or transmit government and citizen data, including for mobile phone networks;
(e) cyber-attack and interception security measures for government, NGO and commercial entities’ IT systems which store, or transmit, government and citizen data, including for mobile phone networks (for example, SS7 vulnerabilities and International Mobile Subscriber Identity (IMSI) catchers);
(f) the safe disposal of obsolete government, NGO and commercial entities’ IT systems, databases, storage systems;
(g) methods for detecting security breaches, including the detection of mobile surveillance devices such as IMSI catchers;
(h) other approaches to these areas used in other jurisdictions; and
(i) any other related matters.