When it comes to policies and legislation about technology, most of the world’s governments are several years behind the curve — and that’s putting the situation very, very politely.

The few exceptions are almost entirely in the Asia-Pacific region, most notably, in Australia. The country’s technology legislation stance is leaps and bounds ahead of most in bringing out relevant governance that’s practical and modern.

There are a couple of other outposts of sanity in the world: In the US, California’s state legislature appears to have an advantage over its neighbors. At the same time, Europe looks to (or should look to) Estonia as a fine example of a digital-first government.

Australian organisations have faced mandatory cyber breach disclosure regulations since 2018, and the latest tabled amendments to the Critical Infrastructure Bill, on the whole, make sense.

In it, the definition of what comprises “critical infrastructure” is significantly broadened and now includes communications, financial services and markets, data storage and processing, defence industries, higher education and research, energy, food and grocery, healthcare and medical devices, space technology, transport, water, and sewage.

The implication for many organisations is that they are now subject to “enhanced obligations” under the Bill. At first glance, this might seem like overreach on the part of an administration keen to flex its legislative muscle. But several recent cyberattacks have made the situation clear: the successful infiltration and compromising of private businesses has a significant impact on national economies, and can therefore be deemed a matter of national security.

We spoke exclusively to Alexandra Drury, Regional Vice-President at Tanium, a cybersecurity company cited in the US Senate (pp.4 ) [PDF] by Major General Christopher P. Weggeman as being “truly revolutionary.”

Alexandra mentioned the Colonial Pipeline ransomware attack as a prime example of where discrete organisational security is of national importance. “At the end of the day, a nation’s security chain is only as strong as its weakest link,” she said.

However, the situation goes international very quickly. In the case of the cyberattack on JBS (one of the world’s biggest meat processing companies), the price fluctuations hit food markets in the US, Canada, and Australia.

We asked Alexandra what every business should do, and especially, how should those companies newly deemed critical infrastructure respond?

“[The Government] uses this term ‘positive security obligations’ for critical infrastructure assets. And it includes three main facets. The first one is that organisations need to have risk management programmes in place. The second is mandatory cyber incident reporting. The third involves enhanced obligations for organisations that are considered to be of national significance. They get more granular in terms of what the obligations become.

“They include incident response plans, cyber security exercises in relation to preparedness for cyber incidents, vulnerability assessments to identify weaknesses for remediation efforts, and sharing system information for situational awareness – which is key –  while disclosing near real-time threat information. So, a large part of the enhanced obligations is around visibility and speed.”

The broader inclusion of more verticals and those enhanced steps in the legislation mean that now, “cyber is a corporate board issue,” Alexandra says. “Because of this Bill, the government is forcing cybersecurity into the boardroom across a broader range of industries than ever before.”

As an innovator of cybersecurity systems, Tanium is a government-level protection provider. Alexandra states: “Governments all around the world rely on Tanium to deliver visibility, IT hygiene [and] security.”

Previous articles on Tech Wire Asia have discussed the need for visibility into all IT assets — with many organisations “discovering” assets they didn’t know they had (never mind knew to protect) in the initial phases of Tanium deployment.

Tanium’s approach, per Alex, is to provide “[…] the right single platform, single agent, [and] extensible capabilities that broach not just security, but also IT ops.”

Integrating cybersecurity practices into IT operations goes a long way towards increasing security awareness and raising the levels of cyber hygiene — an area historically  mired in vague definitions around user education. “Hygiene is more systematic, more systemic, “she says.

With many more businesses now having to implement enhanced cybersecurity processes as a result of  legislative changes, the Tanium solution allows operators “[…as Major General Weggeman stated] ‘to perform vulnerability management, incident response, system health diagnostics, asset identification, optimisation, all in a matter of seconds.’ And that’s the key to Tanium success: our ability to deliver all of those capabilities in a matter of seconds to minutes, versus days, weeks, or even months in some cases!”

In 2021, malicious actors don’t load warplanes with bombs to drop onto vital infrastructure or supply lines. They press Enter to invoke code from thousands of miles away. To keep safe, all organisations should be re-assessing their cybersecurity posture — especially in Australia, where a government seems to have its eye on the ball.

To learn more about Tanium and how the company can help your organisation stay safe and  compliant, get in touch to discuss your options.