The Federal Government is considering legislation similar to the Y2K disclosure act, which was introduced in the run-up to the year 2000, to facilitate information sharing with the private sector.
Attorney General's department national information infrastructure (NII) senior adviser Mike Rothery has confirmed a scoping paper is being prepared over the next two months to review the current legislative framework to accommodate the reporting of IT security breaches by Australian companies.
Rothery said legislation has "not been ruled out", but said a scoping paper will be circulated to members of the Business-Government Task Force on Critical Infrastructure following consultation with industry including the Australian Stock Exchange (ASX), Australian Competition and Consumer Commission (ACCC) and Australian Securities and Investments Commission (ASIC).
The Year 2000 Information Disclosure Act was enacted in preparation for Y2K to give business some protection for voluntarily exchanging information, and Rothery said this could serve as a model for infrastructure protection.
He said it is too early to speculate on the outcome of the scoping paper, but regulation or legislation may be necessary to overcome business obligations under corporations law, particularly as they relate to market disclosure.
There was also concern that the collective sharing of information and investigation of system vulnerabilities in a specific industry sector could be perceived as collusion and be prohibited by the Trade Practices Act.
"The scoping paper will address these issues; there also needs to be a public interest test on information relating to vulnerabilities in software products should the flaw remain confidential until a patch is released," he said.
Rothery said the scoping paper will also determine if laws are necessary for companies that operate Australia's critical infrastructure such as banking, telecommunications and utilities, or if they will apply to all companies.
Speaking at a meeting of the Institute of Company Directors last week, Rothery said it is essential Australia develop the capability to monitor and respond to IT security threats before cyber terrorism emerges as a tool of global warfare in the modern age.