Tech giants not convinced Australia’s critical infrastructure Bill is currently fit for purpose
The tech sector has taken issue with a handful of proposals made by the federal government in its Security Legislation Amendment (Critical Infrastructure) Bill 2020, specifically around government step-in powers and a potential misunderstanding of the relationship between cloud service providers (CSPs) and their customers.
The amendments in the Bill are aimed at enhancing the obligations in the Security of Critical Infrastructure Act 2018, and expanding its coverage to the communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors.
The Bill, if passed, would introduce a positive security obligation (PSO) for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements; enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.
Commenting on the proposed Bill, Microsoft asked that in crafting such requirements for CSPs, the legislation should recognise the customer relationships that these organisations have with critical infrastructure operators “who have already imposed significant compliance requirements to meet existing regulatory obligations”.
Its submission [PDF] on the Bill has asked the government to separate data centres and CSPs in the sectoral definitions; align Australian regulatory requirements with international standards; map existing regulatory requirements and security obligations met by CSPs and “harmonise those requirements to avoid duplication”; create protocols that ensure that the operator of the critical infrastructure systems is the focal point for any of the proposed obligations; and create clearly identifiable thresholds and checks for the use of the ministerial direction powers.
Salesforce, meanwhile, has recommended that sectoral definitions be narrowed and clarified — particularly as it pertains to “data and the cloud”.
“Salesforce encourages an approach which concentrates on regulated entities which control the systems of national significance, not service providers or processors that work across sectors,” it wrote in its submission [PDF].
“Whilst Salesforce welcomes risk-based elements of the proposed framework, we recommend that Australia not pursue compliance-oriented mechanisms.”
The CRM giant recommended concentrating oversight and expertise in a single agency and taking into account existing practices within each vertical.
It also recommended that data and/or system security rules should consider classification, criticality, and sensitivity of the asset being protected.
Offering its support for something similar, Cisco in its submission [PDF] said regulators and industry bodies informing classification of entities under the framework should include clear lines of accountability.
This Bill also introduces a government assistance regime to respond to serious cybersecurity incidents that applies to all critical infrastructure sector assets.
“Government recognises that industry should and, in most cases, will respond to the vast majority of cybersecurity incidents, with the support of government where necessary,” the Bill’s explanatory document stated. “However, government maintains ultimate responsibility for protecting Australia’s national interests. As a last resort, the Bill provides for government assistance to protect assets during or following a significant cyber attack.”
While Microsoft said it acknowledged that there may be emergency scenarios where the government may consider the need for direct action with critical infrastructure operators, it believes such actions must only occur as a last resort and “under a framework that incorporates robust checks and balances, as well as the Commonwealth Ombudsman acting on behalf of the private sector that reflects the interests and risks of undertaking such an action”.
“The use of such powers should be subject to a significant threshold, time limited and require independent authorisation,” it wrote.
“In the rare instances where ministerial direction is warranted, we recommend that it be narrowed to apply to circumstances in which gaps in abilities to defend and repel cyberthreat activity have been demonstrated during joint preparedness exercises among the government and private sector.”
Similarly, Salesforce said extraordinary circumstances that would require emergency government powers should be carefully defined to “establish full clarity and mutual expectations of the standards, liability, and procedures that apply”.
“Any decision should have the ability for judicial redress,” it added.
Cisco requested there be checks and balances for all government assistance, especially for step-in powers.
“Without a defined operating model on how the step in process would work, it is difficult to determine the checks and balances required but there are examples provided in other parliamentary reviews into security laws that could provide guidance,” it wrote.
“It is not clear yet what impact the government assistance powers to step-in could have on the operation of companies that are either not headquartered in Australia or operate in offshore markets.”
Amazon Web Services (AWS) also raised concerns that the proposal for government “assistance” or “intervention” powers could give the government overly broad powers to issue directions or act autonomously.
AWS is concerned that there isn’t clarity around whether the triggers for exercising such powers are objective and specific, whether or how the government would be able to objectively assess if its directions or assistance would improve the situation, what an entity could be directed to do or not do, what checks and balances would apply, and whether an entity has rights of review and appeal.