Bronte Munro | Cyber & Technology Fellow
Amazon Web Services, Universities Australia, and Google Cloud were among 85 organisations that formally raised concerns with the Australian Government’s amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020. The Joint Parliamentary Committee on Intelligence and Security held the first public inquiry into the Bill’s amendments on 9 July 2021. The Bill stipulates that the amendments are designed to enhance “the existing framework for managing risks relating to critical infrastructure”, and involve a reclassification of which organisations are considered critical infrastructure. Beyond this, the amendments seek to establish more stringent cyber incident reporting standards for relevant industries and to grant the government greater powers of intervention in instances where cyber-attacks pose significant and unmanaged risk to national security.
Whilst significant questions are being raised around changes to the government’s ability to interfere directly in the critical infrastructure sector, the broader question of how effective policy can be in deterring, mitigating, and protecting against the threats that Australian critical infrastructure providers face also needs to be considered.
The Australian Risk Policy Institute’s (ARPI) individual submission in opposition to the proposed amendments largely encapsulates how the Bill lacks fundamental awareness of developments in risk management strategies, which significantly hinders its ability to act as the critically informed and resilient risk management policy it aims to be. ARPI’s concerns highlight the flawed architecture of the Bill and reinforce the industry-specific issues raised at the public inquiry. Canberra should take this as an opportunity to begin an iterative process of policy development with critical infrastructure organisations. The focus should be on embedding a resilient and informed security culture within Australian policy and, by consequence, within those regulated by it.
Issues with the Proposed Amendments
Canberra’s concern for Australia’s critical infrastructure is evident throughout the Bill. A key change stipulates that if an organisation’s response and management of a significant cyber-attack is deemed inadequate or a risk to national security, Canberra can step in and “access, add, restore, copy, alter or delete data”, as well as install their own security programs, without any indication of when and under what conditions they will be removed.
Alarm is being raised by both the private sector and public bodies around Canberra’s attempt to legalise its ability to interfere in and alter the functioning of an organisation’s systems on national security grounds. Backlash is primarily around the government’s overreach of power, and the risks that come from a ‘one-size-fits-all’ response to cyber incidents. The argument is that Canberra’s interference in nuanced systems and unfamiliar industry environments, which often operate across multiple geographic locations, could cause more damage than good, regardless of the risk to national security that a cyber-attack could pose.
The invasiveness of the amendments was another common theme raised at the public inquiry, specifically the conditions that require businesses to be transparent about their data and cyber-security practices. The amendments also give the government power to collect and record any information they deem to be relevant.
Amazon Web Services has voiced specific concerns with this condition, due to the commercial ramifications if shareholders and customers were to perceive the company’s security and privacy to have been violated. The one-sidedness of this arrangement was also highlighted by a spokesperson from Google, who argued that the private sector would benefit from Australian intelligence agencies providing more information on active threats, as opposed to the vague outlines for intervention in an organisation’s systems following a cyber-attack. This highlights the critical point that, for the Bill to be effective in managing risk to Australia’s key interests, the security relationship between the Australian government and critical infrastructure providers needs to be a partnership. The strategic, operational, and tactical gaps in Australia’s critical infrastructure security can only be understood and addressed through collaborative policy development that applies proven international standards for risk management within each industry, as opposed to policy that focuses on reactive intervention.
As this dialogue emerges, Canberra should also leverage the opportunity to address the amendments pertaining to the security of Australian data held by private sector companies. The amendments that deal specifically with data are significantly less aggressive and airtight in comparison to other national cyber security policies. Under the proposed changes, Australian-based third parties are only considered critical infrastructure, and subject to stringent policy governance, if they knowingly store government or critical business data. By contrast, the comparable US CLOUD Act and data security laws in Europe extend jurisdiction over all data holders, regardless of their location or their knowledge of the ownership of the data. This loophole creates opportunities for organisations that handle Australian data to arrange its processing and storage abroad, where it can avoid regulation.
How effective can policy be?
Tension between the regulated and the regulators will always exist. However, as the public inquiry into the amendments to the Bill revealed, concerns are less about being regulated and more about the unintended negative consequences that the government’s proposed plans could have on individual businesses and on Australia’s critical infrastructure security. The amendments are sparking timely and necessary conversations around Australia’s cyber security, which need to be leveraged to address the policy’s significant ambiguities if it is going to be effective in achieving its goal of mitigating security-related risks to critical infrastructure. The very existence of such fundamental issues indicates a need for more collaborative effort between the government and critical infrastructure providers, to ensure the policy is effective in managing risk.
Bronte Munro is the Cyber & Technology Fellow for Young Australians in International Affairs