The government’s proposed new powers to step in and take control of a company during a cyber-attack should not be applied to data storage companies, according to the Australian Information Industry Association.
Earlier this month the government unveiled draft legislation outlining a new positive security obligation for a range of businesses deemed to be operators of critical infrastructure, including data storage and processing firms.
The bill will also impose further obligations for operators of “national security businesses” and introduce government powers to take control of a company in the event of a cyber-attack.
In a submission to the Department of Home Affairs on the draft legislation, the Australian Information Industry Association (AIIA) called on the government to consider excluding data storage firms from this direct intervention action power, or to introduce an independent appeals tribunal at the very least.
The organisation also criticised the rushed approach to the development and introduction of the bill, and the lack of sector-specific guidelines ahead of its intended passage through Parliament in the next fortnight.
Companies operating in the data storage and processing space already have strong cyber protections and may not be appropriate for inclusion under this new regime, the AIIA said.
“We do question the appropriateness and application of powers inherent in the legislation for the data storage or processing sector, given its complexity, interconnectedness, overlapping regulatory regimes and the potential global implications,” the AIIA submission said.
“The government should give consideration to whether the direct intervention powers in the legislation are appropriate for this sector, as the sector already has a high level of cybersecurity capability, with a large portion of the sector already complying with positive reporting obligations related to cyber incidents and threats.
“If the intent of this legislation is to capture less mature entities in this sector, the legislation has no mechanisms sensitive to that distinction. Furthermore, these entities are often globally connected to supply chains, so these impacts are naturally of great concern to our members.”
Rules to apply to these tech companies must be “genuinely co-designed and flexible” and the legislation should be put on hold until these are ironed out, it said.
While pushing to be exempted entirely, the AIIA said that at the very least there should be an appeals mechanism, a means for companies to seek an injunction, and an expert independent panel in place to review direct action orders from the government.
These powers will only be used by the government in the event of a significant cyber-attack and when the company in question refuses to cooperate with the government. But such a refusal could be the result of a difference of opinion over the best response, the AIIA said.
“The AIIA posits that genuine disagreements as to strategy and best course of action may arise between government and industry heads, that this may be interpreted for the sake of justifying intervention as an ‘unwillingness’ to take ‘all reasonable steps to resolve the incident’,” it said.
An independent board should be formed to offer real-time recourse for a company subject to a direct action order, comprising judicial members and independent cybersecurity experts, and decision-making should be handed to the Attorney-General, rather than the Defence Minister as outlined in the draft bill.
“This would bolster the rigour and credibility of this layer of approval and afford genuine legal and constitutional nous to the oversight process inherent in the legislation and remove the Defence Minister’s role in approving a domestic enforcement action,” the AIIA said.
The draft legislation also allows the government, under certain circumstances, to require a company subject to a direct action order to install a specific piece of software, something the AIIA said is very concerning.
“The mandatory installation of government-selected software in any entity’s systems on pain of civil penalty is troubling in itself, but the potential impacts on globally interconnected businesses such as cloud providers are of particular concern,” it said.
A requirement for companies to notify the government of a significant cyber event within 12 hours is “unnecessarily short”, the organisation said.
“This requirement injects additional complexity at a time when critical infrastructure entities are faced with the difficult task of responding to a cyber incident. It also greatly increases the likelihood that the critical infrastructure entity will report inaccurate or inadequately contextualised information that could be shared with the government and other members of the industry,” the AIIA submission said.
A number of submissions to government have raised concerns that the government is rushing through the legislative process around these critical infrastructure reforms. After first revealing the plans in August, the government has already run two consultation processes, and is readying to have the new regime up and running by mid-2021.
This should be pushed back to the end of next year, the AIIA said, with more time given to the sector-by-sector rules and specific concerns of industry.
“The AIIA remains concerned that an important and critical area of policy is being rushed through to legislation when industry has significant questions around the detail, scope and remit of the proposed expansion as well as the operation of new direct action powers and avenues for recourse,” it said.