New rules for critical infrastructure covering a broad range of tech firms are being “rushed” without proper scrutiny being applied, according to a number of submissions to government.
The government this week released a draft version of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, implementing new positive security obligations for a broader range of businesses deemed to be critical infrastructure, enhanced obligations for national security businesses, and government powers to step in and take control of a company in the event of a significant cyberattack.
The draft legislation revealed that the rules will apply to a range of sectors deemed to be critical infrastructure, including communications, financial services, data storage and processing, defence industry, higher education and research and space technology.
These businesses will be subject to a new Positive Security Obligation, including a risk management program that will be rolled out industry-by-industry, along with mandatory cyber incident reporting. These companies will also have to provide ownership and operational information to a register of critical infrastructure assets.
There will also be stricter cybersecurity obligations for operators of systems of national significance in each of the listed sectors, such as the development of response plans, exercises and vulnerability assessments.
The draft legislation also hands the power to the government to take control of a company in the event of cyberattack as a last resort, or to direct the firm to do or not do something.
This could include providing the government with access to a computer, the analysis of computer data or the alteration of computer data or the functioning of a computer.
The new laws were first revealed in the government’s 2020 Cyber Security Strategy in August. A discussion paper was released for consultation in mid-September, followed by five weeks of consultation where Home Affairs received just under 200 submissions.
These submissions raised numerous concerns, particularly around the large number of companies that would now be subject to the new obligations, as well as the government's new powers to intervene and take control of a company as a last resort.
There will only be two weeks of consultation on the draft legislation, with the federal government seeking to get it through both Houses of parliament this year.
A broad coalition of tech giants, large universities, state governments and law institutes raised concerns that the government is moving too fast and not properly considering the reforms.
The Australian Information Industry Association (AIIA) said there needed to be thorough economic impact assessments completed prior to the legislation being introduced to Parliament.
“The AIIA is concerned that an important and indeed critical area of policy is being rushed through to legislation in the next few months when industry has a number of concerns and questions around the detail, scope and remit of the proposed expansion as well as the operation of new direct action powers,” the AIIA submission said.
“We do not accept that the threat of non-action exceeds the threat of unintended consequences and potentially poor drafting.”
Amazon Web Services (AWS) called for a “robust” consultation process, including a regulatory impact statement and a review by the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
“Given the significant changes to the scope, application and content of the laws, it is important that the government, and the Parliament, work methodically through the new framework and the regulatory regime,” AWS said in the submission.
“We encourage the government to take the time required to get this reform right,” AWS said.
The Software Alliance, whose members include global platform providers like Adobe, Slack, Salesforce and Oracle, also shared these concerns.
“Given the importance and potential impact of these changes, BSA is concerned that the government has not allocated sufficient time to fully consult on these changes. We respectfully recommend that the Australian government provide adequate opportunities for further consultation as the legislation and associated policies are considered particularly on whether and how to address cloud computing and data-related services under this proposal,” the Software Alliance said.
Local cyber conglomerate CyberCX said a more detailed discussion is needed to prevent any regulatory duplication, reduce technical barriers and examine its potential impact on data security and privacy.
“The wide-ranging proposals need further detail and consideration. Imposing new obligations across the economy and significantly expanding the power and responsibilities of the government, particularly the Australian Signals Directorate, deserves an extended consultation,” the CyberCX submission said.
“CyberCX can appreciate the government’s urgency to legislate. But we believe there is merit in undertaking further engagement prior to enacting legislation, to enhance government’s visibility of critical infrastructure and its understanding of assistance during an incident.”
The quick process in which the legislation is being developed means it won’t be properly scrutinised, the Law Council of Australia told the government.
“The Law Council is concerned that the intended timeframe and consequential truncation of pre-legislative consultations are not conducive to effective scrutiny of the proposed measures, which are likely to intrude significantly on business interests and individual rights and liberties,” the Law Council submission said.
The Victorian government also said that things are moving too quickly.
“The proposed passage of legislation prior to resolving complex implementation challenges presents significant risks. Further detail and consultation will be essential to be able to offer a view on the proposed approach as a whole, whether it will lead to better security and resilience outcomes for infrastructure, and whether it is the most appropriate path for future reform,” the state government said in a submission to the federal government.
The submissions raised a number of concerns with the discussion paper on the new critical infrastructure powers, which they said should be discussed over a longer consultation period.
These included the broad definition of the companies that would be subject to the new rules. The Australian Investment Council said the changes are “unnecessarily broad and unclear” and that they “risk increasing the burden on Australian businesses, both directly and indirectly, now and in the future”.
“The private capital industry’s main concern is that, as currently drafted, the definitions incorporated in these reforms would likely capture a wide range of firms, many of which are small and pose no security risk in our view,” the Australian Investment Council submission said.
A number of submitters also questioned the direct action powers handed to the government as part of the reforms, calling for evidence that these are needed and for stringent checks and balances surrounding their use.
CyberCX’s submission said the company has “reservations” about these takeover powers.
“The transfer of this power to government has the potential to result in significant unintended consequences and transfers responsibility in a way that oversteps the reasonable role of government,” it said.
“The establishment of a direct-action power may also result in some owners and operators failing to invest sufficiently in their own capabilities based on the belief that government will come to the rescue.”