The federal government will urgently get new powers to intervene as a “last resort” if a critical infrastructure company is subject to a cyber-attack, after the powerful national security committee called for the Critical Infrastructure bill to be carved in two to allow for its “swift” passage through Parliament next month.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) tabled an advisory report on the Critical Infrastructure bill on Wednesday morning, calling for the legislation to be split in two to allow for some of the most urgent new powers to be passed quickly in the coming Spring sittings.
The PJCIS called on the government to further consult with industry on the other aspects of the legislation before introducing it to Parliament in a separate bill.
In additional comments to the PJCIS report, participating Labor members agreed with and endorsed the recommendations, but flagged concerns over the absence of independent authorisation and the “wholesale exclusion” of statutory judicial review around the new powers.
The critical infrastructure reforms, unveiled late last year, significantly expand the scope of companies covered by the regime to include the likes of communications, financial services, data storage and processing, defence industry, higher education and space technology.
The reforms include a new positive security obligation for these businesses deemed to be operating critical infrastructure, enhanced obligations for those named as national security businesses, and “last resort” powers for the government to step in and take control of a company in the event of a cyber-attack.
The PJCIS has recommended that the expansion to the other sectors, the mandatory reporting obligations and the “last resort” government powers be passed by Parliament as a matter of urgency.
The other changes, including declaring new systems to be of national significance, enhanced cybersecurity obligations and the positive security obligations, should be deferred while more consultation takes place, the committee recommended.
There is an urgent need to pass some of these powers to protect Australia’s critical infrastructure from cyber-attacks, PJCIS chair and Liberal Senator James Paterson said.
“The Committee received compelling evidence that the complexity and frequency of cyber-attacks on critical infrastructure is increasing globally. Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” Senator Paterson said.
“The Committee’s recommended solution allows for the urgent measures to pass now to equip the government with the emergency powers it needs while allowing additional time for co-design to overcome the concerns of industry about the regulatory impact.”
Senator Paterson said numerous businesses had asked the government to put the whole legislation on hold due to the ongoing COVID-19 pandemic and its impact on industry, but this was rejected by the PJCIS, which has instead given more time for elements of the framework to be designed.
“While sympathetic to the concerns of industry leaders, the Committee does not believe that pausing the entire bill is in Australia’s national interests given the immediate cyber threat that our nation faces,” he said.
And if only the first section of the legislation is passed, it would send the wrong message to the industry that cybersecurity is a matter just for the government, he said.
“The passage of both bills is essential because cybersecurity is not just the government’s job. Industry has a role to play too and the second bill which imposes obligations on businesses is an important part of a comprehensive response to the serious challenges we face,” Senator Paterson said.
The PJCIS plan would see the government soon handed new powers to take control of companies deemed to be operators of “national security businesses” in the event of a cyber-attack, potentially compelling them to install government software on their networks.
Under this “last resort” power, the Australian Signals Directorate or Australian Cyber Security Centre would be able to gain access to a computer, analyse data and order the company to do, or not do, something.
Several heavyweight tech companies have raised significant concerns with this power, with the likes of Google and Atlassian previously telling the PJCIS that there would be no realistic situation in which this would be more useful than their own defences.
The tech giants said that the use of these powers could actually make things worse in the event of a cyber-attack, while Amazon said it could lead to “unintended negative consequences”.
Soon after, Home Affairs secretary Mike Pezzullo defended the new powers, saying it was urgent that they be passed by Parliament.