Legislation allowing the government to take control of a company’s network as a “last resort” in the event of a cyberattack has sailed through the lower house despite a group of tech heavyweights labelling it “highly problematic”.
The critical infrastructure bill was debated in the House of Representatives on Wednesday afternoon, with the Coalition moving amendments meeting the recommendations of the Parliamentary Joint Committee on Intelligence and Security (PJCIS), primarily to split the legislation in two and pass some of the powers urgently.
The legislation put forward by the government significantly expands the scope of companies covered by the critical infrastructure regime to include communications, financial services, data storage and processing, defence industry, higher education and space technology, and introduces a new positive security obligation for them.
The bill also includes enhanced obligations for national security companies and “last resort” powers for the Australian Signals Directorate or Australian Cyber Security Centre to step in and take control of a company in the event of a cyber-attack.
This would potentially see a company compelled to install government software on their networks, with the agencies gaining access to their computers, analysing their data and ordering them to do or not do something.
Last week a group of international technology associations, including the Australian Information Industry Association and the Information Technology Industry Council wrote to the government with concerns the legislation is “highly problematic” and would set a “troubling global precedent”.
These concerns were swiftly rejected by home affairs minister Karen Andrews, who likened the new rules as similar to fire codes and building regulations.
“If we don’t act now, we risk our cybersecurity falling further behind,” Ms Andrews said.
During the lower house debate, several Labor MPs raised concerns with the “shambolic” process behind the critical infrastructure bill and the lack of judicial oversight, but the Opposition will ultimately support its passage through Parliament.
Shadow assistant minister for cybersecurity Tim Watts criticised the government’s approach which led to the legislation being split in two.
“The process that has brought this bill to the House today has been shambolic, to say the least, and it has left the Parliament with significant additional work to achieve the aims of this bill,” Mr Watts said.
“This was a crazy approach to such a consequential and complex piece of legislation. Industry was aghast and warned in the most urgent terms that the government’s rushed approach could do more harm than good.
“This really is an extraordinary indictment of the Morrison government’s failure to work in partnership with the broader Australian cybersecurity ecosystem in our shared task of protecting the nation from cyberthreats.”
Shadow defence minister Brendan O’Connor suggested the controversial “last resort” powers will be used “sparingly, if ever”, and the PJCIS will be notified each time they are.
“In supporting this legislation, Labor is relying upon the intention stated in the bill and as given by the department and indeed by agency heads – that these powers will only be used as a last resort,” Mr O’Connor said.
The federal government has “fallen behind” in taking meaningful action on cybersecurity, Mr O’Connor said.
“While Labor supports this important bill, I can’t overstate the need for more attention to be focused on reducing cyberattacks and protecting the critical infrastructure and essential services that all Australians rely upon,” he said.
Independent MP Andrew Wilkie questioned the urgency of passing the bill when the ASD has previously said the chance of the new powers being used was “very rare”.
“Why are we continuing to act with such urgency, when we would slow it down and make sure that the provisions in these reforms are really well crafted, watertight and effective?” Mr Wilkie said.
“I think we’re missing an opportunity there. We’re creating perhaps to some degree too much concern about getting this through this week. I think it does give excessive power to the government and the minister in particular because the people who are affected by the decisions of the government and the minister don’t have any resort to judicial review or any sort of effective independent oversight of the decisions of the government or the minister.”
Mr Wilkie also said the government is not providing adequate funding for the new critical infrastructure regime.
“When it comes to cybersecurity, let’s properly fund what’s before us today. Let’s talk to stakeholders and ensure that concerns that still exist about the bill before the House today, including the fact that there’s no judicial review of ministerial decisions, are addressed,” he said.
The new powers are a “vital step” towards improving the security of critical infrastructure in Australia, Ms Andrews said.
“The Morrison government is committed to uplifting the security of critical infrastructure and safeguarding the essential services they provide for all Australians,” she said.
“The government has introduced the Critical Infrastructure Bill 2020 to enhance the security of critical infrastructure in Australia, to build situational awareness and to enable the government to assist industry to effectively prevent, defend against and recover from serious cybersecurity incidents.”
The bill will now likely be debated and passed in the Senate when it next sits in November.
Do you know more? Contact James Riley via Email.