The government will be able to step in and take control of critical infrastructure owned by the private sector as a “last resort” in the event of a cyber attack under laws passed by Parliament on Monday, despite being labelled “highly problematic” by a group of technology heavyweights.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020, which significantly expands the number of sectors classified as critical infrastructure, enforces mandatory reporting and gives “last resort” powers to the Australian Signals Directorate, passed the Senate on Monday night with bipartisan support.
While Labor backed the bill, it was rejected by the Greens, who labelled it a “greedy little power grab” and said that it was not supported by key stakeholders.
Companies operating in the communications, financial services, data storage and processing, defence industry, higher education and space technology sectors will now fall under the critical infrastructure regime and will be subject to mandatory reporting.
Under the laws, the ASD and Australian Cyber Security Centre will be able to step in and take control of a company’s systems if it is subject to a cyber attack. This means the company could be compelled to install government software on its networks, letting the government gain access to those networks, analyse the company’s data and direct the firm to do something or not do something.
Other critical infrastructure reforms, including the designation of nationally significant systems, enhanced cyber obligations and positive security obligations have been separated from the bill and will be moved at a later date following a recommendation from the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
Last month a group of international tech associations, including the Australian Information Industry Association and the Information Technology Industry Council, wrote to the government with concerns that the legislation is “highly problematic” and would set a “troubling global precedent”.
Home Affairs Minister Karen Andrews quickly responded to the letter, saying the reforms are akin to fire codes and building regulations.
“If we don’t act now, we risk our cybersecurity falling further behind,” Ms Andrews said.
“We’re facing a clear threat, and we need to be resolute in tackling it. Cybercrime, ransomware and attacks on critical infrastructure are already occurring – both in Australia and overseas.
“Businesses will continue to have frontline responsibilities for their own cybersecurity, but – in the event of a major attack – emergency assistance legislation will enable the capabilities and expertise of the ASD to be called in as a last resort.”
In the lower house, Labor members raised concerns with the “shambolic process” behind the bill’s introduction to Parliament and the lack of judicial oversight, but ultimately supported its passage.
Shadow home affairs minister Kristina Keneally said the legislation had been greatly improved following recommendations by the PJCIS, and that this “underscores the importance” of that process.
“This bill is so different to the government’s original legislation because the committee unanimously agreed that, quite simply, the Morrison government has not finished its work on this bill, and the work it had done, it hadn’t done well enough,” Senator Keneally said.
Greens Senators tried to amend the legislation to have the Senate note that the bill is not supported by “key stakeholders in the logistics, technology and education sectors, among others”, that there was insufficient consultation on it, and that it would give the minister “considerable powers under the guise of protecting the security of critical infrastructure”.
“The government as usual is bringing even more half-baked legislation that no-one actually wants so they can stand here and pretend to be doing something,” Greens Senator Lidia Thorpe said.
“This legislation is a greedy little power grab and the Greens cannot support it in its current form.”
The Greens Senators were the only ones to vote in favour of the amendment.
A number of big Australian tech firms have also warned against the legislation, saying it is poorly defined and government intervention would be of no use for companies of their size.
Google and Atlassian told an inquiry into the bill that there was no realistic situation where software provided by the ASD would be any more useful than their own defences, while Amazon said it was unreasonable for the government to expect it could use the new powers effectively and that they would not lead to “unintended negative consequences”.