The carving out of companies holding or processing government data from the federal government’s critical infrastructure scheme is a “serious omission” that represents a “significant and dangerous” reduction in the scope of the protective scheme, according to the Macquarie Telecom Group.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is currently inquiring into the last tranche of the federal government’s critical infrastructure reform.
The bill introduces powers to require “nationally significant” companies to install software that shares data with Australia’s spy agency, new positive security obligations for critical infrastructure companies, and increased responsibilities for those companies.
Under the current critical infrastructure regime, a data storage or processing service provider that supplies a service to the Commonwealth government or a state or territory government is defined as a critical infrastructure provider, making it subject to the security regime.
But the government’s legislation amends this definition so the critical infrastructure designation won’t apply to companies storing government data unless it is “business critical data”.
This is a “serious omission” that makes little sense, Macquarie Telecom Group told the PJCIS in a submission to the inquiry.
“This is a significant and dangerous reduction in the scope of the Security of Critical Infrastructure (SOCI) Act because business critical data does not describe the type of information that is most commonly held by government departments and agencies nor what is crucial to the functioning of government,” the Macquarie submission said.
“The security, integrity and accessibility of that government data is no less critical to the continuous functioning of society. The gaps and consequences arising from the proposed changes to the definition are significant and, in the circumstances, seem absurd.”
According to the submission, companies storing or processing highly classified government information, the entirety of the National Archives of Australia or official company records for ASIC would not be captured under the new critical infrastructure scheme.
“The data storage or processing service provider in these scenarios would not be required to do anything under the SOCI Act – not even report a cyber-attack on its systems that potentially or actually affected the integrity or availability of the government data,” the submission said.
The bill also exempts companies from completing risk management projects if they are certified under the Commonwealth’s hosting certification framework, but Macquarie Telecom Group argued this exemption should not apply until that framework is formalised in the Protective Security Policy Framework.
The critical infrastructure scheme should also be amended to be applied extraterritorially to the offshore storage and processing of the business critical data of Australian critical infrastructure providers, the submission said.
“The SOCI Act will not help secure Australia’s critical data and will become digitally irrelevant if it is not applied consistently to critical data storage and processing assets, wherever they may be located,” it said.
“It would be far better to ensure that all such relevant assets are within the scope of the SOCI Act even if some of them subsequently have to be excluded through regulation. To do so otherwise is to surrender Australia’s sovereignty over its critical data assets when it has never mattered more.”
The Information Technology Industry Council (ITI), which represents 80 global tech companies, also made a submission on the critical infrastructure powers, raising concerns with the “unprecedented and far-reaching” powers to be handed to the government.
Do you know more? Contact James Riley via Email.