Proposed powers for the government to step in and take over a piece of critical infrastructure are of “great concern”, according to the Communications Alliance, with a rushed process behind the reforms also raising worries.
The Home Affairs department is seeking feedback on proposed reforms to uplift the security and resilience of critical infrastructure, measures that apply to private companies operating in banking and finance, communications, data and the cloud, defence industry, education, research and innovation, energy and space.
Under the new laws, the government would be given the power to take control of a company operating critical infrastructure in the face of an “imminent cyber threat or incident that could significantly impact Australia’s economy, security or sovereignty”.
This would happen if the government identified an “immediate and serious cyber threat”, and would enable it to legally declare an emergency and take control of the systems and networks.
“The primary purpose of these powers would be to allow government to assist entities take technical action to defend and protect their networks and systems, and provide advice on mitigating damage, restoring services and remediation,” a government discussion paper said.
“There may be cases where entities are unwilling to work with government to restore systems in a timely manner. Government needs to have a clear and unambiguous legal basis on which to act in the national interest.”
The Communications Alliance said in a submission that the proposal is “of great concern”, with little detail given on how the laws would be implemented.
“While we have, unfortunately, not been able to gain a better understanding as to what such powers entail and how those would be translated into regulation in the telecommunications and data/cloud sectors, we highlight the inherent risks that may be attendant to a direct action power,” the Communications Alliance submission said.
“We cannot envisage a scenario in which a government agency would be better placed than the operator of critical infrastructure to take direct action to protect the infrastructure or system.
“The complexity and dynamic nature of the systems necessitate reliance on the expertise of the operator of the system, especially in times of crises where time is likely to be of the essence and decisions need to be taken under significant pressure.”
This new power needs to be subject to “stringent and independent governance arrangements and should apply in only the rarest of situations”.
“This power should not derive from a belief that government is better placed to take action, but rather from an absence of the preferable alternative. Direct action should only be contemplated after the operator has failed to comply with a direction,” the Communications Alliance said.
This should require approval from an independent judicial authority with access to expert technical advice.
The current proposal “significantly lacks detail” around how the reforms would actually work and how they would be translated into rules for individual companies, the organisation said.
“While we recognise that government sees an urgent need for reform, especially for sectors less advanced than the telecommunications sector from a security perspective, we believe that more extensive consultation, particularly with respect to the specific requirements envisaged for individual sectors, is required to ensure that the reforms create a practical, effective and proportionate framework,” it said.
The timeline proposed, with legislation to be introduced this year and the rules in place from mid next year, is also “significantly too short”, the Communications Alliance said.
The telecommunications sector specifically already has significant rules in place around security, and any new reforms should be applied sector-by-sector, it said.