A coalition of Australian and US tech industry groups representing hundreds of companies has called on the Federal government to revise its Critical Infrastructure Bill, saying some elements are “problematic”.
The Information Technology Industry Council (ITI), the Cybersecurity Coalition and the Australian Information Industry Association (AIIA) have written to the minister for home affairs, Karen Andrews, arguing that the provisions allowing government takeover of critical infrastructure assets and requiring security incidents to be reported within 12 hours would harm national security, business and trade.
The coalition said that despite extensive feedback from its member organisations to the government, these provisions have not been amended in the bill.
According to the group, should the bill become law it will create unintended consequences that would actually decrease security in practice.
“Without significant revision, the bill will create an unworkable set of obligations and set a troubling global precedent,” they wrote in the joint letter.
The groups want the incident reporting window lengthened and, if the takeover provisions are passed, judicial oversight of their use.
Critical infrastructure bill
The Critical Infrastructure Bill 2020 would amend the Security of Critical Infrastructure Act 2018, expanding its coverage from four sectors to eleven designated critical infrastructure sectors: communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage.
It’s part of a $1.6 billion spending commitment over ten years that was introduced with the Federal government’s 2020 Cyber Security Strategy that warned critical infrastructure was being threatened by international cyber attacks.
As part of the standard review process, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has been examining the proposed bill, and in its recent advisory report it recommended a two-stage process that would split the bill and allow the emergency powers to be legislated swiftly in a standalone bill.
It wants “quick passage of laws to counter looming threats against Australia’s critical infrastructure, while giving businesses and government additional time to co-design the most effective regulatory framework to ensure long-term security of our critical infrastructure”.
In particular, the committee wants the first bill, marked for rapid passage, to expand the critical infrastructure sectors covered by the act, introduce government assistance measures to be used as a last resort in crisis scenarios, and impose mandatory reporting obligations.
The prospect of these contentious provisions being passed quickly has raised the concerns of the industry coalition.
The second part of the original bill is set for further consultation and would cover declarations of systems of national significance, enhanced cyber-security obligations, and positive security obligations to be defined in delegated legislation.
Tech giants urge change
The coalition objects to fast-tracking a separate bill that enacts the government assistance powers and incident reporting obligations without further public consultation.
It is urging the government to reject the committee's recommendation and to give serious consideration to the coalition's own proposals.
It argues that the information gathering, direction and intervention powers will not be subject to reasonable due process, which would normally allow organisations to appeal a decision or have it independently reviewed.
“[These] can impact the networks, systems and customers of domestic and international entities, and should be subject to a statutorily-prescribed mechanism for judicial review and oversight,” the letter said.
The group believes that if these laws pass they will have a global impact, undermining Australia's role in limiting the threat posed by companies that act on extrajudicial direction from other governments.
“The signal sent by these measures is that these rules do not apply to Australia. This undermines the Government’s good work internationally on these issues and sets a disturbing precedent for other governments facing similar national security challenges.”
Changes industry groups want to see
The groups want the window for mandatory reporting of an incident extended from 12 hours to at least 72 hours, or to "without undue delay".
The mandatory 12-hour timeframe diverges from global practice (the EU's GDPR, for example, sets a 72-hour breach notification window) and, according to the coalition, would inhibit companies' ability to focus on truly critical incidents.
“Our member companies would collectively block millions of threats a week; if required to report these, the Australian Government would likely be inundated with data,” the letter noted.
They also want the requirement to report imminent cyber incidents removed. They argue that reports made before an event is understood will carry inadequate context or misread what is happening, in a setting where accuracy matters most, and so will give the receiving government entity nothing useful or actionable.
“We strongly urge the Australian Government to consider the precedent the Bill sets for Australia’s trade partners in addressing national security risks, as well as the challenges Australian companies may face in other markets if these requirements are replicated by other governments,” they said.