A slew of Australia’s critical infrastructure service providers and union groups have lambasted the federal government’s critical infrastructure cyber laws due to it requiring organisations to install third-party software onto their systems if they are deemed to not be “technically capable” of managing cyberthreats.
Roger Somerville, Amazon Web Services’ (AWS) ANZ public policy head, said the need for new cybersecurity laws was apparent, but he remained critical of the software installation scheme contained within the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022.
The Bill contains outstanding elements of cyber laws passed by the Parliament last year, per recommendations from the parliamentary committee that is currently reviewing the laws. Among these outstanding elements are requirements for entities deemed “most important to the nation” to adhere to enhanced cybersecurity obligations, such as potentially installing third-party software.
Addressing the parliamentary committee that is reviewing the Bill, Somerville said there is a lack of clarity on how the software installation scheme would operate, and that the federal government saying it would only be used as a “last resort” is not sufficient.
“We do acknowledge that the Australian government has told us that those sorts of powers would be more relevant for less sophisticated cyber security entities than ourselves. But from our perspective, I think we’re very concerned that we still do need to see clear, practical guidance on how this would work,” Somerville said.
Somerville added that if the federal government was adamant in pushing ahead with establishing the software installation scheme, a technical support body that exists as an independent statutory office holder should be created to oversee the scheme’s operation.
“This body would also perhaps create an avenue for contestability of those decisions, particularly on the questions of technical feasibility,” he said.
AWS was not alone in sharing its concerns, as Palo Alto Networks ANZ public policy head Sarah Sloan, who also appeared before the committee, said the software installation scheme introduces unnecessary security risks into critical infrastructure environments.
This security concern was echoed by Communications Alliance CEO John Stanton, who provided an example of how the scheme could be dangerous.
“The danger is probably more when information is combined with other information sources, so we don’t necessarily hold a list of the people’s names behind IP addresses, but other organisations do. So if you combine data [from critical infrastructure entities] with telecommunications service providers data, because they know who the service providers are of those IP addresses then you’re able to effectively put together personal information,” Stanton said.
Software Alliance COO Jared Ragland, meanwhile, noted that the security issues with the scheme did not stop there as the installation of the software could lead to more issues across critical infrastructure supply chains.
“In addition to concerns about what kind of information might have legitimate access to the software, a real concern is that if the software is installed at each stage along this chain and it operates improperly, then there could be accidental problems. Perhaps it could be data leakage, but it could also be operational interruptions of other sorts,” Ragland explained.
For each of these organisations, trust appeared to be a core issue in their opposition to the software installation scheme. To address this lack of trust, not-for-profit advocacy group Internet Association of Australia (IAA) said the federal government should amend the proposed cyber laws to allow critical infrastructure entities to heavily test code.
“It’s highly, highly important that we need to have to trust the type of software that goes on to manage this. And we need the opportunity to be able to read the code, assess the code, test the code against other things,” IAA CEO Narelle Clark said.
The federal government’s critical infrastructure reforms sit alongside the ransomware action plan as being its primary regulatory efforts for bolstering Australia’s cybersecurity posture.
Labelled by Home Affairs Secretary Mike Pezzullo last month as the government’s defence against cyber threats, the federal government is hoping the second trance of cyber laws will create a standardised critical infrastructure framework for Australia’s intelligence agencies.
Home Affairs believes the second critical infrastructure Bill would create a common framework for preventing cyber attacks.
The cloud and data provider also sees a potential future where critical infrastructure providers and their suppliers shift data stores and processing functions offshore to avoid being regulated.
This new Bill contains obligations that were excluded from the Security Legislation Amendment (Critical Infrastructure) Act 2021.