The proposed measures go too far and need stronger guardrails, otherwise they could adversely affect Australia’s critical infrastructure operators.
Sarah Sloan, Head of Government Affairs and Public Policy in Australia and New Zealand for cyber security leader Palo Alto Networks, has called for greater checks and balances on certain powers in the government’s proposed Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022.
The Bill, in its current form, is intended to provide an enhanced regulatory framework designed to uplift security and resilience across Australia’s critical infrastructure assets.
In the words of the Bill’s explanatory memorandum, the framework, when combined with better identification and sharing of threats, will ensure that Australia’s critical infrastructure assets are more resilient and secure.
However, Sloan, who appeared to give evidence at a public hearing of the government committee tasked with reviewing the Bill on 16 March, has cautioned that some of the measures outlined in the proposed legislation could adversely impact the nation’s critical infrastructure operators.
When speaking about the software powers, Ms Sloan also said “We are concerned that there is no independent review process articulated in the bill, and we believe this is contrary to some of the approaches taken in like-minded jurisdictions, which ordinarily would see the granting of a warranty or similar process in order to execute on that power”
Specifically, Sloan called for stronger checks and balances on powers for issuing ‘System Information Reporting Notices’ and recommended the removal of the Bill’s software installation power, which would see the government able to deploy third party software on private entities’ IT systems.
Sloan went on to say “perhaps the most important point we would make is that the provision potentially creates an international precedent that may, if adopted by other global and regional actors, impact Australia’s interests and values. As the Committee knows, we are in a period of geostrategic competition that is inherently linked to issues of technology and values, such as the separation of powers, rule of law – including checks and balances on the execution of Government power. ”
“While we understand and appreciate the relevance of system information in detecting and responding to cyber incidents and threats, we would recommend stronger checks and balances on the powers granted by the Bill to issue system information reporting notices (both ‘system information periodic reporting’ and ‘system information event-based reporting’),” Sloan said in her opening statement. “This will ensure that these notices are clear, proportionate, transparent and meet the Government’s needs without unduly burdening industry.”
Sloan encouraged the Committee to reconsider the maximum time frame – currently at 12 months under the Bill – for which a system information periodic reporting notice, or a system information event-based reporting notice, can be in force.
She also recommended notices be regularly reviewed to see if they are still necessary, proportionate and reasonable, and called for additional detail on the collection of data to be provided to companies likely to be impacted by the legislation, along with other measures to ensure industry is not unduly burdened by the proposed laws.
Additionally, Sloan called for the removal of provisions in the Bill that would give the Government the ability to install system information software on infrastructure it believed the respective ‘System of National Significance’ (SoNS) entity would not technically be capable of otherwise provisioning itself.
“The installation of what constitutes third-party software has the potential to create vulnerabilities that could adversely impact the security of a SoNS entity as well as, by default, the Government’s systems and client systems,” Sloan told the Parliamentary Joint Committee on Intelligence and Security (PJCIS). “Entities would need to review this software prior to putting it on their networks and this could take considerable time and effort.
“It is also unclear who would be responsible for ongoing product support and maintenance – including vulnerability management and patching. Finally, we note that this could expose the Government to liability for any adverse impacts arising from the installation of this software,” she added.
