Critical Infrastructure Bill should be split to swiftly give government step-in powers: PJCIS

Among the measures the PJCIS wants to have introduced immediately are step-in powers and mandatory reporting requirements.

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has recommended that the Bill that would give government step-in powers whenever an organisation suffers a cyber attack be passed swiftly.

"The committee received compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure is increasing globally. Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure," committee chair Senator James Paterson said.

The Bill in question, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, as currently drafted seeks to give government powers to step in and provide "assistance" to entities in response to significant cyber attacks on Australian systems, create enhanced cybersecurity obligations for those entities most important to the nation, and introduce sector-specific positive security obligations (PSOs) for critical infrastructure entities.

The PJCIS recommended in an advisory report [PDF], however, that only the portions of the Bill that focus on government assistance mechanisms and mandatory notification requirements should be passed now, with the "less urgent" aspects of the Bill to be introduced in a second, separate Bill following further consultation.

The PJCIS believes this two-step approach would enable the quick passage of laws to counter looming threats against Australia's critical infrastructure, while giving businesses and government additional time to co-design a regulatory framework that provides long-term security for the country's critical infrastructure.

Along with this main recommendation, the advisory provided other recommendations detailing how the Bill should be split.

The powers that the PJCIS wants to see passed immediately are the government assistance mechanisms, colloquially termed "last resort" powers, which would allow government to direct an entity to gather information or undertake an action, or to authorise the Australian Signals Directorate (ASD) to intervene against cyber attacks. This also includes the proposal for software to be installed on an entity's systems that the Department of Home Affairs claims would aid providers in dealing with threats.

It also wants one of the PSOs in the current Bill, which would require organisations to formally notify government if they experience a cyber attack, to be passed immediately.

While the PJCIS supports the introduction of the "last resort" powers, tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with them, saying more clarity is needed regarding how and when those powers can be exercised.

Meanwhile, Google believes the assistance mechanisms would only provide more problems.

"I do not believe that there is a situation where installing ASD software on our networks or our systems, especially in the heat of an incident, is actually going to cause anything except more problems, and it's not going to help the solution and it's not going to help the problem at hand," Google threat analysis group director Shane Huntley said in July.

"The committee acknowledges that affected entities will still have reservations with the enablement of the assistance measures, especially within the technology sector. However, the committee recognises that the potential threat faced to critical infrastructure assets is too great to stall introduction of these essential measures for any longer," the committee wrote in response to those concerns.

Among the less urgent measures that the PJCIS would like to see introduced in a later Bill are the enhanced cybersecurity obligations and the remaining PSOs in the current Bill. These PSOs are adopting and maintaining an all-hazards critical infrastructure risk management program, and providing ownership and operational information to the Register of Critical Infrastructure Assets.

The PJCIS said this second Bill should be drafted through consultation with industry.

Since the Bill's introduction into Parliament at the end of last year, the Department of Home Affairs has repeatedly asked for it to be rushed through, saying the sector-specific rules could be nutted out later.
