Tech giants say government cyber assistance would simply cause more problems

Google, Microsoft, AWS, and Atlassian all believe they are best placed to respond to cyber incidents and that installing software from the Australian government would only increase the risk in their respective platforms and systems.

An Australian intelligence and security committee has been told by technology giants that they foresee no scenario where the installation of government software would be of benefit and do not require assistance from the government in responding to cyber incidents.

"I cannot think of a situation where installing ASD software on our networks would be of assistance," director of Google's threat analysis group Shane Huntley said.

"We have a good working relationship with the ACSC and there has been productive threat sharing, and we believe that there is a productive means to collaborate as collaborators, not as coercion or them stepping in to operate our systems and to install stuff on our systems.

"That is where we draw the strong line."

Among other things, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide "assistance" to entities in response to significant cyber attacks on Australian systems. This includes the proposal for software to be installed that is touted as aiding providers in dealing with threats.

Huntley on Thursday told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) -- which is looking into the Bill -- that if there was an incident, Google would absolutely work with the Australian Signals Directorate (ASD) to help respond if required, however that is where it would end.

"I do not believe that there is a situation where installing ASD software on our networks or our systems, especially in the heat of an incident, is actually going to cause anything except more problems, and it's not going to help the solution and it's not going to help the problem at hand," he continued.

Appearing alongside Huntley was Atlassian director of global public policy David Masters, who echoed much the same -- that it's not that his company wouldn't want to work with the Australian Cyber Security Centre (ACSC), but allowing officials into his company's networks to install software and somewhat pick up the running of services and processes is not a scenario he could see Atlassian wanting or even requiring.

The tech sector has raised concerns with government step in powers from day one. Amazon Web Services (AWS) previously said government "assistance" or "intervention" powers could give it overly broad powers to issue directions or act autonomously and Microsoft previously told the PJCIS it would prefer the government stay out of its incident response.

When Atlassian and Google were testifying that the views of the panel were that government assistance would not be required, AUCloud stepped in to say "never say never".  

Senator James Paterson said it was remarkable that Atlassian and Google saw no scenario where assistance would help and asserted it was the view of witnesses other than AUCloud. He then gave Microsoft and AWS the opportunity to clarify their position, but the two companies chose not to do so, although after the hearing, AWS has disassociated itself from the comments.

Earlier in the hearing, AWS director of Australia and New Zealand public policy Roger Somerville said there was a risk of the government stepping in.

"There's a deeper underlying assumption in the entire Bill here that seems to be that if something bad happens to a critical piece of Australia's infrastructure then the government is capable of stepping in and fixing that thing, and in many instances we think that's a really big risk of the government stepping in and misunderstanding how the regulated entity operates, maybe making things worse, so creating more or new problematic security and systemic risks in the process," Somerville said.

"We think that could have really significant consequences for Australia's economy and should be avoided."

Similarly, Hasan Ali, assistant general counsel in Microsoft's office of critical infrastructure, said prior to Google and Atlassian's remarks that "installation of any type of software, particularly in a complex and interconnected network will have severe adverse consequences".

"Doing so in the data storage or processing sector with hyperscale cloud providers, these are interdependent systems, they will introduce vulnerabilities, and we think it's going to be potentially a source of substantial third-party risk that we may have to mitigate for, from the government, if there is uncertainty with how these powers may be used," Ali said.  

While Huntley accepted that installing software to allow for monitoring and detection of threats and for data collection would be beneficial for those without a sophisticated IT environment and a lack of internal capability, that isn't the case with the likes of Google.

"We have 1,000s of security engineers, we have our own systems for monitoring, threat analysis, detection, and the best way -- and really, the only feasible way to do this sort of monitoring -- would be with our own systems and our own tools," he said. "I really can't imagine the situation where there is some software from ACSC or ASD which installing on our systems wouldn't even work, let alone be safe."

Instead, he would prefer the government provide threat information.

"If ASD wants to say, 'Here's what to look for on your systems, here is the IP addresses, here's the signatures of the malware, here is data to help in this instance', we always want to see that information," he said.

"What we need is information and collaboration, because the only real software that's safe to operate in a sort of Google or hyperscale cloud environment is our software and our systems that have been tested and vetted.

"I don't think there was a gap that can be filled by the government here."

Speaking following the tech giants, auDA CEO Rosemary Sinclair said the Department of Home Affairs had taken on its recommendation for the domain name system to be treated as a subsector, rather than being "caught up" in the broader communications sector.

Sinclair added the domain administrator was already adhering to cybersecurity standards such as the Essential Eight and ISO27001, using DNSSEC, and working with parts of its supply chain and registry operators on cyber assessments and red team exercises. She said AuDA will be auditing them every 12 months, with the potential penalty for failure to comply being the loss of accreditation.

"If needed we have our own disaster recovery arrangements and could step in should a register or the registry fail. All that is already in place and is quite extensive in its operation and effective," Sinclair said.

"All those relationships and processes are in place, and one of the things that strikes us about the legislation is that it's focusing on a problem of the unwilling and trying to address that. Whereas I suspect that ... the vast majority of people who have been engaging in this process are in fact, the willing."

In response, Senator Paterson pointed back to a large company that refused assistance from ASD.

"Unfortunately, we do have to legislate ... for those worst case scenarios, and we are already aware of, at least, one instance, of the significant entity failing to cooperate when they should have in a serious cybersecurity incident," he said.

"And so, unfortunately, the Parliament can't ignore that -- we have to balance the impact that it has on those of you who do have better practice."

Sinclair said that the government should be careful about creating a solution to the wrong problem, but that she appreciated the problem of "somebody reaching for the lawyers, rather than actually reaching for the cybersecurity experts".

"Nonetheless, the powers that are being proposed are very significant and require proportionate use and scrutiny."

Updated 9 July 2021 at 4:00pm AEST: Added quote from AWS representative Roger Somerville and clarified that AWS and Microsoft had the ability to counter the claims made by Atlassian and Google but chose not to.

MORE ON THE CRITICAL INFRASTRUCTURE BILL