The Australian government is looking to pass the Security Legislation Amendment (Critical Infrastructure) Bill 2020, an overhaul aimed at helping Australian businesses fend off cyberattacks. The Bill expands the business sectors previously defined as critical infrastructure by adding, amongst others, Food and Grocery, Finance and Banking, Universities, Communications, Defense, Energy, and Transportation to the list. It would also impose strict 12-hour reporting requirements for cyberattacks and allow the Australian Signals Directorate to ‘step in’ to protect networks during or following a significant cyberattack.
In a letter to a member of the Australian Parliament, the Information Technology Industry Council, the Australian Information Industry Association, and the Cybersecurity Coalition, which represent multiple technology firms including Google, Microsoft, Intel, Adobe, and Amazon, said, “Without significant revision, the Bill will create an unworkable set of obligations and set a troubling global precedent.” The letter continues, “We are also concerned by the global impact that such a Bill will have and how it undermines the values that Australia promotes internationally.” It goes on to declare that, “This undermines the government’s good work internationally on these issues and sets a disturbing precedent for other governments facing similar national security challenges”.
Government Intervention or Market Systems
This is not the only instance of Australia setting a global precedent in opposition to technology leaders. In early 2021, Australia became the first country to require Facebook and Google to pay for news content provided by media companies under a royalty-style system. In her statement to the Senate Economics Committee, Melanie Silva, managing director of Google Australia and New Zealand, said, “in its current form, the Code remains unworkable.” She added, “The principle of unrestricted linking between websites is fundamental to Search. Coupled with the unmanageable financial and operational risk if this version of the Code were to become law, it would give us no real choice but to stop making Google Search available in Australia.”
In response to that proposed digital media law, Facebook removed news content from Australian users. This lasted a full week before Facebook stated that “it had been reassured by recent discussions with the Australian government” and would restore news content to its users in Australia. It looks increasingly likely that Australia’s critical infrastructure overhaul will unfold in a similar way, with the three industry bodies stating that “the Bill remains highly problematic and largely unchanged despite extensive feedback from our organizations.”
While the Australian government claims that the power to forcibly enter networks would be used only as a last resort, tech groups are concerned that this provides “unprecedented and far-reaching powers, which should be subject to a statutorily prescribed mechanism.” The industry bodies have also been critical of the reporting deadlines, stating that these should be extended from “within 12 hours” to “at least 72 hours” or “without undue delay.”
What Does This All Mean
The Bill is unlikely to become law as it is drafted. A bipartisan Bill with similar requirements, the Infrastructure Investment and Jobs Act, recently passed the U.S. Senate. That Bill, while not applying to critical infrastructure organizations that already have strict 12-hour reporting requirements to the Department of Homeland Security, would afford more reasonable reporting requirements of 24 hours and the continued sharing of information for 72 hours after the breach is reported. The legislation includes the provision of a secure mechanism allowing the government to receive these reports within 180 days, as well as liability protections for businesses that come forward with data breach reports, exempting them from lawsuits. Such considerations are not appropriately encapsulated in the Australian Bill.
If the Australian government attempts to progress without genuinely considering and addressing the issues raised by the tech industry, it is likely that we will see similar push-back from these bodies and subsequent closed-door negotiations. Inevitably, the two parties – government and tech – will meet somewhere in the middle, with the government possibly extending the reporting deadlines and agreeing to more conservative directives around if, when, and how it will enter networks. As a consequence of any concessions, the government could seek to impose larger fines and the loss of government contracts on organizations that fail to comply with reporting requirements. It could also compound the fines against businesses that it deems to have failed to be proactive with their cyber security.
When Jack isn’t working, he is a Board member at the women’s international cycling union (The Cyclists’ Alliance), contributor to various cycling websites, hockey player in the Bundesliga, and involved in various InfoSec and FinTech conferences.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.