Part 3A of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Bill) was introduced to set up a regime for the Australian government to respond to serious cyber security incidents. This includes broad powers of intervention in relation to critical infrastructure assets that could, per Section 35AC, enable the government to:

  • install, access, restore, copy, alter or delete software;
  • access, add, restore, copy, alter or delete data; and
  • alter the "functioning" of hardware or remove it entirely from the premises of a private company.

This raised the question of whether such broad "step-in" rights would be appropriate or effective to mitigate critical infrastructure cyber risks, particularly in relation to cloud service providers that fall within the scope of the Bill.

Last week, the Parliamentary Joint Committee on Intelligence and Security (Committee) answered that question with a resounding "yes" in its Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018.

In its report, the Committee cites the "serious and rapidly deteriorating cyber security environment" as demanding "a swift and comprehensive response". As the Committee "does not believe both [a swift and comprehensive response] can be done at the same time", it recommends that the Bill be "split in two, so that the current Bill can be amended (Bill One) to allow urgent elements of the reforms such as government assistance mechanisms, mandatory notification requirements and related measures to be swiftly legislated." (emphasis added)

These "urgent elements" are also arguably the most controversial elements of the Bill, including the "last resort" or "step-in" powers which entail giving government powers to direct an entity to gather information, undertake an action, authorise the Australian Signals Directorate (ASD) to intervene against cyber attacks, and even install software at private companies (including cloud service providers) with the intention to help them deal with threats.

While both government and industry would agree on the seriousness of the "threat of cyber-enabled attack and manipulation of critical infrastructure assets" identified by the Committee, rushing through extensive government intervention powers without broad industry support may not be the most appropriate or effective response to this threat. Industry participants have already raised legitimate concerns about whether the proposed government intervention powers would actually help to resolve a cyber risk or incident, rather than causing more problems or introducing new vulnerabilities into complex and interconnected networks which are, in some cases, already managed by thousands of highly skilled network engineers. The Committee itself has acknowledged that "there is significant disagreement between industry and government on the exact response required" and that the "ongoing considerable workload of the Committee [has] constrained its ability to engage with all interested parties".

This disconnect is problematic because the exercise of the government's proposed powers (if enacted) will rely on cooperation and collaboration with industry, potentially in a high-pressure crisis situation such as the heat of a cyber incident. In such a setting, unilateral intervention powers introduced swiftly without thorough industry consultation and alignment are unlikely to be the most effective.

If both a swift and comprehensive response cannot be achieved due to parliamentary constraints, a comprehensive and effective response may be preferred to a swift but possibly ineffective one. The high-stakes context of a serious and pervasive threat only demands more, rather than less, scrutiny and industry alignment, to ensure that any measures implemented are workable in practice and enable government and industry to mount an effective and coordinated response to the threat of cyber attacks on Australian critical infrastructure assets.