Multiple organizations have called for the federal government to clarify how to install cyber attack management software onto critical infrastructure systems.
A slew of Australia’s critical infrastructure service providers and union groups have criticized the federal government’s essential infrastructure cyber laws. The laws would require organizations to install third-party software onto their systems if they are deemed not to be “technically capable” of managing cyber threats.
Roger Somerville, Amazon Web Services (AWS) ANZ public policy head, said the need for new cybersecurity laws was apparent, and AWS supported the Bill. Still, he remained critical of the software installation scheme contained within it.
The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 contains the outstanding elements of the cyber laws passed by the Parliament last year, in line with recommendations from the parliamentary committee that is currently reviewing the rules. Among these outstanding elements are requirements for entities deemed “most important to the nation” to adhere to enhanced cybersecurity obligations, including potentially installing third-party software.
Addressing the parliamentary committee reviewing the Bill, Somerville said there is a lack of clarity on how the software installation scheme would operate, and that the federal government’s assurance that it would be used only as a “last resort” is not sufficient.
“We acknowledge that the Australian government has told us that those powers would be more relevant for less sophisticated cyber security entities than ourselves. But from our perspective, I think we’re very concerned that we still need to see clear, practical guidance on how this would work,” Somerville said.
Somerville added that if the federal government was adamant about establishing the software installation scheme, a technical support body that exists as an independent statutory office holder should be created to oversee the scheme’s operation.
“This body would also perhaps create an avenue for contestability of those decisions, particularly on the questions of technical feasibility,” he said.
AWS was not alone in sharing its concerns. Palo Alto Networks ANZ public policy head Sarah Sloan, who also appeared before the committee, said the software installation scheme introduces unnecessary security risks into critical infrastructure environments.
This security concern was echoed by Communications Alliance CEO John Stanton, who provided an example of how the scheme could be dangerous.
“The danger is probably more when information is combined with other information sources, so we don’t necessarily hold a list of the people’s names behind IP addresses, but other organizations do. So if you combine data [from critical infrastructure entities] with telecommunications service providers’ data because they know who the service providers are of those IP addresses, then you can effectively put together personal information,” Stanton said.
Meanwhile, Software Alliance COO Jared Ragland noted that the scheme’s security issues did not stop there, as the installation of the software could lead to further problems across critical infrastructure supply chains.
“In addition to concerns about what kind of information might have legitimate access to the software, a real concern is that if the software is installed at each stage along this chain and it operates improperly, there could be accidental problems. Perhaps it could be data leakage, but it could also be operational interruptions of other sorts,” Ragland explained.
Trust appeared to be a core issue for these organizations in their opposition to the software installation scheme. The not-for-profit advocacy group Internet Association of Australia (IAA) said the federal government should amend the proposed cyber laws to allow critical infrastructure entities to test the code themselves in order to address this lack of trust.
“It’s highly, highly important that we need to trust the type of software that goes on to manage this. And we need the opportunity to be able to read the code, assess the code, test the code against other things,” IAA CEO Narelle Clark said.
The federal government’s critical infrastructure reforms sit alongside the ransomware action plan as its primary regulatory efforts for bolstering Australia’s cybersecurity posture.
Last month, Home Affairs Secretary Mike Pezzullo labelled the second tranche of cyber laws the government’s defence against cyber threats. The federal government is hoping this second tranche will create a standardized critical infrastructure framework for Australia’s intelligence agencies.