Friday, 15 October 2021 10:39

Tech industry bodies urge government to revise emergency powers bill Featured

Tech industry bodies urge government to revise emergency powers bill Image by Steve Buissinne from Pixabay

Three technology industry bodies have urged the Federal Government to significantly revise the Security Legislation Amendment (Critical Infrastructure) Bill 2020 before it is voted on, as it would otherwise "create an unworkable set of obligations and set a troubling global precedent".

The Information Technology Industry Council, the Australian Information Industry Association and the Cybersecurity Coalition wrote to Home Affairs Minister Karen Andrews on Thursday, saying that while their members shared the government's commitment to protecting critical infrastructure against cyber threats, the bill remained "highly problematic and largely unchanged despite extensive feedback from our organisations".

The bill in question was reviewed by the Parliamentary Joint Committee on Intelligence and Security which said, on 30 September, that it be split up into two, in order to pass what it characterised as "urgent reforms".

The PJCIS said it had made 14 recommendations about the bill, including that it be split into two parts:

"Bill One for rapid passage – to expand the critical infrastructure sectors covered by the Act, introduce government assistance measures to be used as a last resort in crisis scenarios as well as mandatory reporting obligations; and

"Bill Two for further consultation – including declarations of systems of national significance, enhanced cyber-security obligations and positive security obligations which are to be defined in delegated legislation."

The bill greatly increases the sectors that are covered by the law, to include communications, financial services, data storage and processing, defence industry, higher education and space technology.

Companies in these sectors would have to compulsorily report to the government if they suffered cyber attacks. They would also have to allow government security experts to step in and do what whatever was deemed necessary to stop an attack progressing.

This power is similar to what the FBI exercised in April this year, when it accessed servers to clean up the mess left by attacks on on-premise Microsoft Exchange Server installations.

This was done after obtaining court orders to access hundreds of vulnerable machines in the US and remove Web shells.

But the Australian bill does not require any court order for intelligence agencies to act in this manner. The Opposition Labor Party has expressed concern about the lack of any independent permission for, or judicial review of, such actions. But it agreed with the government on everything else.

Technology firms have pointed out, in submissions, that government intervention of this kind could often make matters worse. But that has so far fallen on deaf ears.

"We are disappointed by the recent report... which recommended that the elements of the bill which caused the most concern for industry stakeholders – namely the government assistance powers granted under Part 3A and incident reporting obligations - be fast-tracked and pushed through as a separate bill, without further public consultation," the three organisations said.

"As representatives of member companies that include both Australian and international companies, we urge the Australian Government to reject this recommendation and to seriously consider our recommendations below."

They said in its current form, section 3A would give the government information-gathering, direction and intervention powers that were not subject to reasonable due processes, which would normally allow affected entities to appeal or have these decisions independently reviewed.

"While the government asserts that this power is intended only as a measure of last resort to address 'cyber security incidents', the bill provides the government with unprecedented and far-reaching powers, which can impact the networks, systems and customers of domestic and international entities, and should be subject to a statutorily-prescribed mechanism for judicial review and oversight," the three organisations said.

They also expressed concern about the global impact that such a bill would have and how it undermined the values that Australia promotes internationally.

"The Australian Government has been a global leader in policymaking around technology and security, specifically addressing threats posed by companies that may be subject to extra-judicial direction by a government," the three bodies said, in a clear reference to the Chinese telecommunications equipment vendor Huawei Technologies.

"The signal sent by these measures is that these rules do not apply to Australia. This undermines the government’s good work internationally on these issues and sets a disturbing precedent for other governments facing similar national security challenges. We strongly recommend the Australian Government amend the Bill to provide for a statutorily prescribed right of appeal and review of the Part 3A powers."

They also asked that the mandatory cyber incident reporting timeline be extended from "within 12 hours” to “at least 72 hours” or “without undue delay.”

"The mandatory 12-hour reporting timeframe diverges from global best practices and will inhibit our ability to focus on truly critical incidents. Additionally, we recommend removing the requirement to report 'imminent' cyber incidents.

"Our member companies would collectively block millions of threats a week; if required to report these the Australian Government would likely be inundated with data. The current reporting requirements of the Bill will likely lead to the reporting of inadequately contextualised information or misinterpretation of the event in a situation where accuracy is of great importance, which will not provide useful or actionable information to the recipient government entity."

Home Affairs Minister Karen Andrews said the Morrison Government was committed to benefitting, not burdening Australian businesses.

"That's why I'll always listen to industry and give their recommendations due weight," she said in a statement sent to iTWire.

"At the same time, we're facing a clear threat, and we need to be resolute in tackling it. Cyber crime, ransomware, and attacks on critical infrastructure are already occurring – both in Australia and overseas. If we don't act now, we risk our cyber security falling further behind.

"Fire codes and building regulations are a critical first step that keep occupants safe and protect our assets. Once a fire takes hold though, we don't expect the occupants to fight it – they call the fire brigade.

"In the same way, businesses will continue to have frontline responsibilities for their own cyber security, but — in the event of a major attack — emergency assistance legislation will enable the capabilities and expertise of the Australian Signals Directorate to be called in as a last resort."

The bill was introduced into Parliament on 10 December last year. It is unclear whether the government will seek to pass it into law this year. Parliament is set to meet again on 18 October and has a further 11 sitting days of both houses after that for the year. The House of Representatives will sit for an additional four days in October.

Read 1586 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


If you're looking at enabling Microsoft Teams for your contact centre, you should bookmark this webinar.

Marketing budgets are now focused on Webinars combined with Lead Generation.

Our panellists from Whangarei District Council (NZ) and Maurice Blackburn Lawyers (Aus) were closely involved in recent projects to enable Microsoft Teams for their own contact centres.

They have kindly agreed to join Enghouse and Microsoft to talk about some of the things they would recommend as most critical for IT and CX professionals planning a Teams Contact Centre migration.

Date: 11 May 2022
Time: 12pm AEST | 2pm NZST | 10am SGT

We look forward to having you join us. Please click the button below to register.



The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News