The Parliamentary Joint Committee on Intelligence and Security said in a statement on Wednesday that emergency powers which were part of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 should be passed immediately.
The bill expands greatly the sectors that are covered to include communications, financial services, data storage and processing, defence industry, higher education and space technology.
Companies from these sectors would have to compulsorily report to the government if they suffered cyber attacks. They would also have to allow government security experts to step in and do what whatever was deemed necessary to stop an attack progressing.
|
|
This was done after obtaining court orders to access hundreds of vulnerable machines in the US and remove Web shells.
But the Australian powers do not require any court order for intelligence agencies to act in this manner. The Opposition Labor Party expressed concern about the lack of any independent permission for, or judicial review of, such actions. But it agreed with the government on everything else.
Technology firms have pointed out that government intervention of this kind could often make matters worse. But that has fallen on deaf ears.
The PJCIS said it had made 14 recommendations about the bill, including a split into two bills:
"Bill One for rapid passage – to expand the critical infrastructure sectors covered by the Act, introduce government assistance measures to be used as a last resort in crisis scenarios as well as mandatory reporting obligations; and
"Bill Two for further consultation – including declarations of systems of national significance, enhanced cyber-security obligations and positive security obligations which are to be defined in delegated legislation."
Under the so-called last resort provision, the Australian Signals Directorate or Australian Cyber Security Centre would be able to gain access to corporate servers and tell the company what to do, or not to do, in the event of an attack.
The head of the PJCIS, Liberal Senator James Paterson, said: “The Committee received compelling evidence that the complexity and frequency of cyber-attacks on critical infrastructure is increasing globally. Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure.
“However, as the regulatory framework is still undergoing co-design with each of the eleven sectors and will not be finalised until after passage of the bill, many businesses have expressed concern about this uncertainty and asked for the entire bill to be paused in the current economic climate.
“While sympathetic to the concerns of industry leaders, the Committee does not believe that pausing the entire bill is in Australia’s national interests given the immediate cyber threats that our nation faces.
“The Committee’s recommended solution allows for the urgent measures to pass now to equip the government with the emergency powers it needs while allowing additional time for co-design to overcome the concerns of industry about the regulatory impact.
“The passage of both bills is essential because cyber-security is not just the government’s job. Industry has a role to play too and the second bill which imposes obligations on businesses is an important part of a comprehensive response to the serious challenges we face."
