AWS cautions gov against rushing in more cyber security regulations

Amazon Web Services has urged the federal government to hold off imposing any further cyber security regulations on businesses before a range of other recent reforms come into effect.

The hyperscale cloud provider made the comments in its response [pdf] to a proposal that would impose either voluntary or mandatory cyber security governance standards on companies.

“We caution against the introduction of additional measures…before existing reforms have been properly implemented, matured and evaluated,” AWS said in a submission to the Department of Home Affairs consultation.

“This process is critical for ensuring that any new policies are based on evidence; [are] consistent and complementary to existing policies; and are addressing a genuine policy gap.”

The comments, made by AWS A/NZ head of public policy Roger Somerville, follow a jam-packed 12 months of cyber security reforms in the wake of the government’s 2020 cyber security strategy.

Since August 2020, the government has introduced and passed controversial online account takeover powers in eight months, passed the Online Safety Act, and begun a long-awaited review of the Privacy Act.

It has also introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which will give the government the controversial power to defend networks of critical infrastructure providers under cyber attack as a "last resort".

Last week, the Parliamentary Joint Committee on Intelligence and Security recommended those last resort powers be "swiftly legislated", while consideration of other components of that bill are pushed back.

AWS said that many of the reforms were "substantial and meaningful" and would have “a significant impact on building Australia’s cyber security and boosting confidence in the digital economy”.

“However, these reforms need time to take effect – and impacted entities allowed sufficient time for implementation – before the introduction of any new regulatory instruments or initiatives," it said.

AWS has therefore asked that “existing reforms, frameworks and program… be allowed space to be implemented, matured and evaluated before the introduced of addition regulatory measures”.

It has similarly urged the government to simplify and harmonise the regulatory environment to help improve understanding of cyber security expectations in both business and government.

“As noted in the discussion paper, [there are] at least 51 Commonwealth, state and territory laws that create, or could create, some form of cyber security obligation. Consequently, the risk of confusion, conflicting or overlapping regulations is high,” Somerville said.

AWS was also one of a number of businesses to oppose plans to hold company directors accountable for failing to manage cyber risks, which it believes is already part of a director’s duties.