AWS, Google say cyber takeover laws could make incident response worse

Amazon Web Services and Google have criticised proposed powers that would allow the government to defend the networks of critical infrastructure providers, arguing such intervention could make an incident worse.

Fronting an inquiry into the Security Legislation Amendment (Critical Infrastructure) Bill on Thursday, representatives highlighted concerns with the broad-brush powers and whether they should apply to the data processing sector.

Both providers have previously raised issues with the bill, particularly the ability for the Australian Signals Directorate to defend networks and systems of critical infrastructure in exceptional circumstances.

One major concern is the ability for the government to install software, “access, add, restore, copy, alter or delete data”, alter the “functioning” of hardware or remove it entirely from the premises of a private company under the guise of incident response.

AWS’ ANZ public policy director Roger Somerville told the Parliamentary Joint Committee on Intelligence and Security that there was an “underlying assumption… that if something bad happens to a critical piece of Australia’s infrastructure then the government is capable of stepping in a fixing that bad thing”.

“In many instances we think there’s just a really big risk of the government stepping in and misunderstanding how the regulated entity operates,” he said on Thursday.

“It may be making things worse, so creating more or new problematic security and systemic risks in the process.

“We think that could have really significant consequences for Australia’s economy and should be avoided.”

AWS’ view was shared by Google, with threat analysis group director Shane Huntley describing the step-in powers as a “one size fits all solution that doesn’t really fit” for global cloud providers.

“We can totally understand there might be a small provider in Australia without cyber capabilities where some powers might be necessary,” he said.

“But that is a very different world when you’re taking about a hyperscale international cloud providers with thousands of security professionals… and very complex systems that really require years of experience to even understanding how they work before anyone could step in.”

Huntley, who has previously worked at the Australian Signals Directorate, was particularly critical of any installation of software by the government, which he said would likely be used for the monitoring of threats.

“We don’t think the sort of step-in powers to install software under really any circumstance in our situation is going to do anything to make things better and has a very high probability, if not certainty, of making things worse,” he said.

He added that Google’s own tools for monitoring, threat analysis and detection were the “best way, and really the only feasible way” to monitor its systems.

“I really can’t imagine a situation where there is some software from ASD which we’re installing on our systems which would even work, let alone be safe,” he said.

Huntley instead called for better sharing of threat information, including IP addresses and malware signatures, to ensure Google knows “what to look for”, as well as collaboration.

“Partnership is what needs to happen here, not compulsion,” he said.

Somerville, however, said AWS “feel we know very little about what type of software we may be forced to install on our network”.

“We just don’t understand how the government, given all of the complexity of various assets, could reasonably believe that such powers could be exercised quickly, operate effectively and still achieve the government’s aims,” he said.

Microsoft’s Office of Critical Infrastructure assistant general counsel Hasan Ali also urged the committee to “recognise the unique characteristics” of cloud providers.

“Installation of any software, particularly in a complex and interconnected network, will have a severe adverse consequence,” he said.

“I think you’re talking about very different things when you’re talking about installation of software in an on-premises environment with a single customer.

“But doing so in the context of the data storage or processing sector with hyperscale cloud providers, these are interdependent systems.

"They will introduce vulnerabilities, and we think it’s going to be potentially a source of third-party risks that we may have to mitigate from the government if there is uncertainty around how these powers may be used.”