The government has introduced a cut-down version of critical infrastructure security laws intended to rush in new cyber security incident response takeover powers for Australia’s spooks.
The proposed laws are deeply unpopular among industry operators, including the tech giants, which say the takeover powers are “unworkable”.
However, they look set to pass owing to backing from the bipartisan Parliamentary Joint Committee on Intelligence and Security (PJCIS).
The PJCIS had been examining a package of proposed law changes that included the takeover powers since they were first introduced to parliament at the end of last year, but recommended that package be split up, with the takeover powers rushed in.
“Recent cyber-attacks and security threats to critical infrastructure, both in Australia and overseas, make these reforms critically important,” Home Affairs Minister Karen Andrews said in a statement.
“They will bring our response to cyber threats more into line with the Government’s response to threats in the physical world.”
Authorities are only meant to be able to inject themselves into an incident response as a “last resort” under the proposed powers; however, the targets themselves are concerned about having an outside party force itself into a response during a critical time.
Andrews defended the need for the powers.
“These emergency measures will only apply in circumstances where a cyber attack is so serious it impacts the social or economic stability of Australia or its people, the defence of Australia or national security, and industry is unable to respond to the incident,” she said.
“Attacks on our critical infrastructure require a joint response, involving government, business, and individuals, which is why we are asking critical infrastructure owners and operators to help us help them by reporting cyber incidents to the Australian Cyber Security Centre.”
ASIO director-general of security Mike Burgess said in the organisation’s annual report, released yesterday, that he was concerned about the potential for attackers to insert malware into critical infrastructure that could be used to launch a future attack.
“I remain concerned about the potential for Australia’s adversaries to pre-position malicious code in critical infrastructure, particularly in areas such as telecommunications and energy,” he wrote.
“Pre-positioned malicious software - which can be activated at a time of a foreign power’s choosing - presents the potential for disruptive or damaging attacks.
“While we have not observed an act of sabotage in Australia by a foreign power, it is possible - and becomes more likely - when geopolitical tensions increase.”
The changes introduced by the government today would also create a cyber incident reporting regime for critical infrastructure assets.
In addition, they would expand “the definition of critical infrastructure to include energy, communications, financial services, defence industry, higher education and research, data storage or processing, food and grocery, health care and medical, space technology, transport, and water and sewerage sectors.”