Macquarie Telecom has urged the government not to “water down” critical infrastructure laws so that only business critical public sector data held by service providers is regulated, describing the proposed changes as “dangerous”.
In its submission to the parliamentary joint committee on intelligence and security review of the Security Legislation Amendment (Critical Infrastructure Protection) Bill, the telco said the current definition of ‘critical data storage or processing asset’ should remain.
“As things stand today, a data storage or processing service provider is taken to be a critical infrastructure provider if it supplies a data storage or processing service to a Commonwealth or state and territory entity. The nature of the data concerned is immaterial,” it said.
“The proposed amendment in item 32 of the bill will change this so that the Security of Critical Infrastructure (SOCI) Act will no longer apply to such service providers except if the government data they store or process comprises ‘business critical data’.
“This is a significant and dangerous reduction in the scope of the SOCI Act because business critical data does not describe the type of information that is most commonly held by government departments and agencies nor what is crucial to the functioning of government.”
Macquarie Telecom said that if the proposed changes went ahead, data that is not business critical – a definition crafted specifically to “reflect the circumstances of commercially run critical infrastructure operations” – would not be regulated.
It would mean that while personal information would be covered, highly classified government data, the “entirety of the National Archives” and company records for the Australian Securities and Investments Commission would not.
“The data storage or processing service provider in these scenarios would not be required to do anything under the SOCI Act – not even report a cyber attack on its (or its suppliers’) systems that potentially or actually affected the integrity or availability of government data,” the telco said.
Macquarie Telecom said the reason for the proposed change was “not obvious and is not explained”, even though the “gaps and consequences arising from the proposed change to the definition are significant and in the circumstances, seem absurd”.
It noted that it was possible that existing mechanisms under the hosting certification framework would continue to apply, but stressed that “HCF is not equivalent to the SOCI regime and is at best only a partial substitute”.
“Any reliance on the HCF in lieu of regulation under the SOCI Act may lead to those service providers that store or process government data being overlooked and excluded as, over time, other Commonwealth and state/territory laws attach new responsibilities and obligations,” it said.
Macquarie Telecom recommended the “proposed amendment in item 32 of the bill... not proceed”, or – at the very least – that the government amend the definition of business critical data to cover a greater scope of data.
“A data storage or processing service provider that stores or processes any form of government data should absolutely be recognised and regulated as a critical infrastructure provider,” the submission states.
“If the proposed amendment does proceed, then the definition of business critical data in section 5 of the SOCI Act must be broadened to reflect the types of sensitive and classified information that are commonly held by Commonwealth and state and territory government entities.
“At a minimum, that should include all security classified information and all operational data and systems of emergency service organisations.”
Macquarie Telecom has also asked that the bill be amended so that the SOCI Act applies “extraterritorially to the offshore storage and processing of the business critical data of Australian critical infrastructure providers”.
Changes to the SOCI Act last year defined “new critical infrastructure sectors by reference to assets that are located in Australia”, specifically ruling out assets that are located outside Australia.
In doing so, it “confuses the potential application to digital elements of critical infrastructure entities that have part of their functional infrastructure or data located offshore”, as highlighted in the PJCIS report last year.
“Consequently, although the SOCI Act is intended to apply extraterritorially where there is a link between the conduct occurring overseas and the security of Australia’s critical infrastructure, it does not apply to data storage or processing assets that are outside Australia but nonetheless ‘wholly or primarily’ being used to store or process business critical data of Australian critical infrastructure providers,” Macquarie Telecom said.
“That is, the SOCI Act does not apply to data storage or processing service providers in Australia that are storing and processing Australian data overseas.”
Macquarie Telecom has similarly asked that the bill be amended to “give the minister a power to prevent nationally significant business critical data being stored or processed offshore”.