'Last resort' powers that would allow the government to intervene to contain a cyber attack on critical infrastructure should be "swiftly legislated", a parliamentary committee says.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) yesterday called [pdf] on the government to split a bill rushed before parliament last year in two, arguing that in its current form it may never pass.
Controversially, the part of the legislation that would be carved out and rushed through parliament is part 3A [pdf], which “sets up a regime for the Commonwealth to respond to serious cyber incidents” impacting the operators of critical infrastructure.
Critical infrastructure in this sense casts a wide net, encompassing sectors including communications, data storage or processing, financial services, health care and medical, higher education and research, utility services, transport, food and grocery, defence industry and space.
Under ministerial direction, an operator would be compelled to provide information, take certain actions, or potentially have the Australian Signals Directorate (ASD) insert itself into the incident response and provide direct "assistance" to counter the threat.
Industry has consistently pushed back against these proposed powers, wary of having a third party without knowledge of its systems or architecture suddenly added to an incident response.
The PJCIS said that evidence from Home Affairs secretary Michael Pezzullo had swayed it to believe government incident response takeover powers were needed sooner rather than later.
“… Once the bill achieves royal assent as an act of parliament it allows us to activate certain emergency procedures under the government assistance measures, and it is those measures that, frankly, I would prefer to have on the statute books tonight,” Pezzullo is quoted as saying.
In calling for the new powers to be split out into a separate bill and rushed through in the "small and rapidly diminishing window of opportunity to legislate", the PJCIS is relying on the powers being used rarely, if at all.
“The committee expects that given the statements from witnesses regarding a willingness for cooperation with the department and ASD ... these measures will need to be used rarely, if at all,” it wrote.
“And if they are used, it will only be on those entities that are unwilling or unable to respond appropriately.”
The PJCIS “acknowledged” there would still be “reservations with the enablement of the assistance measures, especially within the technology sector.”
“However, the committee recognises that the potential threat faced to critical infrastructure assets is too great to stall introduction of these essential measures for any longer,” it said.
“In making these recommendations the Committee is relying on the intention stated in the … bill, and as outlined in evidence from the department, that these measures will only be used as a last resort.”
Also carved out for rapid passage would be new rules around mandatory reporting of cyber incidents.
Operators would need to tell the government of an incident having “a significant impact on the availability of the asset” within 12 hours, or 72 hours for lesser incidents.
Consideration of the remainder of the existing bill would be pushed back.
This would cover the “declaration of systems of national significance, enhanced cyber-security obligations and positive security obligations which are to be defined in delegated legislation,” the PJCIS said.
Many of these are undergoing parallel industry consultation through Home Affairs; the PJCIS said it wanted time to consider the full extent of the costs and obligations these proposals entailed, noting the “fragile” economic environment in Australia.