Qantas has joined other sectors in asking the government to at least partially cover the cost of complying with proposed laws aimed at better defending the country’s critical infrastructure networks and systems from cyber attacks.
In its submission to the parliamentary joint committee on intelligence and security review of the Security Legislation Amendment (Critical Infrastructure) Bill, the airline said funding was necessary to support the bill’s objectives.
“The group suggests that without government funding support, this new framework may not achieve its objective of materially improving critical infrastructure security and resilience,” Qantas said [pdf].
The bill, which is currently before parliament, would enabled Australia’s cyber spooks to direct operators of systems of national significant to undertake prescribed activities such as vulnerability assessments and cyber security exercises.
It will also require critical infrastructure operators to hand over ownership and operational information and, in exceptional circumstances, allow the government to intervene in a cyber incident deemed particularly serious.
The airline put the need for government funding down to the “economic pressures Australian businesses are currently under due to the Covid-19 pandemic”.
“To meet additional regulations and requirements under the bill, it is vital for the group to strike a balance between investing additional financial resources, with the need to remain viable and sustainable as a business in this challenging time,” it said.
The direct cost of the proposed legislation has also been questioned by AGL Energy, which last week similarly asked the government to bear at least some of the cost of a 'last resort' intervention or directive from the Australian Signals Directorate.
Qantas also lamented the lack of detail in the legislation around which companies would be prescribed as having systems of national significance as it made it difficult to comment on the powers during the consultation.
“Without knowing which assets or categories will apply, it has been difficult for companies to comment on how the bill may impact their operations; to calculate the potential financial implications of any security uplift; or to assess the unintended consequences,” it said.
The company also noted the short consultation period, and called on the government to assess the “impact of the legislation from multiple perspectives, including supply chain, industry, asset and IT – at a minimum – to ensure inclusion of the applicable industries, assets and thresholds”.
Overall, the company said it is “currently well-positioned to respond to a wide variety of security threats”, noting that its risk frameworks already closely align with the government’s proposed objectives.
“We have completed a cyber transformation program [since 2016] which has significantly uplifted the group’s ability to protect and respond to the dynamic threat environment,” the submission states.
Qantas said it supported the government’s “objective of uplifting the security and resilience of critical infrastructure in Australia” through the legislation.
“We support a broader uplift in security and resilience across all critical infrastructure sectors and believes this will be ultimately beneficial for the group, due to the interdependence of systems, services and operating networks.”