A coalition of global technology companies has expressed concern about planned ‘last resort’ powers that would allow the federal government to intervene to contain a cyber attack on critical infrastructure.
A letter [pdf] from three industry bodies, including the US-based Information Technology Industry Council and the Australian Information Industry Association, comes after a parliamentary committee recommended the powers be “swiftly legislated”.
The industry bodies claim to represent some of the largest global technology companies, including Google, Apple, Amazon, Facebook, Microsoft, IBM, Salesforce, Cisco, Dell, Oracle, Intel, SAP, VMware, AMD, HPE and Accenture.
“Our members share the Australian Government’s commitment to protecting Australians and Australia’s critical infrastructure against cyber threats,” the letter to Minister for Home Affairs Karen Andrews reads.
“However, the [Security Legislation Amendment (Critical Infrastructure) Bill 2020] remains highly problematic and largely unchanged despite extensive feedback from our organisations.
“Without significant revision, the bill will create an unworkable set of obligations and set a troubling global precedent.”
The industry bodies, which also include the Cyber Security Coalition, expressed disappointment that the Parliamentary Joint Committee on Intelligence and Security had recommended rushing through Part 3A of the bill.
Part 3A will establish a regime for the government to respond to serious cyber incidents that impact critical infrastructure, which includes sectors like communications, data storage or processing and financial services.
The industry bodies said the powers “caused the most concern for industry”, as was highlighted earlier this year by Google and Amazon Web Services, and urged the government to reject the recommendation.
“As drafted, Part 3A of the bill provides the Australian Government with information-gathering, direction and intervention powers that are not subject to reasonable due process, which would normally allow affected entities to appeal or have these decisions independently reviewed,” the letter reads.
“While the government asserts that this power is intended only as a measure of last resort to address ‘cyber security incidents’, the bill provides the government with unprecedented and far-reaching powers, which can impact the networks, systems and customers of domestic and international entities, and should be subject to a statutorily-prescribed mechanism for judicial review and oversight.”
The industry bodies have also recommended a mandatory cyber incident reporting timeframe be extended to at least 72 hours, as the current 12-hour timeframe “diverges from global best practices and will inhibit our ability to focus on truly critical incidents”.
The requirement to report “imminent” cyber incidents should similarly be removed from the bill, the bodies said, as the government would likely be “inundated with data” from companies if it were introduced.
“We once again reiterate our request that the government reconsider its proposed path forward immediately on these two issues and address the significant concerns raised by industry,” the industry bodies said.
“Our member companies prioritise cyber security, both within our own businesses and for our customers, and we support the Australian Government’s goal to improve cyber security in Australia.
“However, these two proposals would not accomplish that goal, would have significant unintended consequences that would decrease security in practice, and would set dangerous global precedents.”