Microsoft, AWS, Telstra, Cisco and Salesforce reacted with alarm at the prospect of direct administrative intervention by Australian authorities to counter cyber security threats against certain customers.
Draft laws proposed by Home Affairs include “last resort” government assistance powers that, in “exceptional circumstances”, would allow the government to intervene in a particularly threatening attack scenario.
The powers are broad [pdf]: allowing the government to install programs, “access, add, restore, copy, alter or delete data”, alter the “functioning” of hardware or remove it entirely from premises, according to an exposure draft of the bill published today.
Even before seeing the specifics, cloud and data centre operators expressed concern that these “enhanced cyber security obligations” could disrupt their own monitoring and defence operations, and put them in an awkward position as their customer is likely to be the subject of an attack and is therefore best placed to determine its severity.
Azure operator Microsoft called for more checks and balances before government intervention is allowed, fearing it could be drawn into an incident in which it is not a direct target.
“While we acknowledge that there may be emergency scenarios where the government may consider the need for direct action with critical infrastructure operators, we believe such actions must only occur as a last resort, under a framework that incorporates robust checks and balances, as well as the Commonwealth Ombudsman acting on behalf of the private sector that reflects the interests and risks of undertaking such an action,” it said. [pdf]
“The use of such powers should be subject to a significant threshold, time limited and require independent authorisation.
“In the rare instances where ministerial direction is warranted, we recommend that it be narrowed to apply to circumstances in which gaps in abilities to defend and repel cyber threat activity have been demonstrated during joint preparedness exercises among the government and private sector.
“We also recommend that such direct action should be limited to protective threat response activities and not be authorised to conduct, or compel private entities to engage in, cyber offensive activities from within the networks of critical infrastructure operators or their service providers.”
Salesforce said that customers and service providers should retain “flexibility” to deal with threats directly.
“Extraordinary circumstances that would require emergency government powers should be carefully defined to establish full clarity and mutual expectations of the standards, liability, and procedures that apply,” it said. [pdf]
“At a high level, a tiered system which establishes heightened obligations and enhanced cooperation for systems of national significance that pose the greatest risk is well conceived and will help to focus attention and resources where they are most needed.
“However, the criteria and process by which such systems would be designated should be clearer.
“Salesforce urges greater clarification of these questions, as well as close consultation with industry in determining the designations and categories.”
Cisco said it remained unclear how the Australian government could provide targeted intervention to infrastructure that ran across multiple geographies or regions.
“There must be checks and balances for all government assistance and especially step-in powers,” Cisco said. [pdf]
“Without a defined operating model on how the step-in process would work, it is difficult to determine the checks and balances required.
“It is not clear yet what impact the government assistance powers to step-in could have on the operation of companies that are either not headquartered in Australia or operate in offshore markets.
“For example, Cisco provides standardised equipment and services across the globe and does not modify equipment or services.
“Similarly, in the multi-tenant public cloud model common across IaaS, PaaS, and SaaS cloud providers, the relevant operations and security teams not only protect ... entities but also other Australian and overseas organisations.
“Step-in powers in such an environment need to be cognisant of the concerns, rights and legal arrangements of unrelated entities globally.”
Telstra said that any step-in power should remain collaborative, rather than a full takeover.
“We are of the view that even under an emergency declaration, the government’s approach to assistance should be collaborative and reserved to limited and unique circumstances,” Telstra said. [pdf]
“The approach should not be informed by the view that the government is better placed to take action, but rather from the perspective that government is required due to the failure of an entity to take such action.
“We also recommend that the government take reasonable steps to negotiate with the entity a time limit on its use of the power to take direct action and that exercise of this power be subject to independent authorisation.”
Amazon Web Services (AWS), meanwhile, worried that the powers would be overly broad and, like Cisco and Telstra, that a lack of guardrails and rules of engagement could sideline it, or its customer, at a critical time.
“We are concerned that the proposal for government ‘assistance’ or ‘intervention’ powers may give government overly broad powers to issue directions or act autonomously,” AWS said. [pdf]
“While we have not seen the draft law, the high level summary of these powers suggests they could be significant and exercisable across a broad swath of society, with unclear limitations or guardrails.
“We are concerned that the government’s power to take direct action in the event of an emergency is vague and undefined; that the government could use these new powers to either issue directions or take autonomous action to do virtually anything in response to cybersecurity threats.
“It is unclear whether: the triggers for exercising such powers are objective and specific; whether or how the government would objectively assess if its directions or assistance will improve the situation; what an entity can or cannot be directed to do or not do; what checks and balances will apply; and whether an entity has rights of review and appeal.”