Macquarie Telecom has labelled Australia’s critical infrastructure reforms as “watered down”, warning that many data storage or processing service providers may be able to avoid regulation due to the reforms’ primary focus on “business-critical data”.
“This is a significant and dangerous reduction in the scope of [Australia’s critical infrastructure laws] because business-critical data does not describe the type of information that is most commonly held by government departments and agencies nor what is crucial to the functioning of government,” the Australian cloud and data storage provider said.
Macquarie Telecom’s remarks were made to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which is currently reviewing the latest critical infrastructure reforms that were introduced into Parliament last month.
The reforms have so far come in the form of two pieces of legislation. The first became law in December and gives government “last resort” powers to direct a critical infrastructure entity on how to intervene against cyber attacks. The second piece of legislation, which is the one Macquarie Telecom has flagged as requiring amendments, looks to add requirements for critical infrastructure entities to have risk management programs in place and for entities deemed “most important to the nation” to adhere to enhanced cybersecurity obligations.
Unpacking Macquarie Telecom’s concerns, the company said the second piece of legislation — known as the SLACIP Bill — seeks to amend existing laws so that critical infrastructure entity requirements do not apply to data storage providers unless the government data they store or process comprises “business-critical data”. According to the company, this would result in various types of data not being covered by the regulation’s risk management program requirement.
Examples of data that would not be covered by the critical infrastructure reforms are highly classified government information, the entirety of the National Archives of Australia, official company records for the Australian Security and Investments Commission, official records of deaths for a state registry office, official geophysical data, and the systems that underpin the operation of the video teleconference links used by the federal and state courts, Macquarie Telecom said.
“The gaps and consequences arising from the proposed change to the definition are significant and, in the circumstances, seem absurd,” it added.
In addition to not being happy about the “business-critical data” definition amendment, Macquarie Telecom said the reforms being geographically limited to Australia could create competitive disadvantages for data storage providers whose assets are based entirely in Australia.
The company explained this competitive disadvantage could arise as the “jurisdictional gap” would create an incentive for all types of critical infrastructure providers and their suppliers to shift data stores and processing functions offshore where they will be beyond the scope of Australia’s critical infrastructure laws.
It also said the geographic limit means that Australia’s critical infrastructure laws do not contain a mechanism to protect nationally significant critical data workloads from being transferred offshore where it could potentially be outside Australia’s jurisdiction.
“The rationale for excluding critical Australian data storage and processing assets located overseas has not been explained. It is in stark contrast to the approach adopted in other laws, which expressly apply to data stored overseas,” Macquarie Telecom said.
The federal government’s critical infrastructure reforms sit alongside the ransomware action plan as its primary regulatory efforts for bolstering Australia’s cybersecurity posture. Home Affairs Secretary Mike Pezzullo last month labelled the reforms the government’s “defence” against cyber threats, with the ransomware action plan forming the “offence”. He said the SLACIP Bill would ideally create a standardised critical infrastructure framework that enables Australia’s intelligence agencies to approach cyber attacks in a precautionary fashion, owing to the additional information the government would receive.