The Department of Home Affairs has requested a rush for the passage of the country’s looming critical infrastructure Bill, saying the sector specific rules could be nutted out following Royal Assent.
Among other things, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. This includes the proposal for software to be installed that Home Affairs claims would aid providers in dealing with threats.
It would also introduce a positive security obligation (PSO) for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements.
The sector-by-sector PSO rules are yet to be written, but Home Affairs secretary Mike Pezzullo said these could come after the Bill becomes law. He called for the law to be passed first, saying there was an urgent need for the assistance powers to allow the Australian Signals Directorate (ASD) to act lawfully and assist entities struck by a cyber attack.
“Those [are] measures that, frankly, I’d prefer to have on the statute books tonight,” Pezzullo told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Thursday.
“The government assistance measures are the ones that … certainly keep me awake at night, the inability — with all of the powers and capabilities that the ASD, as well as the reach that they have into our military information warfare capability, cannot by law be deployed onto our networks, right as we speak, right now — that is the pressing urgency.
“What I urge this committee to give clear and direct consideration to is the ability of Australia’s premier information operations agency, the Australian Signals Directorate, to be able to, in an emergency, render a more effective incident response than any company possibly could.”
Senators raised concern that the minister would be given the power to determine the rules, rather than the Parliament. Pezzullo said every Act of Parliament designates a decision maker, and in this instance it was the Minister of Home Affairs.
He argued that the minister has to make their determination against thresholds and definitions laid out in legislation and made the case that it would be a gruelling process if each rule had to come back to the Parliament.
“Would it be timely to have votes of the Parliament … in the instance where perhaps an obligation has to be moved quickly?” he asked.
Refuting the suggestion that the Bill was “half-baked” Pezzullo also noted the rules were being shaped in a co-designed fashion.
Consultation on the rules is already underway, with the department moving forward as if the law was passed.
Pezzullo said each designated sector was unlikely to have their respective rules finalised at the same time. Part of the issue, Pezzullo said, was the engagement from the other side.
“We’re in sort of a circular paradox until we understand what our legal obligations [are] going to be,” he said. “And not unreasonably, these are big companies that have got boards, they’ve got duties under corporations and other law … so we can turn up to meetings and we can say, ‘here is a draft rule, we’d like your comments’ and typically, the tracked changes come back not from the technicians but from the lawyers.
“That’s entirely understandable … but what I’m saying is that for so long, as you’ve got that spiral of ‘we’re not quite sure’ and the government saying ‘yes, but we’d like your technical view’, arguably, the rules will never be satisfactory because at some point, you’ve got to say, ‘pens down, exam over’.”
Without the Bill itself, however, the co-design processes would not be a legislative direction.
Taking that into consideration, Pezzullo argued that the department’s inability to answer specific questions from a specific sector does not take away the need for either the Bill to pass or the rule to be set.
Many submitters to the PJCIS are cautious that the Bill would duplicate existing legislative directions such as in telecommunications, health, and banking.
“The Department of Home Affairs is the regulator under the Telecommunications Act, of the TSSR Scheme, in fact, it’s on my pen … I happen to be that officer, and I can tell you, the TSSR is inadequate for this purpose, I can absolutely assure you because we are the regulator,” he said.
“If someone can assure me that whoever regulates those pharmacy agreements has got access to top secret code word information, that has got a deep understanding of the threat environment, and knows what defensive capabilities can be further mounted through ASD auspices, then I might come to a different view.”
He said he would advise against the primary legislation capturing the level of specificity that would be required in the rules for each sector — not because Home Affairs wanted to make them up as it goes along, nor that it doesn’t understand each sector.
“We have a strongly advanced view that we put respectfully to this committee about the relative balance that should be struck as to what’s in the primary legislation, and what should be available in the rulemaking process,” he reiterated.
The likes of Amazon Web Services, Microsoft, Google, and Atlassian have all weighed in on the looming Bill, with the latter two companies telling the PJCIS last month that they did not need assistance from the Australian government and that the installation of software would do more harm than good.
“The maturity and sophistication of the companies that we have heard from, my sort of immediate response is, well, I would hope not. That’s exactly what we hope their position is that they don’t need us to help them defend their networks,” ASD Director-General Rachel Noble told the PJCIS.
“Our preferential experience is that we would only install software, which happens at the moment with entities who work with us collaboratively when that entity doesn’t have the capability to provide the technical telemetry or system information, in order to assist them with an incident response.
“This sort of idea that ASD is going to run around and put software willy-nilly is a bit of a caricature. Our operational preference is that they can provide that to us without that needing to occur, and in many instances, it absolutely does.”
Pezzullo said the government’s first preference was working collaboratively and in partnership with the entity.
“However, the risks to Australia’s national interests, in the view of the government, are too great to not have a clear, established framework in place ahead of an incident to operate as a last resort in a national emergency, should an entity be unwilling or unable to do what is necessary,” he said.