Tech giants have warned the Australian government’s proposed legislation allowing it to step in and take control of a company during a cyber-attack is poorly defined and if used would be of no help to larger companies, and could even make incidents worse.
Representatives from Google and Atlassian on Thursday said there is no realistic situation in which software provided by security agencies such as the Australian Signals Directorate (ASD) or the Australian Cyber Security Centre (ACSC), while the government assists with a cyber-attack on critical infrastructure, would be any more useful than their own defences. Amazon said it was unreasonable for the government to expect it could use the powers effectively and that they would lead to “unintended negative consequences”.
The warnings came in evidence to a parliamentary inquiry into the government’s proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020. The legislation would impose a new positive security obligation for a range of businesses deemed to be operators of critical infrastructure, including data storage and processing firms.
The new powers would also allow the government to take control of companies deemed operators of “national security businesses” in the event of a cyber-attack, including compelling them to install government software on their networks.
The bill has been criticised across industry for unworkable reporting times, the introduction of unprecedented compulsive powers, and a lack of defined rules, which the government intends to establish with regulations.
Stakeholders did however widely acknowledge the need for a coordinated response to protecting critical infrastructure from cyber threats.
At the latest public hearing on the legislation, Google threat analysis group director Shane Huntley said the bill would allow for security and cyber agencies to install their own software on the tech giant’s systems.
Mr Huntley, who previously held a senior technical role within the ASD, told the inquiry anything the government agencies did install would not be able to “match” Google’s own more “robust” cyber tools.
“The best way, and really the only feasible way, to do the sort of monitoring [needed] would be with our own systems and our own tools,” Mr Huntley told the inquiry.
“So, I really can’t imagine a situation where there is some software from ACSC or ASD which we’re installing on our systems would even work, let alone be safe. What would be useful is [agencies] actually giving us threat information.”
Mr Huntley said Google already shares and receives information with Australian security agencies on cyber threats, and a more useful defence for critical infrastructure would be to expand on that relationship and leverage it during cyber-attacks.
“But from a practical point of view, there is no way that software from their behalf is going to work,” he said.
“What we need is information and collaboration because the only real software that’s safe to operate in a sort of Google or hyperscale cloud environment is our software and our systems that have been tested and vetted. And I don’t think there is a gap that can be filled by the government here.”
Atlassian director of global policy David Masters said he could not envision a scenario where the government’s assistance with software would help the company’s response to a cyber incident, but some of Atlassian’s own customers might benefit.
“There isn’t a scenario that I can see where we would need to reach out to the Australian Cybersecurity Centre for assistance on our network,” Mr Masters said.
Amazon Web Services ANZ head of public policy Roger Somerville told the inquiry the cloud market leader still knows “very little” about the type of software it may be required to install on its own network under the proposed powers.
“That really goes to the heart of why we’ve been saying ‘this is how all of these unintended negative consequences can flow from this [legislation]’,” Mr Somerville said.
“We just don’t understand, really, how the government, given all of the complexity of the various [critical infrastructure] assets could reasonably believe that such powers could be exercised quickly, operate effectively and still achieve the government’s claims.”
AUCloud managing director Phil Dawson said government assistance may be useful in a situation where a retaliatory cyber-attack was warranted, because companies are limited to defence while government agencies can launch their own attacks.
“As companies, we’re in the process of defending. So there may be an insight under some circumstances where some government were able to bring something to one of us [companies] that was under attack, or one of our customers were… But that’s a hypothetical difference between what governments can do and companies can do,” Mr Dawson said.
Do you know more? Contact James Riley via Email.