By Staff Writer
Australia’s Parliament passed the controversial Critical Infrastructure Bill on Monday night despite concerns from industry stakeholders. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was backed by Labor, giving the Bill the numbers to pass a Senate vote.
The expanded Bill allows the Australian Signals Directorate (ASD) to take control of critical infrastructure operated by several sectors in the event of a cyber-attack. The Bill expands the number of sectors subject to ASD oversight.
Passing the Bill is part of the Australian Government’s response to cyber threats, particularly against critical infrastructure and essential services.
On Monday morning, Home Affairs Minister Karen Andrews said the Bill was critical to Australia’s national security interests.
“We need powers for the Australian Signals Directorate so that if there is a significant cyberattack, they are able to step in and assist industry to resolve those issues,” the Minister said.
A bipartisan Parliamentary Joint Committee on Intelligence and Security (PJCIS) backed the Bill but recommended changes that helped bring Labor onboard.
The Bill expands the number of sectors falling under its provisions from four to eleven. Entities within the energy, communications, financial services, defence industry, higher education and research, data storage or processing, food and grocery, health care and medical, space technology, transport, and water and sewerage sectors are now subject to ASD oversight in the event of a cyber threat or attack.
Scott McKinnel, Australian and New Zealand Country Manager for cybersecurity consultancy Tenable, welcomed the passing of the Bill and the broadened range of sectors captured by it.
“The extension of its definition, from four sectors to a further eleven, is key because as we’ve seen recently, attacks on any of these environments can have dire consequences,” Mr McKinnel said.
But Mr McKinnel also acknowledged the concerns surrounding mandated government assistance powers granted in the Bill. The ASD takeover powers remain deeply unpopular amongst much of the tech sector.
A letter to the PJCIS from tech industry bodies representing the likes of Google, Apple, Amazon, Facebook, Microsoft, IBM, and Atlassian said the Bill gave the Government “unprecedented and far-reaching powers, which can impact the networks, systems and customers of domestic and international entities.”
In its response, the Australian Government maintained it would only use ASD takeover powers as a last resort. Further, the Government said the powers targeted smaller entities lacking the sophisticated cyber threat response mechanisms of the bigger players making submissions to the PJCIS.
Scott McKinnel says entities large and small can ameliorate takeover concerns if they instead install their own monitoring software that meets government standards and share the resulting data with the appropriate government entities.
“Greater emphasis on international collaboration, assessment of risk and collaborative incident response capabilities to tackle the ever-evolving threats can go a long way in bolstering the ability of industry and governments to prevent the most advanced attacks,” he said.
“It’s equally critical that security requirements are grounded in consensus-based international standards to ensure alignment with global best practices.”
Having passed the Senate, the Critical Infrastructure Bill goes to the Governor-General for formal approval and passing into law.