The Australian Government’s Parliamentary Committee on Intelligence and Security is conducting hearings over Thursday and Friday as part of its review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and the Security of Critical Infrastructure Act 2018.
Among the panel speaking on Thursday morning are Ron Gauci, CEO at the Australian Information Industry Association, auDA’s Rosemary Sinclair, Ryan Gillis from Palo Alto Networks, and the Information Technology Industry Council’s Courtney Lang.
“It is vital that we hear from the companies and industries affected by the proposed framework under the Bill, to ensure that the serious cybersecurity risks we face can be met effectively with the lowest possible regulatory burden and cost to consumers,” says Senator James Paterson, Chair of the Committee.
The Australian Government wants to extend a regulatory cybersecurity framework across 11 critical sectors (up from the current four) and their attendant systems. The framework aims to protect key supply chains and infrastructure in the event of a serious security threat.
On Thursday, most panel participants acknowledged the Government’s rationale and motives behind the proposed legislation. But several raised questions concerning a lack of clarity and possible regulatory over-reach.
“The legislation has significant powers, and we should be very clear about how those powers will be used before the legislation is passed,” said Rosemary Sinclair.
“If you talk about every knock on every door being reported, you are going to drown in information,” said Palo Alto Networks’ Ryan Gillis. “You’re likely to be diverting security resources away from the incident itself to compliance.”
Senator Paterson said most entities did the right thing when it came to managing and reporting cybersecurity risks. However, he said the proposed framework was designed to capture those who did not. He said critical industries needed to be protected, and the standards of some entities needed to be lifted.
Eighty-one individuals and organisations have made submissions to the Committee, including the US Chamber of Commerce, Amazon Web Services, AustCyber, and Universities Australia.
In its submission, AustCyber said this week’s hearing was an opportunity for the complexities of the Bill to be more closely scrutinised and suitable changes examined. AustCyber says the arrangements for Ministerial action directions and intervention requests can be improved, and that such intrusive action may not be appropriate in all circumstances.
Amazon Web Services wants the Bill to extend the definition of “data storage or processing sector.” They argue the current definition does not go far enough as it does not adequately cover the full scope of assets and entities in the data storage or processing sector, particularly relating to how the positive security obligations and enhanced cybersecurity obligations would apply.
Enterprise software company Atlassian, in its submission, says the Bill should recognise and take account of pre-established engagement protocols. Further, Atlassian argues the notification threshold for the seriousness of an incident should be higher.
Further updates will be provided as the hearings continue.