SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Greater balance needed in AU Critical Infrastructure Bill
Tue, 22nd Mar 2022

Palo Alto Networks is calling for greater checks and balances on powers in the Critical Infrastructure Bill.

The proposed measures go too far and need stronger guardrails, otherwise they could adversely affect Australia's critical infrastructure operators, the company says.

Sarah Sloan, head of government affairs and public policy in Australia and New Zealand at Palo Alto Networks, says there is a need for greater checks and balances on certain powers in the Australian government's proposed Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022.

The Bill, in its current form, is intended to provide an enhanced regulatory framework designed to uplift security and resilience across Australia's critical infrastructure assets.

In the words of the Bill's explanatory memorandum, the framework, when combined with better identification and sharing of threats, will ensure that Australia's critical infrastructure assets are more resilient and secure.

However, Sloan, who gave evidence on 16 March at a public hearing of the government committee tasked with reviewing the Bill, has cautioned that some of the measures outlined in the proposed legislation could adversely impact the nation's critical infrastructure operators.

"We are concerned that there is no independent review process articulated in the bill, and we believe this is contrary to some of the approaches taken in like-minded jurisdictions, which ordinarily would see the granting of a warranty or similar process in order to execute on that power," says Sloan.

Specifically, Sloan called for stronger checks and balances on the powers to issue System Information Reporting Notices, and recommended the removal of the Bill's software installation power, which would allow the government to deploy third-party software on private entities' IT systems.

"Perhaps the most important point we would make is that the provision potentially creates an international precedent that may, if adopted by other global and regional actors, impact Australia's interests and values," she says.

"As the Committee knows, we are in a period of geostrategic competition that is inherently linked to issues of technology and values, such as the separation of powers, rule of law - including checks and balances on the execution of Government power.

"While we understand and appreciate the relevance of system information in detecting and responding to cyber incidents and threats, we would recommend stronger checks and balances on the powers granted by the Bill to issue system information reporting notices (both system information periodic reporting and system information event-based reporting)," says Sloan.

"This will ensure that these notices are clear, proportionate, transparent and meet the Government's needs without unduly burdening industry."
 
Sloan encouraged the Committee to reconsider the maximum period, currently 12 months under the Bill, for which a system information periodic reporting notice or a system information event-based reporting notice can remain in force.

She also recommended that notices be regularly reviewed to confirm they remain necessary, proportionate and reasonable. She called for additional detail on the data to be collected to be provided to companies likely to be affected by the legislation, along with other measures to ensure industry is not unduly burdened by the proposed laws.

Additionally, Sloan called for the removal of provisions in the Bill that would allow the Government to install system information software on infrastructure where it believed the relevant System of National Significance (SoNS) entity was not technically capable of provisioning that software itself.

"The installation of what constitutes third-party software has the potential to create vulnerabilities that could adversely impact the security of a SoNS entity as well as, by default, the Government's systems and client systems," says Sloan.

"Entities would need to review this software prior to putting it on their networks and this could take considerable time and effort.

"It is also unclear who would be responsible for ongoing product support and maintenance including vulnerability management and patching," she says.

"Finally, we note that this could expose the Government to liability for any adverse impacts arising from the installation of this software."