Critical Infrastructure #5
Critical Infrastructure – Part 5

Author: Mel Griffiths

Dams and Dollars: The Impact of the Critical Infrastructure Bill on the Finance and Water Sectors

The overall objective of the Government’s Security Legislation Amendment (Critical Infrastructure) Bill is to ensure that Australia’s Critical Infrastructure is secure; however, the expansion of critical sectors in the Bill has underscored not only the complex interconnections between industries and sectors, but also the number of existing regulatory frameworks that need to be leveraged, or at least considered, to make the amendments work as efficiently as possible.

The co-design consultation for sector-specific obligations that will underpin the risk management program is currently underway for the Financial Services and Markets (payment systems) sector and has been completed for the Water and Sewage sector. However, some aspects of the Bill may be passed before others if the compromise suggested by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) is implemented. The PJCIS has recommended that the Government urgently pass the portions of the Bill that focus on Government assistance mechanisms and mandatory notification requirements, while introducing the remaining aspects under a separate Bill following further consultation. The thinking appears to be that this would enable the swift passage of laws to counter current threats, while also providing additional time for co-design with industry.

However, many of the concerns of the Water, Finance, and other sectors centre around the Government’s proposed intervention powers (assistance mechanisms), which essentially allow the Government to shut down, change, analyse, remove, and control a piece of infrastructure and its component parts if an attack on that asset is perceived to put national security at risk.
When discussing the Government’s proposed intervention powers in the Security Legislation Amendment (Critical Infrastructure) Bill, it is important to be aware of the counterbalances in place.

I’ve Got the Power

Most of the intervention actions cannot be undertaken without ministerial authorisation approved by the Prime Minister and the Minister of Defence, and only in the event of an attack on critical infrastructure impacting national security.

Affected organisations can be ordered to perform an internal or external audit of the security of their systems, and to report on systems either regularly or based on an event. Interestingly, if the information in the reports is potentially incriminating to the company or an individual, it cannot be used for criminal or civil proceedings unless they relate to the Act.

The Government can also require that an organisation install, maintain and, wherever possible, keep online software for collecting and recording computer operation information, to determine whether further powers under the Act should be exercised. Personal information is still protected by the Privacy Act 1988 in these circumstances.

The proposed powers also allow Government to intervene in systems for analysis, including adding, removing, or modifying installed programs, and connecting computers to the organisation’s systems. Under some circumstances, the Government may order an organisation to take or refrain from taking certain actions, request access to premises, or take equipment for analysis. If access to premises is refused, the Government may engage the police, but cannot use force against an individual.

Is All This Really Necessary?

Most sectors have voiced their concern regarding the extent of the powers provided to Government in the Bill and the lack of conventional rights of appeal and oversight.
The Water sector have stated that this “erodes natural justice and provides significant concerns in relation to potential regulatory over-reach and poor community outcomes”. For example, the Bill allows for Governmental intervention based on Ministerial authorisation, which would potentially allow an intervention order to be made prior to an event without the involvement or knowledge of the impacted organisation. The Water sector have argued that there needs to be provision for notification and cooperation prior to an intervention, which should only be implemented in the event of non-cooperation or lack of response capability on the part of the Critical Infrastructure owners and operators.

The Australian Banking Association (ABA) have also voiced concern regarding the Step In powers, stating that the potential for implementing software and/or running scripts in intricate banking technology environments and networks is extremely high risk. Given the complexity and time-sensitive nature of banking systems and networks, there are fears that the potential impacts of interventions may not be easily defined and could unintentionally degrade system security or operate beyond the authorised scope. The Water sector have pointed out that Section 30DJ of the legislation allows the Government to install software without any liability for potential damage that may be caused to systems, and have argued for a right of appeal or an ability to recover costs.

The powers of physical entry have also raised some questions for the ABA. The Government has indicated that such powers of entry would only be enforced on Australian soil; however, the ABA has noted that “entry and action on Australian premises could create a connection to… overseas data centres and raise questions about liability under foreign law including regulatory obligations and contractual liability”.
Consider a hypothetical scenario in which an Australian financial sector entity is using Amazon to host both their critical systems and their main corporate portal for customers to access. The entity’s systems and data in the cloud are replicated across different regional availability zones, and they use a Security as a Service (SaaS) product provided by a company located in India. If an attack were to occur within the Amazon infrastructure or against the SaaS in India in such a scenario, it is not clear whether the Government would seek to gain access to Amazon or the SaaS infrastructure and premises, where and how access might occur, and which entity would have obligations to ensure this would be possible.

The Australian Financial Markets Association (AFMA) have called for robust checks and balances against these powers, particularly in regard to what clear evidential grounds would be sufficient to satisfy the Government that ministerial action would be warranted. The AFMA have made it clear that, in their view, APRA-regulated entities have the maturity and sophistication to warrant the ministerial ‘on switch’ for activating the Positive Security Obligations for a critical infrastructure asset being kept ‘off’ for these entities. The AFMA have also warned that justified use of intervention powers should not promote distrust in industry cyber capabilities.

Burn After Reading

The Australian Banking Association (ABA) has noted that the information the Bill will require to be provided to government may be sensitive. They have raised questions over how such information will be protected throughout its lifecycle, arguing that legislation should detail its classification, handling, storage, retention and destruction. There is also concern from industry that the Bill’s provisions for collecting information may be broader than the stated intention of Government policy.
Industry understands that the intention of the Government is to ask for data logs, excluding information or documents that may be under third party Intellectual Property. Given this understanding, the ABA has requested that an amendment be made to Section 30DB so that it expressly applies to data logs only, with third party IP exempted, and that entities may refuse to comply with some or all of a request for information that goes beyond this.

The Critical Infrastructure legislation makes it an offence to disclose some protected information, such as when an asset has been declared by the Government to be a System of National Significance (SoNS). However, the ABA has asserted that not all scenarios where an entity has a legitimate reason for disclosing information have been addressed. They have proposed that section 46 be amended “to permit an entity to disclose protected information, if the entity reasonably believes that doing so would assist the entity to comply with its obligations under the SOCI Act, other Australian and overseas law, or if the entity reasonably believes doing so is required under contract.”

The Financial Services Council (FSC) has rather gloomily predicted that, based on the exposure draft, the Bill will result in “another regulatory agency being imposed on financial services without a requirement for a streamlined approach with other agencies that already operate in financial services”. The FSC is not the first to note the degree of overlap and duplication of the Bill with existing frameworks.

One Size Fits None

The ABA has highlighted the need to eliminate differences between proposed requirements and existing regulatory regimes, particularly under prudential regulation. Financial Services prudential regulations are the current benchmark in the Financial Sector.
The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across banking, insurance, and superannuation, and is accountable to the Australian Parliament. Fundamentally, the Financial Services sector feels that the new regime under the Bill should defer to APRA’s existing financial sector regulatory obligations. These include CPS 220 Risk Management, CPS 234 Information Security, CPS 232 Business Continuity, and CPS 231 Outsourcing.

Under the APRA prudential standard CPS 220, the Board of an APRA-regulated institution is required to provide APRA with a risk management declaration within three months of its annual balance date. As it currently stands, the Bill would require an additional annual risk management program report to be submitted within 30 days. There is concern that the overlap between the Prudential Standards and the requirements of the Bill will result in organisations having to prepare two reports with substantially the same information and adopt two distinct procedures for approval and sign-off of the reports. The Australian Institute of Superannuation Trustees (AIST) has stated that the requirement to produce an annual report in this timeframe will put significant pressure on superannuation fund staff during an already demanding period.

The Financial Services sector feels not only that this would result in a substantial increase in the compliance burden without any meaningful difference in the personal accountability of Board members, but also that requiring each Board member to sign the risk management program annual report is inconsistent with the requirements under CPS 220. AIST has argued that such a requirement may be impractical, particularly if superannuation funds are required to do so 30 days after the end of the financial year.
As a result, the Financial Services Sector has urged the Government to consider leveraging existing sector regulations covering similar board approval requirements.

Another imposed timeframe raising concerns is the proposed six-month period which organisations have to comply with the provisions of the Bill. The Water Services Sector Group (WSSG) has suggested that the six-month timeframe for compliance with reporting obligations may be insufficient and has suggested that this be amended to provide organisations with six months to provide an agreed implementation timeline.

We’ve Already Got One and it’s Very Nice

In their responses to the Draft of the Bill, many industries have pointed out to Government that they already have existing regulatory regimes and standards that adequately manage the risks to their assets. For example, the New Payments Platform (NPP Australia) have suggested that an asset should only be identified as critical to a critical payment system if the asset is already identified as a SIPS (Systemically Important Payment System). A SIPS is a payment system which, if attacked, could potentially endanger the operation of the whole economy, and is expected to observe the Principles for Financial Market Infrastructures issued by the CPMI and IOSCO. The Reserve Bank Information and Transfer System (RITS), used by banks to settle payment obligations, is the only system that has been determined to be a SIPS.

This is not the only example where industry feels that the Bill may disrupt current best practice. APRA Prudential Standard CPS 234 has been adopted as the cyber security benchmark for the Australian banking sector and is seen as driving appropriate levels of visibility, funding, and support for cyber security in the Financial Sector.
As many organisations have undertaken significant work to respond to the APRA CPS 234 requirements, the Australian Banking Association (ABA) has asked Government to consider modifying the reporting requirements for cyber-security incidents in the Bill to match APRA CPS 234 for APRA-regulated entities. However, there are several significant misalignments that need to be addressed. For example, APRA CPS 234 requires an entity to notify APRA as soon as possible and, in any case, no later than 72 hours after a cyber incident, whereas the Critical Infrastructure Bill will require critical cyber incidents to be reported within 12 hours. The Water Sector has noted that the 12-hour reporting timeframe is also inconsistent with international good practice, such as the US National Institute of Standards and Technology (NIST) 800-53 Standard. Both the NIST and APRA standards require reporting within 72 hours, and the Water and Finance sectors are agreed that this requirement in the Bill should be aligned accordingly.

Apart from critical incidents, all other cybersecurity incidents are required by the Bill to be reported within 24 hours. The Water sector has argued that this obligation places additional regulatory burden on entities, particularly over weekends and holiday periods, and has recommended that the Government restrict reporting to significant risks only. The Financial Services Council (FSC) has also urged the Government to revise these timeframes from 24 to 72 hours from the time of becoming aware of a confirmed incident.

In addition to incident reporting timeframes, there have also been calls from both the Financial Services Council (FSC) and the Australian Banking Association (ABA) for Government to clarify the types of incidents that would be covered by sections 30BC and 30BD of the Bill, and to align them with the incidents covered by the term “information security incident” in CPS 234.
Another suggestion aimed at reducing the burden on industry whilst maintaining the integrity of the regime is that Government agencies share incident reports to avoid imposing duplicate reporting obligations under different regimes. For example, where information on serious cyber security incidents has already been reported to a government agency (such as reporting to APRA under CPS 234), other agencies should seek to obtain the information intra-governmentally.

It Does Not Mean What You Think it Means

As with other areas of industry, there has been much discussion in the Finance and Water sectors of the appropriateness of the definitions in the proposed legislation. The Water Services Sector Group (WSSG) summarised this issue, stating that the uncertainty created by the vague terminology of the Bill undermines industry’s capacity to assess potential compliance costs. This is particularly concerning given the provision for penalties for non-compliance. The consensus from industry indicates that the Government has some work to do to ensure that terms are clear and precise, and that sectors fully understand the activities and costs associated with compliance.

For example, the definition of direct interest holder is expected to capture financiers, including banks, according to the Australian Financial Markets Association (AFMA). This is because banks may have a security position in assets that fall within the scope of the Bill, which means they would be subject to both the reporting requirements with respect to the Register of Critical Infrastructure and the civil penalties for non-compliance. As a result, the AFMA has suggested that banks and other lenders should be excluded from the definition of direct interest holder.
The Australian Institute of Superannuation Trustees (AIST) has taken issue with the definition of a critical superannuation asset, which is intended to capture funds with Funds Under Management (FUM) of $20 billion or more. However, the AIST notes that a fund’s FUM can increase or decrease over time: a fund may have FUM of $19 billion in one year and experience an increase the following year, putting the fund over the $20 billion threshold.

The Australian Banking Association (ABA) has emphasised that the Bill’s definition of business critical data is overly broad, and there are fears that, as it stands, the definition will capture a significant proportion of an organisation’s supply chain. In their submission in response to the exposure draft of the Bill, the ABA have also sought clarification as to whether or not the definition of the Data Storage and Processing Sector is intended to capture banks or other organisations that may hold data or provide data storage as an adjunct part of their business.

The Writing on the Wall

The consultation phase of the Security Legislation Amendment (Critical Infrastructure) Bill has underscored the complex interconnections between industries and sectors. It has also revealed that there are a number of existing regulatory frameworks that need to be leveraged, or at least considered, if the amendments are to work as efficiently as possible. It is unclear whether the Government will manage the differences between the Bill and existing regulatory regimes and standards through consultation and integration, or by imposing requirements regardless of existing benchmarks, overshadowed by the threat of penalties for non-compliance.

Sectors have also raised a great deal of concern regarding the extent of the powers provided to Government and the lack of conventional rights of appeal and oversight. There has been no indication from Government that any amendment to rights of appeal is being considered.
Many submissions in response to the Bill’s draft from across the impacted sectors have commented on the adversarial tone of the legislation, indicating that it lacks the spirit of cooperative engagement of which Government and Critical Infrastructure owners and operators have a strong history. The feedback from industry is that the Government needs to ensure that terms are clear and precise, that sectors fully understand the activities and costs associated with compliance, and that existing frameworks are accommodated by, and integrated into, the legislation.

If the Government is not able to achieve this, it may not only result in increased cost and regulatory burden, bureaucratic overlap, jurisdictional disputes, and unintentional non-compliance, but may also require the Government to use Step In powers to defend Critical Infrastructure whose security has suffered from these inefficiencies. However, the Government also needs to balance the potential of that outcome against the increasingly frequent and sophisticated cyber threats levelled against Critical Infrastructure.

A compromise has been suggested by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), recommending that the portions of the Bill that focus on Government assistance mechanisms and mandatory notification requirements should be passed with urgency, while the remaining aspects of the Bill should be introduced under a separate Bill following further consultation. It remains to be seen whether this recommendation will be implemented by Government or welcomed by industry.