Critical Infrastructure #6
Critical Infrastructure – Part 6 Author: Mel Griffiths Preparing For a Cyber Pearl Harbour “What I’m worried about is a ‘cyber Pearl Harbor’ — an online attack that cripples our critical infrastructure and catches us all by surprise… That’s why we’re seeking to pass legislation that safeguards those critical assets that make up our digital economy and sovereignty.” – Andrew Hastie, Assistant Minister for Defence The Australian Government continues to reiterate the urgency of their plan to pass legislation intended to safeguard Critical Infrastructure in an increasingly hostile threat landscape. Industry sectors impacted by the Security Legislation Amendment (Critical Infrastructure) Bill 2020 have called on the government for further consultation, offering a plethora of sector-specific recommendations designed to clarify responsibilities, leverage existing frameworks, and reduce the regulatory burden. In an effort to balance the urgent requirement to pass the legislation with industry concerns, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has suggested that the government urgently pass the portions of the Bill that focus on government assistance mechanisms and mandatory notification requirements, while introducing the remaining aspects under a separate Bill following further consultation. This move may raise further concerns from industry given the number of objections regarding the extent of the proposed government powers, as well as the lack of any avenue for appeal. For example, the Australian Information Industry Association (AIIA) has questioned the appropriateness of the powers inherent in the legislation for the data storage or processing sector, given its complexity, interconnectedness, overlapping regulatory regimes, and the potential global implications. Palo Alto Networks has gone so far as to recommend that the data storage and processing sector be removed from the Bill altogether, citing other governments who have avoided defining this sector as Critical Infrastructure due to its complex and interdependent nature. There are also many aspects of mandatory notification requirements that have been challenged by industry, such as who should report, to whom, how often, under what circumstances, and in what timeframe. The defence industry sector, the data storage and processing sector, and the space and technology sector are three areas targeted in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, although it appears the Bill is likely to impact businesses in these areas in very different ways. The government has stated that the current DISP defence security mechanisms are sufficient to manage obligations for the majority of the defence industry, and the infant space industry has no assets to regulate yet, aside from those already covered in other sectors. Conversely, the data storage and processing sector has warned that, given the degree of overlap in regulations and the number of cross-sector customers that use data storage and processing services, there is a high likelihood that the data storage and processing sector could be “subject to the regulations and responsibilities of all regulated sectors simultaneously”. DISP Sufficient for Defence Industry Little has been made available in relation to Defence Industry responses to the Bill, which may be among the 30 submissions to government that remain confidential. The Bill defines the defence industry sector as supplying or producing goods, technology and services that (a) maintain Defence’s capability advantage, or (b) are limited by Defence due to their potential impact on Defence interests. This definition is intended to exclude industry entities captured under other sectors, such as electricity or water, while including organisations which provide or support a critical defence capability. The Exposure Draft Explanatory document defines critical defence capability as including material, technology, platforms, networks, systems, and services that are required in connection with the defence or national security of Australia. Under the Draft Asset Definition Rules, any organisation providing or enabling a critical defence capability under a contract to the Department of Defence or the Australian Defence Force may be a critical defence industry asset. The government has noted that, while critical defence industry assets may be subject to each of the Positive Security Obligations, the Department of Defence may continue to manage obligations under its current Defence Industry Security Program (DISP) framework. The DISP framework manages the security and resilience of critical defence industry assets via a non-regulatory risk management program run by the Department of Defence. Defence industry stakeholders, including peak bodies and federal, state and territory representatives have been invited to work with government in co-designing the rules to shape the requirements for a risk management program that may be ‘switched on’, if required, under the Bill. However, the government has stated that the existing defence security mechanisms under the DISP are considered sufficient for the majority of the defence industry. As a result, it is unlikely that the risk management program will be ‘switched on’ for the majority of businesses that fall within the defence industry asset class. Can You Hear Me, Major Tom? The addition of the Space and Technology sector to the list of Critical Infrastructure is a move intended to future-proof the security of an industry that is expected to become increasingly critical. The Trusted Information Sharing Network Space Cross-Sectoral Interest Group have asserted that the legislation needs to cater for significant growth and transformation in the sector. The explanatory document accompanying the exposure draft of the Bill states that the space technology sector “involves the commercial provision of space-related services, and reflects those functions that are critical to maintaining the supply and availability of space-related services”. However, in sharing their views on the relevant aspects of the Exposure Draft of the Bill, the Philippines Space Agency suggested that the definition of the sector may not encompass critical non-commercial aspects, such as government owned satellites and other space technologies. It is anticipated that the types of space and technology assets that may be designated as critical will include assets relating to position, navigation, and timing of space objects, space situational awareness services, space weather, space communications, tracking and control, earth observation, and facilitating access to space. However, the Bill does not include a specific definition of a critical space technology asset, because the only existing critical space technology sector assets identified are communications assets which are already covered under the proposed definition of critical telecommunications assets. Further assets may be prescribed under subsection 9(2) of the current SOCI Act as the space sector evolves and more critical assets are identified. When Criticality Met Privacy The data storage and processing sector is defined as the sector providing data storage or processing services on a commercial basis. Data storage or processing services may include enterprise data centres, managed services data centres, colocation data centres, cloud data centres, infrastructure as a service (IaaS), software as a service (SaaS), or platform as a service (PaaS). To be classed as a critical data storage or processing asset, the asset must be owned by a data storage or processing provider and provide services either to government, a body corporate established by law, or a critical infrastructure asset which uses the service for business-critical data. AWS has suggested an amendment to the definition of critical data storage or processing asset in the Bill to include a simpler threshold, such as power usage or number of server racks, and that the definition of asset be limited only to physical infrastructure. Regardless of the threshold, organisations may not be aware whether they meet this definition or that they have Critical Infrastructure clients, as they often do not have visibility over client data due to privacy requirements. Subsection 12F(3) of the Bill requires entities responsible for Critical Infrastructure to inform their data storage or processing service provider if they meet the definition of a commercial service provider to Critical Infrastructure for business-critical data. However, CISCO has suggested that a more thorough approach would be for government and industry work together to map supply chains to enable the relevant regulators to notify cloud service providers that they are providing services to Critical Infrastructure. Critical Mass Every sector has raised concerns about broad and vague definitions within the Bill, and the data storage and processing sector is no different. According to AWS and the AIIA, there are a number of other definitions which, as drafted, are ambiguous, too easily triggered, confusing, and will lead to over-notification and increased compliance costs. For example, the government has stated that the intention of the definition for business-critical data is to capture a critical infrastructure asset’s crucial operational information which, if compromised, would affect the availability or reliability of the asset, or have national security implications. However, Amazon Web Services (AWS) asserts that the government’s intentions are not carried by the definition of business critical data as (a) personal information that relates to at least 20,000 individuals, (b) sensitive information, or (c) critical infrastructure information relating to research and development, operations, or risk management. It is anticipated that the proposed thresholds will capture a minimum of 100 data centres and at least 30 cloud service providers. The Australian Information Industry Association (AIIA) has asked the government to clarify the definition of ‘activities relating to business-critical data’, while AWS has labelled the definitions of critical data storage or processing asset and business-critical data as vague and unnecessarily broad. They argue that assets would fall into this category even if they are processing or storing business-critical data that is “only ancillary in nature”. In addition, AWS has recommended that the definition of cyber security incident should apply only if the incident has a systemic or broad impact to the relevant critical infrastructure asset and is a direct result of a third party’s malicious actions. That’s Not My Cloud Data storage and processing is a cross-cutting sector, a feature that appears to have been overlooked by government. In cloud environments, for example, responsibility for security is frequently shared between the provider and customer, where the cloud services provider is responsible for “security of the cloud,” and the customer is responsible for “security in the cloud”. Such sharing of security responsibility is not clearly reflected in the Bill. It has been recommended that an amendment be made to clarify that a cyber security incident only occurs in respect of a data storage or processing services provider or its customer when the incident occurs in their respective areas of responsibility. CISCO has further suggested that cyber security incidents for cloud and data processing entities continue to be reported to customers, who would then report to the Australian Cyber Security Centre (ACSC) as part of their own Positive Security Obligations. CISCO argue that this will maintain the confidentiality of customers while still providing the ACSC with appropriate visibility. Let’s Split the Bill The government continues to use strong language to emphasise the urgency with which it feels the Security Legislation Amendment (Critical Infrastructure) Bill must be passed in order to avoid a potential “cyber Pearl Harbor”. The task government originally set itself was to achieve sufficient security uplift across a disparate group of sectors and industries, using broad legislation, within a limited timeframe. Across the sectors, organisations have raised a chorus of objections to the lack of specificity, the degree of overlap with existing regimes, and the lack of guardrails on broad powers proposed in the Bill. Upon review of the situation, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has suggested splitting the Bill in order to satisfy the urgent requirement for intervention powers to counter any significant impending threat, while also addressing the legitimate concerns from current, and soon-to-be, Critical Infrastructure owners and operators. Whilst this compromise may be viewed more favourably than the alternative, it remains to be seen whether the numerous concerns about the government powers will be addressed to the satisfaction of the impacted sectors, if a splitting of the Bill occurs. Despite the benefits of splitting the Bill, there still remains a lack of clarity on reporting mechanisms and which existing regulatory regimes might be leveraged to avoid duplication of effort. Many sectors are also still very concerned about the prospect of government software and interference in systems and the associated business and risk impacts. Even with a splitting of the Bill, there is still the risk of a one-size-fits-all approach to the government assistance mechanisms and mandatory notification requirements that will have different implications for different sectors. Although still subject to the Positive Security Obligations, critical defence industry assets will likely continue to manage their obligations under the DISP framework, with the risk management program remaining switched off for the majority of defence industry businesses. Meanwhile, the application of government assistance mechanisms and mandatory notification requirements to the data storage and processing industry is fraught with difficulties due to its complex and globally distributed nature, existing privacy requirements, and the shared control and responsibility models used between providers and customers. The defence industry remains publicly mute on the Bill, while cloud and data storage providers are strongly calling out the shortcomings of the legislation as it applies to their business, some even calling for an elimination of the sector from the Bill entirely. If the PJCIS recommendation to split the Bill is undertaken, it remains unclear if and how this feedback will be managed by the government.