Greater balance needed in AU Critical Infrastructure Bill
Palo Alto Networks is calling for greater checks and balances on powers in the Critical Infrastructure Bill.
The proposed measures go too far and need stronger guardrails, otherwise they could adversely affect Australia's critical infrastructure operators, the company says.
Sarah Sloan, head of government affairs and public policy in Australia and New Zealand at Palo Alto Networks, says there is a need for greater checks and balances on certain powers in the Australian government's proposed Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022.
The Bill, in its current form, is intended to provide an enhanced regulatory framework designed to uplift security and resilience across Australia's critical infrastructure assets.
In the words of the Bill's explanatory memorandum, the framework, when combined with better identification and sharing of threats, will ensure that Australia's critical infrastructure assets are more resilient and secure.
However, Sloan, who appeared to give evidence at a public hearing of the government committee tasked with reviewing the Bill on 16 March, has cautioned that some of the measures outlined in the proposed legislation could adversely impact the nation's critical infrastructure operators.
"We are concerned that there is no independent review process articulated in the bill, and we believe this is contrary to some of the approaches taken in like-minded jurisdictions, which ordinarily would see the granting of a warranty or similar process in order to execute on that power," says Sloan.
Specifically, Sloan called for stronger checks and balances on powers for issuing System Information Reporting Notices and recommended the removal of the Bills software installation power, which would see the government able to deploy third party software on private entities IT systems.
"Perhaps the most important point we would make is that the provision potentially creates an international precedent that may, if adopted by other global and regional actors, impact Australia's interests and values," she says.
"As the Committee knows, we are in a period of geostrategic competition that is inherently linked to issues of technology and values, such as the separation of powers, rule of law - including checks and balances on the execution of Government power.
"While we understand and appreciate the relevance of system information in detecting and responding to cyber incidents and threats, we would recommend stronger checks and balances on the powers granted by the Bill to issue system information reporting notices (both system information periodic reporting and system information event-based reporting)," says Sloan.
"This will ensure that these notices are clear, proportionate, transparent and meet the Governments needs without unduly burdening industry."
Sloan encouraged the Committee to reconsider the maximum time frame currently at 12 months under the Bill for which a system information periodic reporting notice, or a system information event-based reporting notice, can be in force.
She also recommended notices be regularly reviewed to see if they are still necessary, proportionate and reasonable, and called for additional detail on the collection of data to be provided to companies likely to be impacted by the legislation, along with other measures to ensure industry is not unduly burdened by the proposed laws.
Additionally, Sloan called for the removal of provisions in the Bill that would give the Government the ability to install system information software on infrastructure it believed the respective System of National Significance (SoNS) entity would not technically be capable of otherwise provisioning itself.
"The installation of what constitutes third-party software has the potential to create vulnerabilities that could adversely impact the security of a SoNS entity as well as, by default, the Governments systems and client systems," says Sloan.
"Entities would need to review this software prior to putting it on their networks and this could take considerable time and effort.
"It is also unclear who would be responsible for ongoing product support and maintenance including vulnerability management and patching," she says.
"Finally, we note that this could expose the Government to liability for any adverse impacts arising from the installation of this software."