Industry pushes back on Critical Infrastructure Protection Bill’s ‘software installation’ mandate

The tech industry has urged the Federal Government to scrap a clause in its Critical Infrastructure Protection Bill that could force essential services providers to install Government-procured software that tracks and reports on their computer systems’ operations – and potentially increase avenues of breach.

Tabling their concerns during a Parliamentary Joint Committee hearing on Wednesday, representatives from Australia’s information technology, cloud and internet industries warned that any requirement to install such software – referred to under Section 30DJ of the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 – could undermine the security of these essential services providers, and ultimately run contrary to the overall objectives of the Bill.

As the Bill stands, critical infrastructure providers would be required – if requested by the Government – to install software that generates and delivers periodic reports on the operations of their computer systems. Reports would then be sent to the Australian Signals Directorate (ASD) for assessment.

These reports, the Bill states, “may assist with determining whether a power under [the Critical Infrastructure Protection] Act should be exercised in relation to the system of national significance”.

The Government regards the provision as a “last resort” power, adding that it has a “strong preference” for entities to provide information using their “own capabilities”.

Despite this, industry representatives remained concerned that, without a separate “judicial body” to adjudicate such a decision, such a power (beyond the potential vulnerabilities introduced) would ultimately “erode confidence” in critical infrastructure providers and undermine Australia’s global interests.

Sarah Sloan, head of government affairs and public policy, ANZ at security provider Palo Alto Networks, called on the Government to immediately scrap its proposed “software installation powers”.

She warned that forced installation of “what constitutes third-party software” risks introducing security vulnerabilities into what are highly sensitive and internally regulated technology ecosystems.

Moreover, she said, the Bill provides no clarity on “who will deliver the support and maintenance patches [and] assessments of the particular software”.

John Stanton, chief executive of peak body Communications Alliance, echoed Sloan’s concerns.

“Certainly, if there is a requirement to install third-party software, and that can take place without coding and testing, there’s no doubt that vulnerabilities can be created.”

He added that the provision could also “erode confidence, nationally and internationally, in the integrity of services being provided by [those] that are being directed to install that software”.

Dr Bruce Tonkin, chief operating officer of .au Domain Administration, also flagged concerns around any expeditious demand from Government to implement such a program, noting that any software introduced into a critical infrastructure provider’s systems typically requires “rigorous and careful testing”.

“The idea of putting in third party software at short notice is generally extremely dangerous to anyone running critical infrastructure and should be avoided if at all possible.”

He further cautioned – “given the international nature of the traffic that we carry and hold” – that any such data-gathering program could potentially breach international laws, noting in particular the European Union’s General Data Protection Regulation (GDPR).

Sloan also foresees more far-reaching consequences, noting that, if adopted in its current form, the law would set a global precedent impacting “Australia and Australia’s interests”.

“The Committee knows we’re in a period of geostrategic competition, inherently linked to issues of technology and values – values such as the separation of powers, rule of law including checks and balances on the execution of government power.”

Demand for judicial oversight

Should the software clause remain in the legislation, Tonkin urged that decision-making powers be left to an independent judicial review body.

Currently, as Sloan noted, the legislation lacks a mechanism for independent judicial review.

This, she added, is “contrary to some of the other approaches taken in other like-minded jurisdictions, which ordinarily would see the granting of a warrant or similar process in order to execute or deliver on that power”.

The open-ended structure of the clause also needs further review, Sloan said. It is, for instance, still unclear how collected data will be used, with no indication of the number of report notices the Government can issue at any one time or a specified time period within which regulated entities must aggregate and report such data.

As it stands, these limits “could be indefinite”, she said.

“We would welcome a regular and independent review process, including when a notice is in force. And we would also welcome an appeal right should an affected entity disagree with a decision of the Government to implement one of the notices.”

Roger Somerville, Amazon Web Services’ head of public policy (ANZ), also called for the creation of a Technical Support Body – “one that exists as an independent statutory office holder”.

“In addition to providing oversight on their use of government assistance measures and enhanced cybersecurity obligations, this body would also create, perhaps, an avenue for contestability of those decisions, particularly on the questions of technical feasibility.”

The second ‘half’ of the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 was introduced to parliament on 10 February this year. The amended bill is currently before the Senate.

The Government opted to split the original Bill in two, “to allow urgent elements of the reforms”, including mandatory notification requirements, “to be swiftly legislated”. The first half of the Bill was legislated in November 2021.

The Bill currently before parliament focuses on “less urgent measures”, the Government said, which include risk management programs and declarations of ‘Systems of National Significance’, accompanied by enhanced cybersecurity obligations.