steven36 posted a topic in Security & Privacy News

AWS is worried about the potential overstepping that could occur if the government is able to provide assistance to entities in response to significant cyber attacks on Australian systems.

The federal government recently closed consultation on a package of reforms focused on protecting critical infrastructure and systems of national significance. With that part of the process wrapped up, the government is now looking to introduce an enhanced regulatory framework, which would build on existing requirements under the Security of Critical Infrastructure Act 2018. This includes: a positive security obligation (PSO) for critical infrastructure entities, supported by sector-specific requirements; enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.

With the definition of what constitutes critical infrastructure and systems of national significance not yet fully settled, the federal government is seeking to determine who the enhanced framework would apply to, with one proposed sector covering data storage and cloud.

Amazon Web Services (AWS) said that while it was broadly supportive of the proposal to expand the regime to include the data and cloud sector, the expansion raises questions such as which service providers should be included in the sector, what security standards should apply, and how the government can prevent over-regulation. In its submission [PDF] to the consultation, the cloud giant also raised concerns that the proposal for government "assistance" or "intervention" powers could give the government overly broad powers to issue directions or act autonomously. AWS said the breadth of the newly regulated critical infrastructure sectors, coupled with the seemingly broad powers described in the consultation paper [PDF], raised many issues and unknowns.
The consultation paper said the government assistance would be provided to entities that are the target or victim of a cyber attack through the establishment of a government capability and authorities to disrupt and respond to threats in an emergency.

"Critical infrastructure entities may face situations where there is an imminent cyber threat or incident that could significantly impact Australia's economy, security or sovereignty, and the threat is within their capacity to address. In these cases, we propose that government be able to provide reasonable, proportionate and time-sensitive directions to entities to ensure action is taken to minimise its impact," the government wrote.

AWS is concerned that there isn't clarity around whether the triggers for exercising such powers are objective and specific, whether or how the government would be able to objectively assess if its directions or assistance would improve the situation, what an entity could be directed to do or not do, what checks and balances would apply, and whether an entity has rights of review and appeal.

Elsewhere in its submission, AWS said it was unclear from the consultation paper whether and how the enhanced regulatory framework would apply, explaining that it was concerned the position of applying the enhanced regulatory framework at the "owner and operator level, not at [a] specific piece of technology" could lead to negative consequences. Instead, the cloud giant has recommended the enhanced regulatory framework only apply to specific critical infrastructure assets of a critical infrastructure entity.

In order to avoid over-regulation, AWS said a technology service provider -- one that is also a regulated critical infrastructure entity complying with its own sector PSO -- should not have to comply with additional security obligations imposed by another regulator that duplicate or build upon that entity's PSO.
It also wants clarification that entities will not be inspected, examined, or audited against the same requirements by multiple regulators. Acknowledging each sector is different, AWS said PSOs for one sector should not contradict or conflict with those in another sector, but it was concerned this approach could lead to a fragmented set of security requirements across different sectors.

Asking for further clarity, AWS wants an appropriate scope of what entities and infrastructure are included in the "data and the cloud" sector. If there was to be a threshold, the cloud giant has suggested a test of "a data centre containing IT equipment capable of consuming more than 100kW of power in total" so that operators of infrastructure have clarity on whether they are covered.

In addition, AWS said the PSO should reflect that an entity is only able to implement security processes that are within its control.