Microsoft has taken the opportunity to remind the federal government of its objections to the proposed critical infrastructure legislation, flagging several aspects of the Bill that it believes could unintentionally weaken Australia’s security posture.
The draft legislation in question, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, was published by the Department of Home Affairs in November. It was then introduced to Parliament in December, with Minister for Home Affairs Peter Dutton labelling it as a significant step in the protection of critical infrastructure and essential services that Australians rely upon.
The Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure” that would extend the application of the Act to communications, transport, data and the cloud, food and grocery, defence, higher education, research, and health.
If passed, the laws would introduce a positive security obligation for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements to the Australian Signals Directorate (ASD); enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.
Having already highlighted concerns with the Bill before it entered Parliament, Microsoft in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has reiterated its belief that governmental intervention undermines the objectives of the proposed legislation.
“Microsoft has significant concerns about this authority … we believe that a policy allowing for direct governmental intervention would undermine the government’s objectives of defence and recovery,” it wrote.
“Rather, in many cases, it is the individual organisations themselves, and not the government, that are best positioned to determine how to appropriately respond to and mitigate the impact of cyber incidents.
“It would take a preclusive amount of time for the government to come into a live incident, properly understand the fact pattern, the technologies in play and the challenges of any decisions, and then be able to direct an appropriate response.”
According to Microsoft, this contributes to what military strategists have referred to as the “Fog of War”.
It’s a concept that has been applied to cyber incident response: during the initial phases of an ongoing crisis, when nobody yet fully understands the malicious activity, the ability of subject matter experts and network defenders to respond adequately is hampered by an onslaught of information requests, speculation, and well-intended ideas from outside individuals or organisations, and that interference introduces additional risk.
Microsoft said any such intervention would be further complicated by the fact that the government would be directing a response without a thorough understanding of the specific resources and protocols the entity has available for deployment, and that the “resources required to obtain such knowledge would be prohibitively expensive, logistically complicated, and amount to an extremely invasive governmental intervention”.
“As such, the danger of having a government direct a private sector entity’s response without complete knowledge of the situation and the technology cannot be understated,” Microsoft said.
“Moreover, individual organisations are not only best positioned to respond; they also have as equal an incentive as the government to protect their own networks and maintain the trust of their customers.”
Microsoft added that unilateral intervention by the government greatly increases the likelihood of unintended collateral consequences, affecting customers directly and indirectly by undermining trust, and threatens to leave entities less secure.
Microsoft’s remarks echoed those of many of its peers, such as Cisco, Salesforce, and Amazon Web Services (AWS), in their respective consultation submissions.
AWS is concerned that there isn’t clarity around whether the triggers for exercising such powers are objective and specific, whether or how the government would be able to objectively assess if its directions or assistance would improve the situation, what an entity could be directed to do or not do, what checks and balances would apply, and whether an entity has rights of review and appeal.
Cisco requested there be checks and balances for all government assistance, especially for step-in powers.
Taking this further, Microsoft said if the government believes it must retain authority to intervene in situations of extraordinary national emergency, it should also be prepared to assume full liability by indemnifying organisations for any collateral harm caused by its intervention.