Peak industry body the Communications Alliance, which represents the major telco companies, said the industry did not opposed the bill but was concerned its current drafting gave government a “blank cheque” to intervene in a company’s operations.
“There are no real limits on the actions that security agencies could require of industry and there is scope for government to take ‘direct action’ – to step in and take control of privately owned and operated telecommunications networks and alter the systems and software,” Communications Alliance chief executive John Stanton said.
“We need clarity around the proposed security obligations on industry, the checks and balances around the ‘direct action’ powers and around what will be classified as critical infrastructure assets and systems of national significance.”
Under the proposed laws, the minister must consult with the entity before intervening, unless the delay that would frustrate the effectiveness of the intervention.
Samuel Grunhard, head of the Department of Home Affairs Critical Infrastructure Centre, told a public consultation hearing on Thursday that the intervention powers were a “weighty step” that would only be used as a measure of last resort.
“There are a number of important safeguards built into the bill to ensure that could only happen in the very most extreme circumstances and where all other methods to resolve the incident and working with the entity had failed,” Mr Grunhard said.
The bill requires the minister to be satisfied there is a “a material risk” that the cyber attack will “seriously prejudice” Australia’s social or economic stability, or national security and that entity was “unwilling or unable take all reasonable steps to resolve the incident”.
The Group of Eight – which represents the eight institutions that account for 70 per cent of Australia’s university research, said the proposed legislation was “far too broad in its reach”.
“[It] does not take into account the fact that the Go8 already meets significant security compliance and regulatory criteria across multiple government agencies, and gives the government sweeping and unnecessary powers which put at risk our operational autonomy,” chief executive Vicki Thomson said.
Australian Technology Network of Universities Executive Director Luke Sheehy said universities could “better implement these security requirements if the government works with us, rather than instituting external controls without full consideration of the impact.”
Lisa Visentin is a federal political reporter at The Sydney Morning Herald and The Age, covering education and communications.