Mumbai Press Center
February 2, 2021 | [EDITORIAL] Concerns Over Unrestricted Access Granted by Australia's Critical Infrastructure Bill
Freedom Publishers Union has analyzed in detail the Exposure Draft of "Security Legislation Amendment (Critical Infrastructure) Bill 2020".
The Exposure Draft we obtained is 141-pages and contains amendments which would effectively allow authorized Australian Government cyber security departments to intervene in the event of what the Government refers to as "cyber security incidents" on targets determined as "critical" to the nation's infrastructure.
Freedom Publishers Union analyzed the contents of this bill, specifically, because we were alerted by its potential to violate the individual privacy of Australian citizens through government sponsored intervention or takeover of computer systems and/or networks.
Post assessment, we are satisfied.
There is minimal concern over its contents and the potential risk for the bill being used as a legal instrument to violate the individual privacy of Australian citizens is equally minimal.
However, there are some elements present which do concern us.
The bill declares, "The Minister may privately declare an asset to be critical infrastructure asset.".
Then, it is followed with the declaration, "The Minister may privately declare a critical infrastructure asset to be a system of national significance.".
The bill defines critical infrastructure and critical sectors to be that of:
- Communications
- Data storage and processing
- Financial services and markets
- Water and sewerage
- Energy
- Health and medical
- Higher education and research
- Food and grocery
- Transport
- Space technology
- Defense industry
The two aforementioned declarations, together with the extremely broad scope of many other elements contained in the bill are cause for concern.
As outlined, the list of sectors that are to be defined as critical infrastructure is extensive and the scope appears to have no limits.
Also consider the unrestricted power of "The Minister" to privately add an asset, he or she determines as necessary to be defined as "critical".
What we believe to be of most concern is the high level of open and unrestricted access to entities which must be provided, to comply with the bill, and to enable the authorized Australian Government departments access to computer systems and networks.
The entire process is referred to as "operational assistance".
There is no defined time frame which specifies how long operational assistance is engaged.
Said "assistance" may include installation of invasive software on computer systems or networks, of any of the defined entities.
Software that may be installed on these computer systems or networks, that may fall victim to serious cyber attack, will be specifically designed to counter potential, current or future cyber attacks.
This could potentially all be performed in secret and before entity owners can once again command control of their own systems or networks.
Software designed to counter cyber attacks also has the potential to be used for spying purposes to benefit the wider agenda of the intelligence community.
Freedom Publishers Union does not assert that spying on Australian computer systems and networks is or will occur under the Critical Infrastructure Bill.
However, we do raise concern because there appears to be nothing in the bill that eliminates the potential and nothing which specifies such activities would be prohibited.
Compliance from all defined entities is required, by force through legislation.
Entities are provided no choice as to whether they wish to participate in the program.
Freedom Publishers Union believes participation should be voluntary through an opt-in mechanism.
Entities should be under no obligation, by force through legislation, to open up their computer systems and networks for unrestricted access by government sponsored departments and intelligence agencies.
Also, we believe it could effectively risk compromising overall security of the computer systems and networks, and runs the additional risk of leaving network security even more vulnerable than prior to being forced to provide access.
Freedom Publishers Union does acknowledge that an opt-in mechanism could introduce an entirely different set of security questions which would need to be assessed and debated.
In the form of the Exposure Draft, Freedom Publishers Union assesses the balance of privacy to be unfair and favors government departments and the intelligence community too much.
Forced compliance could potentially lock out internal security teams, which traditionally have much better technical knowledge and understanding of the computer systems and networks they manage.
While Freedom Publishers Union has reason to believe it is technically possible for the responsible cyber security incident response units to access individual user accounts under the general provisions of Critical Infrastructure bill, we must acknowledge there is nothing that we observed during the process of our assessment that indicates any intent, motive or purpose for doing so.
As defined by the Critical Infrastructure Bill, cyber security incident response techniques include basically unrestricted access to provide modification of "computers", "devices" and "data" which "connect" or "interact with" the entity and its network(s).
This may also include activities of "accessing", "adding", "restoring", "copying", "altering", manipulating or "deleting" data from computers or devices.
It may also include "accessing", "restoring", "copying", "altering", manipulating or "deleting" a computer program or other software.
Furthermore, it may include altering the functions of computers or devices.
If determined as necessary, "physical removal" of computers or devices from the premises of the entity may be ordered.
Although, it's difficult to foresee any potential scenario serious enough to justify why such an extreme provision is necessary for inclusion in the bill.
At its core, the Critical Infrastructure Bill is about defense and protection of computer systems and networks in Australia.
It is not about targeted or dragnet domestic surveillance, or even harboring prolonged access to individual user account holders on the computer systems of affected networks which may fall victim to serious cyber attack.
The Critical Infrastructure Bill and its proposed amendments are broad and warrant a degree of caution before being embraced without appropriate Parliamentary scrutiny.
Asia/Pacific Press Office - Mumbai Press Center
Written by The Editorial Board.