The Department of Home Affairs has sought to downplay industry concerns over proposed laws that will limit the federal government’s critical infrastructure regime to only business-critical public sector data.
Macquarie Telecom raised concerns with the Security Legislation Amendment (Critical Infrastructure Protection) Bill (SLACIP) last month, arguing the changes were a “significant and dangerous reduction” in the scope of the Security of Critical Infrastructure Act.
The government proposed changing the current definition, that any provider supplying services to commonwealth, state or territory governments is classed as critical infrastructure, would be qualified by whether they were handling ‘business critical data’.
Macquarie said this change should be abandoned, because “business-critical data does not describe the type of information that is most commonly held by government departments and agencies nor what is crucial to the functioning of government”.
“A data storage or processing service provider that stores or processes any form of government data should absolutely be recognised and regulated as a critical infrastructure provider,” Macquarie said, adding that the “gaps and consequences arising from the proposed change… seem absurd”.
“If the proposed amendment does proceed, then the definition of business-critical data in… the SOCI Act must be broadened to reflect the types of sensitive and classified information that are commonly held by Commonwealth and state and territory government entities.”
At a hearing of the Parliamentary Joint Committee on Intelligence and Security last week, shadow attorney-general Mark Dreyfus confronted representatives from Home Affairs over Macquarie concerns, which had not addressed in the department’s supplementary submission.
“Why is the department apparently not interested in receiving notification about cyber incidents that affect their assets, or not interest in enabling [the Australian Signals Directorate (ASD)] to provide technical assistance to them in the event of a serious cyber attack?” he asked.
He requested the department to take on notice why the definition of business-critical data had not been broadened to reflect the types of data assets that might be relevant to the functioning of government.
In its answer [pdf], Home Affairs said the critical infrastructure regime was intended to complement “existing frameworks [that] govern governmental security, including the storage of government data”.
It said frameworks included the information security manual (ISM) and the protective security policy framework (PSPF), as well as other policies like the Digital Transformation Agency’s hosting certification framework (HCF).
“The SLACIP Bill adds to these frameworks by refining the data storage or processing assets as critical infrastructure,” the department said, adding that the suggested changes were the result of months of co-design with industry.
“The definition as proposed in the SLACIP bill covers business critical data of governments. This includes the rich source of data held on a large proportion of Australians or individuals.
“Both the Commonwealth government and state and territory government host a large amount of personal information, which is expressly captured as per… the definition of ‘business critical data’.”
Home Affairs said that should a “particularly sensitive data storage or processing provider” not be captured by the definition, the home affairs minister of the day could “capture the specific entity as a critical infrastructure asset under s51 of the SOCI Act”.
It did not address Macquarie’s claims that highly classified government data, the “entirety of the National Archives”, and company records for the Australian Security and Investments Commission would fall outside the SOCI regime.
Home Affairs has also defended the decision not to include government as a critical infrastructure in its own right, pointing to existing whole-of-government policies that apply to agencies like ISM, PSPF and the HCF.
“Governments already have in place a range of frameworks and initiatives to secure government institutions, and ensure these essential systems are appropriately protected,” the department said in a separate question on notice.
“For state and territory governments, the critical infrastructure assets are captured where they are state owned and defined as critical infrastructure.”