Tech giants call for changes to critical infrastructure Bill
Technology companies are calling on the government to make changes to the new critical infrastructure security legislation to clarify the powers government agencies have to compel companies to respond to security threats.
In its submission to the Parliamentary Committee on Intelligence and Security for the review of the legislation, Atlassian said the Bill should allow for judicial review of the government assistance powers granted under the legislation.
In addition, the company has recommended that the government and industry jointly develop predetermined, ready-for-action protocols for each individual industry classified as a provider of critical infrastructure.
Creating protocols and recognising them in the Bill would have the benefit of giving government greater capability to effectively carry out ministerial capability, as well as encouraging companies and industry bodies to get involved in the planning process, Atlassian said.
The company has also recommended that the threshold for what constitutes a ‘critical’ security incident should be higher, to prevent government and regulated bodies from being overwhelmed with incident reports and administrative burden.
The Cybersecurity Coalition — which consists of a number of major technology companies including Google, Cisco, Intel and Microsoft — meanwhile used its submission to recommend the incorporation of both critical infrastructure providers and cybersecurity companies into the sectoral co-design processes.
In addition, the Coalition is recommending that the ‘grace period’ for enforcement of positive security obligations under the Bill be extended from six to 12 months, and that the Bill place a stronger emphasis on the declassification of threat information where possible so it can be used for threat intelligence.
Other recommended mechanisms for encouraging threat information sharing include assurances that any shared information be protected from Freedom of Information-like requests and providing limitations on liability and regulatory disclosures for entities that voluntarily share threat information.
Meanwhile the Coalition is calling for additional safeguards for the government assistance measures facilitated by the legislation, including a robust oversight process for the use of the powers, clear definitions of the powers granted to government officials, and strict penalties for abuse of the powers.
Finally, Palo Alto Networks mirrored the Coalition’s calls for security companies to be included in the stakeholder engagement co-design process.
The company also recommended that thresholds and timeframes for cybersecurity incident reporting provisions be revised. For example, Palo Alto recommended replacing the current reporting mandates of 12 and 72 hours for various incidents with a requirement for entities to report “as soon as is practically possible”.
On the government assistance powers, Palo Alto recommended that the legislation ensure that any companies compelled to take an action cannot be forced to breach a contractual relationship or be non-compliant with the laws of another jurisdiction.