
Controversial proposed legislation recognising data centres and telecommunications as critical infrastructure has been introduced in Parliament.
Presented to the House of Representatives by the Department of Home Affairs, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is set to classify a number of new asset categories as “critical infrastructure,” giving them various protections in the process.
If passed through Parliament, the Bill would see the federal government recognise data centres and telecommunications as critical infrastructure, giving the government the power to step in and directly assist businesses operating such assets in response to 'significant' cyber attacks.
Among the industry categories that would constitute critical infrastructure under the proposed changes are the data storage and processing sector, as well as the telecommunications sector.
Additionally, the Bill sets out to introduce an “enhanced regulatory framework” that builds on the Security of Critical Infrastructure Act 2018.
Broadly, these changes will introduce more security obligations for critical infrastructure assets, with “enhanced cyber security obligations for those assets most important to the nation”.
The inclusion of the data storage and processing sector is due to both government and industry relying on the availability of data and cloud services, according to the explanatory memorandum for the Bill.
“This includes enterprise data centres, managed services data centres, colocation data centres and cloud data centres,” the document noted.
Also covered are entities that offer their services through infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), as well as software-as-a-service if the software is relied on to store or process a government agency’s data or critical infrastructure asset’s business critical data as its primary function.
In the Bill’s case, business critical data is defined as personal information for at least 20,000 individuals, or information related to the research and development, operation, systems or risk management of a critical infrastructure asset.
In response to the Bill being introduced to the House of Representatives, David Tudehope, CEO of Macquarie Telecom Group, said that the COVID-19 pandemic had highlighted the Australian economy’s dependence on data services and telcos.
While welcoming the legislation, Macquarie’s stance is that the security expectations about business critical data should apply across all critical infrastructure sectors.
“A critical infrastructure operator’s data should be treated as a critical asset regardless of whether it is kept in-house, hosted by a third-party cloud or data centre, or located offshore. It should be subject to the same security expectations and standards regardless of who is storing it or where it is located,” Tudehope said.
Meanwhile, the security and resilience of telecommunications infrastructure was also deemed to have a vital impact on the social and economic well-being of Australia, as well as being vital for supporting other critical infrastructure assets.
“Government and business are increasingly storing and communicating large amounts of information on and across telecommunications networks and facilities. They are crucial to a functioning society and economy and by their nature, telecommunications networks and facilities hold sensitive information,” the document noted.
However, this does not cover 'over-the-top' (OTT) applications or services that operate over telco infrastructure without direct influence from network operators or internet service providers (ISPs).
This includes voice and messaging, content streaming or cloud-based storage services.
The changes included as part of the Bill, according to the document, are a part of a refreshed critical infrastructure resilience strategy.
The move comes roughly six months after it was publicly revealed by Prime Minister Scott Morrison that a "sophisticated state-based actor" had been attempting to hack a wide range of Australian organisations for months and had stepped up its efforts recently.
The attacks targeted all levels of the government, political organisations, essential service providers and operators of other critical infrastructure, Morrison said in a media briefing in Canberra.
"We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting," he said at the time.