Microsoft has voiced criticism of the federal government's controversial cyber security legislation proposal that would see it granted powers to force tech players of note to transmit data to the Australian Signals Directorate (ASD).
In its submission to the federal government’s review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and statutory review of the Security of Critical Infrastructure Act 2018, the tech giant said that “several aspects of the proposed legislation could be improved, raise issues of serious concern or could unintentionally make Australia’s security posture less secure”.
Broadly, the Critical Infrastructure Bill, which reached Parliament in December 2020, would see the federal government recognise data centres and telecommunications as critical infrastructure, giving the government various new powers.
These powers include forcing the installation of software or devices that transmit system information to the ASD on computers that are deemed “a system of national significance”, as well as allowing the government to intervene when an entity is unwilling or unable to help with an incident.
Additionally, the Bill sets out to introduce an “enhanced regulatory framework” that builds on the Security of Critical Infrastructure Act 2018.
Part of Microsoft’s criticism of the proposed Bill focused on allowing the federal government to force the installation of software or devices on its networks, systems or assets, something it “strongly” opposed.
“We believe this authority, however narrow and theoretical, is misguided and urge the government to reconsider,” the tech giant claimed.
“Inclusion of third-party software on an operator’s network – particularly on the operator of a hyperscale cloud service – threatens to compromise the security and integrity of the network and creates additional points of vulnerability for the asset, function, or service that the government is seeking to protect.
“The introduction of any third-party device or software that the operator has not developed, tested or vetted will harm the safe and reliable operation of the system, thereby undermining the principal goals of the proposed legislation.”
It went as far as to say that the compelled installation of software or devices that transmit signals back to the government “threatens to undermine trust, integrity, and security of the very networks the government is seeking to protect”.
“We believe this to be the case for any system of national significance as currently defined, or against any function of national significance. Direct government access to the network, systems, and assets of data is a dangerous precedent and introduces risk to Australians worldwide,” the submission said.
Microsoft also criticised the direct government intervention powers, claiming that they undermine the proposed legislation’s own objectives of defence and recovery.
“Rather, in many cases, it is the individual organisations themselves, and not the government, that are best positioned to determine how to appropriately respond to and mitigate the impact of cyber incidents,” Microsoft’s submission claimed.
“This is because an individual organisation is more familiar with its own unique network and its configuration, risk profile, threat environment, security policies, customers, and cyber capabilities than is the government.
“It would take a preclusive amount of time for the government to come into a live incident, properly understand the fact pattern, the technologies in play and the challenges of any decisions, and then be able to direct an appropriate response.”
Additionally, the tech giant’s submission said that while it appreciates the intervention authorisation is intended to establish a baseline procedure, it recommended that a public-private partnership be established instead to help organisations build their defence and response capacities.
However, if the government is adamant about retaining its power to intervene, Microsoft recommended that it work with organisations “in a transparent and iterative consultation process” to establish procedures for determining whether an entity will not, or cannot, meet security and response baseline requirements.