Cloud giant Amazon Web Services (AWS) has once again expressed its concerns with the government's Critical Infrastructure Bill, as it fronts up to the Parliamentary committee reviewing the proposed legislation.
Although AWS said it “welcomes” the bill’s proposed reforms, the US company has raised concerns regarding part 3A of the bill, which gives the government powers to gather information, issue directions, or act autonomously to directly intervene in an asset.
“This package of independently exercisable and unreviewable powers is too broad, is inconsistent with a healthy separation of powers, and should be reconsidered,” AWS head of Public Policy in Australia and New Zealand Roger Somerville said in an opening statement prepared for AWS' appearance at the committee's public hearing in Canberra on 8 July.
Somerville’s statement claimed Part 3A gives the government an “unprecedented assistance power” to intervene in an entity’s operations and take whatever action it deems appropriate to respond to a serious cyber security incident.
AWS also claimed it had little faith, “given the complexity of various assets”, that the government could “reasonably believe such step-in powers could be exercised quickly, operate effectively, and still achieve the government’s aim”.
As such, Somerville said such powers could increase security risks and undermine trust in service providers that operate in or from Australia.
“We think the risk of unintended consequences from the government attempting to direct or operate systems that are not their own outweighs any benefit of the government’s intervention,” he added.
Considering this, AWS has called for parts 3 and 3A to be removed from the bill. If part 3A is retained, Somerville argued, “then at a minimum there must be clearer limitations and guardrails to address the most significant issues with these powers”.
“It is important that the exercise of such broad and impactful powers is subject to a transparent process with strong checks and balances to protect regulated entities and the government and mitigate perceptions that such exceptional powers could be misused,” he continued.
AWS’ statement also said the company was concerned about the “lack of appropriate scoping”, claiming this would enable the bill to create “an unacceptable level of commercial risk and uncertainty for regulated entities”.
It argued the committee should make amendments to ensure its “provisions are more targeted, achievable, and unambiguous”.
This included re-defining the term “asset” to just refer to physical infrastructure and extending the timeframe for reporting cyber security breaches.
AWS’ other concerns centre on data storage and processing; it argued these facilities should be treated with the same “high level... regardless of whether a critical infrastructure entity chooses to manage, process, host, or store data in the public cloud, in third-party data centres, on-premises within its own data centres, or in some other hybrid model”.
As such, Somerville’s statement argued that the bill should “clarify that a regulated entity is only required to comply with the data storage or processing sector’s ‘Positive Security Obligations’ for critical data storage or processing assets”.
It also “importantly” argued for the removal of the government’s “ability to enact sector-specific rules without consultation”.
The government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020 and its statutory review of the Security of Critical Infrastructure Act 2018 were also criticised by fellow tech giant Microsoft earlier this year.
Microsoft said at the time that “several aspects of the proposed legislation could be improved, raise issues of serious concern or could unintentionally make Australia’s security posture less secure”.
AWS joined representatives of Microsoft, Atlassian, Google and other tech players at the committee's public hearing on 8 July.