Submitted via public consultation portal
Department of Home Affairs
Government of the Commonwealth of Australia
3 Lonsdale St,
Braddon ACT 2612, Australia
RE: Public Consultation on Protecting Critical Infrastructure & Systems of National Significance
The Cybersecurity Coalition (“the Coalition”) submits this comment in response to the Public Consultation launched by the Government of the Commonwealth of Australia’s Department of Home Affairs (“the Government”) on August 6, 2020 regarding the proposed Framework for Protecting Critical Infrastructure & Systems of National Significance (“the Proposal”). The Coalition appreciates the opportunity to comment on the Proposal and looks forward to working with the Government to establish a robust approach to protecting Critical Infrastructure and Systems of National Significance.
The Coalition is composed of leading companies with a specialty in cybersecurity products and services. We are dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies. We seek to ensure a robust marketplace that will encourage companies of all sizes to take steps to improve their cybersecurity risk management. We are supportive of efforts to identify and promote the adoption of cybersecurity best practices, information sharing, and voluntary standards throughout the global community.
As leaders in the cybersecurity industry, we recognize the complexity and importance of securing critical infrastructure. As such, the Coalition commends the Government’s thoughtful work in developing this Framework. In addition to answering the questions from the Call for Views below, we would like to highlight the following areas in which we believe that the Proposal could be further strengthened:
- Draw on Existing International Standards: We would encourage the Australian Government to draw on existing industry-led, globally-harmonized standards wherever appropriate and possible, to enable critical infrastructure entities to implement international cyber risk mitigation efforts seamlessly across borders.
- Release an Exposure Draft of the Legislation: Given the size and scope of the proposed regulatory framework, we would recommend that the Government make the time to share an exposure draft of the legislation with affected industries, in addition to any review in Committees, ensuring that its potential impact is assessed before the legislation is finalized.
- Undertake Consultations with Cybersecurity Companies on the Exposure Draft of the Legislation: It appears the Government’s plans for further consultation will focus solely on the critical infrastructure sectors identified as directly affected by the proposed regulations. We agree that ultimately the CI owners and operators themselves must ensure compliance with regulations. However, we encourage the Australian Government to also engage proactively with the cybersecurity community throughout this process, as cybersecurity companies will play a critical role in the effective execution of the final legislation.
The Coalition thanks the Government for its careful examination of complex issues and the open and participative process used to solicit input on the ideas represented in the proposal. As the conversation around critical infrastructure security in Australia continues to evolve, we would welcome the opportunity to further serve as a resource on both technical and policy questions to ensure that the Proposal is successful in achieving the Government’s objectives.
The Cybersecurity Coalition
September 15, 2020
Ari Schwartz, Venable LLP
Alex Botting, Venable LLP
Call for Views Questions
- Do the sectors above capture the functions that are vital to Australia’s economy, security and sovereignty? Are there any other sectors that you think should be considered as part of these reforms (e.g. manufacturing)?
The sectors chosen largely capture the functions that are vital to Australia’s economy, security and sovereignty. The classification of “Data & the Cloud” as a critical infrastructure sector, however, is not aligned with international approaches, such as those taken in Europe or Japan. This sector would be better classified as a sub-section of Communications & IT critical infrastructure to ensure consistency and avoid misinterpretation of the intended scope of the proposal.
As written, the proposal may be interpreted to cover all infrastructure that holds data of any kind, in effect wrapping in almost every company that operates in Australia. We do not believe that this is the Government’s intention and would thus propose that the sector be renamed “Information Technology (IT)”.
In addition, the absence of mining or manufacturing from the list of critical infrastructure sectors is surprising. The Minerals Council of Australia estimates that “mining and the mining equipment, technology and services (METS) sector account for approximately 15 per cent of Australia’s gross domestic product and support (directly and indirectly) 1.1 million jobs – around 10 per cent of Australia’s total workforce.”[1] Such significance to the Australian economy would merit its inclusion.
- Do you think the current definition of Critical Infrastructure is still fit for purpose?
The definition of Critical Infrastructure itself is still fit for purpose. Yet, the government’s initial decision to designate only four critical infrastructure entities was far less than is typical among its peers. The designation of additional sectors, in line with this definition, brings Australia into greater alignment with international best practices in this area.
- Are there factors in addition to interdependency with other functions and consequence of compromise that should be considered when identifying and prioritising critical entities and entity classes?
- What are the common threats you routinely prepare for and those you have faced/experienced as a business?
The Cybersecurity Coalition comprises 16 member companies, each of which manages security risks according to their unique risk profile, making it difficult to provide an overarching perspective.
Should you wish to hear directly from individual members, we would be happy to facilitate discussions with individual member companies.
- How should criticality be assessed to ensure the most important entities are covered by the framework?
We agree that “interdependency with other functions” and “consequence of compromise” should be the overarching principles guiding the designation of critical infrastructure.
The latter can be assessed by estimating:
Number of individuals/organizations potentially impacted (quantitatively assessed)
Significance of the compromise to those individuals/organizations and the broader economic or national security of Australia (qualitatively assessed)
The Government of the United Kingdom, among others, serves as an example of how this can be executed in practice. They empowered sectoral regulators to identify quantitative benchmarks for critical infrastructure designation, while establishing a process for designated entities to appeal their designation on a case-by-case basis.
The United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency, meanwhile, has adopted an approach focused on security for National Critical Functions, working closely with industry stakeholders to capture holistic, cross-cutting risks and dependencies that may have cascading impact within and across sectors.
In order to ensure that Government resources are dedicated to managing the most significant risks to Australia’s digital infrastructure, we strongly urge the government not to designate critical infrastructure in an unnecessarily broad manner.
- Which entities would you expect to be owners and operators of systems of national significance?
We decline to identify specific entities. The designation of critical infrastructure entities should be guided by sector designations (as discussed in Question 1), the relative criticality of individual entities (as discussed in Question 5), and critical functions with cross-sector interdependencies (as discussed in Question 5).
- How do you think a revised TISN and Critical Infrastructure Resilience Strategy would support the reforms proposed in this Consultation Paper?
- What might this new TISN model look like, and what entities should be included?
The Government may wish to consider whether the TISNs should also be expanded to reflect any additional CI sectors created under this new regulatory framework.
The ACSC should continue to be the main point of contact for industry on cyber - including with respect to information sharing and cyber resilience, cyber incident management and cyber exercises or playbooks. The CIC and the TISN can, however, play an important role in convening industry, running exercises based on scenarios that traverse all four key threats identified in the consultation paper (cyber, physical, personnel and supply chain protections), and sharing best practices across critical infrastructure entities.
- How else should government support critical infrastructure entities to effectively understand and manage risks, particularly in relation to cross sector dependencies? What specific activities should be the focus?
- Are the principles sufficiently broad to consider all aspects of security risk across sectors you are familiar with?
Yes – they are sufficiently broad to encompass all aspects of security risk.
- Do you think the security requirements strike the best balance between providing clear expectations and the ability to customise for sectoral needs?
The security requirements provide clear expectations as to the scope of activities. It is critical that these be tailored to the reality of each sector and the different risks that they face. To this end, we are glad to see that the Government will be taking a sectoral approach to developing security requirements.
Regulators should be wary, however, of standardizing a check-the-box approach to security, which emphasizes static compliance over ongoing cyber risk management best practices (identify, protect, detect, respond and recover). With this in mind, regulators should avoid implementing overly prescriptive security requirements where doing so will undermine the flexibility of critical infrastructure entities in responding to changing cyber threats.
Wherever possible, security requirements should be grounded in consensus-based international standards to ensure alignment with international best practices, avoid introducing unnecessary challenges or complexity into cybersecurity activities, and avoid unintentionally establishing non-tariff barriers to trade.
- Are organisations you are familiar with already operating in-line with these principles, or do you think there would be a significant time and/or financial cost to meet these principles?
International companies that have heretofore been designated as critical infrastructure entities will be accustomed to incorporating most, if not all, of the principles and requirements into their security risk management processes.
- What costs would organisations take on to meet these new obligations?
The cost of compliance will vary significantly according to the entity, its risk profile and the decisions that it makes from a risk management standpoint.
There are anecdotal examples of multinational critical infrastructure entities such as JP Morgan Chase spending as much as $600 million on cyber risk management activities annually.[2] Even where global spending can be quantified, however, attributing portions to compliance with an individual country’s obligations is difficult, given the inherently global nature of cybersecurity activities such as threat monitoring and information sharing.
- Are any sectors currently subject to a security obligation in-line with these principles? If so, what are the costs associated with meeting this obligation? Does this obligation meet all principles, or are enhancements required? If so, what?
- Would the proposed regulatory model avoid duplication with existing oversight requirements?
Assuming that these proposals are designed to supersede the existing framework for managing security risks to critical infrastructure, there should be no direct duplication of efforts.
The Government should, however, consider how it will ensure consistency across sectors and with other countries in terms of security requirements and incident reporting mechanisms.
Guidance should be provided to regulators regarding how they can best meet their responsibilities in this regard – in particular through the use of consensus-based international standards – to ensure that they do not introduce unnecessary complexity into the risk mitigation activities of critical infrastructure entities.
Moreover, the government should ensure that critical infrastructure entities whose business spans multiple sectors are not forced to report to multiple regulatory entities or comply with divergent security requirements.
- The sector regulator will provide guidance to entities on how to meet their obligation. Are there particular things you would like to see included in this guidance, or broader communication and engagement strategies of the regulator?
We encourage regulators to take an outcome-based approach to sectoral security obligations. By clearly communicating desired outcomes and maintaining an open dialogue with critical infrastructure entities, while affording them flexibility in how they meet those outcomes, regulators enable entities to tailor risk management activities to their specific needs.
Regulators can help companies to understand what is expected of them by providing guidance that:
Clearly identifies what outcomes they want entities to meet
Demonstrates how companies will be assessed against those outcomes or are able to demonstrate compliance with them
Provides examples or references to best practices (e.g. consensus-based international standards)
- Who would you consider is best placed to undertake the regulatory role for sectors you are familiar with? Does the regulator already have a security-related regulatory role? What might be the limitations to that organisation taking on the role?
Cybersecurity Coalition members operate in a number of sectors. Should you wish to hear directly from individual members, we would be happy to facilitate discussions with individual member companies.
As a general point, however, it should be noted that a number of regulators, such as APRA and AEMO, are already addressing cyber security risks under their current authorities. The Government should avoid duplication or requiring industry to report to two different regulators, which would introduce unnecessary complexity into the cybersecurity activities of critical infrastructure entities while wasting government resources. Regardless of which regulators are chosen, it’s important that they maintain close working relationships with the ACSC and the Australian Signals Directorate, given their cybersecurity expertise.
- What kind of support would be beneficial for sector regulators to understand their additional responsibilities as regulators?
As stated in Question 15, regulators should seek to facilitate interoperability of security requirements across sectors and borders, where possible. In particular, they should be aware of widely utilized international standards and, where possible, enable their use as a means to compliance with security obligations.
In addition to the security benefits of interoperability, such an approach will also avoid the establishment of unnecessary barriers to trade, which may have an adverse effect on Australia’s economy.
- How can Government better support critical infrastructure in managing their security risks?
In addition to the points outlined above, sharing relevant threat intelligence with critical infrastructure will provide them with a more holistic picture of the threat landscape. This is particularly relevant given the cross-border, cross-sector nature of many significant cybersecurity incidents.
- In the AusCheck scheme potential and ongoing employees in the aviation, maritime, health and major national event security sectors undergo regular national security assessments by the Australian Security Intelligence Organisation and criminal history assessments to mitigate the risk of insider threats. How could this scheme or a similar model be useful in the sectors you are familiar with?
Cybersecurity Coalition members operate in a number of sectors. Should you wish to hear directly from individual members, we would be happy to facilitate discussions with individual member companies.
- Do you have any other comments you would like to make regarding the PSO?
The comments above notwithstanding, it is positive to see that the Government is taking a sectoral approach to managing critical infrastructure security obligations. This will better enable regulators to assess and address security needs in a tailored fashion, improving security outcomes.
It is critical, however, that the desire to implement measurable security obligations not inadvertently become an exercise in check-the-box compliance, subordinating the iterative nature of risk mitigation to a rigid process of legal compliance.
This is particularly relevant to the proposed Board-approved annual reports. While we understand the desire to foster awareness of cybersecurity among senior officials in critical infrastructure entities, such a process in itself is unlikely to achieve this objective. We have the following concerns with this proposal:
These reports are likely to be a treasure trove of information for malicious cyber actors, as well as containing highly sensitive commercial information. Collating such information for potentially hundreds of companies, to be retained by multiple government agencies, creates a potential vulnerability which may well outweigh the benefits of the proposed approach.
Given that many critical infrastructure entities will be public companies, it’s unclear how this will fit with shareholder disclosure obligations of Board members, given that the information disclosed may be deemed materially relevant. Should the Government decide to implement the proposed approach, it’s critical that such information be exempted from such requirements to avoid creating additional security risks to critical infrastructure entities.
- Do you think there are other preparatory activities that would assist in proactively identifying and remediating cyber vulnerabilities?
- What information would you like to see shared with industry by Government? What benefits would you expect from greater sharing?
The over-classification of, or inability to declassify, threat intelligence can inhibit the ability of the Government to collaborate with industry to address threats. To collaborate more effectively on an operational level to address real-world cybersecurity challenges, the Government should look to establish a program in which private-sector experts can work alongside ACSC experts at a declassified level on a part-time basis. The United Kingdom’s Industry 100 program provides an example of how this can be implemented in practice.
We would further encourage the Government to place a stronger emphasis on the declassification of threat information, where possible, to better facilitate the real-time sharing of information with industry. This would be invaluable in providing industry with timely and relevant information through which to detect and mitigate threats.
- What could you currently contribute to a threat picture? Would you be willing to provide that information on a voluntary basis? What would the cost implications be?
- What methods should be involved to identify vulnerabilities at the perimeter of critical networks?
- What are the barriers to owners and operators acting on information alerts from Government?
- What information would you like to see included in playbooks? Are there any barriers to co- developing playbooks with Government?
Depending upon their content and intent, playbooks can be a useful planning tool for responding to security incidents. They often have significant limitations, however, in terms of their utility, given the need to incorporate a wide range of (often unknowable) factors that may define a given incident, while requiring a significant investment of resources to develop and maintain. Moreover, the playbook itself can become a vulnerability – providing important information to would-be attackers.
Accordingly, the Government should carefully consider the relative merits and specific circumstances under which playbooks deliver a superior return on investment to critical infrastructure from a security perspective.
- What safeguards or assurances would you expect to see for information provided to Government?
Whenever critical infrastructure entities share information voluntarily with Government, they should have a clear understanding from the outset of how that information will be used and with whom it may be shared. Use of Traffic Light Protocol is one means to achieve this.
Government should provide assurances that under no circumstances will they be able to share information beyond the terms agreed without the explicit consent of the original source of information. Such an approach is an effective means to build trust across the critical infrastructure community.
Under no circumstances should the Government mandate timelines for critical infrastructure to share threat information. Mandates to share information by one government encourage other governments to implement similar measures as each seeks ‘first access’ to indicators of compromise. Ultimately, this will lead to the mandatory sharing of information with untrusted entities.
Finally, the Government should provide assurances that information shared by critical infrastructure for the purposes of security risk management will be shielded from Freedom of Information-type requests. Failure to do so will provide a chilling effect on information sharing as companies risk sensitive security information making its way into the public domain.
- In what extreme situations should Government be able to take direct action in the national interest? What actions should be permissible?
The Government should apply a high threshold for when it can take direct action, with a strong preference in favor of directions to entities in the first instance. To maintain public confidence, the execution of the power should be rare, reasonable and proportionate.
All direct action should be tightly defined and controlled - articulating what the Government and its officials can do, for how long and why. This should also specify that Commonwealth officers cannot conduct offensive cyber activities from within private sector infrastructure.
Finally, given the extraordinary nature of the proposed powers, there should be strict penalties for officials that attempt to utilize these powers without appropriate authorization, or in a manner that exceeds the authorization granted.
- Who do you think should have the power to declare such an emergency? In making this declaration, who should they receive advice from first?
The declaration of a public emergency should require sign-off at the highest levels of Government. At a minimum it should be approved at the ministerial level. The Government may wish to go further and require sign-off from both the Ministers of Defence and Home Affairs.
A dual sign-off approach is particularly relevant to the cyber context, as operations and policy currently sit across the two portfolios. It is reasonable to expect that, in making a decision on ‘direct action’, the Ministers from both portfolios are in agreement on the merits of direct action and its necessity.
- Who should oversee the Government’s use of these powers?
Should the Government decide to move forward with the development of powers to direct or take action on private sector-owned infrastructure, it is critical that a process be established for robust oversight of these powers. This should include both legal experts, who can determine the legality of decisions made, and technical experts, who can determine the need and proportionality of directives or direct government action.
Moreover, where possible, oversight of these new arrangements should be at a declassified level to maintain transparency of government, build public trust and confidence.
- If, in an exceptional circumstance, Government needs to disrupt the perpetrator to stop a cyber attack, do you think there should be different actions for attackers depending on their location?
- What sort of legal protections should officers (both industry and Government) undertaking emergency actions be afforded?
Immunity from civil and criminal action for both companies and individuals, where their activities adhere to the intent of a government directive. Failure to provide such protections will place critical infrastructure entities and their employees in the unacceptable position of being liable to criminal or civil action whether they comply or not. This would potentially create a chilling effect on the relationship between the government and private sector, and may undermine the ability of companies to hire qualified employees for certain cybersecurity roles.
Moreover, it’s important that the Government clarify whether immunities are afforded to subcontractors of critical infrastructure entities. For example, whether immunities would apply to a cybersecurity company that takes actions on behalf of their client at the direction of the Government. It should also address liabilities and immunities in the event that a government directed change adversely impacts other customers or causes the entity or their vendors financial losses.
- What safeguards and oversight measures would you expect to ensure the necessary level of accountability for these type of powers?
While companies may in many cases welcome government support in response to an imminent or ongoing major security incident, it’s critical that entities have the ability to appeal a directive or direct government intervention to an independent arbiter, should they believe that the action is unnecessary, unfeasible or counter-productive in terms of meeting the Government’s stated security objectives.
While we understand the need for speed and flexibility in responding to such threats, we believe that the process would greatly benefit from the ability of critical infrastructure to avail itself of an appeals process to avert the potential impact of a misdirected directive. Even in the domain of national security, some level of judicial recourse is critical to underpinning the rule of law.
One method for increasing public confidence in how these powers are used would be to publish an annual public report detailing the number of directives or instances of direct intervention that the Government has mandated each year. Even a high-level overview such as this can provide critical insight into the proportionality with which the Government is using its extraordinary powers.
- What are the risks to industry? What are the costs and how can we overcome them? Are there sovereign risks to investment that we should be aware of?
Depending upon the nature of the directives or direct action taken by government, the potential risks and costs to critical infrastructure entities are multifold. These include:
Potential civil or criminal legal action against the entity or its employees
Damage to equipment or infrastructure
Loss of revenue from disruption to service
Where other governments (such as the Government of Thailand) have proposed adopting similar powers, they have typically addressed these concerns by establishing a mechanism for reimbursing private entities for damages caused in the process of executing a directive or in which the government takes emergency actions on their networks.
Beyond the financial relief that this affords companies – reducing the risks associated with compliance – it also ensures that the Government is not blind to the material costs of compliance, encouraging them to balance those against the potential costs of a major security incident.
- Does this mix of obligations and assistance reflect the roles and responsibilities of Government and industry in protecting critical infrastructure? How would private sector management of risk change with the proposed increased role for Government?
[1] Minerals Council of Australia: https://minerals.org.au/supporting-australians