The federal government recently closed consultation on a package of reforms focused on protecting critical infrastructure and systems of national significance.
With that part of the process wrapped up, the government is now looking to introduce an enhanced regulatory framework, which would build on existing requirements under the Security of Critical Infrastructure Act 2018. This includes: A positive security obligation (PSO) for critical infrastructure entities, supported by sector-specific requirements; enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.
With the definition of what constitutes critical infrastructure and systems of national significance not yet fully defined, the federal government is seeking to determine who the enhanced framework would apply to, with one proposed sector covering data storage and cloud.
Amazon Web Services (AWS) said that while it was broadly supportive of the proposal to expand the regime to include the data and cloud sector, the expansion raises questions such as what service providers should be included in the sector, what security standards should apply, and how the government can prevent over-regulation.
See also: Amazon Web Services scores Australia-wide government cloud deal
In its submission [PDF] to the consultation, the cloud giant also raised concerns that the proposal for government “assistance” or “intervention” powers could give it overly broad powers to issue directions or act autonomously.
“While we have not seen the draft law, the high-level summary of these powers suggest they could be significant and exercisable across a broad swath of society, with unclear limitations or guardrails,” it wrote.
AWS said the breadth of the newly regulated critical infrastructure sectors, coupled with seemingly broad powers described in the consultation paper [PDF], raised many issues and unknowns.
“For example, we are concerned that the government’s power to take direct action in the event of an emergency is vague and undefined,” it said.
“A plain reading of the consultation paper suggests that the government could use these new powers to either issue directions or take autonomous action to do virtually anything in response to cybersecurity threats.”
The consultation paper said the government assistance would be provided to entities that are the target or victim of a cyber attack through the establishment of a government capability and authorities to disrupt and respond to threats in an emergency.
“Critical infrastructure entities may face situations where there is an imminent cyber threat or incident that could significantly impact Australia’s economy, security or sovereignty, and the threat is within their capacity to address. In these cases, we propose that government be able to provide reasonable, proportionate and time-sensitive directions to entities to ensure action is taken to minimise its impact,” the government wrote.
AWS is concerned that there isn’t clarity around whether the triggers for exercising such powers are objective and specific, whether or how the government would be able to objectively assess if its directions or assistance would improve the situation, what an entity could be directed to do or not do, what checks and balances would apply, and whether an entity has rights of review and appeal.
Elsewhere in its submission, AWS said it was unclear from the consultation paper whether and how the enhanced regulatory framework would apply, explaining that it was concerned the position of applying the enhanced regulatory framework at the “owner and operator level, not at [a] specific piece of technology” could lead to negative consequences.
AWS added that if the plan would be to regulate all of an entity’s facilities, infrastructure, products, or services — without considering the level of criticality — it could have unintended consequences and result in “over-burdensome regulation”.
Instead, the cloud giant has recommended the enhanced regulatory framework only apply to specific critical infrastructure assets of a critical infrastructure entity.
In order to avoid over-regulation, AWS said a technology service provider — that is also a regulated critical infrastructure entity complying with its own sector PSO — should not have to comply with additional security obligations imposed by another regulator that duplicates or builds upon that entity’s PSO.
See also: Amazon asks for clarification of data retention requirements under Australia’s encryption laws
It also wants clarification that entities will not be inspected, examined, or audited against the same requirements by multiple regulators.
Acknowledging each sector is different, AWS said PSOs for one sector should not contradict or conflict with those in another sector, but it was concerned this approach could lead to a fragmented set of security requirements across different sectors.
Asking for further clarity, AWS wants an appropriate scope of what entities and infrastructure are included in the “data and the cloud” sector.
If there was to be a threshold, the cloud giant has suggested a test of “a data centre containing IT equipment capable of consuming more than 100kW of power in total” so that operators of infrastructure have clarity on whether they are covered.
“Our recommendation is that the PSOs for the Data and the Cloud Sector apply to physical data centre security rather than software or services running in those data centres,” the company said.
“If a PSO applies to the software running in a data centre and the services of a cloud services provider (and not the physical data centres it uses) each of those services will need to meet the requirements even if it is not being used by a critical infrastructure entity. This approach will slow the pace of innovation, delay the launch of new services in Australia, increase the costs of compliance and drive up the cost of services to all Australian customers.”
In addition, AWS said the PSO should reflect that an entity is only able to implement security processes that are within its control.
“For example, it would not be possible for a cloud service provider to implement security controls for applications the customer controls. Instead, the law should specify that PSOs do not apply to aspects of security that are outside an entity’s control,” it added.