An Australian intelligence and security committee has been told by four technology giants that they foresee no scenario where the installation of government software would be of benefit and do not require assistance from the government in responding to cyber incidents.
“I cannot think of a situation where installing ASD software on our networks would be of assistance,” director of Google’s threat analysis group Shane Huntley said.
“We have a good working relationship with the ACSC and there has been productive threat sharing, and we believe that there is a productive means to collaborate as collaborators, not as coercion or them stepping in to operate our systems and to install stuff on our systems.
“That is where we draw the strong line.”
Among other things, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. This includes the proposal for software to be installed that is touted as aiding providers in dealing with threats.
Huntley on Thursday told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) — which is looking into the Bill — that if there was an incident, Google would absolutely work with the Australian Signals Directorate (ASD) to help respond if required, however that is where it would end.
“I do not believe that there is a situation where installing ASD software on our networks or our systems, especially in the heat of an incident, is actually going to cause anything except more problems, and it’s not going to help the solution and it’s not going to help the problem at hand,” he continued.
Appearing alongside Huntley was Atlassian director of global public policy David Masters, who echoed much the same — that it’s not that his company wouldn’t want to work with the Australian Cyber Security Centre (ACSC), but allowing officials into his company’s networks to install software and somewhat pick up the running of services and processes is not a scenario he could see Atlassian wanting or even requiring.
The tech sector has raised concerns with the government's step-in powers from day one. Amazon Web Services (AWS) previously said government “assistance” or “intervention” powers could give it overly broad powers to issue directions or act autonomously, and Microsoft previously told the PJCIS it would prefer the government stay out of its incident response.
AWS and Microsoft also provided testimony to the PJCIS on Thursday morning, as did Australian cloud services provider AUCloud. With the exception of AUCloud, who said “never say never”, the other two tech giants agreed with the characterisation put forward by Google and Atlassian.
“Installation of any type of software, particularly in a complex and interconnected network, will have severe adverse consequences,” Hasan Ali, assistant general counsel in Microsoft’s office of critical infrastructure, said.
“Doing so in the data storage or processing sector with hyperscale cloud providers, these are interdependent systems, they will introduce vulnerabilities, and we think it’s going to be potentially a source of substantial third-party risk that we may have to mitigate for, from the government, if there is uncertainty with how these powers may be used.”
While Huntley accepted that installing software to allow for monitoring and detection of threats and for data collection would be beneficial for those without a sophisticated IT environment and a lack of internal capability, that isn’t the case with the likes of Google.
“We have 1,000s of security engineers, we have our own systems for monitoring, threat analysis, detection, and the best way — and really, the only feasible way to do this sort of monitoring — would be with our own systems and our own tools,” he said. “I really can’t imagine the situation where there is some software from ACSC or ASD which installing on our systems wouldn’t even work, let alone be safe.”
Instead, he would prefer the government provide threat information.
“If ASD wants to say, ‘Here’s what to look for on your systems, here is the IP addresses, here’s the signatures of the malware, here is data to help in this instance’, we always want to see that information,” he said.
“What we need is information and collaboration, because the only real software that’s safe to operate in a sort of Google or hyperscale cloud environment is our software and our systems that have been tested and vetted.
“I don’t think there was a gap that can be filled by the government here.”
Speaking following the tech giants, auDA CEO Rosemary Sinclair said the Department of Home Affairs had taken on its recommendation for the domain name system to be treated as a subsector, rather than being “caught up” in the broader communications sector.
Sinclair added the domain administrator was already adhering to cybersecurity standards such as the Essential Eight and ISO27001, using DNSSEC, and working with parts of its supply chain and registry operators on cyber assessments and red team exercises. She said auDA will be auditing them every 12 months, with the potential penalty for failure to comply being the loss of accreditation.
“If needed we have our own disaster recovery arrangements and could step in should a register or the registry fail. All that is already in place and is quite extensive in its operation and effective,” Sinclair said.
“All those relationships and processes are in place, and one of the things that strikes us about the legislation is that it’s focusing on a problem of the unwilling and trying to address that. Whereas I suspect that … the vast majority of people who have been engaging in this process are in fact, the willing.”
In response, Senator James Paterson pointed back to a large company that refused assistance from ASD.
“Unfortunately, we do have to legislate … for those worst case scenarios, and we are already aware of, at least, one instance, of the significant entity failing to cooperate when they should have in a serious cybersecurity incident,” he said.
“And so, unfortunately, the Parliament can’t ignore that — we have to balance the impact that it has on those of you who do have better practice.”
Sinclair said that the government should be careful about creating a solution to the wrong problem, but that she appreciated the problem of “somebody reaching for the lawyers, rather than actually reaching for the cybersecurity experts”.
“Nonetheless, the powers that are being proposed are very significant and require proportionate use and scrutiny.”