The Commonwealth government’s proposed data security reforms are “timid” and should be expanded to adequately protect sensitive information from cyber attack, according to the CEO of a major stakeholder.
The spike in state-based cyber attacks over the past 12 months has prompted a wide-ranging government review of Australia’s critical infrastructure.
The Morrison government’s policy response has involved a new data sovereignty push, aimed at setting up a secure national framework managed by local actors.
The ‘Protecting Critical Infrastructure and Systems of National Significance’ reforms were recently introduced as part of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
A new Hosting Strategy, overseen by the Digital Transformation Agency (DTA), has also been established, requiring all government data to be stored in onshore data centres with ‘Certified Strategic’ or ‘Certified Assured’ accreditation.
The framework also requires government data to be managed by cloud and managed service providers based in Australia, in a bid to bolster government controls across supply chains.
However, according to David Tudehope, CEO of Macquarie Telecom Group, the reforms do not go far enough.
“[The] bill only partly protects the data controlled by these sectors and treats it inconsistently, erroneously focusing on its physical nature,” he writes in ASPI’s The Strategist.
“This has the potential to create a dangerous gap in which we lose control of our data.”
Tudehope explains that in practice, critical infrastructure providers would manage and secure their own critical business data or outsource some or all of their responsibilities to a third-party data processor, cloud service provider or data centre operator.
“That third party may store and maintain the data in physical facilities in Australia or overseas,” he adds.
“A combination of these arrangements may be used for the primary and backup data stores to provide additional redundancy in case of disaster.”
In each of these arrangements, Tudehope continues, the data is exposed to the same risk, so equivalent security expectations and standards should apply regardless of whether it is stored onsite, outsourced to a third party, or moved offshore.
“Unfortunately, the proposed legislation doesn’t consider this and creates very different expectations around data security depending on how and where it’s stored,” he writes.
As part of the government’s current proposal, an Australia-based third party would become a critical infrastructure provider if it stores government data or the critical business data of another provider.
“It’s a case of ‘tag, you’re it’. A critical infrastructure provider’s data is so crucial to national security that the mere fact that it’s stored with an Australian-based service provider makes that third party a provider, too,” Tudehope notes.
Accordingly, that third party would take on the legal obligations the legislation imposes on critical infrastructure providers: secure facilities, a protected supply chain, and qualified and accredited employees.
But Tudehope observes that while a critical infrastructure provider managing and securing data on-premises, or an Australian-based third party holding it, would be subject to a positive security obligation, the same standard would not apply to data held by third-party service providers overseas.
“In stark contrast, a third party that stores and maintains a critical infrastructure provider’s critical business data overseas will not be expected to do anything to secure that data. This is because the new regime won’t apply to Australian data stored overseas,” he notes.
“Australia should not be so timid.”
Tudehope urges the Commonwealth government to expand reforms to include safeguards for data stored overseas, referencing the US CLOUD Act, which extends jurisdiction over all data in the possession or control of American cloud providers, irrespective of location.
He claims that under its current form, the proposed legislation creates a “perverse incentive” for critical infrastructure providers to relocate business data stores offshore to bypass regulation.
“This is at odds with the emphasis placed on data security when physical critical infrastructure assets are sold to foreign investors,” he writes.
“Whereas the draft legislation doesn’t safeguard Australian data stored overseas or require its repatriation, the Foreign Investment Review Board will often make its approval of investments in critical infrastructure conditional on the data being kept in Australia in certified secure facilities.
“There should be no inconsistency here. After all, it’s the same data, just different custodians.”
To address this, Tudehope proposes that a critical infrastructure provider’s data be treated as a critical asset regardless of whether it’s managed in-house, hosted by a third party or located offshore.
“Ensuring this data is always stored and secured in Australia will not in itself prevent it from being targeted or compromised. But if Australia’s laws and authorities are to help secure and defend Australia’s critical data, it must first be brought within the new security regulatory regime.
“To do otherwise is to surrender our sovereignty over data when it has never mattered more.”