auDA has an important role to play in protecting critical infrastructure.
As the .au domain administrator, we are endorsed by Government through formal Terms of Endorsement to keep the domain secure, reliable and trusted for all Internet users.
Our responsibilities include managing the operation of the critical technical functions associated with the .au domain name system (DNS). Security operations and standards are in focus for us every day and we operate at the highest level of international practice.
As one of many organisations that contribute to the secure operation of Australia’s critical infrastructure, we have a keen interest in the government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill).
The Bill is currently subject to a parliamentary inquiry by the Joint Committee on Intelligence and Security (PJCIS). Given our interest in this issue, auDA made a submission to the inquiry setting out some areas of concern. You can find our full submission here and a summary is provided below.
Support for the Government’s policy objectives
auDA recognises the Government’s policy objectives in presenting the Bill to parliament are to prevent, mitigate and defend critical infrastructure from cyber-attack and to enhance capability with accelerating digital transformation. This also aligns with the Government’s commitment to promote an open, free and secure Internet set out in its International Cyber Engagement Strategy (2016) and reiterated in the Five Country Ministerial Communique 2018.
auDA strongly supports these overarching objectives. However, we believe certain provisions within the Bill could be clarified and improved to ensure that, while these aims are achieved, no unintended consequences arise in implementation.
Concerns about the Bill
auDA believes the Bill does not strike an appropriate balance between critical infrastructure protection, the rights and obligations of all parties, and the Australian Government’s commitment to an open, free and secure Internet.
Our concerns include:
- The breadth of the information gathering powers within the Bill
- Cyber security incident notifications
- The potential implications for privacy and surveillance, as well as the potential to inadvertently compromise network security
- The threshold for a critical infrastructure asset to be declared a system of national significance
- The removal of privilege against self-exposure to penalties for individuals.
Our recommendations to address the imbalance include:
- A statutory requirement for the Minister to consult with affected entities before making rules that apply to them to ensure that the rules are proportionate, effective and technically feasible and that the rules do not adopt a one-size-fits-all approach
- Requiring a threshold assessment of serious damage to Australia’s national interests before a critical infrastructure asset is declared a system of national significance
- Greater transparency and accountability around Ministerial declarations of systems of national significance, and a right of merits review by the Administrative Appeals Tribunal
- A positive duty imposed on Government to take all reasonable steps to protect against unauthorised access, use or disclosure of information collected pursuant to the Act.
Commitment to work with Government
auDA is committed to playing its part in preventing and defending Australia’s critical infrastructure from cyber-attack.
We look forward to working with Government through the inquiry process and more broadly in implementing security measures that will help keep Australian critical infrastructure, including the .au domain, secure.