auDA's opening statement to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) hearing on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 on 8 July 2021
The .au Domain Administration (auDA) is the administrator of, and the Australian self-regulatory policy body for, the .au country code Top Level Domain (.au ccTLD). auDA operates under an agreement with the Internet Corporation for Assigned Names and Numbers to manage the .au ccTLD as part of the global Domain Name System (DNS), and under terms of endorsement issued by the Australian Government which require auDA to manage .au in the public interest.
auDA recognises that the .au ccTLD is a critical domain name system, as it supports the stable, reliable and secure operation of the DNS in Australia, and we support the policy objectives of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 to protect and defend Australia’s critical infrastructure. We appreciate this opportunity to appear before the Committee.
auDA agrees that industry and government collaboration is essential to uplifting security standards across multiple critical infrastructure sectors through principles-based regulation. We have a long history of collaborating on security with the Australian Government, including the Australian Cyber Security Centre.
The DNS is a globally distributed system of nameservers and other infrastructure that is managed and operated by a range of parties. auDA’s DNS systems are distributed globally for scale and reliability, and to handle the high number of Australian and international DNS queries for .au domains.
A large proportion of registrars accredited by auDA to sell domain names to the public are foreign companies, with their domain name registration and DNS infrastructure located overseas. These registrars manage around two-thirds of all .au domains.
auDA currently manages supply chain security risks via contracts with the .au registry operator and registrars. However, there are other DNS service providers that auDA does not contract with, such as Internet service providers, webhosting companies, telecommunications providers and DNS providers. auDA has limited visibility of these providers, and their DNS infrastructure may be located overseas.
The global and decentralised nature of the Internet and the DNS is one of its strengths, but it also creates jurisdictional challenges since it crosses territorial borders. The ecosystem of technologies on which the Internet depends has evolved over time to maintain and improve the security, stability and resilience of the Internet. The governance of this ecosystem is an international issue, with implications for us all.
The Australian Government’s International Cyber and Critical Technology Strategy, launched in April, reaffirms Australia’s commitment to multi-stakeholder Internet governance and to opposing efforts to bring the technical management and governance of the Internet under government control. auDA supports this position.
While we support the Bill’s objectives, and will continue to work with the Government and other stakeholders to ensure the DNS is as secure as possible, the globally distributed nature of the DNS must be considered in any regulatory approach. For example, an impact (whether regulatory or a security incident) on one part of this global network may have flow-on consequences for infrastructure and end users in another jurisdiction, making it difficult to regulate across borders.
auDA considers the government assistance measures in Part 3A of the Bill, if passed, will provide the government with significant additional powers. Accordingly, these should be subject to stringent safeguards and limitations. We note the Explanatory Memorandum indicates these powers are intended to be used only in the most serious circumstances and where an entity is unwilling or unable to act, and we welcome further discussion with government on these measures.
We support sharing information with the Government to assist in establishing a clearer picture of potential security threats. However, we are concerned by the provision in subsection 30DJ, which allows for the installation of third-party software on an entity’s system. Installing such software exposes the entity to significant risks and may inadvertently threaten or compromise the security of the network.
We are also concerned to ensure that any access to systems information necessary to identify malicious activity does not lead to monitoring of users through DNS queries. Monitoring DNS traffic can potentially provide a wealth of information about a user’s habits and, when combined with other data sources, could identify individual users.
Accordingly, auDA considers that any use of these powers should have greater oversight, for example, be authorised by a judicial officer. This would provide a degree of independence and rigour.
In closing, we acknowledge the Department of Home Affairs’ willingness to engage with industry on these important legislative amendments. auDA has engaged in numerous productive conversations with the Department, and we look forward to continuing to engage with them on the development of sector-specific rules.