Australian Government Proposal to take Responsibility for Cybersecurity Incidents affecting Critical National Infrastructure
Today I came across the following article in ITNews
and it took me down a fascinating path on this topic.
AWS have responded to the proposed framework, which I’d like to review later. For today I’ve critiqued the article’s linked submission by Chevron.
Tl;DR
- Government want privesc for “direct action” when critical national infrastructure is under cyber attack, when deemed an emergency, with checks and balances
- Only floating the concept, with language and explanation actually sounding pretty reasonable and proportional
- Industry are cagey with some getting very handwavey and submitting logical-fallacy-ridden responses
Context
In August 2020 Australian Home Affairs released this paper on protecting critical national infrastructure:
The paper primarily introduces the concept of an “enhanced” regulatory framework that obliges critical infrastructure entities to have their sh*t together, and outlines how government will support them in cyber incidents.
It’s actually a very well-written paper; written in plain english with only considered and necessary content.
Page 29 is what the commotion is about. In summary
- Ability for Australian Government to take direct action where there is immediate and serious threat to national infrastructure
- To be limited by appropriate checks and balances
- To be executed (most likely) in a voluntary sense
In general — industry are understandably cagey around allowing Government to stick their fingers in to their systems when an emergency is declared.
My Thoughts
It’s an interesting question — how much responsibility — and power to execute that responsibility — should a government have, relating to infrastructure deemed critical to the nation it governs, in a time of emergency?
Myself I think the government position has merit; I expect our government to do everything in its power to address such.
The alternative aka “head in sand” — is to gamble that there will be no cyber compromise of critical infrastructure — and further to gamble that in such a situation the owning commercial entity (whose incentives & responsibilities may not necessarily align with those of the affected nation) is the most effective at mitigating this (more effective than government responders). This will normally be the case — which the proposal acknowledges.
I think until now Australia has been lucky to not have suffered major incidents; the risk has de-facto been accepted by the nation. But with growing activity (and awareness thereof) — we’re probably are at the stage where government must take responsibility for these risks.
Critiquing Chevron’s Submission
Frankly I find much of Chevron’s submission illogical and intended to support a pre-existing goal of attempting to limit Australian Government’s involvement in private enterprise’ cyber security concerns. I’d urge Home affairs to dismiss much of it as invalid.
Response to Question 3 on Factors to consider in evaluating criticality - Chevron recommends considering the owning entity’s cyber capability.
An owning entity’s cyber capability has no effect on the criticality of a piece of infrastructure; just because the maintainers of the Sydney Harbour Bridge are highly competent engineers does nothing to alter the reality that should said bridge collapse, the consequences would be terrible.
Response to Question 5 on How criticality should be assessed — Chevron recommends accounting for diversity in the sector.
In tech we call this “high availability”. And — the author being the Manager of Information Systems should know — that HA is a mitigation measure we put in place to mitigate risk and help ensure system continuity — but does nothing to decrease criticality of the system itself. Same as the previous point — conflation of mitigation measures with nature of the risk itself.
“There are more than 15 large companies involved in Australia’s LNG Sector” != “Australia’s LNG sector is not critical to the national interest”
Response to Question 6 on Which entities we would expect to be owning and operating systems of national significance — Chevron simply does not address the question instead attempting to reinforce the argument that diversity decreases criticality.
Response to Question 11 on Reducing oversight of companies at a “high level of maturity” — I really can’t see why you would reduce reporting requirements simply because a company has been evaluated (by a 3rd party?) to be at a “high level of maturity”. Regardless — if a company is indeed at a high level of maturity, has measured such, then reporting on such should be simple (a fact the author later states in response to Point 13).
Response to Question 14 is a leading question, in that it asks something to which the answer is already known — “Are any sectors subject to a security obligation?” i.e. are they required by Government to have these security practices in place. The answer is “no” — and is part of the reason for this initiative by Home Affairs.
I do appreciate the respondent ignoring this question and taking the opportunity to exhort their current security practices 😆
Response to Question 19 asks how Government can best-support Enterprise to manage their security risks. Again the author suggests that orgs mature in the space should be exempt. While it’s true that those with less capabilities will benefit most maturity does not equal infallibility and all organizations should be equally engaged (and evaluated).
Response to Question 22 Preparatory Activities — would have taken the opportunity to suggest a lightweight first pass to quickly identify highest value-to-effort items.
Response to Question 23 — I would have noted that information sharing should be two-way, as opposed to simply expecting Government to share down e.g. IoC from within an Ivory Vacuum.
Now the meat — Response to Questions 29, 30, 31, 32, 34 dealing with Government taking direct action in Cybersecurity incidents
- “Unilaterally” in this context is tautology — the proposal states “appropriate checks and balances” however the decision would necessarily be “unilateral”; how effective would legislation be if the owner of the infrastructure could simply insist “we all good here!” and Government could do nothing?
- Risk of damage to company systems — is not a barrier to Government intervention but simply another risk as is the case with any third-party involvement. What do we do with risks? We evaluate and mitigate. Off the top of my head, this one in particular may be mitigated e.g. by close involvement and consultation of the owning entity.
- Incident might not pertain only to Australian critical infrastructure — again this is an aspect of any third party engagement and changes nothing; Government still has responsibility — hence should have (only) jurisdiction — to take action to protect critical national infrastructure.
Specific scenarios where this might entail actions in systems outside of Australia’s critical infrastructure (say for example the company’s global AzureAD instance) should be preplanned, and expectations set in place (e.g. the managing entity might be required to enact any reasonable request to deactivate a compromised account). Not necessarily a barrier to what’s being proposed. - Hypothesized scenario in which Australian Government removes threat from Australian systems but it continues to exist in other systems, an edge case; following removal from Australian systems the owning entity would reasonably be expected to take further competent measures to remove it from systems in other regions (possibly in conjunction with other regional Governments).
In the (unlikely - assuming competence, action in good faith, and the possession of a self-preservation instinct) event such measures are ineffective and the risk still possesses a threat to critical national infrastructure, then perhaps government would be reasonably entitled to take further action. None of this precludes what’s being proposed. - On poo-pooing the concept of a government declaring an emergency and protecting critical infrastructure (“unusual”?) — there is already related legislation in place at both Federal and State levels. To claim such legislation does not exist in the United States is just wrong.
Conclusion
I think in a nutshell general industry logic here is — “We’re good thanks, we know what we’re doing, leave us alone. Offer help all you want but we’ll decide if we want it or not.”
I think that given the climate, and the types of scenarios we’re talking about, for the Australian Government (and the people to whom it is accountable) that’s a deeply unsatisfying answer.
Having said that I think it’s within the government’s mandate to progress this initiative, and given the open communication from all sides thus far actually do expect a positive outcome largely aligned to what’s proposed in the initial government paper. Until next time!