Microsoft warns of "unilateral government intervention" in proposed cyber legislation

Risk of direct intervention could undermine defence and recovery, says firm

By Duffie Osental

Tech giant Microsoft has expressed concern that proposed federal legislation submitted to Parliament in December to mitigate the impact of cyberattacks on critical infrastructure could “undermine the government’s objectives of defence and recovery.”

According to the Department of Home Affairs, the legislation in question, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, aims to “enhance the existing framework for managing risks relating to critical infrastructure” by introducing a positive security obligation (PSO) for infrastructure entities, enhanced cyber security obligations (CSO) for the most critical entities, and government assistance to respond to cyberattacks on critical infrastructure in a cyber emergency.

In a submission to the government, however, Microsoft warned that the potential risk of unilateral intervention by the government “greatly increases the risk of unintended collateral consequences, impacting customers directly and indirectly by undermining trust, and threatens to make entities less secure” and urged that government intervention authorities “must be carefully defined and restricted, and should not be used when organisations are capable of managing response and recover of their own networks.”

“We believe that a policy allowing for direct governmental intervention would undermine the government’s objectives of defence and recovery,” said Microsoft. “Rather, in many cases, it is the individual organisations themselves, and not the government, that are best positioned to determine how to appropriately respond to and mitigate the impact of cyber incidents.”

The tech giant also cautioned that it would take a “preclusive amount of time for the government to come into a live incident, properly understand the fact pattern, the technologies in play and the challenges of any decisions, and then be able to direct an appropriate response.”

“This contributes to what military strategists have referred to as the ‘Fog of War,’ which is a concept that has been applied to cyber incident response, where additional risk is introduced during the initial phases of an ongoing crisis because the ability for subject matter experts and network defenders to adequately respond is hampered by an onslaught of information requests, speculation, and well-intended ideas from individuals or organisations, when the malicious activity is yet to be fully understood by anyone,” said Microsoft.
