Google, Microsoft, and Amazon have unanimously fought to amend a proposed bill that could allow the Australian government to implant its own cybersecurity software onto the back of the cloud systems of the Big Tech companies.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (pdf) seeks to build on existing legislation to fortify Australia’s critical infrastructure against cyber attacks, with the inclusion of cloud services in the list prompting tech giants to raise serious privacy concerns.
The measures come amid mounting anxiety regarding the potential impact of a cyberattack on the nation’s arterial sectors—including energy, health, and food—many of which have already experienced such incidents since the start of the year.
“We strongly oppose the ability for the Australian Government to compel the installation of software on networks, systems, or assets,” Google stated in its submission (pdf) to the Australian intelligence and security committee.
The legislation outlines that the government could require an “entity for a system of national significance to install and maintain a specified computer program in limited circumstances.”
“The ability to undertake such an action, particularly in the data storage and data processing sector, could have unintended consequences to customer privacy and security (business and citizens) in Australia, and around the world,” Google said.
However, the bill also specified that the decision to carry out such a move was not preferred and merely a “provision of last resort,” with the option only considered if a relevant entity failed to provide the government with the information it required following a cyber attack.
It further outlined, that if providing the necessary information proved difficult—for example, if the reform or software was too expensive—the government would provide support and supply the necessary software for free given the information’s importance in handling cybersecurity risks.
Microsoft echoed Google’s message in its own submission (pdf), adding that large companies with a better understanding of their own software already had cyber security measures that were better suited than what the government had to offer.
“Organisations familiar with their own systems are inarguably best placed to do so, and this is particularly true for hyperscale cloud service providers that operate highly complex and interdependent systems,” Microsoft said.
The tech titan explained that third-party software developers who inherently lacked an understanding of the system’s structure would only introduce problems that could severely impact the operations and would require extensive testing.
“Introducing third parties unfamiliar with a cloud service provider’s systems and architecture risks compromising the security and integrity of these systems and creating collateral consequences, including the interruption of critical services and the creation of new vulnerabilities.”
Microsoft agreed that the intervention would be beneficial for some entities and supported the government’s push for strengthened cyber defence. However, like the other giants, it suggested that the cloud services sector be omitted altogether.
Matthew Warren, Director of the RMIT University Centre for Cyber Security Research and Innovation, welcomed the bill, saying that it facilitated an important partnership between industry and the Australian Cyber Security Centre (ACSC) and the Australian Signals Directorate (ASD).
“The bill will succeed in strengthening Australia’s overall cyber security and defence capabilities as critical infrastructure organisations can draw upon the expertise and capabilities of ASD / ACSC,” Warren told The Epoch Times.
Warren said that the government’s installation of software would not be for all critical infrastructure, and would only be in exceptional circumstances to help collect information on threats or block malicious attacks.
Warren also pointed out that the nature of Google Cloud’s globally interconnected infrastructure posed a significant problem, meaning the government could obtain sensitive information of Google’s customers domestically, and abroad.
He suspected that the monolithic corporation and Australian policymakers would inevitably come to a mutual agreement, particularly following Google threatening to withdraw its search engine in Australia earlier this year over another proposed law it had disagreed with.