Proposed changes to boost the nation's critical infrastructure laws will remove key oversight functions regarding decisions made by senior figures in Home Affairs and the Australian Signals Directorate, the government watchdog has warned.
The changes, first introduced to parliament in December 2020, would amend security legislation to allow the government to intervene in private companies that handle an expanded definition of Australia's critical infrastructure systems, including energy, communications, transport, data and the cloud as well as food and medical supplies.
The new powers would force companies to provide information to the government in the event of a major cyber attack, and those companies would be expected to take on directions or actions provided by the government's cyber security agencies.
In some cases, security agency officials could "step in" and take over a company's systems in order to fight off an attack.
Failure to comply with the government's requests could result in penalties totalling into the thousands.
But Commonwealth Ombudsman Michael Manthorpe said, in a submission to a parliamentary committee examining the bill, that broader implications could affect the watchdog's ability to oversee the new powers.
He's concerned the amendments would limit the office's ability to investigate complaints about directions given by the Home Affairs secretary or staff within the Australian Signals Directorate.
Under the bill, Mr Manthorpe said, those directions to companies would fall under the expanded definition of "protected information", which is illegal for staff to disclose.
"If an entity that is subject to a direction of the secretary, or its staff, is unable to make a complaint to this office without breaching the protected information provisions in the Act, this would undermine the capacity of my office to provide the level of oversight anticipated in the explanatory memorandum," Mr Manthorpe wrote in his submission.
Mr Manthorpe urged the committee to recommend the bill be changed in order to allow for a legal complaints or whistleblowing mechanism to the ombudsman's office.
The bill's introduction follows a number of cyber attacks targeting key infrastructure in Australia in recent years.
Months into the COVID-19 pandemic, Prime Minister Scott Morrison revealed a large-scale malicious cyber attack had hit all levels of government as well as the business, education and health sectors.
Mr Morrison said the culprit behind the attacks was state-based with "significant capabilities" but would not name the country or say what data had been accessed.
Former home affairs minister Peter Dutton introduced the bill nearly six months later in December 2020, arguing changes to the legislation were needed in order to prevent future attacks with more "catastrophic and far-reaching consequences".
"Critical infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation's wealth and prosperity, and national security," Mr Dutton told parliament in late 2020.
"While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune.
"While private industry is best placed to protect critical infrastructure, some threats are too sophisticated or disruptive to be handled alone."
But the broad-reaching powers have a number of large tech companies concerned.
In a submission to the exposure draft, Microsoft said it welcomed the government's efforts but had issues with the significant powers given to the minister and agency officials.
"While we acknowledge that there may be emergency scenarios where the government may consider the need for direct action with critical infrastructure operators, we believe such actions must only occur as a last resort," the tech giant's submission read.
"[It should occur] under a framework that incorporates robust checks and balances, as well as the Commonwealth Ombudsman acting on behalf of the private sector that reflects the interests and risks of undertaking such an action."
Amazon Web Services, which supplies the federal government with data and cloud services, voiced similar worries over the "overly broad powers" it could be granted and recommended extensive consultation with affected industry before the bill is passed.