Canberra told to backpedal on cybersecurity intervention

An influential multi-party parliamentary committee has urged Australia’s government to tone down its legislative move to assume supervisory powers over universities’ cybersecurity.

The Parliamentary Joint Committee on Intelligence and Security has recommended that a bill amending the 2018 Security of Critical Infrastructure Act be split into two, with further consultation on parts of concern to universities.

The act gives Canberra a role in protecting the online security of ports, energy and water utilities. The amendment, introduced late last year, would beef up the government’s powers and extend them to other sectors including higher education.

Industry representatives lobbied for the legislation to be delayed, citing uncertain regulatory costs in an economy already suffering from Covid lockdowns and border closures. The committee has recommended a halfway approach, with the government hastening the “most urgent elements of the legislation” and leaving others to be “revisited” in a “consultative and collaborative” way.

“This will ensure…the government can exercise vital powers when ‘last resort’ circumstances arise,” the committee’s report says. The “rapidly deteriorating cybersecurity environment…demands both a swift and comprehensive response [and] both can [not] be done at the same time in the same bill”.

Under the compromise arrangement, the government would seek legislated powers to intervene, demand information and make enforceable directions when significant cyberattacks occur. Mandatory cyber incident reporting requirements would apply to organisations with important civil infrastructure, including universities.

But obligations to develop risk management programmes and register “critical infrastructure” facilities would be addressed in a new bill, following more consultation. The committee would undertake another review of these requirements before they were put to parliament.

The Group of Eight universities supported the compromise – particularly a recommendation that rules in the second bill be “co-designed” with affected industries, including higher education. Chief executive Vicki Thomson said the new approach would help avoid the “opportunity cost” of universities becoming “overwhelmed with red tape”.

Australian universities are bracing for a host of similar government interventions, including changes stemming from the committee’s inquiry into national security risks affecting higher education and research. Updated guidelines to counter foreign interference in universities are expected within days, and the sector is awaiting details of which foreign agreements will be subject to new government veto powers.

john.ross@timeshighereducation.com