The government’s one-response-fits-all-threats is too expensive and expansive
Late last year the Department of Home Affairs circulated a draft bill, “to protect critical infrastructure,” including universities, from cyber-attack. This included “mandatory risk management and incident reporting” and would place organisations covered under “enhanced cyber security obligations.”
And guess which organisation the Department of Home Affairs thought would be best placed to “regulate compliance” from “the education and research sector”? Jove, you are all quick, yes, the Department of Home Affairs.
Among many HE submissions on the bill, the ever-vigilant Innovative Research Universities responded that HE institutions are already doing what the bill wants from them and that, “the major challenge is the plethora of government agencies requiring action from universities with no coherence to these requirements,” (CMM December 1).
But the IRU’s hint was not taken – the circulating draft did not stay in circulation very long, with Home Affairs minister Peter Dutton commending the bill to the House in his second reading speech on December 10.
So that would have been that, except the Attorney General, (on December 18), referred the bill to the Parliamentary Joint Committee on Intelligence and National Security.
Which is now accepting submissions, and so universities are making the same points the drafters of the bill already appear to have ignored.
Griffith U submits the bill’s impact on universities is out of proportion and “it should be narrowed to allow risk-based targeting of critical capabilities and assets.”
Uni Sydney states it understands and supports “the policy objectives” but “we are concerned about the likely additional compliance costs for public universities responsible for operating critical national research infrastructure.”
The Council of Australasian University Directors of IT points out that the bill applies a single model, which “risks implementing security obligations suited to those aimed at high-risk, research-intensive, defence-aligned institutions to all and hence applying too high an obligation on teaching-focused and dual-sector institutions.”
The submission from the Australian Technology Network (with its pal, Uni Newcastle) makes many similar points and ever-so-politely suggests the Commonwealth should focus.
“A broad and un-targeted approach to designating critical infrastructure and entities (and the assets within them) risks diluting the effort and attention paid to aspects that are truly critical. Finite security resources should be directed to the areas of greatest risk and potential impact, such as defence research partnerships. … Applying the highest level of protection to all parts of universities because of the criticality of one part would not be proportionate.”
And the Group of Eight summed it up, suggesting, “the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector.” The Go8 asks the committee to consider why universities are in the bill at all.
“The Australian Government has in fact not yet identified any critical infrastructure assets in the higher education and research sector. … when to date no other Five Eye nation lists higher education and/or research among its critical infrastructure sectors.”