Microsoft tells Australia not to hamper its cyber attack response

After supporting the Australian News Media Bargaining Code, Microsoft has asked the federal government to stay out of its cyber attack response as this could complicate any attempt to mitigate hacking incidents in the country.

According to the tech giant, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 gives the government authority to intervene in certain circumstances involving serious cyber security incidents.

“Microsoft has significant concerns about this authority and would welcome the opportunity to better understand specific risks the government seeks to address as well as discuss alternative solutions that introduce less risk,” the company said in its submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

As an initial matter, Microsoft said it recognises the government’s interest in ensuring that critical assets can withstand major cyber incidents and that appropriate remediation tactics can be quickly deployed in the event of an incident.

“However, we believe that a policy allowing for direct governmental intervention would undermine the government’s objectives of defence and recovery,” the company said.

“The Proposed Legislation should not permit the government to mandate the installation of software on operator systems, as such software could result in interoperability, vulnerability management and maintenance challenges, while introducing additional risk and undermining the security of these systems,” Microsoft elaborated.

Rather, in many cases, it is the individual organisations themselves, and not the government, that are “best positioned to determine how to appropriately respond to and mitigate the impact of cyber incidents”.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was published by the Department of Home Affairs in November.

The Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure” that would extend the application of the Act to communications, transport, data and the cloud, food and grocery, defence, higher education, research, and health.

Microsoft said that the danger of having a government direct a private sector entity’s response without complete knowledge of the situation and the technology cannot be overstated.

“Moreover, individual organisations are not only best positioned to respond; they also have as equal an incentive as the Government to protect their own networks and maintain the trust of their customers,” the company stressed.

The risk of unilateral intervention by the government greatly increases the likelihood of unintended collateral consequences, impacting customers directly and indirectly by undermining trust, and threatens to make entities less secure, it argued.