1/11: If you haven't read the (Aus) Critical Infrastructure Bill because (like me) you foolishly assumed it was about protecting critical infrastructure, now is ... probably too late.
aph.gov.au/Parliamentary_…
So here's a short summary of the "protections" you can't refuse #Auspol
aph.gov.au/Parliamentary_…
So here's a short summary of the "protections" you can't refuse #Auspol
2/11: Everyone agrees that the threat of cyberattack is serious, the results could be devastating, and Australia is woefully unprepared.
The question is whether forced "assistance" from @ASDGovAu and Home Affairs will make us more or less safe & secure.
The question is whether forced "assistance" from @ASDGovAu and Home Affairs will make us more or less safe & secure.
3/11: Critical infrastructure isn't just dams and power plants - it will also include financial systems, health providers, and "data processing" (i.e. almost anything). It's clearly important to protect them; less clear that forced "protection" from ASD is the right way to do so.
4/11: So what's in the bill? It gives the Secretary of Home Affairs, sometimes with Ministerial direction and sometimes not, *never* with the slightest obligation for judicial oversight, the power to make several kinds of "assistance" and "protection" offers you can't refuse.
5/11: An "intervention request" (which you can't refuse) comes from the Minister and can force you to modify your system or install their software on it.
Large fines for refusal.
Large fines for refusal.
6/11: An "Information gathering direction" (which you can't refuse) can include being forced to give information about your system to the Secretary of Home Affairs.
Slightly-less-large fines for refusal.
Slightly-less-large fines for refusal.
7/11: An "Action direction" is like an "intervention request" but with 2 years jail for refusal.
8/11: I don't usually agree with Google, they make a good argument that the power to interfere in their networks runs a large risk of making them *less* secure:
aph.gov.au/Parliamentary_…
aph.gov.au/Parliamentary_…
9/11: The opportunity for abuse is obvious. There are no practical constraints on the exercise of these powers. They do not require a warrant or have any kind of judicial oversight. They do not require a cyberattack to be occurring – it suffices to believe one to be "imminent".
10/11: @ASDGovAu may exfiltrate sensitive personal information (health records, financial info and communications) as long as it is de-identified enough to not be "personal information" under the Privacy Act. There's no requirement that they refrain from re-identifying it later.
11/11: So what can you do? Nothing. Get some solar panels, install Signal, tell your GP not to write notes into an electronic system.
As usual, the tragedy here is that we really do need to do something that actually protects our critical infrastructure. This is not it. #Auspol
As usual, the tragedy here is that we really do need to do something that actually protects our critical infrastructure. This is not it. #Auspol
• • •
Missing some Tweet in this thread? You can try to
force a refresh
