While the prospect of significant direct and consequential losses from a disruption is daunting enough, the possibility of permanent asset impairment complicates operational and financial considerations enormously. Impairment in this context is not just about losing assets through subversive actions; it also includes being compelled to remove equipment on the grounds of national security. While that seems like a drastic and overly alarmist scenario, it is one that Australia and a number of other jurisdictions have already played out.
The rapidly changing geopolitical landscape has increased vendor risk, especially in relation to nation states acting through increasingly global supply chains and dispersed technology stacks. This became starkly apparent when Australia and the USA chose to ban Huawei and ZTE from 5G cellular networks on national security grounds. While the impact in Australia has been relatively manageable, the Federal Communications Commission’s September 2020 estimates put US remediation costs at US$1.9 billion for small to medium network operators alone. The fact that the USA continues to add to its Entity List suggests a belief that the risk of foreign interference is widespread, systemic and growing.
The Australian federal government relied on national security provisions within the telecommunications legislation to implement its 5G ban. The big question is whether the coercive powers in the new security Bill are broad enough to extend that type of power to all critical infrastructure. Could it be a beachhead for something that evolves into an equivalent of the United States Department of Commerce's Bureau of Industry and Security Entity List?
The implications of foreign interference for critical infrastructure are profound. Even where stakeholders have a comprehensive risk framework, an asset that is functioning exactly as intended could nevertheless conflict with sovereign interests, requiring it to be islanded or completely uninstalled at major unplanned cost. The Bill’s converged security approach is intended to help stakeholders uncover and counteract these more complex, multi-faceted hazards, and that was no doubt a factor that helped shape the all-hazards framework. While the legislation aims to uplift resilience by compelling stakeholders to develop more comprehensive risk management programs, it is the untested power of the Commonwealth to directly intervene and compel a relevant entity to do, or refrain from doing, an act or thing during a "serious cyber security incident" that complicates matters.
It is clear the coercive powers could fundamentally impact ownership and the right to operate a critical infrastructure asset. Powers that help shore up relevant parties during an incident bring a lot of potential value, but they are also somewhat opaque, making it difficult to determine their true breadth. Concerns exist around architectures and technologies that may already be in use, with hazards only now materialising as geopolitical circumstances shift rapidly. The Bill requires these hazards to be identified in supply chains and technology stacks, but what if the risks found can only be remediated by removing particular assets entirely? The cost implications for stakeholders could be both significant and unavoidable where an asset is found to seriously prejudice the social or economic stability of Australia or its people, our defence, or national security. Those thresholds seem rather subjective and dangerously open to interpretation.
The ability of a nation state to access, influence or control assets presents a tremendous conundrum. Unlike other hazards, a significant risk can exist with a foreign vendor simply by virtue of its geography, supply chain and technologies. An attack path could be exploited through an asset's existing data-handling capabilities without any need to sabotage the system itself. One of the most controversial aspects is that while a hazard can exist in theory, and could potentially be reduced to practice, there is not necessarily any evidence that it has been, or ever will be.
There is no question that a foreign power being able to reach out and disrupt critical infrastructure is unacceptable. Under the Bill, preliminary sector-specific rules require stakeholders to minimise and mitigate that potential by evaluating operational information pathways and high-risk vendors in accordance with the ACSC Supply Chain Risk Management Practitioners Guide (2019). That guide defines foreign interference to cover three situations: extrajudicial control over a vendor; extrajudicial influence over a vendor; or interference by a foreign intelligence service in a supply chain.
Organisations face the difficult prospect of having to weigh up the likelihood of foreign interference against the availability and cost of substitutes. They also have to consider the chances and consequences of a vendor becoming a security risk over time as geopolitical circumstances change. That is quite a bit more onerous than it initially appears. Going with a global brand does not necessarily reduce that risk. The success of a manufacturer, together with its systems and global workforce, can create the scale and opportunity to conduct larger and more coordinated operations, increasing the likelihood that it may be leveraged by a nation state. Additional complexity comes from those jurisdictions that follow a doctrine of "shared responsibility", where the state and industry may be far more intertwined than in Australia, where separation is expected. Tight relationships between a state and that nation's companies mean there may be very few, if any, counterbalances to actioning directions, even where those directions are extrajudicial and extend beyond the formal framework of laws.