Australian universities have bristled at yet another security-related intervention in their affairs as Canberra moves to assume supervisory powers over their cybersecurity arrangements – and, in extreme cases, take over their response to hackers.
The federal government wants to extend its 2018 Security of Critical Infrastructure Act, which currently applies to electricity, gas and water utilities and maritime ports, to higher education and research along with 10 additional sectors.
The amendment would require all 40 Australian universities to adopt and maintain “all-hazards” risk management programmes and report serious cybersecurity incidents to the government’s information security agency. Universities could also be directed to enter ownership and operational information about their facilities on a confidential government register of “critical infrastructure assets”.
The bill empowers the government to provide “direct assistance” to “protect assets” in the event of a “serious cybersecurity incident”. An explanatory document insists that this power would be asserted only as a last resort.
“Industry should, and in most cases will, respond to the vast majority of cybersecurity incidents,” it says. “However, government maintains ultimate responsibility for protecting Australia’s national interests.”
A draft of the amendment, released in November after consultations in August, outlines the scope of the “assistance powers” and when they can be applied. But the Innovative Research Universities (IRU) group said the proposal could constitute “an extensive intervention in university operations”.
In a submission on the draft legislation, the IRU says the government has not justified its “cumbersome” intervention, which would force universities to deal with a “plethora of government agencies…with no coherence to these requirements”.
Universities are “just as keen” as the government to keep their operations secure, the submissions says, and “are working with the government to reduce risks and to act when incidents occur” through mechanisms such as the University Foreign Interference Taskforce and the Australian Higher Education Cybersecurity Service. It says nothing has happened since the original act was formulated “to suggest that universities are not responding effectively”.
The IRU wants universities removed from the amendment. Failing that, the government should discuss implementation details in advance with the sector and “only take direct action over a university’s assets in a case of extreme risk, with consent from the vice-chancellor”.
The amendment is the latest government move to beef up security protections through measures that universities say duplicate existing safeguards and saddle them with mountains of red tape.
Parliament is considering a bill to give Canberra veto powers over universities’ foreign ties, and a joint committee is looking into national security risks affecting higher education and research. This follows the drafting of new guidelines to combat foreign influence on research and teaching, and a failed Department of Defence push for greater control over university research.
Meanwhile, scores of visa applications by foreign doctoral candidates are being delayed over security concerns, and 18 research projects endorsed by the Australian Research Council have been put on ice while they are scrutinised by security agencies.
But the explanatory document says a “partnerships” approach will underpin the latest proposal, with the government and sector stakeholders working together to “co-design” the requirements. They will be proportionate to the risks, avoid duplicating existing measures and “impose the least regulatory burden necessary”, the document insists.