Critical Infrastructure laws ignore key data assets

The Department of Home Affairs has sought to downplay industry concerns over proposed laws that will limit the federal government’s critical infrastructure regime to only business‑critical public sector data. Macquarie Telecom raised concerns last month, arguing the changes were a “significant and dangerous reduction” in the scope of the Security of Critical Infrastructure Act. 

The government has proposed changing the current definition.  It currently states that any provider supplying services to commonwealth, state or territory governments is classed as critical infrastructure.  It now proposes that the definition state that a provider would be qualified by whether or not they were handling 'business critical data'. Macquarie said this change should be abandoned, because business-critical data does not describe the type of information that is most commonly held by government departments and agencies nor what is crucial to the functioning of government.

Macquarie said a data storage or processing service provider that stores or processes any form of government data should absolutely be recognised and regulated as a critical infrastructure provider.  The bank also said that if the proposed amendment does proceed, then the definition of business-critical data must be broadened to reflect the types of sensitive and classified information that are commonly held by Commonwealth, state and territory government entities.

 - CyberBeat