The health sector has joined the telecommunications, broadcast and other industries in pushing back against the federal government's move to grant itself the power to effectively seize and control 'critical infrastructure' in response to cybersecurity risk.
Ramsay Health joined the pharmaceutical industry, Telstra, Optus, the broadcast radio and television industries, as well as the trade union and other sectors in appearing before Friday's public hearing of the Parliamentary Joint Committee on Intelligence and Security.
The committee is currently conducting an inquiry into the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The Bill will grant the federal Department of Home Affairs sweeping new powers over 'critical infrastructure' across multiple sectors, including the ability to 'step-in' to companies and organisations at risk of cyber-attack.
The new Bill effectively covers the entire health sector, including the "production, distribution or supply of medical supplies".
The sector's companies would be required to have a critical infrastructure risk management program (CIRMP) and report on that program annually within 30 days of the end of the financial year. They could even be required to security check employees.
The industries that fronted the hearing were universally critical of the Bill. Most of the focus was on the lack of consultation, the fact it duplicates many existing requirements, and the lack of detail on how it will be implemented.
They told the hearing that most sectors are already covered by policy requirements in terms of cybersecurity, including annual risk assessments and audits, and suggested there needed to be a gap analysis to assess the need for the proposed changes.
Committee chair Senator James Paterson said the government may have formed the view that a single cross-sector requirement was preferred to a sector-specific approach.
However, representatives at the hearing suggested the government should have confidence in existing arrangements.
One specific concern expressed by all sectors was the risk to privacy, particularly in relation to the proposed 'step-in' powers. There was some discussion about the government indemnifying organisations against breaches of privacy law, but some doubted this would be sufficient given the reputational risk.