Australian critical infrastructure operators urged to move off Chinese tech
A sweep of Chinese-made hardware and software from the federal government could be expanded to cover critical infrastructure operators as well, with the government already assessing its powers for “market intervention”.
The comments, made by Home Affairs officials at senate estimates yesterday, come as the government increasingly suspends its use of Chinese-made technology over security concerns.
So far this year, the government has targeted the use of CCTV cameras, TikTok on government devices, and, according to a report by The Australian earlier this month, DJI drones and accessories.
The DJI suspension has now expanded from Defence to Home Affairs, including the Australian Border Force, with the department’s chief operating officer Justine Saunders yesterday confirming trials had been iced.
“In light of the concerns that have been generated over recent weeks, we have actually suspended the use of that capability,” she said.
“We’ve had conversations with the ABF this week in terms of a departmental position, which they’ve responded to, so I actually issued a directive [last] week indicating that [DJI drones] are not to be used.”
Saunders said that Home Affairs is “live to Defence’s position” on DJI use, and said the department is engaging with Defence in a review of the technology.
“We’ll be working with them and other partners to make sure that we satisfy ourselves as to the implications of the use of this technology before it is used,” she said.
A government-wide ban on the use of DJI and other technologies appears to have been raised as a topic, though the decision-making for that would ultimately rest with the Attorney-General’s department, which has oversight of the Protective Security Policy Framework (PSPF) – central guidance used to keep government assets secure.
Shadow Minister for Home Affairs and Cyber Security, and Liberal Senator for Victoria, James Patterson, also quizzed Home Affairs officials on whether a ban on the use of Chinese-made hardware and software should be expanded to critical infrastructure sectors.
In particular, Patterson was interested in whether the Security of Critical Infrastructure (SoCI) laws contained provisions that could underpin a directive to ban the use of the technologies.
Pezzullo said he and the deputy secretary of the cyber and infrastructure security group at Home Affairs, Hamish Hansford, had “discussed this”.
“We think there’s sufficient ambit,” Pezzullo said.
Hansford said that risk management program (RMP) obligations on critical infrastructure operators, which came into effect earlier this year, could be one avenue for making a directive.
“In terms of the risk management program, a minister of Home Affairs could declare a particular device to be a material risk that then a company would have to mitigate so I think it could be done in that construct,” Hansford said.
“Another available technique might be using Section 32 of the SoCI Act which is a ministerial direction dependent on an adverse security assessment from ASIO, though.”
Patterson asked both Home Affairs and the government more broadly to consider expanding the ban to critical infrastructure operators.
“It seems to me as a matter of logic that if these products are not safe in the Australian government, that we shouldn’t be comfortable about them being used in critical infrastructure providers either, especially systems of national significance, as a subset,” Patterson said.
“Of course nothing precludes critical infrastructure operators in the meantime taking their own initiative and sensing the tea leaves and getting rid of these themselves, and I would encourage them to consider doing that before any punitive or regulatory action is necessary.”