In the recent JBS cyberattack, an American subsidiary of a Brazilian meat processor was hacked from Russia ^[1], causing operations in Australia, Canada and the United States to shut down. This crime provides a timely reminder that Australia’s critical infrastructure is only as strong as the weakest link in its international digital supply chains.

The government is proposing a complete overhaul of the way owners and operators of Australia’s critical infrastructure ensure the resilience of the physical facilities, supply chains and ICT they rely on, and on which our society and economy depend.

The proposed legislation before parliament will extend the regime under the Security of Critical Infrastructure Act 2018 ^[2] beyond its outdated narrow focus on utilities to include other critical sectors of the economy, such as communications, transport, banking, healthcare and groceries. Industry-specific rules and standards will follow to improve security and resilience across these sectors. For the most vital infrastructure systems, the legislation will give the government a ‘last resort’ power to intervene in their operations in order to defend against a serious cyberattack.

These reforms are a necessary response to the risks that now confront society given the interconnections and interdependencies between the physical and the digital. Data is the nexus between these worlds, from personal information and metadata about consumers, to internal corporate emails, information about research and development, and the supervisory control systems used to operate industrial infrastructure.

Indeed, data is effectively the economy’s critical infrastructure. The proposed legislation recognises this new reality by including data storage and data processing in the expanded list of critical sectors.

However, the bill only partly protects the data controlled by these sectors and treats it inconsistently, erroneously focusing on its physical nature. This has the potential to create a dangerous gap in which we lose control of our data.

In practice, a critical infrastructure provider will either manage and secure its own critical business data or outsource some or all of those responsibilities to a third-party data processor, cloud service provider or data centre operator. That third party may store and maintain the data in physical facilities in Australia or overseas. A combination of these arrangements may be used for the primary and backup data stores to provide additional redundancy in case of disaster.

Data faces similar risks under each scenario, so it’s reasonable that equivalent security expectations and standards apply whether it’s stored onsite, outsourced to a third party, or moved offshore. Unfortunately, the proposed legislation doesn’t consider this and creates very different expectations around data security depending on how and where it’s stored.

Under the bill as currently drafted, an Australia-based third party becomes a critical infrastructure provider if it knowingly stores government data or the critical business data of another provider. It’s a case of ‘tag, you’re it’. A critical infrastructure provider’s data is so crucial to national security that the mere fact that it’s stored with an Australian-based service provider makes that third party a provider too.

That provider (rightly) will be subject to stringent legal requirements concerning cybersecurity, the security of its physical facilities, the resilience of its supply chain, and the trustworthiness of its employees and contractors.

A critical infrastructure provider that manages and secures its own data on-premises will be subject to a positive security obligation to manage and mitigate risks to its critical data assets, but not necessarily to the same standard that applies to data held by third-party service providers. Hence, the Australian Cyber Security Centre advises ^[3] organisations to consider the security risks of not shifting data to the cloud.

In stark contrast, a third party that stores and maintains a critical infrastructure provider’s critical business data overseas will not be expected to do anything to secure that data. This is because the new regime won’t apply to Australian data stored overseas.

Australia should not be so timid. Under the US CLOUD Act ^[4], the US government extends its jurisdiction over all data in the possession or control of American cloud providers wherever in the world it’s stored. And the European Union’s General Data Protection Regulation applies to data processing undertaken outside the EU if it relates to the supply of products to Europeans.

Besides the obvious security gap, Australia’s proposed legislation creates a perverse incentive for critical infrastructure providers—and their suppliers—to shift critical business data stores offshore to avoid security regulation under the regime and the associated costs. This is at odds with the emphasis placed on data security when physical critical infrastructure assets are sold to foreign investors.

Whereas the draft legislation doesn’t safeguard Australian data stored overseas or require its repatriation, the Foreign Investment Review Board will often make its approval of investments in critical infrastructure conditional on the data being kept in Australia in certified secure facilities. There should be no inconsistency here. After all, it’s the same data, just different custodians.

The proposed reforms are necessary and overdue. But given the increasing importance of data from a national security perspective, a critical infrastructure provider’s data should be treated as a critical asset regardless of whether it’s managed in-house, hosted by a third party or located offshore. It should be subject to equivalent security expectations and standards.

Ensuring this data is always stored and secured in Australia will not in itself prevent it from being targeted or compromised. But if Australia’s laws and authorities are to help secure and defend Australia’s critical data, it must first be brought within the new security regulatory regime.

To do otherwise is to surrender our sovereignty over data when it has never mattered more.