The government wants to impose obligations on companies requiring them to report critical cyber security incidents within 12 hours.
Under the proposed laws, the government could also intervene in companies’ networks if there was a major cyber attack.
Shane Huntley from Google’s threat analysis branch said the government wrongly assumed it could intervene without making things worse.
“There’s a deeper underlying assumption that if something bad happens to a critical piece of Australia’s infrastructure, then the government is capable of stepping in and fixing that bad thing,” he said.
“There’s just a really big risk of the government stepping in and misunderstanding how the regulated entity operates and maybe making things worse.”
At the moment, companies share information with security agencies informally, without triggering notification thresholds, and they want to keep it this way.
They also want the government to better define what it considers a critical cyber security incident, and to give companies more time to assess and report problems.
Huntley said the proposed 12-hour time frame meant security agencies would be flooded with a constant stream of small reports about potentially insignificant things.
Appearing before parliament’s intelligence and security committee, he said court approval should be required before the commonwealth could intervene in company networks.
“It seems odd to us that judicial authorisation is typically required to obtain and exercise a simple search warrant, yet it isn’t required for such intrusive government intervention using ministerial powers that are far more extensive and wide-reaching,” Huntley said.
Google is concerned the prospect of the Australian Signals Directorate being able to install software on its networks would also alarm foreign customers.
Huntley said this wasn’t necessary anyway.
“I’m not aware of any unique capabilities and software that cannot be matched by the most robust system that we’ve built for ourselves,” he said.
Similar powers already exist for electricity, gas and water networks as well as critical ports.
But the government wants to expand them to encompass 11 other sectors including communications networks and data storage or processing centres.