The next stage of the Australian Government’s ongoing reforms of the laws aimed at protecting Australia’s ‘critical infrastructure assets’ and ‘systems of national significance’ is underway, with the release of the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the ‘Bill’) on 9 November 2020.
The Bill is part of a package of proposed reforms aimed at achieving the main objective of Australia’s Cyber Security Strategy 2020, being to protect Australian businesses (and in particular, critical infrastructure providers) from sophisticated cyber threats, by amending the Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI Act’). The Bill follows in the footsteps of the reforms outlined in the Department of Home Affairs’ August consultation paper ‘Protecting Critical Infrastructure and Systems of National Significance’, the subsequent five-week consultation period with industry, and the nearly 200 submissions received in response.
The stated aim of the Bill is to introduce an enhanced regulatory framework to better protect essential services by uplifting the security and resilience of Australia’s critical infrastructure. The Bill aims to achieve this in three key ways:
Revised definition of the Critical Infrastructure Sector
The Bill introduces a revised definition of “Critical Infrastructure Sector” (and associated definitions of “Critical Infrastructure Sector Assets”) that will significantly expand the remit of the SOCI Act.
Whereas previously the SOCI Act covered specific assets in the electricity, gas, water and ports sectors only, the Bill expands the coverage to encompass 11 sectors deemed ‘critical’. These are:
- the Communications sector;
- the Financial Services and Markets sector;
- the Data Storage or Processing sector;
- the Defence Industry sector;
- the Higher Education and Research sector;
- the Energy Sector;
- the Food and Grocery sector;
- the Health Care and Medical sector;
- the Space Technology sector;
- the Transport sector; and
- the Water and Sewerage sector.
Within those ‘critical sectors’ the Bill introduces a broad definition of ‘Critical Infrastructure Sector Assets’, being “an asset that relates to a critical infrastructure sector”, as well as certain more specific and deemed definitions building on some of the existing SOCI Act definitions. The Bill also reserves a broad power for the Minister for Home Affairs to declare additional assets from those sectors as ‘critical’. Furthermore, a critical infrastructure asset can be declared a ‘system of national significance’ by the Minister, rendering it subject to the enhanced cyber security obligations.
Further details can be found in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 Explanatory Document.
New and enhanced obligations
The Bill introduces new and enhanced obligations on entities operating within the critical infrastructure sector, including:
- A Positive Security Obligation (PSO), which builds on the existing obligations in the SOCI Act to “embed preparation, prevention and mitigation activities into the business as usual operating of critical infrastructure assets”, thereby ensuring that the resilience of essential services is strengthened and providing greater situational awareness of threats to critical infrastructure assets. The PSO involves three aspects (each of which will only apply once a ‘rule’ is made in relation to that aspect for a critical infrastructure asset or a class of critical infrastructure assets):
  - Implementation of a Register of Critical Infrastructure Assets designed to assist Government in understanding who owns, controls and has access to critical infrastructure assets. Relevant entities will be required to provide “interest and control information” (i.e. basic details of any entity which has an ownership interest or the ability to control a relevant asset, along with the extent of that entity’s ownership or control over the asset) and “operational information” (e.g. the asset’s location, a description of the area the asset services, basic information about entities responsible for the operation of the asset and the arrangements in place with each operator) in relation to relevant critical infrastructure assets.
  - Adopting and maintaining an all-hazards critical infrastructure risk management program, designed to require responsible entities of critical infrastructure assets to manage and mitigate risks. Risk management plans must be reported annually to the Secretary of Home Affairs. Failing to develop, comply with, review or update a plan may result in a penalty of $44,400 (200 penalty units) per breach, and $33,300 (150 penalty units) for non-compliance with annual reporting obligations. Sector-specific rules will be developed with industry, requiring responsible entities to consider and address physical, cyber, personnel and supply chain security risks.
  - Mandatory notification of cyber security incidents to the Australian Signals Directorate, to facilitate the development of an aggregated threat picture and comprehensive understanding of cyber security risks to critical infrastructure, and to enable proactive and reactive cyber response options. A responsible entity must report that a critical cyber security incident has occurred or is occurring within 12 hours of the entity becoming aware that the incident has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset. The entity must also report any other cyber incidents that have occurred, are occurring or are imminent within 24 hours of the entity becoming aware that the incident has had, is having, or is likely to have, a relevant impact on the asset. Failing to comply with the reporting obligation may result in a penalty of $11,100 (50 penalty units) per breach.
- Enhanced cyber security obligations to support the sharing of near-real time threat information to strengthen the cyber preparedness and resilience of entities that operate the most critical of the critical infrastructure assets (‘systems of national significance’). These obligations include the development of cyber security incident response plans, undertaking of cyber security exercises to build cyber preparedness, vulnerability assessments to identify remediation actions, and provision of access to system information to build Australia’s situational awareness. Failing to comply with an obligation may result in a penalty of $44,400 (200 penalty units) per breach.
Government assistance and intervention
The most controversial aspect of the Bill has been the establishment of a regime for government assistance and intervention to respond to serious cyber security incidents and significant cyber-attacks that impact on the ability of Australia’s critical infrastructure assets to deliver essential services.
The Government’s stated intention is to work in partnership with industry to collaboratively resolve incidents. However, in acknowledgement of the fact that “Government maintains ultimate responsibility for protecting Australia’s national interests”, the Bill also gives Government powers to intervene in the event of an incident. Government intervention may occur where:
- a cyber security incident has occurred, is occurring or is imminent;
- the incident has had, is having or is likely to have a relevant impact on a critical infrastructure asset;
- there is a material risk that the incident has seriously prejudiced, is seriously prejudicing or is likely to seriously prejudice:
  - the social or economic stability of Australia or its people;
  - the defence of Australia; or
  - national security; and
- no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
If an incident meets these conditions, the Minister for Home Affairs may authorise the Secretary of Home Affairs to do one or more of the following for a certain period of time:
- give directions to a specified entity for the purposes of gathering information;
- give directions to a specified entity requiring the entity to take a specific action in response to the incident; or
- give a request to an authorised agency to provide specified assistance and cooperation in response to the incident.
To give an information gathering direction, the Minister must be satisfied that it is likely to facilitate a practical and effective response to the incident. An entity must comply with an information gathering direction to the extent that the entity is capable of doing so. Failing to do so can result in a penalty of $33,300 (150 penalty units).
To give an action direction, the Minister must be satisfied that all of the following criteria are met:
- the specified entity is unwilling or unable to take all reasonable steps to resolve the incident;
- the direction is reasonably necessary for the purposes of responding to the incident;
- the direction is a proportionate response to the incident, having regard to the impact of the direction on the activities carried on by the specified entity, the functioning of the asset concerned, the consequences of compliance with the direction and any other relevant matters; and
- compliance with the direction is technically feasible.
Failing to comply with an action direction can result in a penalty of 2 years’ imprisonment and/or a fine of $26,640.
In certain circumstances, the government may also authorise the Australian Signals Directorate to step in to respond to an incident including by accessing, modifying or analysing computer systems or data.
Following the current two-week consultation period, the Federal Government will introduce the draft Bill to Parliament, with hopes of it passing through both Houses by the end of 2020.
However, concerns have been raised by the Australian Information Industry Association, various technology companies (including Microsoft, AWS and the Software Alliance), several universities and other organisations over a number of aspects of the Bill, including the broad definitions used in the Bill (which will potentially subject a wide range of firms to the new rules, regardless of their nexus to the infrastructure sector), the operation of the Government’s new direct-action powers, and the speed at which the Government is seeking to push the legislation through the Parliamentary process. The emergency step-in power, in particular, has caused significant concern, with industry players questioning what checks and balances are in place and what avenues of review or appeal an infrastructure operator would have if the power were exercised.
Recommendations thus far proposed include economic impact assessments, regulatory impact statements, a review by the Parliamentary Joint Committee on Intelligence and Security, and further opportunities for consultation.
Submissions can be made via the Department of Home Affairs submission form prior to 5pm on Friday 27 November 2020.
Authors: Lesley Sutton, Nikhil Shah, Mark Ferguson and Rachel Stanton