The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) is currently before Parliament and may increase the regulatory burden for those responsible for critical infrastructure assets in designated 'critical' sectors, as well as the government's powers over those assets.
- Amendments to the Security of Critical Infrastructure Act are one step closer with the Security Legislation Amendment (Critical Infrastructure) Bill 2020 being introduced to Parliament on 10 December 2020
- Changes include expanding coverage of the Act to critical infrastructure sectors, introducing positive security obligations and creating a government assistance regime
- Stakeholders should consider contributing to the co-design of sector-specific rules in relation to the Act
In December 2020, the Department of Home Affairs introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (the Bill) into Parliament, following a period of public consultation and the receipt of 194 public submissions. The Bill seeks to amend the Security of Critical Infrastructure Act 2018 (Cth) (the Act), which established a framework for managing risks to national security related to 'critical infrastructure assets'; most notably, by creating a Register of Critical Infrastructure Assets (Register). The Act was viewed as a way to enable the government to assess vulnerabilities across its high priority assets and work collaboratively with industry to address these vulnerabilities, while imposing only a minimal and targeted regulatory burden. The Act previously only applied to critical infrastructure assets across the electric, gas, water and maritime ports sectors.
In response to an increase in cyber attacks in Australia, the Bill seeks to increase the regulatory burden for critical infrastructure assets by:
- expanding coverage of the Act to a further 11 sectors, designated as 'critical infrastructure sectors', which involves:
  - introducing definitions of 'critical infrastructure assets' specific to each critical sector; and
  - designating some 'critical infrastructure assets' as 'systems of national significance', which are subject to enhanced cyber security obligations;
- introducing a positive security obligation on those responsible for critical infrastructure assets, involving the following 3 aspects:
  - adopting and maintaining a critical infrastructure risk management program;
  - mandatory reporting of serious cyber security incidents; and
  - in some circumstances, providing ownership and operational information to the Register; and
- establishing a government assistance regime which creates powers for the government to respond to significant cyber attacks impacting critical infrastructure assets and sectors.
This article will provide an overview of the proposed changes under the Bill.
Critical Infrastructure Sectors
The 11 'critical infrastructure sectors' which the Bill covers are as follows:
- financial services and markets;
- data storage and processing;
- defence industry;
- higher education and research;
- food and grocery;
- health care and medical;
- space technology;
- transport; and
- water and sewerage.
These are the only sectors which:
- will be subject to the government assistance regime; and
- may have designated or prescribed critical infrastructure assets.
Critical Infrastructure Assets
The Bill introduces definitions for critical infrastructure assets specific to each critical sector. However, the Minister for Home Affairs (Minister) will also have the ability to prescribe or declare additional assets from these critical sectors as 'critical infrastructure assets'. The significance of an asset being declared 'critical' is that it will be subject to:
- the government assistance regime; and
- potentially, the positive security obligation.
Systems of National Significance
Some critical infrastructure assets will also be designated as 'systems of national significance' and be subject to enhanced cyber security obligations, such as:
- the development of cyber security incident response plans;
- cyber security exercises to build cyber preparedness;
- vulnerability assessments to identify vulnerabilities for remediation; and
- the provision of system information.
Positive Security Obligation
Those in critical sectors who are responsible for a critical infrastructure asset (whether by sector-specific definition in the Bill or prescription/declaration) may be subject to the positive security obligation. The positive security obligation involves 3 potential aspects:
- adopting and maintaining a critical infrastructure risk management program, requiring responsible entities to manage and mitigate risks by applying an all-hazards approach;
- mandatory reporting of serious cyber security incidents to the Australian Signals Directorate; and
- in some circumstances, providing ownership and operational information to the Register of Critical Infrastructure Assets.
Not every aspect will apply to every critical infrastructure asset; each aspect must be 'turned on' via rule for a specific critical infrastructure asset or a class of critical infrastructure assets.
Specific industry sectors may also have sector-specific requirements which will underpin the positive security obligation.
Government Assistance Regime
The Bill contains government assistance powers that may be invoked where serious cyber security incidents occur in relation to critical infrastructure sector assets. The Minister may invoke the government assistance powers in relation to a critical infrastructure asset where the Minister is satisfied that:
- a cyber security incident has occurred, is occurring, or is imminent;
- the incident is likely to impact a critical infrastructure asset;
- there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice:
  - the social or economic stability of Australia or its people;
  - the defence of Australia; or
  - national security; and
- there is no existing regulatory system that can be used to respond to the incident.
These powers may include:
- information-gathering directions;
- action directions; or
- an intervention request, whereby the Minister is able to access, alter, remove or disconnect parts of the asset in various ways.
Some public concern has been expressed regarding the extent of these powers; in particular, the power to intervene in a critical infrastructure asset.
Who is responsible for compliance with the Bill?
'Responsible entities' for a critical infrastructure asset will be responsible for compliance with the Bill and may be subject to the positive security obligation. The Bill creates definitions of 'responsible entities' specific to each critical sector; however, it is generally the entity that operates or is responsible for that asset. The Minister is also able to prescribe entities as being 'responsible' via rule.
In December 2020, the Bill was introduced into Parliament, with consultation to be conducted by the Department of Home Affairs at some point early this year through a staged, sector-by-sector approach to co-design elements of the Bill with relevant stakeholders. Although at this stage it is unclear when the Bill will be passed by Parliament, those with a vested interest in a critical infrastructure sector should consider engaging with the Department of Home Affairs or their industry association in order to contribute to the co-design process of the Bill.