The Commonwealth Attorney-General has released a draft Security of Critical Infrastructure Bill 2017 (Bill) for public consultation, seeking comments by 10 November 2017. The proposed legislation is one element of the Government’s strategy to manage national security risks relating to Australia’s critical infrastructure. The draft Bill highlights that the owners and operators of such assets, including designated assets in the electricity, water and ports sectors, need to take proactive steps to ensure the security of those assets, including by implementing cybersecurity protections.
Critical Infrastructure Resilience Strategy
The Critical Infrastructure Resilience Strategy was first announced by the Australian Government in May 2015. The aim of the Strategy is to ensure, to the extent possible, that Australia’s critical infrastructure continues to operate in the face of all hazards. In January 2017, the Australian Government announced the establishment of the Critical Infrastructure Centre. The Centre is a core part of the Strategy and was established in response to a perceived need for a mechanism for owners and operators of critical infrastructure to work with the Federal and State/Territory Governments to protect critical infrastructure assets from national security risks, particularly espionage, sabotage and coercion. The proposed Bill is a further element of the Critical Infrastructure Resilience Strategy.
Assets to be regulated
The Bill applies to “critical assets” in the electricity, water and ports sectors. The Government estimates approximately 100 assets will be subject to the Bill, though there is scope for additional infrastructure to be added. Specific ports that are vital for defence purposes, liquid fuel imports and bulk cargo exports are “critical assets”. The ports that the Bill applies to are listed here. Other ports may be added under rules that may be put in place under the proposed legislation.
The electricity and water infrastructure that will be subject to the new regime is described generically. Critical electricity assets are networks etc. for the transmission or distribution of electricity, and critical water assets are water or sewerage infrastructure that services at least 100,000 connections. Although the Government also considers that telecommunications infrastructure is critical infrastructure, there is no need for that infrastructure to be subject to the proposed Bill, as it is subject to its own regime (see our briefing on the telecommunications security sector reforms here).
Key provisions of the Bill
Under the Bill:
- A critical assets register will be created to capture ownership/control and operation arrangements (this will not be public). This will give the Government (including the Critical Infrastructure Centre) greater information regarding those critical assets.
- The relevant Minister (currently the Commonwealth Attorney-General) will be able to, subject to certain preconditions being met, issue a direction to an owner or operator of a critical infrastructure asset to mitigate significant national security risks. This is referred to as the “last resort power”.
The critical assets register is primarily intended to inform the Australian Government of the foreign ownership or control of critical assets, given the Government does not currently have a comprehensive understanding of ownership and control arrangements for these assets (or regulation allowing it to seek this information). This reflects the Government’s belief that foreign involvement in critical infrastructure may increase national security risks of espionage, sabotage and coercion.
Although the type of direction that may be issued in exercise of the last resort power is broadly defined, the Bill provides that this power may only be used where there is a significant national security risk, the relevant entity does not take steps to mitigate that risk and there are no other existing regulatory frameworks that can be used to require the relevant entity to take mitigation action.
The Bill provides a reminder, if one is needed, of the importance of operators of critical infrastructure implementing robust cybersecurity measures.
The Australian Government has highlighted its concerns that national security risks for critical infrastructure are increasing, including as a result of increased cyber connectivity. Ensuring protection of critical assets from any form of cyber attack is therefore high on the Government’s agenda. As a result, the Government has stated in the explanatory material for the Bill that one area where directions may be given is the implementation of cybersecurity measures.
For owners and operators that are potentially the subject of the Bill, the best way to ensure that there is no risk of the last resort power being used in the cyber area is to ensure that appropriate cybersecurity measures are in place and are regularly tested and updated as technologies change.