As part of a broader strategy to strengthen the cyber security resilience of Australia’s infrastructure, the Government introduced the Security Legislation Amendment (Critical Infrastructure) Bill (the Bill) into Parliament on 10 December 2020. In response to a range of client queries on the implications of the Bill, we provide a short insight.
- The Bill proposes to substantially broaden the application of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) to 11 sectors of critical infrastructure;
- The Bill gives the Federal Government wider powers, including the ability to intervene and direct organisations to provide information or do specified acts when responding to cyber security incidents; and
- Proposed new obligations include:
  - a 'positive security obligation' for critical infrastructure, including mandatory cyber incident reporting and a risk management program; and
  - enhanced cyber security obligations for systems deemed to be of 'national significance'.
Who is subject to the changes?
The SOCI Act currently applies to operators of assets in only four critical infrastructure sectors - electricity, gas, water and ports.
The Bill introduces an expanded definition of 'critical infrastructure sector', which will broaden the application of the SOCI Act to 11 classes of critical infrastructure, including:
- data storage and processing;
- financial services and markets;
- food and grocery;
- health care and medical;
- higher education and research;
- space technology; and
- water and sewerage.
What are the new obligations?
Positive Security Obligations
The Bill introduces positive security obligations where the Minister for Home Affairs (the Minister) has made a rule or determination turning the specific obligation "on" for particular critical infrastructure assets. These positive security obligations may require entities to:
- adopt, comply with and regularly review an all-hazards critical infrastructure risk management program;
- report cyber security incidents to the Australian Signals Directorate (within 12 or 24 hours, depending on how critical the incident is); and
- provide ownership and operational information to the Register of Critical Infrastructure Assets.
Systems of National Significance
The Minister may declare a critical infrastructure asset a 'system of national significance', having regard to the nature and extent of interdependencies between the asset and other critical infrastructure assets. At this stage, no systems of national significance have been declared.
If declared a system of national significance, an entity may be subject to enhanced cyber security obligations, including requirements to:
- adopt, comply with, regularly review and provide to the Secretary of Home Affairs (the Secretary) an incident response plan for cyber security incidents;
- undertake a cyber security exercise to test response preparedness and mitigation, and provide an evaluation report to the Secretary;
- undertake a vulnerability assessment to be reported to the Secretary; and
- provide the Government with access to system information (excluding personal information).
Importantly, if the Secretary believes that a responsible entity would not be technically capable of preparing such system information reports, the Secretary may require an entity to install and maintain a specified computer program to collect, record and transmit the required system information.
Government Directions and Requests
The Bill introduces a Government assistance regime which permits the Secretary to enact one or more of the following directions and requests during and after a cyberattack that significantly prejudices Australia's social or economic stability, or national security:
- information gathering direction – direct an entity to disclose to the Secretary information that may assist with determining whether a power under the SOCI Act (as amended by the Bill) should be exercised in relation to the incident / asset;
- action direction – direct an entity to do one or more specified acts or things in response to the incident; or
- intervention request – request that the Australian Signals Directorate step in to do one or more prescribed acts or things (e.g. accessing, modifying or analysing computer systems or data).
What are the key industry concerns?
Concerns have been raised by organisations over the Bill – in particular, over the Government’s new direct-action powers and the wide range of organisations which will become subject to the new rules (regardless of their nexus to the traditional infrastructure sector).
Businesses and the Government have differing priorities in a cyber-attack, including:
- Private Sector – resume business as soon as possible; contain consequences of a breach; avoid reputational damage.
- Government – enhance Government-industry partnership; protect national interests.
Limited Rights to Appeal / Review
- Entities have limited rights to appeal a decision to impose directions and requests – for example, in circumstances where the organisation believes the direction or request is neither proportionate nor reasonably necessary, or where compliance with the direction is not technically feasible.
- The Minister and Secretary are not required to consult the affected entity if it would frustrate the effectiveness of the authorisation, direction or request.
- Judicial review under the Administrative Decisions (Judicial Review) Act 1977 (Cth) is not available for such decisions (due to national security considerations and concern with making information about cyber security incidents public).
What is next?
From January 2021, the Department of Home Affairs has been working to implement the reforms through consultation.
The Parliamentary Joint Committee on Intelligence and Security has commenced a review into the operation, effectiveness and implications of the Bill, due to be completed by 11 April 2021.