Disruptive technologies and geopolitical competition are giving rise to a more intense cyber and physical threat landscape. Globally, we are seeing an increasing number of attacks against and probing of critical infrastructure. Motivations for these attacks vary from financial gain to causing damage and destruction to another nation.
The Security of Critical Infrastructure Act 2018 (SOCI Act) seeks to manage national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. The Security Legislation Amendment (Critical Infrastructure) Bill 2021 was passed by Parliament on 22 November 2021 (New Bill), substantially increasing the Federal Government’s power to impose obligations in relation to ‘critical infrastructure’ assets.
In this article, we consider the likely impact of the New Bill, which reviews and revises the SOCI Act.
What is the SOCI Act 2018?
The SOCI Act was passed in 2018 to manage national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. The SOCI Act applies to a range of specific assets.
The SOCI Act and its obligations for owners and operators commenced on 11 July 2018 and are about to be expanded under the New Bill.
On 29 September 2021, the Parliamentary Joint Committee on Intelligence and Security (Committee) published its Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Initial Bill) and statutory review of the SOCI Act.
The Committee recommended that the Initial Bill be split into two separate bills (i.e., the New Bill and a second bill (Second Bill)) to expand the critical infrastructure sectors covered by the SOCI Act, introduce mandatory reporting obligations and prioritise government assistance measures.
On 22 November 2021, the Australian Parliament passed the New Bill setting out these urgent security upgrade measures. Subject to Royal assent, the SOCI Act will be amended accordingly.
Past: Listed critical infrastructure assets and limited power to protect under the SOCI Act 2018
Register of Critical Infrastructure Assets
Since 2018, owners and operators of relevant critical infrastructure assets have had six months from the acquisition of critical infrastructure assets, or from the start of the asset operation, to register ownership and operational information on the Register of Critical Infrastructure Assets (Register). The Register is designed to provide the Government with a more detailed understanding of who owns and controls critical infrastructure assets, to support control in high-risk sectors and proactive management of the risks these assets face.
Information gathering power
The Secretary of the Department of Home Affairs has the power to request detailed information from owners and operators of assets in certain circumstances.
Ministerial directions power
The Minister for Home Affairs has the ability to direct an owner or operator of critical infrastructure to do, or not do, specific things to mitigate against a national security risk (where all other mechanisms to mitigate the risk have been exhausted).
Present: Expansion, control and security of critical infrastructure assets under the New Bill
Under the New Bill, key amendments to the SOCI Act include:
- broadening the definition of critical infrastructure sectors (from the original electricity, gas, water, and port sectors) to the following 11 sectors of the economy:
- the communications
- the data storage or processing
- the financial services and markets
- the water and sewerage
- the energy
- the healthcare and medical
- the higher education and research
- the food and grocery
- the transport
- the space technology
- the defence industry sector.
- expanding the definition of critical infrastructure assets to 22 different classes
- enforcing mandatory cyber incident reporting to the Australian Cyber Security Centre relating to critical infrastructure assets
- enlivening the Register of Critical Infrastructure Assets mentioned above
- creating a ‘Government assistance measures’ cyber incident response regime. This regime works as a default mechanism where there is no other regulatory system to provide a response to a cyber incident impacting a critical infrastructure asset which involves a material risk that the incident is seriously prejudicing, or is likely to seriously prejudice, the social or economic stability of Australia or its people, the defence of Australia or Australia’s national security. The regime increases the information gathering power of the Department of Home Affairs, which can provide directions and intervene to respond to an incident with strict approvals and legislative thresholds to be met.
Future: Risk management and cyber security obligations under the Second Bill
The New Bill is limited to the topics described above and is expected to be followed by the Second Bill and new rules in 2022.
The intention is for the Second Bill to include a risk management program that will require responsible entities of specified critical infrastructure assets to manage and mitigate natural and human-induced risks. Furthermore, the Second Bill is likely to introduce a ‘System of National Significance’, to which the prescribed ‘Enhanced Cyber Security Obligations’ will likely apply upon the Second Bill becoming law.
The Second Bill will be designed in consultation with industry.
What does this mean for owners and operators of relevant critical infrastructure assets?
The changes substantially widen the scope of what has been considered to be ‘critical infrastructure’ and increase the Federal Government’s power to impose obligations in relation to ‘critical infrastructure’ assets and sectors.
It is important to understand if the new regime applies to your assets or could apply to your Australian project and how to comply with the new rules.