The Federal Government has released an exposure draft of the Security of Critical Infrastructure Bill 2017 (Bill) and invited stakeholders to provide submissions on the Bill by 10 November 2017. The Bill provides for the creation of a register of critical infrastructure assets and requires owners and operators of those assets to provide information for the register. The Bill also provides the Government with a power to exercise control over critical infrastructure assets under certain circumstances.
If the Bill is enacted in its current form:
- owners and operators of prescribed ports, electricity and water assets will be required to provide information detailing the operational and ownership/control arrangements of their assets;
- the Government may direct these owners and operators to do or not do certain things with respect to their asset where there is a perceived risk to national security; and
- compliance costs may be substantial for some industries.
Who is this update relevant to?
Owners and operators of ports, assets involved in the generation or transmission of electricity, and water or sewerage infrastructure.
Why is the Government proposing the Bill?
The Government believes that increased foreign involvement in Australia’s critical infrastructure exposes that infrastructure to sabotage, espionage and coercion, specifically through ownership, offshoring, outsourcing and supply chain arrangements. The Bill is said to manage this risk by providing increased visibility as to the ownership, access to and operation of critical infrastructure assets, and the power to direct the owners and operators of those assets to act on the instructions of the Government under certain circumstances.
Application and key requirements under the Bill
The Bill is concerned with Australia’s critical infrastructure assets and the entities that operate or control those assets.
Critical infrastructure assets are ports, electricity and water assets that meet the definitions or threshold requirements of the Bill, assets declared to be a critical infrastructure asset by the Minister, and asset types prescribed by the rules.
The Bill imposes obligations on reporting entities, which are either responsible entities or direct interest holders. Responsible entities are, for electricity and water assets, entities which hold the relevant licence, approval or authorisation to operate the asset or provide the service delivered by the asset and, for ports, the port operator. Direct interest holders are entities which have a prescribed level of interest in the asset. Separate to reporting entities, the Bill also imposes obligations on operators of critical infrastructure assets (noting that an operator of an asset may also be the responsible entity for the asset).
Register of Critical Infrastructure Assets
Central to the Bill is the establishment of the Register of Critical Infrastructure Assets (Register) and the requirement that reporting entities provide information to populate it, namely operational information from the responsible entity and interest and control information from the direct interest holder(s).
Operational information includes general information about the relevant asset and the responsible entity, and the arrangements for operating the asset. Interest and control information includes general corporate information about the direct interest holder (including their type and level of interest in the asset) and information as to the level of influence or control they have in relation to the asset. Notably, interest and control information must disclose the ability of the direct interest holder’s board members (and/or other persons that govern the relevant asset) to directly access networks or systems necessary for control of the relevant asset.
Reporting entities must also provide further or updated information whenever a notifiable event occurs, including where the operational information or interest and control information becomes incorrect or incomplete and when an entity becomes a reporting entity for the asset.
Powers under the Bill
Power to direct
The Minister may direct a reporting entity or an operator of a critical infrastructure asset ‘to do, or refrain from doing, a specified act or thing’ during a specified time period if:
… in connection with the operation of, or the delivery of a service by, a critical infrastructure asset the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security.
The explanatory document for the Bill (ED) provides guidance as to how this threshold test might be satisfied in practice. However, further guidance may be required to assess whether risks identified in the ordinary course of business might be a risk prejudicial to security, or may develop into a risk prejudicial to security. For example, the ED implies that a malicious data breach might require the exercise of the power, but a reporting entity may not identify the precursors to such an event (for example, intermittent issues with a data management provider) as sufficiently serious to attract the powers under the Bill.
Before exercising the power the Minister must give the relevant entity notice of the proposed direction, negotiate in good faith with the entity to eliminate or reduce the relevant risk, and consider the costs that will be incurred by the entity to comply with the Minister’s direction.
Power to declare an asset a critical infrastructure asset
In addition to those assets prescribed as critical infrastructure assets under the Bill, the Minister may declare other assets critical infrastructure assets. To do so, the Minister must be satisfied that the asset relates to a relevant industry (ie electricity, water, ports or an industry described by the rules), that the asset is critical infrastructure that affects national security, and there would be a risk to national security if it were publicly known that the asset is critical infrastructure that affects national security.
The ED indicates that one instance where this power may be exercised is where an asset has a link or connection to a critical infrastructure asset, and there would be a significant national security risk if that link were to become publicly known. This interpretation appears to leave open that the rules may, in the future, include industries that support (ie are connected to) those critical infrastructure assets currently prescribed by the Bill, for example technology service providers (cloud infrastructure storing critical infrastructure asset data) and resource suppliers (raw materials). To that end, clients that suspect (or, from the provisions of the Bill, know) they have a link or a connection to a critical infrastructure asset should follow the development of this Bill closely.
Use of information and protected information
Certain information provided under the Bill is deemed protected information, unauthorised disclosure or use of which is an offence. In general terms protected information includes information which is obtained in complying with the provisions of the Bill, and notably includes the fact that the asset has been declared a critical infrastructure asset under the Bill.
The provisions concerning the authorised use and disclosure of protected information will be of particular importance to reporting entities and operators. If the Bill is enacted, care will need to be taken to ensure that business processes are updated to address the access to and handling of protected information.
Cost of compliance
The ED provides indicative compliance costs for the establishment of the Register and the use of the directions power under certain scenarios. Detailed review of this section of the ED is encouraged, particularly to inform any submission to the Government on the content of the Bill.
Notably, use of the directions power may attract significant costs for electricity transmission/distribution assets in particular, with one-off costs of up to $34 million and ongoing (annual) regulatory costs of up to $2.8 million under the example scenarios explored in the ED.
If enacted, the Security of Critical Infrastructure Bill could have far-reaching implications for reporting entities and operators of critical infrastructure assets, as well as for entities which own or operate assets connected to a critical infrastructure asset.
We suggest that clients affected by the Bill consider the general information above and, if they are concerned about the operation of the Bill, seek further advice. In particular, clients should consider:
- the information requirements under the Bill, and how to brief stakeholders in order to comply with this requirement;
- their operational arrangements, particularly where they concern the involvement of foreign entities, which might attract the attention of the powers of the Government under the Bill;
- the timetable for delivering the prescribed information if the Bill is enacted;
- their ongoing compliance arrangements under the Bill if it is enacted, and the attendant costs; and
- whether to make a submission to the Attorney-General’s Department by 10 November 2017 on the content of the Bill.