The Security of Critical Infrastructure Bill 2017 (Cth) and its associated draft Security of Critical Infrastructure Rules 2017 (Cth) propose the establishment of a register of ownership interests and key control and operational information for critical infrastructure assets.
The Register will be used by the Foreign Investment Review Board to assess national security risks when considering applications for foreign ownership of critical infrastructure assets.
The Act and Rules (once enacted) will also allow the Government to identify threats of sabotage, espionage and coercion and require owners and operators to develop mitigation measures to address those threats.
The draft legislation comes after the Federal Government established the Critical Infrastructure Centre in January 2017. The Bill is still a draft and stakeholders are able to provide feedback on the Bill until 10 November 2017.
The Bill and draft Rules are accompanied by an 83-page Explanatory Document issued by the Government and Critical Infrastructure Centre.
What are critical infrastructure assets?
The Act will apply to “critical infrastructure assets” in the electricity, ports and water sectors. According to the Explanatory Document, these sectors have been identified because “their existing regulatory regimes do not directly manage security risks of sabotage, espionage and coercion”. The Act will create obligations on “direct interest holders” and “responsible entities” of these critical infrastructure assets.
Critical infrastructure assets comprise:
- Critical electricity assets – all electricity network assets or systems used for the transmission or distribution of electricity. It will currently capture 9 electricity transmission assets, 16 electricity distribution assets and 6 interconnectors. It will also include electricity generators that are “critical to ensuring the security or reliability of an electricity network in a State or Territory”. This is defined as any generators providing system restart (“black start”) ancillary services and synchronous generators with installed capacities of more than: in NSW – 1,400MW, in Victoria – 1,200MW, in Queensland – 1,300MW, in WA – 600MW, in SA – 600MW, in Tasmania – 700MW and in the NT – 300MW.
- Critical ports – specific Australian ports gazetted as “security regulated ports” under the Maritime Transport and Offshore Facilities Security Act 2003 (Cth) (MTOFSA). The Rules specifically refer to 20 ports.
- Critical water assets – water utilities servicing at least 100,000 water and/or sewerage connections and holding a licence agreement with a State or Territory, which if disrupted would significantly impact the operations of large population hubs, economic interests and Government operations. At this stage it is not clear whether this would include desalination plants and significant wholesale water infrastructure.
- Any other assets declared to be critical infrastructure assets, and assets prescribed by the Rules - the Bill notes that there will only be a limited number of assets within this category. Sectors that may potentially be covered by this category could include natural gas pipelines and coal delivery systems such as railroads (as key components of the fuel delivery systems for critical electricity assets). Assets may not be declared under this category unless the Minister has consulted with the relevant Minister of the State or Territory in which the asset is located.
Most of the assets affected by the Minister’s declaration rights will be made public. However, the Minister may privately declare an asset to be a critical infrastructure asset where the Minister assesses there to be a risk to national security if it were publicly known that the asset is critical infrastructure.
The Bill is estimated to apply to approximately 100 assets in the electricity, ports and water sectors.
The telecommunications sector is also referred to in the Explanatory Document but is not mentioned in the Bill and Rules. Telecommunications are separately managed under the recent Telecommunications and Other Legislation Amendment Act 2017, which amends the Telecommunications Act 1997.
Direct interest holders
A direct interest holder is any person:
- holding a direct or indirect ownership interest of greater than 10% in a critical infrastructure asset (leasehold interests are expressly captured); or
- otherwise in a position to directly or indirectly influence or control the critical infrastructure asset.
Direct interest holders are required to report their interest and control information, which includes information about the control the direct interest holder has over decisions relating to the running of the asset (e.g. voting and veto rights and the ability to appoint persons to the board), information about any person they have appointed to the body that governs the asset and the access that they have to operating systems.
The Bill contains specific provisions regarding the interests of superannuation funds and the treatment of trustees. It also includes provisions dealing with the compliance obligations of partnerships.
A responsible entity is the person with operational control of the relevant critical infrastructure asset. The Bill specifies that the responsible person:
- for critical electricity and water assets, is the person holding the licence, approval or authorisation to operate the asset or provide the service delivered by the asset; and
- for a critical port, is the “port operator” under the MTOFSA. The Explanatory Document also appears to indicate that this may include the operators of distinct facilities within individual ports.
Responsible entities are required to report their operational information, which includes information about the location of the asset, a description of the area the asset services, information about the entity that is responsible for the asset, information about the chief operating officer of the asset, and a description of any operator arrangements for the asset. Operational information includes information in relation to systems access and the offshoring or outsourcing of controls and key operational matters.
The Register is intended to provide a deeper understanding of who owns, controls and has access to critical infrastructure assets. It requires interest and control information and operational information to be provided to the Government:
- direct interest holders in critical infrastructure assets will be required to provide interest and control information; and
- responsible entities will be required to provide operational information.
Direct interest holders and responsible entities will have six months to report, and are then obliged to notify the Government within 30 days of any change in this information or the occurrence of a “notifiable event”. The Centre also has the power to require a reporting entity or operator to provide any other information considered relevant to its functions.
The Register will not be made public.
The last resort power
The Act will include a power for the Minister to require direct interest holders and responsible entities to do, or refrain from doing, anything that the Minister considers to be a risk to security. This direction right will only apply if the Minister is satisfied that reasonable steps have been taken to negotiate in good faith with the relevant owner or operator to eliminate or reduce the security risk and other mechanisms, such as State or Territory powers, are unlikely to be effective.
The Minister must consult with the relevant State or Territory ministers having responsibility for the regulation or oversight of the relevant industry in which the critical infrastructure asset is located before this power is exercised.
The Bill provides for civil penalty provisions and the use of civil penalty orders or injunctions and enforceable undertakings. Certain provisions may attract criminal penalties.
The Explanatory Document includes the Government’s assessment of the likely annual compliance costs associated with the Act.
The Bill includes an obligation on “reporting parties” to report annually on their compliance with the Act. Direct interest holders and responsible entities are both reporting parties.
Separately, the Minister is required to report annually to the Federal Parliament on the use of the Minister’s various powers under the Act. This is intended to ensure the appropriate use of those powers, as well as oversight and accountability.
Relationship to foreign ownership
The Explanatory Document very clearly states that the Bill is “designed to strengthen the Government’s capacity to manage the national security risks of espionage, sabotage and coercion arising from foreign investment in Australia’s critical infrastructure”.
The linkage to foreign ownership in the Explanatory Document is interesting, as the Bill and Rules are of general application and barely mention foreign ownership (other than allowing access to the Register for the purposes of the FIRB process). The wording of the Explanatory Document is not likely to be helpful to already damaged foreign perceptions of Australia’s foreign investment regime in the wake of the Ausgrid decision.
The resilience of a critical infrastructure asset is not necessarily determined by foreign ownership or control of that asset. Emergency powers already exist under most State and Territory legislation for the Government to assume control of infrastructure assets in emergency situations. It is also interesting that the scope of the critical risk and resilience assessment does not at this stage include resilience of critical infrastructure assets in the face of other challenges such as natural disasters or climate change.
We noted in our article in February that the proposals differ from the equivalent critical infrastructure policies administered by the United States Department of Homeland Security. The US policies apply to 16 different industry sectors and are focussed on a broader range of events or circumstances that may affect the resilience and reliability of critical infrastructure. The US policies are not specifically linked to foreign ownership of the relevant critical infrastructure.
While obviously a relevant consideration to national security, the direct linkage to foreign ownership appears unnecessary. For example, why would a foreign party want to expend significant amounts of money to acquire an asset just to have the opportunity to then cripple it? Opportunities for cyber-terrorism and sabotage do not require ownership of the target assets. Further, domestic ownership of a critical asset does not make the relevant asset more resilient to external attack. On the other hand, the government does appear to be focussed on the access to data which ownership or control of some assets might provide.
However, the information in the Register regarding the sensitivities associated with critical infrastructure will be a valuable tool for the Foreign Investment Review Board in assessing foreign ownership applications. As seen in FIRB’s rejection of the foreign ownership of the Ausgrid electricity distribution network, a late appreciation of these sensitivities caused significant disruption to the New South Wales privatisation process and also caused significant concerns among foreign investors in Australian infrastructure assets. Pre-emptive understanding of risk issues should help streamline the FIRB process.
What it means for you
- a need for direct control investors to disclose interest and control information within 6 months of the Act becoming effective;
- a need to develop compliance and reporting systems regarding interest and control information and changes to that information; and
- the FIRB application process should become more streamlined and certain, as potential national security risks for critical infrastructure assets will have been previously identified. However, FIRB approval conditions may now include additional risk mitigation measures.
- a need for responsible entities to disclose operational information within 6 months of the Act becoming effective;
- a need to develop compliance and reporting systems regarding operational information and changes to that information;
- potential controls on offshoring and outsourcing of business operational control and access; and
- potential obligations to develop mitigation measures if the Critical Infrastructure Centre identifies any national security risks.
The exposure draft of the Bill is available here.
Please contact us if you require further information or if you would like to provide any feedback to include in a submission on the Bill and Rules. Submissions must be made by 10 November 2017.