Parliament is proposing to split the Security Legislation Amendment (Critical Infrastructure) Bill, which will allow pressing reforms to be promptly legislated in the initial Bill, with further deliberation on less urgent elements.
Here’s why the Bill is being split
On 29 September 2021, the Parliamentary Joint Committee on Intelligence and Security tabled its Advisory Report on the draft Bill and the Statutory Review of the Security of Critical Infrastructure Act 2018 (Cth).
The Advisory Report was released as part of a concurrent review by the Joint Committee of both the draft Bill and the Act. This made sense from a timing perspective, as the Statutory Review of the Act was required to commence by 11 April 2021 and the draft Bill seeks to amend the Act.
In the Advisory Report, the Joint Committee has proposed major recommendations, including splitting the draft Bill into two separate bills to expedite the passage of critical elements of the draft Bill.
The Joint Committee believes splitting the draft Bill will allow:
- Parliament to promptly legislate pressing reforms in an initial Bill (Bill One); and
- the Government and relevant industries adequate time to further deliberate the less urgent elements of the draft Bill in a subsequent Bill (Bill Two).
Navigating the Joint Committee's Recommendations
In total, the Joint Committee made 14 recommendations in its Advisory Report:
- four general recommendations;
- seven specific recommendations for Bill One; and
- three specific recommendations for Bill Two.
General recommendations
- Split the draft Bill into two separate bills and pass Bill One after the recommended amendments are made (Recommendations 1 and 5).
- Amend section 13A(2) of the Intelligence Services Act 2001 (Cth) so that cooperation or assistance provided by an agency under that Act to agencies or other bodies prescribed by regulation is restricted to the functions, and the extent, authorised by other Commonwealth legislation (Recommendation 11).
- Review the risks to democratic institutions and consider how to protect them at all levels of government (Recommendation 12).
- Review the protocols for classified briefings and for making public announcements regarding such incidents (Recommendation 13).
Bill One recommendations
- Pass the government assistance measures in proposed Part 3A of the draft Bill, together with the expanded definitions and meanings of critical infrastructure sectors and assets (including other enabling provisions) (Recommendation 1).
- Amend the notification period for cyber security incidents so that formal written notification must be made within 84 hours after oral notification (in addition to the requirement that initial notification be made within 12 hours) (Recommendation 2).
- Require any determination made under the government's new powers in Bill One to be reported to the Joint Committee as soon as practicable (Recommendation 3).
- Require any request made under a government assistance measure to be notified to the Joint Committee in writing (Recommendation 4).
- Reform the Cyber and Infrastructure Security Centre so that it may provide technical support and advice regarding the functions of Bill One (Recommendation 6).
- Amend Schedule 2, relating to the Australian Signals Directorate's liability when performing actions under proposed Part 3A of the draft Bill, and include this schedule in Bill One (Recommendation 10); and
- Include a provision for the Joint Committee to review the operation of Bill One no less than 3 years after it receives Royal Assent (Recommendation 14).
Bill Two recommendations
- Defer the non-urgent elements that do not form part of Bill One (including risk management programs and declarations of 'Systems of National Significance') and pass them as Bill Two (Recommendation 7).
- Amend Bill Two in consultation with key stakeholders, then release it for feedback and further consultation before reintroducing it to Parliament and referring it to the Joint Committee for review (Recommendation 8).
- Co-design, agree and finalise the rules under Bill Two as far as possible before Bill Two is introduced, and make that material part of Bill Two's explanatory material (Recommendation 9).
Bill One – Dealing with immediate threats
Overall, the Joint Committee recommends prioritising the elements of the draft Bill which are relevant to dealing with immediate threats to Australia's national interest. In that light, passing Bill One in an expedited manner achieves two key things:
- it allows the government and the Joint Committee to recognise the increased risk of cyber-related crime and cyber vulnerabilities that can affect Australia's infrastructure; and
- it provides Australia with a more comprehensive framework to deal immediately with serious cyber incidents and ransomware attacks.
The most important element retained in Bill One is Part 3A of the draft Bill, which will provide governmental bodies such as the Department of Home Affairs' Cyber and Infrastructure Security Centre and the Australian Signals Directorate (ASD) substantive powers to respond to critical infrastructure threats expeditiously.
These powers include directing an entity to gather information or undertake an action, and authorising the ASD to intervene to protect assets immediately, where a cyber security incident has occurred, is occurring or is likely to occur. Although these government 'assistance measures' have been described as provisions of 'last resort', they have attracted significant concern from industry. The Joint Committee acknowledged those concerns, but concluded that the potential threat to Australia's critical infrastructure assets is too great to stall the introduction of these measures.
Other key elements of the draft Bill to be retained in Bill One include:
- the expanded definition and meaning of what constitutes a critical infrastructure sector and asset, where we note that the new sectors to be classed as "critical infrastructure" include:
  - financial services and markets;
  - data storage and processing;
  - higher education and research;
  - food and grocery;
  - health care and medical;
  - space technology;
  - transport; and
  - water and sewerage; and
- changes to the mandatory notification of cyber security incidents.
Bill Two – Less urgent elements
Bill Two is made up of the non-urgent parts of the draft Bill, including:
- the requirement for responsible entities to have in place, and comply with, sector-specific risk management programs along with mandatory annual reporting (Part 2A of the draft Bill); and
- declaring 'Systems of National Significance', which are those assets that are the most critical to the security, economy and sovereignty of Australia, and will therefore attract enhanced cyber security obligations (Parts 2C and 6A of the draft Bill).
The aim of the delayed Bill Two is to address industry feedback that is not taken into account in the expedited passage of Bill One. The Joint Committee proposes that Bill Two will take into account the obligations that industry and stakeholders have to their respective customers, follow a more collaborative process, incorporate various recommendations from industry representatives, and be released as an exposure draft for extensive consultation with affected industries.
Bill Two will then return to the Joint Committee for comment and submissions before it makes its way to Parliament.
When the draft of Bill Two is released in the future, and the related consultation process commences, we encourage owners and operators to consider making a submission.
What this means and what the future holds for critical infrastructure
As this is a developing area of law, industry representatives must keep an eye on any changes. Significantly, the Joint Committee has proposed to expedite Bill One conscious that limited time remains in the Parliamentary sitting calendar for 2021. It remains to be seen whether Parliament passes Bill One by the end of this calendar year, given the urgency expressed by the Joint Committee and the general bipartisan support for its recommendations.
In the meantime, we recommend that you have proper procedures in place to notify the appropriate authorities of any critical cyber security incidents, and that you turn your mind to what the government's new powers may mean for your business.
Rest assured – we will continue to monitor and update you on any changes to the law.