On 22 November 2023, the Federal Government released the Australian Cyber Security Strategy and associated 2023-2030 Action Plan. The strategy and action plan address a wide range of practical and regulatory measures proposed to be taken to improve Australia's cyber resilience. Among the proposals are commitments to clarify and strengthen aspects of the Security of Critical Infrastructure Act 2018 (Cth) (the "SOCI Act").
As part of the strategy, the Federal Government has made five commitments involving further refinement of the SOCI Act.
The changes, described below, are only one aspect of the strategy – which sets out an ambitious slate of planned initiatives intended to create six "cyber shields" to protect Australia from cyber risks. While the action plan released alongside the strategy covers the period 2023-2030, the timing for implementation of specific items is not yet clear.
1. Ensure we are protecting the right entities
Currently, cyber security requirements for telecommunications providers are found in both the Telecommunications Act 1997 (Cth) (and its associated legislative instruments) and the SOCI Act. To avoid duplication and reduce complexity for telecommunications providers who operate in multiple critical infrastructure industries, these obligations are proposed to be consolidated within the SOCI Act.
Obligations will also be clarified for entities who are a "managed service provider" for a critical infrastructure asset. While the strategy does not provide further detail regarding how the obligations will be clarified, it is possible that new standards for the management of security risks developed as part of shield 2 will apply to managed service providers.
Legislative reform is also expected to introduce stronger cyber security obligations in the aviation and maritime sectors. However, it appears that these reforms will sit outside of the SOCI Act in existing industry-based legislation.
2. Ensure we are protecting the right assets
Further industry consultation will be undertaken in relation to the application of the SOCI Act to data storage systems. Currently, the definitions of "critical data storage or processing asset" and "business critical data" present challenges for businesses providing data hosting or processing services, as they involve some ambiguity and may result in the legislation applying to a service provider with little or no forewarning. Clarification of these concepts, and the mechanisms by which the provisions become binding on a service provider, would provide greater certainty for data hosting and processing providers regarding the scenarios in which they will become subject to obligations under the SOCI Act.
3. Enhance cyber security obligations for Systems of National Significance
The SOCI Act already contemplates a regime to apply specifically to systems declared by the Minister for Home Affairs as being "systems of national significance". To date, no systems have been declared as such. As part of the strategy, the Government now plans to expedite the implementation of the "systems of national significance" framework, which would include identification of the assets that fall within the scope of the regime.
4. Ensure critical infrastructure is compliant with cyber security obligations
The strategy flags that the Government will continue to encourage awareness of existing obligations under the SOCI Act (including requirements relating to risk management programs). To achieve this, the Government will implement a compliance monitoring and evaluation framework. The framework is likely to include various compliance powers, including an ability for the Government to direct responsible entities to uplift any risk management plans which are considered seriously deficient.
5. Help critical infrastructure manage the consequences of cyber incidents
The strategy proposes that a new legislative power be introduced to allow the Government to help organisations deal with the consequences of significant cyber incidents where no other Federal or State legislative levers are available. The power would allow the Government to authorise actions to be taken to manage the consequences of nationally significant incidents. We expect that the power is also likely to include an ability for the Department of Home Affairs to provide binding directions to organisations in relation to their management of cyber security incidents, similar to the powers included in the existing SOCI Act.
Industry consultations will also be held to determine how the Government can assist organisations to better manage cyber incidents.