An exposure draft of the Security Legislation Amendment (Critical Infrastructure) Bill would significantly broaden the application of the existing Security of Critical Infrastructure Act 2018 (Cth) to many more sectors and activities beyond electricity, gas, water and maritime ports, and:
- give the Federal Government greater powers, including to intervene in breach responses;
- introduce a "Positive Security Obligation" for critical infrastructure, including mandatory cyber incident reporting and a risk management program; and
- introduce enhanced cyber security obligations for "systems of national significance".
We encourage infrastructure owners and operators to review the Bill and consider making a submission by 5pm (AEDT) on Friday, 27 November 2020.
More sectors classed as "critical infrastructure"
The Bill would extend the Act to organisations operating in the following sectors:
- financial services and markets;
- data storage and processing;
- higher education and research;
- food and grocery;
- health care and medical;
- space technology;
- transport; and
- water and sewerage.
The Positive Security Obligation
COVID-19 has exposed potential vulnerabilities in Australia's critical infrastructure network including a potential domino effect of failure in one sector on the Australian economy and national security. The Federal Government has stated the new laws are necessary to ensure the resilience of Australia's critical infrastructure, particularly in the face of cyber-attack and natural hazards. The Bill introduces an "all-hazards" Positive Security Obligation involving three aspects:
- adopting and maintaining an all-hazards (both natural and human-induced) critical infrastructure risk management program, including an annual reporting obligation to the Secretary of Home Affairs;
- mandatory reporting of serious cyber security incidents to the Australian Signals Directorate; and
- where required, providing ownership and operational information to the Register of Critical Infrastructure Assets (which is not available to the public).
The Government is yet to detail the sector-specific rules for the risk management programs to be implemented; however, such programs will be based on principles-based outcomes developed in consultation with industry, including identification of material risks, mitigation strategies and effective governance. The key areas of risk to be managed will include:
- physical security risks;
- cyber security risks;
- personnel security risks; and
- supply chain risks.
Federal Government intervention in serious cyber incidents
Part 3A of the Bill introduces an additional emergency regime to provide for government intervention in the event of a serious cyber incident, where the responsible entity is unwilling or unable to respond appropriately. Government may only intervene in the most serious of circumstances in which Australia's national interests are being seriously prejudiced. Such intervention may take the form of the giving of directions to the responsible entity requiring it to do certain things in response to the incident, including for the purposes of gathering information. The Minister for Home Affairs must consult the responsible entity in relation to the proposed directions unless the delay would frustrate its effectiveness.
Penalties for non-compliance
Part 5 of the Act contains the existing enforcement measures available to the government if the civil penalty provisions are contravened, including enforcing payment of a fine, acceptance of an enforceable undertaking relating to compliance with a civil penalty provision, and injunctions. In addition to these measures, the Bill proposes to enliven the monitoring (Part 2) and investigation (Part 3) powers under the Regulatory Powers (Standard Provisions) Act 2014 (Cth). If enacted, this will allow authorised persons, by consent or under warrant, to search premises, inspect documents, seize evidence and ask questions, which may be relied upon to investigate offences under the Act.
Next steps for infrastructure owners and operators
The Government is seeking public comment on the Bill by 5pm (AEDT) on Friday, 27 November 2020, before its introduction to Parliament in late 2020. The new law is expected to take effect in mid-2021, following the design of the sector-specific rules.
The Bill further strengthens the scope of the Government's powers to monitor and intervene in Australia's critical infrastructure, with its oversight extending to the operations of communications networks, airports, freight infrastructure, supermarkets, universities, hospitals and banks. The Government is redefining critical infrastructure in Australia, and we encourage owners and operators to review the draft Bill and consider making a submission.