Introductory Info
Date introduced: 10
February 2022
House: House of
Representatives
Portfolio: Home
Affairs
Commencement: The
day after Royal Assent.
The Bills Digest at
a glance
Purpose
The Security
Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the
Bill) seeks to amend the Security of
Critical Infrastructure Act 2018 to implement additional
obligations on owners of critical infrastructure assets, particularly those
assets which are declared to be systems of national significance (SoNS) by the
Minister for Home Affairs.
History of
the Bill
While the majority of critical infrastructure assets in
Australia are owned or operated by the private sector and the states and territories,
the Australian Government has introduced a number of reforms aimed at
protecting and improving the resilience of Australia’s critical infrastructure.
The majority of the provisions of the Bill were originally
introduced into Parliament as part of the Security
Legislation Amendment (Critical Infrastructure) Bill 2020 [2021] (the 2020
Bill). Following consideration by the Parliamentary Joint Committee on
Intelligence and Security (PJCIS), the Government adopted a recommendation by
the PJCIS to amend the 2020 Bill to take out the provisions which required
further consultation with stakeholders. The remaining provisions were passed by
Parliament in November 2021 and are contained in the Security
Legislation Amendment (Critical Infrastructure) Act 2021.
Prior to reintroducing the deferred provisions, the
Department of Home Affairs undertook a consultation process which substantially
concluded on 1 February 2022. The Bill was then introduced into Parliament on
10 February 2022.
Parliamentary
Joint Committee on Intelligence and Security Inquiry
The PJCIS is currently conducting an inquiry into the Bill
and at the time of writing this Digest had received 48 submissions from
stakeholders.
Stakeholder
Comments
While stakeholders have generally supported the Bill in
principle, several broad concerns about the Bill have been raised, including
the timing of the introduction of the Bill; adequacy of consultation undertake
with industry; the level of overlap with existing cyber security obligations
imposed on industry and the need for merits review of certain decisions under
the framework. Stakeholders are also concerned with the likely regulatory
impact the Bill will have on their operating costs, particularly following the
COVID-19 pandemic.
With regards to the provisions contained in the Bill,
stakeholders are most concerned about the new power to be exercised by the
Minister to privately declare critical infrastructure assets to be SoNS and the
ability of the Secretary of the Department of Home Affairs to require a
relevant SoNS to install and maintain system information software that collects
and records system information to be transmitted to the Australian Signals
Directorate. Stakeholders also raised concerns about other aspects of the Bill,
including timing of the implementation period for critical risk management
programs and the ability for responsible entities to conduct background checks
of their employees under the existing AusCheck scheme.
Purpose of the Bill
The purpose of the Security
Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the
Bill) is to amend the Security of
Critical Infrastructure Act 2018 (the SOCI Act) to:
- require
responsible entities of certain critical infrastructure assets to adopt,
maintain and comply with a critical infrastructure risk management program
- require
responsible entitles for certain critical infrastructure assets to provide a
report to the Government where the assets are not covered by a critical
infrastructure risk management program
- allow
for responsible entities to conduct background checks on their employees under
the existing AusCheck
scheme
- amend
the relevant statutory liability exemptions to apply to personnel and
associates of entities that are related, or provide contractual services, to
responsible entities
- allow
the Minister to privately declare critical infrastructure assets to be systems
of national significance (SoNS)
- impose
enhanced cyber security obligations on entities responsible for SoNS, including
undertaking cyber security exercises and vulnerability assessments, and preparing
an incident response plan and
- amend
the current information sharing arrangements for protected information between
the Commonwealth, state and territory regulatory agencies.
The Bill makes a number of other amendments to various
definitions of critical infrastructure assets.[1]
The Bill also amends the AusCheck Act 2007
and the Criminal
Code Act 1995 to make consequential amendments to those Acts.
Background
Australia’s
critical infrastructure
What is ‘critical
infrastructure’?
The Australian and state and territory governments define
critical infrastructure as:
… those physical facilities, supply chains, information
technologies and communication networks which, if destroyed, degraded or
rendered unavailable for an extended period, would significantly impact the
social or economic wellbeing of the nation or affect Australia’s ability to
conduct national defence and ensure national security.[2]
Threats to
critical infrastructure
In justifying the need for recent reforms to further
regulate Australia’s critical infrastructure, the Government has stated that
‘Australia is facing increasing cybersecurity threats to essential services,
businesses and all levels of government’.[3]
The Prime Minister recently warned that cyberattacks are a ‘present threat’ and
a ‘likely response from Russia’ following the Government’s decision to impose
sanctions in response to Russia’s recent aggression against Ukraine.[4]
The Australian Signals Directorate (ASD) has stated that
‘Australia is facing increasing cyber security threats to essential services,
businesses and all levels of government’ and that ‘malicious cyber activity
against Australia’s national and economic interests is increasing in frequency,
scale, and sophistication’.[5]
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has also
noted that it has ‘received compelling evidence that the pervasive threat of cyber-enabled
attack and manipulation of critical infrastructure assets is serious,
considerable in scope and impact, and increasing at an unprecedented rate’.[6]
Over the 2020–21 financial year, the Australian Cyber
Security Centre (ACSC) received over 67,500 cybercrime reports, an increase of
nearly 13 per cent from the previous financial year, with self-reported losses
from cybercrime totalling $33 billion.[7]
The ASCS estimated that approximately one quarter of cyber incidents reported
during the reporting period were associated with Australia’s critical
infrastructure or essential services.[8]
Recent
reforms to critical infrastructure legislation
While the majority of critical infrastructure in Australia
is owned or operated by the private sector and the states and territories,[9]
the Australian Government has introduced a number of reforms aimed at
protecting, and improving the resilience of, Australia’s critical
infrastructure (as defined above).[10]
These have included strengthening foreign investment rules around who can own,
purchase or invest in critical infrastructure,[11]
and establishing the Critical Infrastructure Centre (which was replaced with
the Cyber
and Infrastructure Security Centre in September
2021).[12]
Passage of
the Security of Critical Infrastructure Act 2018
In March 2018, the Parliament passed the Security of
Critical Infrastructure Act 2018 (SOCI Act).[13]
The SOCI Act introduced significant new reforms to
allow the Government to manage critical infrastructure assets, including:
- establishing
a Register
of Critical Infrastructure Assets, which is not publicly accessible, setting
out information as to who owns and operates those assets[14]
and
- allowing
the Minister to give a direction to a reporting entity or an operator of a
critical infrastructure asset to do, or refrain from doing, a specified act or
thing within a certain timeframe.[15]
The SOCI Act commenced on 11 July 2018 and creates
a framework for the regulation of critical infrastructure assets across a
number of sectors.[16]
While the SOCI Act originally only covered specific assets in the electricity,
gas, water and maritime ports sectors,[17]
recent reforms (discussed further below) have expanded its coverage to include communications,
financial services and markets, data storage or processing, defence industry,
higher education and research, energy, food and grocery, health care and medical,
space technology, transport, and water and sewerage.[18]
Sections 10 to 12KA of the SOCI
Act define critical infrastructure assets by reference to specific
infrastructure that is core to the relevant sector. These definitions include
rule-making powers to prescribe requirements in relation to some of these
definitions (noting that some types of assets are defined as a critical
infrastructure asset without needing to be prescribed in the rules).[19]
The Security of
Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 prescribe
the circumstances when certain assets fall within the definition of a critical
infrastructure asset.
Paragraph 9(1)(f) of the SOCI Act gives the Minister
the power to prescribe an asset, or classes of assets, to be a critical
infrastructure asset provided the Minister is satisfied that the asset or class
of assets relates to a critical infrastructure sector and is critical to:
- the
social or economic stability of Australia or its people
- the
defence of Australia or
- national
security (subsection 9(3) of the SOCI Act).[20]
The Minister also has the power to privately declare an
asset to be a critical infrastructure asset where:
- the
asset is not otherwise a critical infrastructure asset
- the
asset relates to a relevant industry and
- the
Minister is satisfied that:
- the
asset is critical to the social or economic stability of Australia or its
people, the defence of Australia or national security and
- there
would be a risk to the social or economic stability of Australia or its people,
the defence of Australia or national security if it were publicly known that
the asset is a critical infrastructure asset.[21]
Declarations made by the Minister are not legislative
instruments, and for reasons of national security, are not published (though
the Minister must notify the responsible entity for the asset and the First
Minister of the state or territory in which the asset is located within 30 days
of making the declaration).[22]
Example of a critical infrastructure asset
Section 12K of the SOCI Act sets out the criteria for an asset to be a critical food and grocery asset.
Subsection 12K(1) currently provides that an asset is a critical food and grocery asset if it is a network that:
- (a) is used for the distribution or supply of:
- (i) food; or
- (ii) groceries; and
- (b) is owned or operated by an entity that is:
- (i) a critical supermarket retailer (which is an entity that is either specified in, or meets requirements set out in, the Rules)
- (ii) a critical food wholesaler (which is an entity that is either specified in, or meets requirements set out in, the Rules) or
- (iii) a critical grocery wholesaler (which is an entity that is either specified in, or meets requirements set out in, the Rules).
The Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 (LIN21/039) may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset (subsection 9(2) of the SOCI Act).
Currently, LIN21/039 prescribes Aldi Pty Ltd, Coles Group Limited and Woolworths Group Ltd as critical supermarket retailers (subsection 15(1)) and MetCash Trading Ltd as a critical grocery wholesaler (subsection 15(2)). Note that the Bill proposes to amend subsection 12K(1) to only allow for networks which supply essential food or essential groceries to be prescribed (see Items 40–41 of the Bill).
For examples of where classes of assets have been prescribed see section 10 of LIN21/039, which prescribes requirements for critical financial market infrastructure assets.
|
History of the Bill
Security
Legislation Amendment (Critical Infrastructure) Bill 2020
On 10 December 2020, the Government introduced the Security
Legislation Amendment (Critical Infrastructure) Bill 2020 [2021] (the 2020
Bill) into the House of Representatives.[23]
The purpose of the 2020 Bill was to introduce an enhanced regulatory framework
for critical infrastructure assets, building on existing requirements in the SOCI
Act.[24]
The 2020 Bill, as introduced, contained the following provisions:
- proposed
amendments to the Administrative
Decisions (Judicial Review) Act 1977 and AusCheck Act to
exclude certain decisions from judicial review and require entities to
undertake background checks of their employees
- proposed
amendments to existing Part 2 of the SOCI Act to expand the number of
crucial infrastructure assets required to be included on the Register of
Critical Infrastructure Assets
- introduction
of proposed Part 2A to require entities to establish risk management programs
- introduction
of proposed Part 2B to require entities to report cyber incidents to the
Government
- introduction
of proposed Part 2C to require entities declared to be SoNS to undertake enhanced
cyber security obligations
- introduction
of proposed Part 3A to give the Government new powers in responding to serious
cyber security incidents (including intervention, information gathering and
action directions) and
- • introduction
of proposed Part 6A which would outline mechanisms for making SoNS
declarations.[25]
Review of
the Security Legislation Amendment (Critical Infrastructure) Bill 2020
The 2020 Bill was referred to the PJCIS by Christian
Porter, then Attorney-General, on 11 December 2020 for inquiry and report.[26]
As part of its inquiry, the PJCIS also conducted the required statutory review
of the operation of the SOCI Act in conjunction with the review of the
Bill.[27]
The PJCIS received 88 submissions and held four public
hearings into the Bill.[28]
The PJCIS noted that stakeholders were concerned with both the content of the Bill
and the way in which the Government had consulted on the Bill’s impact on
industry:
… most, if not all, companies and industry bodies, trade
unions, and critical infrastructure assets owners and operators expressed some
form of reservation with the Bill, its consultative development, the unknown or
unquantifiable regulatory impact, or the contemporary rules development that
has occurred while the Committee conducted this review.[29]
Stakeholders requested that the Government pause the 2020 Bill’s
progress through Parliament to allow time to deal with the issues raised by
stakeholders, however the Government maintained that an urgent response was
required to counter the immediate threat to critical infrastructure assets.[30]
In evidence to the PJCIS, the Secretary of the Department
of Home Affairs (the Department), Michael Pezzullo, stated:
… once the bill achieves royal assent as an act of parliament
it allows us to activate certain emergency procedures under the government
assistance measures, and it is those measures that, frankly, I would prefer to
have on the statute books tonight.[31]
Both stakeholders and the PJCIS were concerned with the broad
delegations of legislative power contained in the 2020 Bill.[32]
The Law Council of Australia described the Bill as ‘extraordinary in terms of
the number, breadth and gravity of legislative powers it proposes to delegate
to the Minister and Secretary’ and ‘that it proposes to enable some delegated
powers to be exercised via non-legislative instrument (Ministerial declarations
in relation to assets, and Secretary’s notices in relation to cyber security
obligations)’.[33]
In balancing the concerns raised by stakeholders and the
need for the ‘increasing threat of cyber-related crime and security threats to
critical infrastructure assets to be countered’,[34]
the PJCIS recommended that the Government split out the non-urgent provisions
in the Bill to allow for further consultation to be undertaken.[35]
Specifically, the PJCIS recommended that reforms contained in Part 3A of the
Bill, along with the expanded definitions and meanings of critical
infrastructure assets, and other enabling provisions in Part 1, Part 2B, and
Schedule 2, be retained in the 2020 Bill (subject to some amendments), with the
rest of the provisions to be deferred.[36]
Splitting of
the 2020 Bill
The Government accepted the PJCIS’s recommendation that
the 2020 Bill be split into two separate Bills and subsequently amended the
2020 Bill which was passed by both Houses on 22 November 2021.[37]
The Security
Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI
Act) amended the SOCI Act to:
- expand
the scope of the SOCI Act from applying to four asset classes to
applying to 11 sectors and 22 asset classes
- expand
the requirement for responsible entities to provide ownership, operation,
interest and control information to be included in the Register of Critical
Infrastructure Assets
- require
responsible entities to provide mandatory reports in relation to cyber security
incidents to the ACSC’s online cyber reporting portal and
- provide
the Government with broad powers to respond to cyber security incidents
immediately prior to, during or following a significant cyber security incident,
including through intervention, information gathering and action directions.
With respect to the provisions which were not included in
the 2020 Bill, the PJCIS recommended the Government consult further with stakeholders
(including industry) and reintroduce the provisions in a subsequent Bill.[38]
The PJCIS further recommended that these provisions be amended in accordance
with recommendations outlined by the Business Council of Australia, Law Council
of Australia, and other stakeholders, in line with the following principles:
- any
definitions or meanings introduced by [the 2020 Bill] that have been clearly
identified as requiring modification or clarification as part of rules
co-design or in evidence to this review, or that require reconsideration as to
scope, be captured in revised definitions
- any
elements of [positive security obligations] PSOs or enhanced cyber security
obligations that can be aligned to international standards or to align with
existing best-practice critical infrastructure programs in other international
jurisdictions (ISO 31000 is an international risk management standard already
applied by many entities)
- any
decision or determination made that will affect an entity be amended to not
only include the existing consultation by the Minister or Secretary, but also
require a right of reply by the affected entity and consideration of that reply
in the final determination
- consideration
of potential impacts of [the provisions] on foreign investment attractiveness
and Foreign Investment Review Board processes
- the
currently drafted secrecy around declarations of assets as SoNS under proposed
section 52B of the [2020 Bill], and current section 51 of the [SOCI Act],
be amended to require that such declarations only be confidential if the
Minister is satisfied on reasonable grounds, that there is a significant risk
of harm to Australia’s defence or national security as a result of the
disclosure of the regulatory status of the asset
- ensure that
protected information provisions enable the appropriate and lawful exchange of
information among oversight and compliance assurance bodies
- formulating
a merits review system of appeal to the security division of the AAT for any
determination … for declarations under proposed Part 6A and proposed Part 2C,
once revised, with requisite access to protected information
- more
generally, consideration of the issue of merits review rights in respect of the
administrative decisions of the Secretary or Minister under other aspects of
the expanded [2020 Bill] framework and
- reconsideration
of the suitability of the types and breadth of immunities afforded to entities
under the entirety of the [2020 Bill’s] proposed framework...[39]
The PJCIS also recommended that the new Bill be released
as an Exposure Draft prior to being introduced into Parliament to allow for
further consultations to take place and upon introduction, the Bill be referred
to the PJCIS for review.[40]
At the same time, the PJCIS recommended that it should also undertake a review
of the operation of the provisions contained in the 2020 Bill (now the SLACI
Act) ‘to ensure that it is operating as intended, and is indeed being used
only as a last resort’.[41]
The Department has stated that the provisions of the Bill
have been amended in line with the principles outlined above.[42]
An Exposure Draft of the Bill was released for consultation between 15 December
2021 and 1 February 2022 and the Department received 70 submissions.[43]
Parliamentary
Joint Committee on Intelligence and Security
The Bill was referred to the PJCIS on 10 February 2022. The
PJCIS received 50 submissions and held a public hearing on the 16 March 2022.[44]
Senate
Standing Committee for the Scrutiny of Bills
The Senate Standing Committee for the Scrutiny of Bills (Scrutiny
of Bills Committee) raised concerns regarding the number of matters the Bill
leaves to be prescribed in delegated legislation.[45]
The Scrutiny of Bills Committee reiterated its position that ‘matters which may
be significant to the operation of a legislative scheme should be included in
primary legislation unless sound justification for the use of delegated
legislation is provided’ and sought advice from the Minister as to why it is
considered necessary and appropriate to leave such matters to delegated
legislation.[46]
The Scrutiny of Bills Committee also raised concerns regarding
the abrogation of the privilege against self-incrimination provided for in proposed
sections 30DG and 30DN of the SOCI Act (at item 58 of the
Bill), which prevent an individual from refusing to provide a report or complying
with a system information software notice on the grounds it may incriminate
them.[47]
While proposed sections 30DH and 30DP provide that the report or
information obtained cannot be used in subsequent criminal proceedings, it does
not limit information or evidence indirectly obtained from being used in
criminal proceedings against the person (referred to as derivative use
immunity).[48]
The Scrutiny of Bills Committee left it to the Senate as a whole to determine
the appropriateness of abrogating the privilege against self-incrimination in
circumstances where no derivative use immunity is provided.[49]
Policy
position of non-government parties/independents
While the Opposition has stated that it ‘supports
effective and rational measures to secure Australia’s critical infrastructure’,[50]
it has reserved its final position on the provisions of the Bill until the
PJCIS has completed its review and raised concerns with the Government passing
the Bill in the House of Representatives ahead of the Bill being considered by
the PJCIS.[51]
During the second reading debate on the Bill, Brendan
O’Connor, the Shadow Minister for Defence, moved the following amendment:
… whilst not declining to give the bill a second reading, the
House is of the opinion that, in listing the bill for debate before such time
as the Parliamentary Joint Committee on Intelligence and Security can conduct
its inquiry and table its report, the Government has broken long-standing
convention on national security legislation and substituted a bipartisan
approach in the national interest for its own political expediency.[52]
The Member for Kennedy, Bob Katter, also moved a motion (which
was seconded by the Member for Clark, Andrew Wilkie):
… and the House notes that:
- this
bill seeks to enhance the regulatory framework for Australian critical
infrastructure assets, particularly to improve protection against cyber
attacks; and
- to ensure that the bill meets its stated objects,
modifications be made to allow:
- coverage for Commonwealth and state and
territory government data;
- coverage
for critical data of Australian critical infrastructure providers that is
stored offshore; and
- the
declaration of a particular business’s critical data to be of national
significance and to require that such data must not be stored, transferred or
accessed outside of Australia.[53]
Both amendments were defeated, and the Bill passed the
House of Representatives on
16 February 2022.[54]
Position of
major interest groups
While stakeholders generally supported the Bill in
principle, broad concerns about the Bill have been raised, including:
- the
level of consultation with industry[55]
- the
reliance on delegated legislation[56]
- the
level of overlap with other security obligations (for example, under the Telecommunications
Act 1997)[57]
- the
lack of an independent oversight mechanism[58]
and
- the
adoption of previous feedback provided by stakeholders.[59]
Stakeholders also raised concerns with specific aspects of
the Bill, which are discussed further in the ‘Key issues and provisions’
section of this Digest. A number of submitters also continued to raise concerns
regarding the reforms introduced via the passage of the SLACI Act,
including the mandatory cyber incident reporting timelines and existing
definitions of critical infrastructure assets.[60]
Adequacy of
the consultation process
As an overarching point, a number of stakeholders raised
concerns with the consultation process and how quickly the Government was
seeking to pass the Bill.[61]
The Internet Association of
Australia, whose members include small to medium sized internet service
providers (ISPs), noted that:
… the Bill has since been referred to the Committee only 10
days after submissions closed, and we further note that it has now already been
introduced to the Lower House despite the inquiry still currently under way by
the Committee, thus before the Committee’s final report. Therefore, we raise
our concerns that the implementation of the Bill may be being rushed and
sufficient review and proper consideration of the feedback provided on the Bill
is not being afforded. Given the scope and subject matter of the Bill, we
strongly advise that this could have numerous serious adverse consequences for
businesses as well as the wider Australian society and could furthermore result
in greater security risks in contrast with the object of the Bill.[62]
The Business Council of
Australia noted that while the Department had ‘sought to undertake further
and inclusive consultation’, due to compressed timeframes:
… there are still areas where businesses remain unclear on
the implications of the proposed approach, or where the regulatory costs are
still to be determined. We also consider areas remain that could be improved,
in both the proposed Bill and the reforms that have already been legislated -
particularly the government assistance measures. We continue to think that
greater oversight of these powers and opportunities for businesses to work with
government will be critical to balancing the needs of government, business, and
the community.[63]
Lack of
independent oversight
Stakeholders were also generally concerned with the lack
of an independent oversight mechanism given the broad powers delegated to the
Executive (either the Minister or the Secretary) under the SOCI framework.[64]
Palo Alto,
an American multinational cybersecurity company, stated that it was:
… concerned by the exclusion of merits review for section
30CB, other Part 2C decisions and decisions to declare a system of national
significance. Given the potentially unprecedented and broad nature of these
powers, it is critical that entities have an appeal mechanism available to them
should they disagree with a Government decision or request.[65]
The Law
Council of Australia noted that the Bill does not implement the PJCIS’s
recommendation to formulate a merits review system of appeal to the Security Division
of the Administrative Appeals Tribunal (AAT) for any declarations under
proposed Part 6A and proposed Part 2C, once revised, with requisite access to
protected information.[66]
While referencing the Government’s position that
implementation of this recommendation was not appropriate due to concerns
around access to sensitive information,[67]
the Law Council argued that this position ‘does not engage with the substance
of the Law Council’s submissions’ on the 2020 Bill.[68]
Given ASIO’s security assessments issued for the purpose of the Ministerial
direction power under Part 3 of the SOCI Act are subject to merits
review in the Security Division of the AAT, this ‘highlights that effective
procedural mechanisms are already available to manage the dissemination and use
of classified or otherwise sensitive information in the context of merits
review’.[69]
Financial
implications
The Explanatory Memorandum states that the Bill ‘does not
impose any new expenditure and the overall financial impact is low’.[70]
Regulatory
impact
With respect to the cost to industry arising out of the
provisions of the Bill, the Department has stated that:
… the average expected costs for responsible entities to
implement, and maintain, the risk management program rules is currently an
average one-off cost of $9.2 million followed by an average ongoing cost of
$3.7 million per annum (p.a.), from the data provided so far.[71]
The Department has maintained that these figures are
‘quite low’ when compared with the potential cost to industry in the event of an
incident which would impact their business.[72]
However, some submitters have raised concerns regarding
the regulatory impact of the proposed provisions. Uniting Care Queensland stated
that its own preliminary assessment ‘indicates a substantially larger
compliance cost’ and that paying the financial penalties associated with
non-compliance would be the more financially sustainable option.[73]
Catholic Health Australia
argued that the additional compliance requirements would necessitate funding
support from the Government, noting the impact the pandemic has had on operating
margins and overall staff welfare.[74]
The Water
Services Association of Australia anticipates that declaring a water
business as a SoNS ‘is likely to have costs in the order of several hundreds of
millions of dollars’ with the cost currently hidden because such a declaration
is not subject to a regulatory impact statement.[75]
The Association argued this would have particular impacts in the water sector,
as the majority of entities operate under a system of controlled pricing, with
cost-recovery actions subject to regulatory approval.[76]
Statement of
Compatibility with Human Rights
As required under Part 3 of the Human Rights
(Parliamentary Scrutiny) Act 2011, the Government has assessed the
Bill’s compatibility with the human rights and freedoms recognised or declared
in the international instruments listed in section 3 of that Act.[77]
The Government states that the Bill engages the following
rights:
However, the Government considers that the Bill is
compatible with human rights:
… because it will promote rights and, to the extent that the
Bill limits rights, those limitations are reasonable, necessary and
proportionate to the objective of reducing national security risks in relation
to critical infrastructure.[81]
Parliamentary
Joint Committee on Human Rights
At the time of writing, the Parliamentary Joint Committee
on Human Rights had not yet considered the Bill.
Key issues
and provisions
Requirement
to adopt critical infrastructure risk management programs
Key provisions
Who must
adopt a risk management program?
Proposed Part 2A of the SOCI Act, at item
49 of the Bill (which comprises proposed sections 30AA to 30ANC)
requires responsible entities for critical infrastructure assets to adopt, and
maintain, a written critical infrastructure risk management program (a risk
management program) unless an exemption applies to the entity.[82]
A responsible entity (as per section 12L of the SOCI
Act) is a body licensed to operate the critical infrastructure asset. Proposed
subsection 30AB(1) provides that assets or classes of assets which have
either been prescribed in the rules or declared by the Minister to be critical
infrastructure assets to which the Part applies, are covered by proposed
Part 2A.[83]
The Explanatory Memorandum states that the rules will
initially specify asset classes ‘where there are not already sufficient
regulatory or administrative arrangements in place’, and lists which asset classes
are intended to be initially captured:
- critical
electricity assets
- critical
energy market operator assets
- critical
gas assets
- critical
liquid fuels assets
- critical
water and sewerage assets
- critical
financial market infrastructure assets that are a critical payment system
(other critical financial market infrastructure assets will not be captured)
- critical
data storage or processing assets
- critical
hospital assets
- critical
domain name system assets and
- critical
broadcasting assets.[84]
The Government has stated that the rules will provide that
the abovementioned assets will be covered by proposed Part 2A:
- if
the asset is a critical infrastructure asset on or before the commencement of
the proposed section 30AB rule— six months after the rule commences or
- if
the asset becomes a critical infrastructure asset after the commencement of the
proposed section 30AB rule— six months after the asset becomes a
critical infrastructure asset.[85]
The Explanatory Memorandum provides that given the current
supply chain impacts arising from COVID-19, proposed part 2A would not
be applied to critical freight services assets, critical freight infrastructure
aspects, and critical food and grocery assets until at least 1 January 2023.[86]
The Government has also acknowledged that it does not intend to 'switch on' any
of the positive security obligations (including proposed Part 2A) for
critical education assets as the University Foreign Interference Taskforce ‘will
deliver the same outcomes as intended by the critical infrastructure risk
management program obligation for critical education assets’.[87]
Proposed subsections 30AB(3)–(6) exempt certain
assets from the operation of proposed Part 2A. This includes where:
- the
rules provide that proposed Part 2A does not apply to a critical infrastructure
asset for a specified period[88]
- a
critical infrastructure asset is certified as strategic under the Government’s Hosting
Certification Framework (HCF)[89]
- a
responsible entity is subject to a prescribed statutory scheme (either at the
federal or state/territory level)[90]
or
- a
critical infrastructure asset is subject to a prescribed statutory scheme
(either at the federal or state/territory level).[91]
However, a responsible entity holding a HCF or covered by an
alternative statutory scheme remains subject to the annual reporting
obligations set out in proposed Part 2AA. These exemptions were not
included in the 2020 Bill as introduced. The Explanatory Memorandum states that
the HCF exemption responds to recommendation 7 of the PJCIS report and has been
‘inserted to minimise the regulatory overlap between the critical
infrastructure risk management program obligation and the HCF in response to
feedback received from the data storage and processing sector’.[92]
What does a
risk management program cover?
The Bill does not specify the form a risk management
program must take other than that it must be written. The Explanatory
Memorandum states that this reflects the Government’s intention to allow
responsible entities discretion and ‘recognises industry’s expertise and deep
knowledge of the unique challenges faced by each critical infrastructure asset
and ensures there is no unnecessary regulatory burden’.[93]
Proposed section 30AH provides that the purpose of
a risk management program is to:
- identify
each hazard where there is a material risk that the occurrence of the hazard
could have a relevant impact on the asset
- minimise
or eliminate any material risk of such a hazard occurring (so far as it is
reasonably practicable to do so) and
- mitigate
the relevant impact of such a hazard on the asset (so far as it is reasonably
practicable to do so).[94]
This is known as the ‘all-hazards approach’ where the
focus is on the impact of the hazard on the critical infrastructure asset as
opposed to specifically identifying potential hazards.[95]
In determining what constitutes a material risk, regard
must be had to the likelihood of the hazard occurring and the relevant impact
of the hazard on the asset if the hazard were to occur (though the rules may
also specify that a specific risk is a material risk).[96]
By not defining the term ‘material risk’ the Government has stated that it has
left it to responsible entities to determine what constitutes a ‘material risk’.[97]
The Explanatory Memorandum provides some guidance on what
risks should be identified:
For example, an asset that is hundreds of kilometres inland
would not be required to take steps to mitigate the significant physical impact
of a tsunami on the asset. This is not to say that an unlikely event that would
have a substantial impact would not in all circumstances be regarded as a
material risk. The hazards that the COVID-19 pandemic (a once-in-a-century
event) may have on the availability of workforce and day-to-day operations of
an asset are an example of such an unlikely event with such a significant
outcome it could still be assessed as a material risk and therefore need to be
addressed in a critical infrastructure risk management program.[98]
The Minister may also make rules providing that taking a specified
action in relation to a critical infrastructure asset (whether the action
applies to a specific asset or all assets) is considered to be an action that
either:
- minimises
or eliminates any material risk that the occurrence of a specified hazard could
have a relevant impact on the asset or
- mitigates
the relevant impact of a specified hazard on the asset.[99]
The Explanatory Memorandum states that these amendments
will allow the Government:
- to
mandate the steps responsible entities should be taking through their critical
infrastructure risk management program to address a particular risk
- to
provide ‘safe harbour’ by specifying that the taking of certain actions will
acquit the entity of a specific obligation and
- to
de-conflict requirements for entities with assets which fall within more than
one definition of critical infrastructure asset.[100]
Risk management programs must comply with any other requirement
specified in the rules (these may be of a general nature or relate to one or
more specified assets).[101]
In specifying such requirements, the Minister must have regard to:
- any
existing regulatory system (either at the federal or state/territory level)
that imposes obligations on responsible entities
- the
costs that are likely to be incurred by responsible entities in complying with the
requirements
- whether
the requirements are reasonable and proportional with respect to the purposes
set out in proposed paragraph 30AH(1)(b) (that is the identification of
relevant hazards, the minimisation of the risk of the hazard occurring, and the
mitigation of the impact of the hazard on the asset, should the hazard occur) and
- any
other matters the Minister considers relevant.[102]
The rules may also require a risk management program to permit
background checks to be conducted on individuals who are associated with assets
covered by proposed Part 2A under the Government’s AusCheck scheme (established
under the AusCheck Act).[103]
The 2020 Bill, as introduced, allowed for the rules to prescribe that a
critical infrastructure risk management program include provisions requiring
background checks of individuals to be conducted under the AusCheck scheme.[104]
These provisions have been amended to enable but not require a responsible
entity to conduct background checks on their employees via the AusCheck scheme.
The Bill also makes consequential amendments to the AusCheck Act to
allow for such background checks to be conducted where permitted under a risk
management program.[105]
What are an
entity’s obligations with respect to a risk management program?
Proposed sections 30AC–30AF require responsible
entitles who have adopted a risk management program to maintain, comply with, review,
and update the program. These are all civil penalty provisions and the maximum penalty
for failing to either adopt and maintain, comply with, review or update a risk
management program is 200 penalty units ($44,400) for an individual or 1,000
penalty units ($222,000) for a body corporate.[106]
A responsible entity will be allowed to vary or revoke a risk management
program,[107]
provided the entity continues to maintain a risk management program and the
variation or revocation complies with any matters set out in the rules.[108]
The Explanatory Memorandum provides that the ability of the Minister to specify
in the rules certain matters that must be considered by a responsible entity
when adopting, reviewing and varying their critical infrastructure risk
management program has been included in response to stakeholder feedback (it
was not included in the 2020 Bill as introduced).[109]
Responsible entities required to maintain a risk
management program will also be required to prepare and submit an annual report
to either the relevant Commonwealth regulator,[110]
or the Secretary of the Department which includes:
- a
statement as to whether the program was up to date at the end of the financial
year, if the entity had the program in place at that time and
- a
statement about any hazard that had a significant impact on one or more
proposed Part 2A assets.[111]
The report must be in a form approved by the Secretary and
must be approved by the relevant board, council, or other governing body with
respect to the entity where one exists.[112]
Failure to meet these obligations is an offence punishable by 150 civil penalty
units ($33,300) for an individual or 750 penalty units ($166,500) for a body
corporate.[113]
Power of the
Minister to make rules
As discussed above, proposed sections 30AB, 30AH and
30AKA enable the Minister to make rules for the purposes of specifying:
- that
proposed Part 2A applies to an asset or class of assets
- requirements
with respect to risk management programs
- matters
that an entity must have regard to when adopting, reviewing or varying a risk
management program.
In making such rules, the Minister is required to publish
a notice setting out a draft version of the rules on the Department’s website
inviting stakeholders to make submissions within a specified period and to consider
any submissions received within the period.[114]
The Minister is also required to give copies of the notice to each
state/territory First Minister.[115]
The consultation requirement does not apply with respect
to rules made under proposed sections 30AH and 30AKA if the
Minister is satisfied:
- that
there is an imminent threat that a hazard will have a significant relevant
impact on a critical infrastructure asset or
- that
a hazard has had, or is having, a significant relevant impact on a critical
infrastructure asset.[116]
Where consultation does not occur before the rules are
made, the Secretary of Home Affairs must conduct a review of the rules pursuant
to proposed section 30AM. The Minister must table a copy of the
Secretary’s statement of findings in both Houses of Parliament within 15
sitting days of having received it.[117]
While subsection 14(2) of the Legislation Act
2003 generally prevents the rules from applying, adopting or
incorporating a matter contained in another instrument or document as in force or
existing from time to time, proposed sections 30AN and 30ANA allows for
the rules to apply, adopt or incorporate:
- any
matter contained in a state/territory law
- any
matter contained in a standard proposed or approved by Standards Australia or
- any
matter contained in a relevant document
as in force or existing from time to time.
Proposed subsection 30ANA(2) lists which documents
are considered to be a relevant document and allows for the rules
to prescribe other documents as a relevant document. In proposing
to prescribe a document as a relevant document, the Minister must
take undertake consultations.[118]
Proposed section 30ANC sets out the process for
disallowing rules made by the Minister which prescribe a relevant
document. This process excludes the operation of the general
disallowance provisions in section 42 of the Legislation Act. While it
is normal practice that a legislative instrument commences the day after it is
registered (or at a time specified in the instrument) and continues to have effect
until either House passes a resolution disallowing the instrument, proposed subsection
30ANC(3) provides that rules specifying a relevant document do
not take effect until the day after the last day the rules are subject to
disallowance.[119]
The Explanatory Memorandum states:
This is a distinct disallowance scheme that applies
specifically in relation to rules under paragraph 30ANA(2)(f), to afford
transparency and Parliamentary oversight of any document that may be prescribed
as a ‘relevant document’ that may be incorporated in rules made under sections
30AH and 30AKA as in force from time to time whilst still permitting those
rules to reflect best Australian and international risk management practices.[120]
Concerns raised by stakeholders
Stakeholders raised concerns about the six-month timeframe
to implement risk management programs for existing critical infrastructure assets.[121]
Catholic Health Australia argued that the additional requirements ‘could not
come at a worse time’ following the pandemic and an 18-month implementation
period would be more appropriate.[122]
Uniting Care Queensland (UCQ) submitted that the timeframe
was impractical and would result in ‘surge costs’:
…the proposed Bill could require UCQ to conduct AusChecks
over 4,200 staff (not including contractors) at the same time as many other
organisations are conducting the same checks. The inevitable backlog in
processing will result in costly delays impacting service delivery, staffing
and costs – in what is already a severely strained sector. In addition, the
proposed Bill could require UCQ to conduct physical access checks across its
sites and more than 4,200 staff (not including contractors) to ensure they do
not inadvertently have access to ‘critically’ deemed areas (e.g. a chemical
storage area).[123]
The Clean
Energy Council stated that ‘six months is insufficient to allow for the
required forward planning and essential budgeting across the coming financial
years’ and that the regulatory costs involved in preparing risk management
programs ‘has the potential to change the fundamental business case of smaller
projects, impede new investment, and ultimately outweigh the new benefits of
the Security of Critical Infrastructure framework’.[124]
Amazon Web
Services (Amazon) welcomed the recognition of strategic certification under
the HCF as meeting the requirements of the risk management program but sought
further clarification as to whether the annual reporting requirements are met
by ongoing certification under the HCF.[125]
Emergency Management Victoria advocated for State-based risk management
frameworks (including Victoria’s critical infrastructure resilience framework)
to also be recognised as meeting the requirements for a risk management program
under the SOCI Act.[126]
The Australian
Logistics Council questioned the drafting of proposed section 30AH
which sets out requirements for a risk management program. It considered that
as proposed subsection 30AH(1) references a written program, ‘this would
not allow an entity to compile a number of documents that, in concert, meet the
requirements for a risk management program’ (as suggested in the Explanatory
Memorandum).[127]
Further, even if this was legally feasible, the Australian Logistics Council
argued that this would not work in practice given the high penalties that apply
for failing to submit such a program and that legal advisors would require the
relevant Board to take a conversative view and adopt a specific purpose
designed document.[128]
Union groups such as the Australian Services Union, Electrical Trades Union
and the Australian Council of
Trade Unions (ACTU) continued to raise concerns regarding the provisions
allowing for responsible entities to conduct background checks on their
employees under the existing AusCheck scheme.[129]
It was argued that the provisions would ‘put too much power in the hands of
employers to collect personal information about our members’ and may lead to an
infringement of their workplace rights.[130]
In its submission, the ACTU raised concerns that some businesses may subject
their entire workforce to background checks and that the definition of ‘critical
worker’ in the draft rules ‘is insufficient protection against unnecessary
background checks or abuse of the system’.[131]
The ACTU recommended that ‘the definition of critical worker should be
strengthened and placed in primary legislation, and supplemented with
safeguards to prevent the unnecessary, unwarranted, or excessive use of
background checks’.[132]
Sunwater Ltd also noted the
limitations for employers in using the AusCheck scheme and cautioned against it
as a ‘default’ compliance mechanism.[133]
New
reporting obligations for assets not covered by a risk management program
Key
provisions
Proposed Part 2AA of the SOCI Act, at item
49 of the Bill (which comprises proposed sections
30AP to 30AQ) sets out reporting obligations for responsible entities
exempt from having to prepare a risk management program specified in proposed
subsections 30AB(4)–(6) (a responsible entity holding a HCF or covered by
an alternative statutory scheme).
These responsible entities must prepare and submit an
annual report to either the relevant Commonwealth regulator or the Secretary of
the Department which includes:
- the
reasons why the assets are covered by proposed subsections 30AB(4)–(6) and
- if
a hazard has a significant relevant impact on one more of those assets, a
statement identifying the hazard and evaluating the effectiveness of any
actions taken by the entity for the purposes of mitigating the significant
relevant impact of the hazard on the assets concerned.[134]
The report must be in the in a form approved by the
Secretary and must be approved by the relevant board, council, or other
governing body with respect to the entity, where one exists.[135]
Failure to meet these obligations is an offence punishable by 150 civil penalty
units ($33,300) for an individual or 750 penalty units ($166,500) for a body
corporate.[136]
Expansion of
civil immunities
Key
provisions
Items 54, 60, 62 and 63 of the Bill amend
the relevant statutory liability exemptions set out in sections 30BE, 35AAB,
35AW and 35BB of the SOCI Act to expand their application to:
- members,
officers and employees of related company groups (such as parent
or subsidiary companies of regulated entities subject to obligations under the SOCI
Act)[137]
and
- contracted
service providers to regulated entities.[138]
The Explanatory Memorandum states that the current
immunities in the SOCI Act ensure that entities, when acting in response
to a compulsory legal direction, are not subject to civil liability. Therefore,
entities are not forced to choose between complying with a lawful direction or
a contractual obligation.[139]
In response to stakeholder feedback, the PJCIS recommended
that the Government reconsider ‘the suitability of the types and breadth of
immunities afforded to entities under the entirety of the [2020 Bill’s]
proposed framework’.[140]
Concerns raised by stakeholders
While welcoming the proposed amendments, the Law Council
of Australia identified three gaps which would not be captured by the expanded
civil immunity provisions:
- contracted
service providers to ‘related companies’, where a ‘related company’ is
responsible for the activities which would enable the regulated entity to
comply with its obligations under the SOCI Act
- actions
of a regulated entity (or those of a related company or contracted service provider)
which are not clearly referable to one or more specific regulatory obligation
under the SOCI Act and
- acts
done in preparation for future regulatory obligations, which are not yet in
force.[141]
The Law Council of Australia also noted that immunity under
the SOCI Act only applies to ‘proceedings for damages’ and ‘it is
possible that other remedies and causes of action may be relevant in the types
of matters sought to be regulated by the newly expanded regime’.[142]
The Law Council recommended that the PJCIS consider this as part of its current
inquiry and that the Bill be amended to include additional causes of action.[143]
Microsoft
argued that the civil immunity provisions should be amended to remove the
qualifier that the individual or entity has acted in ‘good faith’:
It is currently unclear what constitutes good faith
and whether protections would be forfeited in the event Microsoft exercised
available legal remedies to enjoin certain government interventions that we may
believe are inappropriate. A liability exemption that requires an
organisation to forfeit fundamental legal rights and remedies or negotiate a
preferred course of action under the legislation would be deeply problematic.
Microsoft urges the Government to clarify the intended applicability of the
‘good faith’ standard and ensure that it does not undermine an entity’s legal
rights.[144]
[emphasis added]
Declaration
of systems of national significance
Key
provisions
Item 71 of the Bill inserts proposed Part
6A into the SOCI Act (comprised of proposed sections 52A to 52F)
which allows the Minister to privately declare, in writing, a critical
infrastructure asset to be a SoNS where the Minister is satisfied that the
asset is of national significance.[145]
In determining whether an asset is of national
significance the Minister must have regard to:
- the
consequences that would arise for the social or economic stability of Australia
or its people, the defence of Australia, or national security if a hazard were
to occur that had a significant relevant impact on the asset
- the
nature and extent of any interdependencies between the asset and another
critical infrastructure asset that the Minister is aware of and
- any
other matters the Minister considers relevant.[146]
The Minister must notify, in writing, within 30 days of
making the declaration:
- each
reporting entity for the asset and
- the
First Minister of the state/territory where the asset is located (if required).[147]
Before making a declaration, the Minister must give the
responsible entity a notice setting out the proposed declaration. This notice
must set out the reasons for making the declaration, unless the Minister is
satisfied that doing so would be prejudicial to security.[148]
The responsible entity then has 28 days (or less, where urgent circumstances
exist) in which to provide a submission.[149]
A responsible entity can also request, by way of written
notice to the Secretary of Home Affairs, to have a declaration reviewed. Such
an application may only be made once within a 12-month period.[150]
The review must be carried out within 60 days and in consultation with the
responsible entity.[151]
In reviewing whether the asset is of national significance the Secretary must
have regard to the same matters that the Minister must consider in deciding to
declare an asset (set out above) and must provide a report of the review and a
statement setting out their findings to the Minister.[152]
The Minister must revoke a determination where they are no longer satisfied the
asset is of national significance.[153]
Reporting entities for assets which have been declared to
be SoNs must notify the Secretary of Home Affairs if they cease to be a
reporting entity for the asset or where an additional entity becomes a reporting
entity.[154]
Failure to meet these obligations is an offence punishable by 150 civil penalty
units ($33,300) for an individual or 750 penalty units ($166,500) for a body
corporate.[155]
Concerns raised by stakeholders
A consistent theme amongst stakeholders was that the
minimum 28-day consultation period was too short and unreasonable given the
technical nature of the obligations.[156]
Stakeholders also recommended that the Bill be amended to
require the Government to engage with a responsible entity before the Minister
gave notice of a proposed SoNS declaration.[157]
Telstra noted that this would
likely happen in practice, given the Government would need to work with the
entity ‘to adequately understand the impacts if an asset is compromised and the
nature of any interdependencies with other critical infrastructure assets’.[158]
Stakeholders also proposed that the Bill be amended so
that any submissions made by an entity in response to a proposed declaration were
included in the matters the Minister must have regard to in determining whether
an asset is of ‘national significance’.[159]
This reflects the recommendation made by the PJCIS that ‘any decision or
determination made that will affect an entity be amended to not only include
the existing consultation by the Minister or Secretary, but also require a
right of reply by the affected entity and consideration of that reply in the
final determination’.[160]
In its report, the PJCIS also recommended that the
provisions (as introduced in the 2020 Bill) be amended to provide that
declarations will only be confidential if the Minister is satisfied on
reasonable grounds, that there is a significant risk of harm to Australia’s
defence or national security as a result of the disclosure of the regulatory
status of the asset.[161]
Amazon also argued that the Minister should be required to share the rationale
for the declaration of a SoNS with the impacted entity as withholding important
information on threats to the entity’s own assets may hinder the ability of the
entity to appropriately manage its cyber security risks.[162]
A number of stakeholders also raised concerns about the
lack of review of the Minister’s power to make a declaration. The UNSW Allens Hub for Technology,
Law and Innovation noted that that the primary check on the exercise of
that power lies with the Secretary under section 52E of the SOCI Act
and recommended that the Government appoint an independent reviewer, ‘like the
Independent Reviewer of Adverse Security Assessments, with the appropriate
security clearances in place’.[163]
Enhanced
cyber security obligations
Key
provisions
Item 58 inserts proposed Part 2C (which
comprises proposed sections 30CA to 30DA) into the SOCI Act
to create a number of enhanced cyber security obligations that the Secretary
may require the responsible entity for a SoNS to undertake.
These include:
-
statutory incident response planning obligations (proposed Part
2C, Division 2)
-
undertaking cyber security exercises (proposed Part 2C, Division
3)
-
undertaking vulnerability assessments (proposed Part 2C, Division
4)
-
providing access to system information (proposed Part 2C, Division
5).
Statutory
incident response planning obligations
Proposed section 30CB provides the Secretary with the
power to determine, by written notice to a responsible entity for a SoNS, that
statutory incident response planning obligations apply to the entity in
relation to the SoNS and cyber security incidents. The determination must not
take effect earlier than the end of the 30-day period that began when the
notice was given.[164]
In making the determination, the Secretary must have
regard to the following criteria:
-
the costs that are likely to be incurred by the entity in
complying with the statutory incident response planning obligations (specified
in proposed Division 2, Subdivision B)
-
the reasonableness and proportionality of applying the statutory
incident response planning obligations to the entity in relation to the system
and cyber security incidents
-
such other matters (if any) as the Secretary considers relevant.[165]
Proposed section 30CC allows the Secretary to
revoke a determination by giving written notice to the responsible entity.
Proposed sections 30CD–30CH create obligations a
responsible entity for a SoNS must comply with in the event they are subject to
a determination. These obligations are:
-
adopting and maintaining an incident response plan (proposed
section 30CD)
-
complying with the plan (proposed section 30CE)
-
reviewing the plan on a regular basis (proposed section 30CF)
-
taking all reasonable steps to ensure the plan is up to date (proposed
section 30CG) and
-
providing a copy of the newly adopted or varied plan to the
Secretary (proposed section 30CH).
Failure to comply with each of the above obligations may
attract a maximum civil penalty of 200 penalty units ($44,400) for an
individual or 1,000 penalty units ($222,000) for a body corporate.
Proposed section 30CJ defines an incident response
plan to mean a written plan that:
-
applies to an entity that is the responsible entity for a SoNS
-
relates to the system
-
relates to cyber security incidents
-
the purpose of which is to plan for responding to cyber security
incidents that could have a relevant impact on the system[166]
and
-
complies with such requirements (if any) as are specified in the
rules.
A responsible entity for a SoNS may vary an incident
response plan,[167]
or revoke and adopt another plan that applies to the entity.[168]
Cyber
security exercises
Proposed section 30CM provides the Secretary with the
power to require, by written notice, a responsible entity for a SoNS to
undertake a cyber security exercise in relation to the system and all types, or
one or more specified types, of cyber security incidents, within the time
specified in the notice.
The period specified in the notice must not take effect
earlier than the end of the 30-day period that began when the notice was given.[169]
However, before giving the notice, the Secretary must consult the entity and
the relevant Commonwealth regulator that has functions relating to the security
of the relevant system.[170]
In deciding whether to give a notice to an entity, the
Secretary must have regard to the criteria set out in proposed subsection
30CM(5) which are significantly similar to the criteria listed in proposed
subsection 30CB(4) (outlined above).
The notice may require the entity to do any or all of the
following:
-
allow one or more specified designated officers to observe the
cyber security exercise
-
provide those designated officers with access to premises for the
purposes of observing the cyber security exercise
-
provide those designated officers with reasonable assistance and
facilities that are reasonably necessary to allow those designated officers to
observe the cyber security exercise
-
allow those designated officers to make such records as are reasonably
necessary for the purposes of monitoring compliance with the notice
-
give those designated officers reasonable notice of the time when
the cyber security exercise will begin.[171]
Proposed subsection 30CN
defines a cyber security exercise to mean an exercise:
-
that is undertaken by the responsible entity for a SoNS
-
that relates to the system
-
that either relates to all types, or one or more specified types,
of cyber security incidents
-
the purpose of which is to (depending on whether the exercise
relates to all types or relevant specified types of cyber security incidents):
- test the
entity’s ability to respond appropriately to all types or relevant specified
types of cyber security incidents that could have a relevant impact on the
system
- test the entity’s
preparedness to respond appropriately to all types or relevant specified types
of cyber security incidents that could have a relevant impact on the system
- test the
entity’s ability to mitigate the relevant impacts that all types or relevant specified
types of cyber security incidents could have on the system and
- that
complies with such requirements (if any) as are specified in the rules.
The above definition is purposely non-prescriptive to
ensure that the focus is not on the form of the exercise but rather on the
purpose or outcomes the exercise is trying to achieve.[172]
A failure to comply with a notice issued under proposed
section 30CM may attract a maximum civil penalty of 200 penalty units ($44,400)
for an individual or 1,000 penalty units ($222,000) for a body corporate.[173]
Under proposed section 30CQ, the responsible entity
for a SoNS must prepare an internal evaluation report relating to a cyber
security exercise (that is undertaken under proposed section 30CM) and
provide a copy of the report to the Secretary, within 30 days after the
exercise’s completion or a longer period allowed by the Secretary. A failure to
do so may attract a maximum civil penalty of 200 penalty units ($44,400) for an
individual or 1,000 penalty units ($222,000) for a body corporate.[174]
However, if the Secretary has reasonable grounds to
believe that an evaluation report prepared or purported to have been prepared
by the entity under proposed section 30CQ was not prepared appropriately,
or the entity has contravened proposed section 30CQ, the Secretary may,
by written notice, require the entity to appoint an external auditor to prepare
a new evaluation report.[175]
Proposed section 30CS defines an evaluation report
to mean a written report, the purpose of which is to (depending on whether the
exercise relates to all types, or one or more specified types, of cyber
security incidents):
-
evaluate the entity’s ability to respond appropriately to all
types or relevant specified types of cyber security incidents that could have a
relevant impact on the system
-
evaluate the entity’s preparedness to respond appropriately to
any specified or all types of cyber security incidents that could have a
relevant impact on the system
-
evaluate the entity’s ability to mitigate the relevant impacts
that all types or relevant specified types of cyber security incidents could
have on the system and
-
that complies with such requirements (if any) as are specified in
the rules.
This definition of an evaluation report mirrors the
wording in proposed paragraph 30CN(1)(e) (a limb of the definition of a
cyber security exercise under proposed subsection 30CN(1)) but uses the
word ‘evaluate’ instead of the word ‘test’ in describing the purpose of an
evaluation report.
Vulnerability
assessments
Proposed section 30CU provides the Secretary with the
power to require, by written notice, a responsible entity for a SoNS to
undertake or cause to be undertaken a vulnerability assessment in relation to
the system and all types, or any specified types, of cyber security incidents,
within the time specified in the notice.
Proposed section 30CY defines a vulnerability
assessment as an assessment:
-
that relates to a SoNS
-
that either relates to all types, or one or more specified types,
of cyber security incidents
-
the purpose of which is to test the vulnerability of the system
to all types or any specified types of cyber security incidents and
-
that complies with such requirements (if any) as are specified in
the rules.
Before exercising their discretion, the Secretary must
have regard to the criteria set out in proposed subsection 30CU(3).
These criteria are significantly similar to those outlined in proposed
subsection 30CB(4) for statutory incident response planning obligations
mentioned above and identical to proposed subsection 30CM(5) for cyber
security exercises.
Before giving the notice, the Secretary must consult the
entity and the relevant Commonwealth regulator that has functions relating to
the security of the relevant system.[176]
Under proposed subsection 30CZ(1), an entity
undertaking or causing to be undertaken a vulnerability assessment must also
prepare, or cause to be prepared, a vulnerability assessment report (as defined
in proposed section 30DA) relating to the assessment and give a copy of
the report to the Secretary within 30 days after the assessment’s completion or
a longer period allowed by the Secretary.
Further, if the Secretary has reasonable grounds to
believe that an entity would not be capable of complying with a notice, or the
entity has not complied with a notice, the Secretary has the discretion to give
a designated officer a written request to undertake a vulnerability assessment
in relation to the system and all or any specified types of cyber security
incidents within a specified period.[177]
The Secretary must also give a copy of this request to the entity.[178]
Proposed subsection 30CW(4) outlines the same
consultation requirements for the Secretary as those under proposed
subsections 30CM(6) and 30CU(4).
If a request is given to a designated officer, the
Secretary may, by written notice, require the entity to provide the designated
officer with any or all of the below:
-
access to premises for the purposes of undertaking the
vulnerability assessment
-
access to computers for the purposes of undertaking the
vulnerability assessment
-
reasonable assistance and facilities that are reasonably
necessary to allow the designated officer to undertake the vulnerability
assessment.[179]
Under proposed subsection 30CZ(2), a designated
officer undertaking a vulnerability assessment must also prepare a
vulnerability assessment report and give a copy of the report to the Secretary—equivalent
to obligations for an entity under proposed
subsection 30CZ(1).
An entity’s failure to undertake a vulnerability
assessment, to prepare a vulnerability assessment report, or to provide reasonable
assistance may attract a maximum civil penalty of 200 penalty units ($44,400)
for an individual or 1,000 penalty units ($222,000) for a body corporate.[180]
Access to
system information
System information periodic reporting notices
Proposed subsection 30DB gives the Secretary power
to issue a system information periodic reporting notice if:
-
a computer is needed to operate or is a SoNS and
-
the Secretary believes on reasonable grounds that a relevant
entity for the SoNS is technically capable of preparing periodic reports
consisting of information that:
- relates to the
operation of the computer
- may assist with
determining whether a power under the SOCI Act should be exercised in
relation to the SoNS and
- is not personal
information (within the meaning of the Privacy Act 1988).
The Secretary has the power through a system information
periodic reporting notice to require the entity to prepare periodic reports
that comply with proposed paragraphs 30DB(2)(a)–(b) and give those
reports to ASD.
In deciding whether to give a system information periodic
reporting notice to the entity, the Secretary must have regard to the following
criteria:
-
the costs that are likely to be incurred by the entity in
complying with the notice
-
the reasonableness and proportionality of the requirements in the
notice and
-
such other matters (if any) as the Secretary considers relevant.[181]
System information event-based reporting notices
Proposed subsection 30DC gives the Secretary power
to issue a system information event-based reporting notice if:
-
a computer is needed to operate or is a SoNS and
-
the Secretary believes on reasonable grounds that each time a
particular kind of event occurs, a relevant entity for the system of national
significance is technically capable of preparing a report consisting of information
that:
- relates to the
operation of the computer
- may assist with
determining whether a power under the SOCI Act should be exercised in
relation to the SoNS and
- is not personal
information (within the meaning of the Privacy Act).
The Secretary has the power through a system information
event-based reporting notice to require the entity to prepare reports that comply
with proposed paragraphs 30DC(2)(a)–(b) and give those reports to ASD.
In deciding whether to give a system information event-based
reporting notice to the entity, the Secretary must have regard to the following
criteria:
-
the costs that are likely to be incurred by the entity in
complying with the notice
-
the reasonableness and proportionality of the requirements in the
notice and
-
such other matters (if any) as the Secretary considers relevant.[182]
Proposed sections 30DD and 30DE respectively set
out the consultation and notice duration requirements for a system information
periodic reporting notice or a system information event-based reporting notice.
A failure to comply with either a system information
periodic reporting notice or a system information event-based reporting notice
to the extent that the entity is capable of doing so may attract a civil
penalty of 200 penalty units ($44,400) for an individual or 1,000 penalty units
($222,000) for a body corporate.[183]
System information software notices
Proposed subsection 30DJ gives the Secretary power
to issue a system information software notice if:
-
a computer is needed to operate or is a SoNS and
-
the Secretary believes on reasonable grounds that a relevant
entity for SoNS would not be technically capable of preparing reports
consisting of information that:
- relates to the
operation of the computer
- may assist with
determining whether a power under the SOCI Act should be exercised in
relation to the SoNS and
- is not personal
information (within the meaning of the Privacy Act).
Proposed subsection 30DJ(2) gives the Secretary
power to require the entity that is given a system information software notice
to:
-
install a specified computer program on the computer within a
specified period
-
maintain the installed computer program
-
take all reasonable steps to ensure the computer is continuously
supplied with an internet carriage service that enables the computer program to
function.
In deciding whether to give a system information software
notice to the entity, the Secretary must have regard to the following criteria:
-
the costs that are likely to be incurred by the entity in
complying with the notice
-
the reasonableness and proportionality of the requirements in the
notice and
-
such other matters (if any) as the Secretary considers relevant.[184]
Further, a computer program may only be specified in a
system information software notice if the purpose of the computer program is
to:
-
collect and record information that:
- relates to the
operation of the computer
- may assist with
determining whether a power under the SOCI Act should be exercised in
relation to the SoNS and
- is not personal
information (within the meaning of the Privacy Act) and
-
cause the information to be transmitted electronically to the ASD.[185]
Proposed sections 30DK and 30DL respectively set
out the consultation and notice duration requirements for a system information
software notice.
A failure to comply with a system information software
notice to the extent that the entity is capable of doing so may attract a civil
penalty of 200 penalty units ($44,400) for an individual or 1,000 penalty units
($222,000) for a body corporate.[186]
Concerns raised by stakeholders
Risks of
system faults and vulnerabilities caused by the installation of computer
programs
Various stakeholders raised concerns with proposed section
30DJ, which provides the Secretary the power to require a relevant SoNS to
install and maintain system information software that collects and records
system information to be transmitted to ASD.[187]
Various stakeholders have noted the potential for this
system information software to lead to system faults and vulnerabilities which
may interrupt critical services.[188]
Communications
Alliance explained what some of the impacts might be on IT systems:
Introducing any software into an IT system without careful
coding and testing could result in system disruptions and vulnerabilities being
introduced into the system. In the case of complex IT systems run by cloud service
providers, improperly vetted software could lead to significant outages and
cybersecurity risks, not only to the systems of the cloud service providers,
but also to the systems of their customers. Additionally, the mandatory
installation of government software on any IT service provider’s system would
cause customers to doubt the integrity of the IT service provider’s services.[189]
BSA | The
Software Alliance (BSA), which represents members of the global software
industry, noted that the Bill ‘does not require the Secretary to consider the effects
that any potential software installation may have on the SoNS’.[190]
This therefore allows the Secretary to ‘require software to be introduced into
highly complex [critical infrastructure] systems without adequate testing or
vetting by SoNS staff, or knowledge of the asset and its interdependencies’.[191]
BSA recommended that the Government make a number of amendments to the Bill,
including providing the Secretary with the right to request, but not the
authority to compel, the installation of software in SoNS.[192]
The Information
Technology Industry Council was concerned about the broader impact of these
provisions, particularly ‘the precedent this would set for any government
intelligence agency to force private entities to install intrusive software on
their private networks’.[193]
The Business Council of Australia also noted that ‘the
potential costs of the use of this kind of power are well beyond the possible
benefits’ and ‘it will create concerns for international businesses considering
investing in Australia or considering purchasing Australian based services’.[194]
Liability
and indemnity issues arising from compliance with enhanced cyber security
obligations
Some stakeholders have pointed out that there is a lack of
clarity in the Bill regarding liability and indemnity issues in the event of
economic or non-economic loss suffered by an entity having complied with an
enhanced cyber security obligation directed by the Secretary.[195]
Amazon noted that the Bill ‘does not provide an entity
with any immunities when complying with a cyber security exercise,
vulnerability assessment, or information access request’ and ‘such compliance
may require an entity to provide confidential information of a third party
(which may or may not be in contravention of a non-disclosure agreement between
the entity and that third party)’.[196]
Amazon argued that this is not a reasonable position to be
placed in and that it is unacceptable:
… for an entity to accept given compliance with a Government
direction, in situations under the threat of civil penalty or imprisonment, may
have a material or significant impact on an entity’s business, operations, or
customers or require significant resources and cost. The Bill should allow an
entity to recover the reasonable and actual costs of compliance with a
Government direction.[197]
Similarly, the UNSW Allens Hub for Technology, Law and
Innovation also noted that ‘the Bill does not contain immunity or compensatory
provisions concerning harms causally related to the exercise of those powers
exercised under [proposed subsection 30DJ]’.[198]
In its submission on the Exposure Draft of the Bill, the Australian Industry Group
proposed that there should be appropriate legislative safeguards to ensure that
compliance with any enhanced cyber security obligations ‘cannot be used to
exclude an insurer's liability under a policy of insurance e.g. cyber insurance’.[199]
Amendments
to protected information provisions
The SOCI Act defines protected information
by reference to how the document or information has been obtained (for example,
where it is obtained by a person while exercising powers, or performing duties
or functions, under the SOCI Act).[200]
Items 18–20 of the Bill expand the definition of protected information
to reflect the amendments contained in proposed Parts 2A, 2C and 6A of
the SOCI Act.
There are circumstances where the use and disclosure of
protected information is authorised and permitted under the SOCI Act. Items
64–69 of the Bill amend existing provisions that authorise the use and
disclosure of protected information to facilitate information sharing between
responsible entities and state, territory and Commonwealth government agencies.
Item 64 inserts proposed section 42A, which
authorises the Secretary to disclose protected information for the purpose of
developing or assessing:
-
proposed amendments to the SOCI Act
-
proposed rules under the SOCI Act or
-
proposed amendments to rules under the SOCI Act.
The Secretary may also make a record of or use protected
information for the purpose of that disclosure.
Item 65 inserts proposed section 43AA, which
authorises the Secretary to disclose protected information to a Commonwealth
Ombudsman official for the purposes of exercising powers, or performing duties
or functions, as an Ombudsman official. This proposed section also provides the
Secretary with the power to make a record of or use protected information for
the purpose of that disclosure.
Item 66 inserts proposed section 43E, which
authorises an entity to disclose protected information that relates to the
entity to the following persons for the purposes of enabling or assisting them
to exercise their powers, or perform their functions or duties:
-
a Minister of the Commonwealth or a Minister of state or a territory
who has responsibility for the regulation or oversight of the relevant critical
infrastructure sector to which the protected information relates
-
a person employed in the applicable ministerial office or
-
the head of the applicable government agency or an officer or
employee of that agency.
Proposed subsection 43E(2) authorises an entity to
disclose certain protected information with the Secretary’s consent.
Item 69 inserts proposed subsection 46(5) which
provides an exception to the offence in section 45 of the SOCI Act for unauthorised
disclosure of protected information to the extent an entity discloses protected
information to a Commonwealth Ombudsman official for the purposes of exercising
powers, or performing duties or functions, as a Commonwealth Ombudsman
official.[201]
Concerns raised by stakeholders
Stakeholders raised several concerns about the proposed
amendments to the relevant disclosure mechanisms contained in the SOCI Act.
Sunwater submitted that the drafting of the provisions
fails to accommodate ordinary and operational use of information in achieving
information security:
…proposed section 43E over-regulates the use and disclosure
of ‘protected information’ by requiring Secretary consent for almost all
documents and information falling within the ‘protected information’
definition. This would have a significant impact on both asset operation and
the information provided to the Minister by entities in addition to causing
significant strain on the Secretary’s role.[202]
The Communications Alliance pointed out that the
definition of protected information has been drafted to fulfil
entities’ compliance obligations under the SOCI Act and the Bill, but
that:
… this information is not unique to the fulfilment of
compliance obligations, i.e. this information is necessary for the execution of
ordinary business processes and functions. As currently drafted, by using this
information for compliance with the requisite security obligations, entities
can no longer disclose this information in the ordinary course of business
operations. This is not practical and, consequently, not acceptable …[203]
The Australian Information Industry Association recommended
that the Bill be amended to permit entities to disclose SoNS declarations of
assets (subject to relevant confidentiality agreements et cetera.) to a limited
number of third parties and local government entities.[204]
The Water Services Association of Australia argued that the current definition
of ‘protected information’ does not allow for the disclosure of information to
contracted entities for the purpose of operating critical infrastructure assets
in the ordinary course of business and that the Bill should also be amended to
allow for disclosure to ‘relevant local government authorities which have
oversight of the relevant critical infrastructure sector to which the protected
information relates'.[205]
Further, independent regulators or office holders, namely
the Commonwealth Ombudsman, the Office of the Inspector-General of Intelligence
and Security (IGIS) and the Office of the Australian Information Commissioner
(OAIC), also proposed amendments to the Bill relevant to their functions.
The Commonwealth Ombudsman proposed a similar exception as
the one currently provided for the IGIS in subsection 47(2) of the SOCI Act
to the non-disclosure of information requirement in subsection 47(1) of the SOCI
Act, such that the SOCI Act ‘does not interfere with’ the Commonwealth
Ombudsman’s power to require the production of information under section 9 of
the Ombudsman
Act 1976.[206]
On the other hand, the IGIS pointed out that subsection
47(2) of the SOCI Act ‘provides that the IGIS may compel entities
to produce protected information where necessary to give effect to the IGIS
Act, or any other Act conferring functions, power or duties on the IGIS’,
but that ‘there is no comparable provision in the SOCI Act or the Bill
for voluntary disclosures of protected information to [the office of the
IGIS]’. It asked that the PJCIS consider inserting a comparable exception for
IGIS officials to that for Ombudsman officials in proposed subsection 46(5)
of the SOCI Act, at item 69 of the Bill.[207]
The OAIC recommended that Part 4, Division 3, Subdivision
A of the SOCI Act (which sets out authorised uses and disclosures of
protected information) be amended to provide for the authorised use and disclosure
of protected information to the Australian Information Commissioner, for the
purpose of notifying an eligible data breach under the Privacy Act. Similar
to the Commonwealth Ombudsman’s submission, the OAIC also recommended that subsection
47(2) of the SOCI Act be amended to allow entities to produce documents
and answer questions, where they relate to a notifiable data breach and other
regulatory functions of the OAIC under the Privacy Act.[208]
Concluding comments
While stakeholders are supportive of the need to protect
Australia’s critical infrastructure from various threats, there have
significant concerns raised regarding the timing of the introduction of the
Bill into Parliament and the ability of the Government to address issues
identified during Exposure Draft consultations on the Bill.[209]