Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022

Introductory Info

Date introduced:  10 February 2022
House:  House of Representatives
Portfolio: Home Affairs
Commencement: The day after Royal Assent.


The Bills Digest at a glance

Purpose

The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the Bill) seeks to amend the Security of Critical Infrastructure Act 2018 to implement additional obligations on owners of critical infrastructure assets, particularly those assets which are declared to be systems of national significance (SoNS) by the Minister for Home Affairs.

History of the Bill

While the majority of critical infrastructure assets in Australia are owned or operated by the private sector and the states and territories, the Australian Government has introduced a number of reforms aimed at protecting and improving the resilience of Australia’s critical infrastructure.

The majority of the provisions of the Bill were originally introduced into Parliament as part of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 [2021] (the 2020 Bill). Following consideration by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), the Government adopted a recommendation by the PJCIS to amend the 2020 Bill to take out the provisions which required further consultation with stakeholders. The remaining provisions were passed by Parliament in November 2021 and are contained in the Security Legislation Amendment (Critical Infrastructure) Act 2021.

Prior to reintroducing the deferred provisions, the Department of Home Affairs undertook a consultation process which substantially concluded on 1 February 2022. The Bill was then introduced into Parliament on 10 February 2022.

Parliamentary Joint Committee on Intelligence and Security Inquiry

The PJCIS is currently conducting an inquiry into the Bill and at the time of writing this Digest had received 48 submissions from stakeholders.

Stakeholder Comments

While stakeholders have generally supported the Bill in principle, several broad concerns about the Bill have been raised, including the timing of the introduction of the Bill; the adequacy of consultation undertaken with industry; the level of overlap with existing cyber security obligations imposed on industry; and the need for merits review of certain decisions under the framework. Stakeholders are also concerned with the likely regulatory impact the Bill will have on their operating costs, particularly following the COVID-19 pandemic.

With regard to the provisions contained in the Bill, stakeholders are most concerned about the new power to be exercised by the Minister to privately declare critical infrastructure assets to be SoNS and the ability of the Secretary of the Department of Home Affairs to require a relevant SoNS to install and maintain system information software that collects and records system information to be transmitted to the Australian Signals Directorate. Stakeholders also raised concerns about other aspects of the Bill, including the timing of the implementation period for critical infrastructure risk management programs and the ability for responsible entities to conduct background checks of their employees under the existing AusCheck scheme.

Purpose of the Bill

The purpose of the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the Bill) is to amend the Security of Critical Infrastructure Act 2018 (the SOCI Act) to:

  • require responsible entities of certain critical infrastructure assets to adopt, maintain and comply with a critical infrastructure risk management program
  • require responsible entities for certain critical infrastructure assets to provide a report to the Government where the assets are not covered by a critical infrastructure risk management program
  • allow for responsible entities to conduct background checks on their employees under the existing AusCheck scheme
  • amend the relevant statutory liability exemptions to apply to personnel and associates of entities that are related, or provide contractual services, to responsible entities
  • allow the Minister to privately declare critical infrastructure assets to be systems of national significance (SoNS)
  • impose enhanced cyber security obligations on entities responsible for SoNS, including undertaking cyber security exercises and vulnerability assessments, and preparing an incident response plan and
  • amend the current information sharing arrangements for protected information between the Commonwealth, state and territory regulatory agencies.

The Bill makes a number of other amendments to various definitions of critical infrastructure assets.[1] The Bill also amends the AusCheck Act 2007 and the Criminal Code Act 1995 to make consequential amendments to those Acts.

Background

Australia’s critical infrastructure

What is ‘critical infrastructure’?

The Australian and state and territory governments define critical infrastructure as:

… those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.[2]

Threats to critical infrastructure

In justifying the need for recent reforms to further regulate Australia’s critical infrastructure, the Government has stated that ‘Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government’.[3] The Prime Minister recently warned that cyberattacks are a ‘present threat’ and a ‘likely response from Russia’ following the Government’s decision to impose sanctions in response to Russia’s recent aggression against Ukraine.[4]

The Australian Signals Directorate (ASD) has stated that ‘Australia is facing increasing cyber security threats to essential services, businesses and all levels of government’ and that ‘malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale, and sophistication’.[5] The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has also noted that it has ‘received compelling evidence that the pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate’.[6]

Over the 2020–21 financial year, the Australian Cyber Security Centre (ACSC) received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year, with self-reported losses from cybercrime totalling $33 billion.[7] The ACSC estimated that approximately one quarter of cyber incidents reported during the reporting period were associated with Australia’s critical infrastructure or essential services.[8]

Recent reforms to critical infrastructure legislation

While the majority of critical infrastructure in Australia is owned or operated by the private sector and the states and territories,[9] the Australian Government has introduced a number of reforms aimed at protecting, and improving the resilience of, Australia’s critical infrastructure (as defined above).[10] These have included strengthening foreign investment rules around who can own, purchase or invest in critical infrastructure,[11] and establishing the Critical Infrastructure Centre (which was replaced with the Cyber and Infrastructure Security Centre in September 2021).[12]

Passage of the Security of Critical Infrastructure Act 2018

In March 2018, the Parliament passed the Security of Critical Infrastructure Act 2018 (SOCI Act).[13]

The SOCI Act introduced significant new reforms to allow the Government to manage critical infrastructure assets, including:

  • establishing a Register of Critical Infrastructure Assets, which is not publicly accessible, setting out information as to who owns and operates those assets[14] and
  • allowing the Minister to give a direction to a reporting entity or an operator of a critical infrastructure asset to do, or refrain from doing, a specified act or thing within a certain timeframe.[15]

The SOCI Act commenced on 11 July 2018 and creates a framework for the regulation of critical infrastructure assets across a number of sectors.[16] While the SOCI Act originally only covered specific assets in the electricity, gas, water and maritime ports sectors,[17] recent reforms (discussed further below) have expanded its coverage to include communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage.[18]

Sections 10 to 12KA of the SOCI Act define critical infrastructure assets by reference to specific infrastructure that is core to the relevant sector. These definitions include rule-making powers to prescribe requirements in relation to some of these definitions (noting that some types of assets are defined as a critical infrastructure asset without needing to be prescribed in the rules).[19] The Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 prescribe the circumstances when certain assets fall within the definition of a critical infrastructure asset.

Paragraph 9(1)(f) of the SOCI Act gives the Minister the power to prescribe an asset, or classes of assets, to be a critical infrastructure asset provided the Minister is satisfied that the asset or class of assets relates to a critical infrastructure sector and is critical to:

  • the social or economic stability of Australia or its people
  • the defence of Australia or
  • national security (subsection 9(3) of the SOCI Act).[20]

The Minister also has the power to privately declare an asset to be a critical infrastructure asset where:

  • the asset is not otherwise a critical infrastructure asset
  • the asset relates to a relevant industry and
  • the Minister is satisfied that:
    • the asset is critical to the social or economic stability of Australia or its people, the defence of Australia or national security and
    • there would be a risk to the social or economic stability of Australia or its people, the defence of Australia or national security if it were publicly known that the asset is a critical infrastructure asset.[21]

Declarations made by the Minister are not legislative instruments, and for reasons of national security, are not published (though the Minister must notify the responsible entity for the asset and the First Minister of the state or territory in which the asset is located within 30 days of making the declaration).[22]

Example of a critical infrastructure asset

Section 12K of the SOCI Act sets out the criteria for an asset to be a critical food and grocery asset.

Subsection 12K(1) currently provides that an asset is a critical food and grocery asset if it is a network that:

  (a) is used for the distribution or supply of:
    (i) food; or
    (ii) groceries; and
  (b) is owned or operated by an entity that is:
    (i) a critical supermarket retailer (which is an entity that is either specified in, or meets requirements set out in, the Rules)
    (ii) a critical food wholesaler (which is an entity that is either specified in, or meets requirements set out in, the Rules) or
    (iii) a critical grocery wholesaler (which is an entity that is either specified in, or meets requirements set out in, the Rules).

The Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 (LIN21/039) may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset (subsection 9(2) of the SOCI Act).

Currently, LIN21/039 prescribes Aldi Pty Ltd, Coles Group Limited and Woolworths Group Ltd as critical supermarket retailers (subsection 15(1)) and MetCash Trading Ltd as a critical grocery wholesaler (subsection 15(2)). Note that the Bill proposes to amend subsection 12K(1) to only allow for networks which supply essential food or essential groceries to be prescribed (see Items 40–41 of the Bill).

For examples of where classes of assets have been prescribed see section 10 of LIN21/039, which prescribes requirements for critical financial market infrastructure assets.


History of the Bill

Security Legislation Amendment (Critical Infrastructure) Bill 2020

On 10 December 2020, the Government introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 [2021] (the 2020 Bill) into the House of Representatives.[23] The purpose of the 2020 Bill was to introduce an enhanced regulatory framework for critical infrastructure assets, building on existing requirements in the SOCI Act.[24]

The 2020 Bill, as introduced, contained the following provisions:

  • proposed amendments to the Administrative Decisions (Judicial Review) Act 1977 and AusCheck Act to exclude certain decisions from judicial review and require entities to undertake background checks of their employees
  • proposed amendments to existing Part 2 of the SOCI Act to expand the number of crucial infrastructure assets required to be included on the Register of Critical Infrastructure Assets
  • introduction of proposed Part 2A to require entities to establish risk management programs
  • introduction of proposed Part 2B to require entities to report cyber incidents to the Government
  • introduction of proposed Part 2C to require entities declared to be SoNS to undertake enhanced cyber security obligations
  • introduction of proposed Part 3A to give the Government new powers in responding to serious cyber security incidents (including intervention, information gathering and action directions) and
  • introduction of proposed Part 6A which would outline mechanisms for making SoNS declarations.[25]

Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020

The 2020 Bill was referred to the PJCIS by Christian Porter, then Attorney-General, on 11 December 2020 for inquiry and report.[26] As part of its inquiry, the PJCIS also conducted the required statutory review of the operation of the SOCI Act in conjunction with the review of the Bill.[27]

The PJCIS received 88 submissions and held four public hearings into the Bill.[28] The PJCIS noted that stakeholders were concerned with both the content of the Bill and the way in which the Government had consulted on the Bill’s impact on industry:

… most, if not all, companies and industry bodies, trade unions, and critical infrastructure assets owners and operators expressed some form of reservation with the Bill, its consultative development, the unknown or unquantifiable regulatory impact, or the contemporary rules development that has occurred while the Committee conducted this review.[29]

Stakeholders requested that the Government pause the 2020 Bill’s progress through Parliament to allow time to deal with the issues raised by stakeholders, however the Government maintained that an urgent response was required to counter the immediate threat to critical infrastructure assets.[30]

In evidence to the PJCIS, the Secretary of the Department of Home Affairs (the Department), Michael Pezzullo, stated:

… once the bill achieves royal assent as an act of parliament it allows us to activate certain emergency procedures under the government assistance measures, and it is those measures that, frankly, I would prefer to have on the statute books tonight.[31]

Both stakeholders and the PJCIS were concerned with the broad delegations of legislative power contained in the 2020 Bill.[32] The Law Council of Australia described the Bill as ‘extraordinary in terms of the number, breadth and gravity of legislative powers it proposes to delegate to the Minister and Secretary’ and ‘that it proposes to enable some delegated powers to be exercised via non-legislative instrument (Ministerial declarations in relation to assets, and Secretary’s notices in relation to cyber security obligations)’.[33]

In balancing the concerns raised by stakeholders and the need for the ‘increasing threat of cyber-related crime and security threats to critical infrastructure assets to be countered’,[34] the PJCIS recommended that the Government split out the non-urgent provisions in the Bill to allow for further consultation to be undertaken.[35] Specifically, the PJCIS recommended that reforms contained in Part 3A of the Bill, along with the expanded definitions and meanings of critical infrastructure assets, and other enabling provisions in Part 1, Part 2B, and Schedule 2, be retained in the 2020 Bill (subject to some amendments), with the rest of the provisions to be deferred.[36]

Splitting of the 2020 Bill

The Government accepted the PJCIS’s recommendation that the 2020 Bill be split into two separate Bills and subsequently amended the 2020 Bill which was passed by both Houses on 22 November 2021.[37]

The Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act) amended the SOCI Act to:

  • expand the scope of the SOCI Act from applying to four asset classes to applying to 11 sectors and 22 asset classes
  • expand the requirement for responsible entities to provide ownership, operation, interest and control information to be included in the Register of Critical Infrastructure Assets
  • require responsible entities to provide mandatory reports in relation to cyber security incidents to the ACSC’s online cyber reporting portal and
  • provide the Government with broad powers to respond to cyber security incidents immediately prior to, during or following a significant cyber security incident, including through intervention, information gathering and action directions.

With respect to the provisions which were not included in the 2020 Bill, the PJCIS recommended the Government consult further with stakeholders (including industry) and reintroduce the provisions in a subsequent Bill.[38] The PJCIS further recommended that these provisions be amended in accordance with recommendations outlined by the Business Council of Australia, Law Council of Australia, and other stakeholders, in line with the following principles:

  • any definitions or meanings introduced by [the 2020 Bill] that have been clearly identified as requiring modification or clarification as part of rules co-design or in evidence to this review, or that require reconsideration as to scope, be captured in revised definitions
  • any elements of [positive security obligations] PSOs or enhanced cyber security obligations that can be aligned to international standards or to align with existing best-practice critical infrastructure programs in other international jurisdictions (ISO 31000 is an international risk management standard already applied by many entities)
  • any decision or determination made that will affect an entity be amended to not only include the existing consultation by the Minister or Secretary, but also require a right of reply by the affected entity and consideration of that reply in the final determination
  • consideration of potential impacts of [the provisions] on foreign investment attractiveness and Foreign Investment Review Board processes
  • the currently drafted secrecy around declarations of assets as SoNS under proposed section 52B of the [2020 Bill], and current section 51 of the [SOCI Act], be amended to require that such declarations only be confidential if the Minister is satisfied on reasonable grounds, that there is a significant risk of harm to Australia’s defence or national security as a result of the disclosure of the regulatory status of the asset
  • ensure that protected information provisions enable the appropriate and lawful exchange of information among oversight and compliance assurance bodies
  • formulating a merits review system of appeal to the security division of the AAT for any determination … for declarations under proposed Part 6A and proposed Part 2C, once revised, with requisite access to protected information
  • more generally, consideration of the issue of merits review rights in respect of the administrative decisions of the Secretary or Minister under other aspects of the expanded [2020 Bill] framework and
  • reconsideration of the suitability of the types and breadth of immunities afforded to entities under the entirety of the [2020 Bill’s] proposed framework...[39]

The PJCIS also recommended that the new Bill be released as an Exposure Draft prior to being introduced into Parliament to allow for further consultations to take place and upon introduction, the Bill be referred to the PJCIS for review.[40] At the same time, the PJCIS recommended that it should also undertake a review of the operation of the provisions contained in the 2020 Bill (now the SLACI Act) ‘to ensure that it is operating as intended, and is indeed being used only as a last resort’.[41]

The Department has stated that the provisions of the Bill have been amended in line with the principles outlined above.[42] An Exposure Draft of the Bill was released for consultation between 15 December 2021 and 1 February 2022 and the Department received 70 submissions.[43]

Parliamentary Joint Committee on Intelligence and Security

The Bill was referred to the PJCIS on 10 February 2022. The PJCIS received 50 submissions and held a public hearing on 16 March 2022.[44]

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills (Scrutiny of Bills Committee) raised concerns regarding the number of matters the Bill leaves to be prescribed in delegated legislation.[45] The Scrutiny of Bills Committee reiterated its position that ‘matters which may be significant to the operation of a legislative scheme should be included in primary legislation unless sound justification for the use of delegated legislation is provided’ and sought advice from the Minister as to why it is considered necessary and appropriate to leave such matters to delegated legislation.[46]

The Scrutiny of Bills Committee also raised concerns regarding the abrogation of the privilege against self-incrimination provided for in proposed sections 30DG and 30DN of the SOCI Act (at item 58 of the Bill), which prevent an individual from refusing to provide a report or complying with a system information software notice on the grounds it may incriminate them.[47] While proposed sections 30DH and 30DP provide that the report or information obtained cannot be used in subsequent criminal proceedings, it does not limit information or evidence indirectly obtained from being used in criminal proceedings against the person (referred to as derivative use immunity).[48] The Scrutiny of Bills Committee left it to the Senate as a whole to determine the appropriateness of abrogating the privilege against self-incrimination in circumstances where no derivative use immunity is provided.[49]

Policy position of non-government parties/independents

While the Opposition has stated that it ‘supports effective and rational measures to secure Australia’s critical infrastructure’,[50] it has reserved its final position on the provisions of the Bill until the PJCIS has completed its review and raised concerns with the Government passing the Bill in the House of Representatives ahead of the Bill being considered by the PJCIS.[51]

During the second reading debate on the Bill, Brendan O’Connor, the Shadow Minister for Defence, moved the following amendment:

… whilst not declining to give the bill a second reading, the House is of the opinion that, in listing the bill for debate before such time as the Parliamentary Joint Committee on Intelligence and Security can conduct its inquiry and table its report, the Government has broken long-standing convention on national security legislation and substituted a bipartisan approach in the national interest for its own political expediency.[52]

The Member for Kennedy, Bob Katter, also moved a motion (which was seconded by the Member for Clark, Andrew Wilkie):

… and the House notes that:

  1. this bill seeks to enhance the regulatory framework for Australian critical infrastructure assets, particularly to improve protection against cyber attacks; and
  2. to ensure that the bill meets its stated objects, modifications be made to allow:
    1. coverage for Commonwealth and state and territory government data;
    2. coverage for critical data of Australian critical infrastructure providers that is stored offshore; and
    3. the declaration of a particular business’s critical data to be of national significance and to require that such data must not be stored, transferred or accessed outside of Australia.[53]

Both amendments were defeated, and the Bill passed the House of Representatives on 16 February 2022.[54]

Position of major interest groups

While stakeholders generally supported the Bill in principle, broad concerns about the Bill have been raised, including:

  • the level of consultation with industry[55]
  • the reliance on delegated legislation[56]
  • the level of overlap with other security obligations (for example, under the Telecommunications Act 1997)[57]
  • the lack of an independent oversight mechanism[58] and
  • the adoption of previous feedback provided by stakeholders.[59]

Stakeholders also raised concerns with specific aspects of the Bill, which are discussed further in the ‘Key issues and provisions’ section of this Digest. A number of submitters also continued to raise concerns regarding the reforms introduced via the passage of the SLACI Act, including the mandatory cyber incident reporting timelines and existing definitions of critical infrastructure assets.[60]

Adequacy of the consultation process

As an overarching point, a number of stakeholders raised concerns with the consultation process and how quickly the Government was seeking to pass the Bill.[61] The Internet Association of Australia, whose members include small to medium sized internet service providers (ISPs), noted that:

… the Bill has since been referred to the Committee only 10 days after submissions closed, and we further note that it has now already been introduced to the Lower House despite the inquiry still currently under way by the Committee, thus before the Committee’s final report. Therefore, we raise our concerns that the implementation of the Bill may be being rushed and sufficient review and proper consideration of the feedback provided on the Bill is not being afforded. Given the scope and subject matter of the Bill, we strongly advise that this could have numerous serious adverse consequences for businesses as well as the wider Australian society and could furthermore result in greater security risks in contrast with the object of the Bill.[62]

The Business Council of Australia noted that while the Department had ‘sought to undertake further and inclusive consultation’, due to compressed timeframes:

… there are still areas where businesses remain unclear on the implications of the proposed approach, or where the regulatory costs are still to be determined. We also consider areas remain that could be improved, in both the proposed Bill and the reforms that have already been legislated - particularly the government assistance measures. We continue to think that greater oversight of these powers and opportunities for businesses to work with government will be critical to balancing the needs of government, business, and the community.[63]

Lack of independent oversight

Stakeholders were also generally concerned with the lack of an independent oversight mechanism given the broad powers delegated to the Executive (either the Minister or the Secretary) under the SOCI framework.[64]

Palo Alto, an American multinational cybersecurity company, stated that it was:

… concerned by the exclusion of merits review for section 30CB, other Part 2C decisions and decisions to declare a system of national significance. Given the potentially unprecedented and broad nature of these powers, it is critical that entities have an appeal mechanism available to them should they disagree with a Government decision or request.[65]

The Law Council of Australia noted that the Bill does not implement the PJCIS’s recommendation to formulate a merits review system of appeal to the Security Division of the Administrative Appeals Tribunal (AAT) for any declarations under proposed Part 6A and proposed Part 2C, once revised, with requisite access to protected information.[66]

While referencing the Government’s position that implementation of this recommendation was not appropriate due to concerns around access to sensitive information,[67] the Law Council argued that this position ‘does not engage with the substance of the Law Council’s submissions’ on the 2020 Bill.[68] Given ASIO’s security assessments issued for the purpose of the Ministerial direction power under Part 3 of the SOCI Act are subject to merits review in the Security Division of the AAT, this ‘highlights that effective procedural mechanisms are already available to manage the dissemination and use of classified or otherwise sensitive information in the context of merits review’.[69]

Financial implications

The Explanatory Memorandum states that the Bill ‘does not impose any new expenditure and the overall financial impact is low’.[70]

Regulatory impact

With respect to the cost to industry arising out of the provisions of the Bill, the Department has stated that:

… the average expected costs for responsible entities to implement, and maintain, the risk management program rules is currently an average one-off cost of $9.2 million followed by an average ongoing cost of $3.7 million per annum (p.a.), from the data provided so far.[71]

The Department has maintained that these figures are ‘quite low’ when compared with the potential cost to industry in the event of an incident which would impact their business.[72]

However, some submitters have raised concerns regarding the regulatory impact of the proposed provisions. Uniting Care Queensland stated that its own preliminary assessment ‘indicates a substantially larger compliance cost’ and that paying the financial penalties associated with non-compliance would be the more financially sustainable option.[73] Catholic Health Australia argued that the additional compliance requirements would necessitate funding support from the Government, noting the impact the pandemic has had on operating margins and overall staff welfare.[74]

The Water Services Association of Australia anticipates that declaring a water business as a SoNS ‘is likely to have costs in the order of several hundreds of millions of dollars’ with the cost currently hidden because such a declaration is not subject to a regulatory impact statement.[75] The Association argued this would have particular impacts in the water sector, as the majority of entities operate under a system of controlled pricing, with cost-recovery actions subject to regulatory approval.[76]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011, the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act.[77]

The Government states that the Bill engages the following rights:

However, the Government considers that the Bill is compatible with human rights:

… because it will promote rights and, to the extent that the Bill limits rights, those limitations are reasonable, necessary and proportionate to the objective of reducing national security risks in relation to critical infrastructure.[81]

Parliamentary Joint Committee on Human Rights

At the time of writing, the Parliamentary Joint Committee on Human Rights had not yet considered the Bill.

Key issues and provisions

Requirement to adopt critical infrastructure risk management programs

Key provisions

Who must adopt a risk management program?

Proposed Part 2A of the SOCI Act, at item 49 of the Bill (which comprises proposed sections 30AA to 30ANC) requires responsible entities for critical infrastructure assets to adopt, and maintain, a written critical infrastructure risk management program (a risk management program) unless an exemption applies to the entity.[82]

A responsible entity (as per section 12L of the SOCI Act) is a body licensed to operate the critical infrastructure asset. Proposed subsection 30AB(1) provides that assets or classes of assets which have either been prescribed in the rules or declared by the Minister to be critical infrastructure assets to which the Part applies, are covered by proposed Part 2A.[83]

The Explanatory Memorandum states that the rules will initially specify asset classes ‘where there are not already sufficient regulatory or administrative arrangements in place’, and lists which asset classes are intended to be initially captured:

  • critical electricity assets
  • critical energy market operator assets
  • critical gas assets
  • critical liquid fuels assets
  • critical water and sewerage assets
  • critical financial market infrastructure assets that are a critical payment system (other critical financial market infrastructure assets will not be captured)
  • critical data storage or processing assets
  • critical hospital assets
  • critical domain name system assets and
  • critical broadcasting assets.[84]

The Government has stated that the rules will provide that the abovementioned assets will be covered by proposed Part 2A:

  • if the asset is a critical infrastructure asset on or before the commencement of the proposed section 30AB rule, six months after the rule commences or
  • if the asset becomes a critical infrastructure asset after the commencement of the proposed section 30AB rule, six months after the asset becomes a critical infrastructure asset.[85]

The Explanatory Memorandum provides that, given the current supply chain impacts arising from COVID-19, proposed Part 2A would not be applied to critical freight services assets, critical freight infrastructure assets, and critical food and grocery assets until at least 1 January 2023.[86] The Government has also acknowledged that it does not intend to ‘switch on’ any of the positive security obligations (including proposed Part 2A) for critical education assets, as the University Foreign Interference Taskforce ‘will deliver the same outcomes as intended by the critical infrastructure risk management program obligation for critical education assets’.[87]

Proposed subsections 30AB(3)–(6) exempt certain assets from the operation of proposed Part 2A. This includes where:

  • the rules provide that proposed Part 2A does not apply to a critical infrastructure asset for a specified period[88]
  • a critical infrastructure asset is certified as strategic under the Government’s Hosting Certification Framework (HCF)[89]
  • a responsible entity is subject to a prescribed statutory scheme (either at the federal or state/territory level)[90] or
  • a critical infrastructure asset is subject to a prescribed statutory scheme (either at the federal or state/territory level).[91]

However, a responsible entity holding strategic certification under the HCF, or covered by an alternative statutory scheme, remains subject to the annual reporting obligations set out in proposed Part 2AA. These exemptions were not included in the 2020 Bill as introduced. The Explanatory Memorandum states that the HCF exemption responds to recommendation 7 of the PJCIS report and has been ‘inserted to minimise the regulatory overlap between the critical infrastructure risk management program obligation and the HCF in response to feedback received from the data storage and processing sector’.[92]

What does a risk management program cover?

The Bill does not specify the form a risk management program must take other than that it must be written. The Explanatory Memorandum states that this reflects the Government’s intention to allow responsible entities discretion and ‘recognises industry’s expertise and deep knowledge of the unique challenges faced by each critical infrastructure asset and ensures there is no unnecessary regulatory burden’.[93]

Proposed section 30AH provides that the purpose of a risk management program is to:

  • identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset
  • minimise or eliminate any material risk of such a hazard occurring (so far as it is reasonably practicable to do so) and
  • mitigate the relevant impact of such a hazard on the asset (so far as it is reasonably practicable to do so).[94]

This is known as the ‘all-hazards approach’ where the focus is on the impact of the hazard on the critical infrastructure asset as opposed to specifically identifying potential hazards.[95]

In determining what constitutes a material risk, regard must be had to the likelihood of the hazard occurring and to the relevant impact of the hazard on the asset if it were to occur (the rules may also specify that a particular risk is a material risk).[96] The Government has stated that, by not defining the term ‘material risk’, it has left it to responsible entities to determine what constitutes a material risk for their assets.[97]

The Explanatory Memorandum provides some guidance on what risks should be identified:

For example, an asset that is hundreds of kilometres inland would not be required to take steps to mitigate the significant physical impact of a tsunami on the asset. This is not to say that an unlikely event that would have a substantial impact would not in all circumstances be regarded as a material risk. The hazards that the COVID-19 pandemic (a once-in-a-century event) may have on the availability of workforce and day-to-day operations of an asset are an example of such an unlikely event with such a significant outcome it could still be assessed as a material risk and therefore need to be addressed in a critical infrastructure risk management program.[98]

The Minister may also make rules providing that taking a specified action in relation to a critical infrastructure asset (whether the action applies to a specific asset or all assets) is considered to be an action that either:

  • minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset or
  • mitigates the relevant impact of a specified hazard on the asset.[99]

The Explanatory Memorandum states that these amendments will allow the Government:

  • to mandate the steps responsible entities should be taking through their critical infrastructure risk management program to address a particular risk
  • to provide ‘safe harbour’ by specifying that the taking of certain actions will acquit the entity of a specific obligation and
  • to de-conflict requirements for entities with assets which fall within more than one definition of critical infrastructure asset.[100]

Risk management programs must comply with any other requirement specified in the rules (these may be of a general nature or relate to one or more specified assets).[101] In specifying such requirements, the Minister must have regard to:

  • any existing regulatory system (either at the federal or state/territory level) that imposes obligations on responsible entities
  • the costs that are likely to be incurred by responsible entities in complying with the requirements
  • whether the requirements are reasonable and proportional with respect to the purposes set out in proposed paragraph 30AH(1)(b) (that is the identification of relevant hazards, the minimisation of the risk of the hazard occurring, and the mitigation of the impact of the hazard on the asset, should the hazard occur) and
  • any other matters the Minister considers relevant.[102]

The rules may also allow a risk management program to provide for background checks to be conducted, under the Government’s AusCheck scheme (established under the AusCheck Act), on individuals who are associated with assets covered by proposed Part 2A.[103] The 2020 Bill, as introduced, allowed the rules to prescribe that a critical infrastructure risk management program include provisions requiring background checks of individuals to be conducted under the AusCheck scheme.[104] These provisions have been amended to enable, but not require, a responsible entity to conduct background checks on its employees via the AusCheck scheme. The Bill also makes consequential amendments to the AusCheck Act to allow such background checks to be conducted where permitted under a risk management program.[105]

What are an entity’s obligations with respect to a risk management program?

Proposed sections 30AC–30AF require responsible entities who have adopted a risk management program to maintain, comply with, review, and update the program. These are all civil penalty provisions, and the maximum penalty for failing to adopt and maintain, comply with, review or update a risk management program is 200 penalty units ($44,400) for an individual or 1,000 penalty units ($222,000) for a body corporate.[106] A responsible entity will be allowed to vary or revoke a risk management program,[107] provided the entity continues to maintain a risk management program and the variation or revocation complies with any matters set out in the rules.[108] The Explanatory Memorandum provides that the ability of the Minister to specify in the rules certain matters that must be considered by a responsible entity when adopting, reviewing and varying its critical infrastructure risk management program has been included in response to stakeholder feedback (it was not included in the 2020 Bill as introduced).[109]

Responsible entities required to maintain a risk management program will also be required to prepare and submit an annual report to either the relevant Commonwealth regulator[110] or the Secretary of the Department which includes:

  • a statement as to whether the program was up to date at the end of the financial year, if the entity had the program in place at that time and
  • a statement about any hazard that had a significant impact on one or more proposed Part 2A assets.[111]

The report must be in a form approved by the Secretary and must be approved by the relevant board, council, or other governing body of the entity, where one exists.[112] Failure to meet these obligations contravenes a civil penalty provision, with a maximum penalty of 150 penalty units ($33,300) for an individual or 750 penalty units ($166,500) for a body corporate.[113]

Power of the Minister to make rules

As discussed above, proposed sections 30AB, 30AH and 30AKA enable the Minister to make rules for the purposes of specifying:

  • that proposed Part 2A applies to an asset or class of assets
  • requirements with respect to risk management programs
  • matters that an entity must have regard to when adopting, reviewing or varying a risk management program.

In making such rules, the Minister is required to publish on the Department’s website a notice setting out a draft version of the rules and inviting stakeholders to make submissions within a specified period, and to consider any submissions received within that period.[114] The Minister is also required to give copies of the notice to each state/territory First Minister.[115]

The consultation requirement does not apply with respect to rules made under proposed sections 30AH and 30AKA if the Minister is satisfied:

  • that there is an imminent threat that a hazard will have a significant relevant impact on a critical infrastructure asset or
  • that a hazard has had, or is having, a significant relevant impact on a critical infrastructure asset.[116]

Where consultation does not occur before the rules are made, the Secretary of Home Affairs must conduct a review of the rules pursuant to proposed section 30AM. The Minister must table a copy of the Secretary’s statement of findings in both Houses of Parliament within 15 sitting days of having received it.[117]

While subsection 14(2) of the Legislation Act 2003 generally prevents the rules from applying, adopting or incorporating a matter contained in another instrument or document as in force or existing from time to time, proposed sections 30AN and 30ANA allow the rules to apply, adopt or incorporate:

  • any matter contained in a state/territory law
  • any matter contained in a standard proposed or approved by Standards Australia or
  • any matter contained in a relevant document

as in force or existing from time to time.

Proposed subsection 30ANA(2) lists which documents are considered to be a relevant document and allows the rules to prescribe other documents as relevant documents. Before prescribing a document as a relevant document, the Minister must undertake consultation.[118]

Proposed section 30ANC sets out the process for disallowing rules made by the Minister which prescribe a relevant document. This process excludes the operation of the general disallowance provisions in section 42 of the Legislation Act. While it is normal practice that a legislative instrument commences the day after it is registered (or at a time specified in the instrument) and continues to have effect until either House passes a resolution disallowing the instrument, proposed subsection 30ANC(3) provides that rules specifying a relevant document do not take effect until the day after the last day the rules are subject to disallowance.[119]

The Explanatory Memorandum states:

This is a distinct disallowance scheme that applies specifically in relation to rules under paragraph 30ANA(2)(f), to afford transparency and Parliamentary oversight of any document that may be prescribed as a ‘relevant document’ that may be incorporated in rules made under sections 30AH and 30AKA as in force from time to time whilst still permitting those rules to reflect best Australian and international risk management practices.[120]

Concerns raised by stakeholders

Stakeholders raised concerns about the six-month timeframe to implement risk management programs for existing critical infrastructure assets.[121] Catholic Health Australia argued that the additional requirements ‘could not come at a worse time’ following the pandemic and an 18-month implementation period would be more appropriate.[122]

Uniting Care Queensland (UCQ) submitted that the timeframe was impractical and would result in ‘surge costs’:

…the proposed Bill could require UCQ to conduct AusChecks over 4,200 staff (not including contractors) at the same time as many other organisations are conducting the same checks. The inevitable backlog in processing will result in costly delays impacting service delivery, staffing and costs – in what is already a severely strained sector. In addition, the proposed Bill could require UCQ to conduct physical access checks across its sites and more than 4,200 staff (not including contractors) to ensure they do not inadvertently have access to ‘critically’ deemed areas (e.g. a chemical storage area).[123]

The Clean Energy Council stated that ‘six months is insufficient to allow for the required forward planning and essential budgeting across the coming financial years’ and that the regulatory costs involved in preparing risk management programs ‘has the potential to change the fundamental business case of smaller projects, impede new investment, and ultimately outweigh the new benefits of the Security of Critical Infrastructure framework’.[124]

Amazon Web Services (Amazon) welcomed the recognition of strategic certification under the HCF as meeting the requirements of the risk management program but sought further clarification as to whether the annual reporting requirements are met by ongoing certification under the HCF.[125] Emergency Management Victoria advocated for State-based risk management frameworks (including Victoria’s critical infrastructure resilience framework) to also be recognised as meeting the requirements for a risk management program under the SOCI Act.[126]

The Australian Logistics Council questioned the drafting of proposed section 30AH, which sets out requirements for a risk management program. It considered that, as proposed subsection 30AH(1) references a written program, ‘this would not allow an entity to compile a number of documents that, in concert, meet the requirements for a risk management program’ (as suggested in the Explanatory Memorandum).[127] Further, even if this were legally feasible, the Australian Logistics Council argued that it would not work in practice given the high penalties that apply for failing to submit such a program, and that legal advisors would require the relevant Board to take a conservative view and adopt a single purpose-designed document.[128]

Union groups such as the Australian Services Union, Electrical Trades Union and the Australian Council of Trade Unions (ACTU) continued to raise concerns regarding the provisions allowing for responsible entities to conduct background checks on their employees under the existing AusCheck scheme.[129] It was argued that the provisions would ‘put too much power in the hands of employers to collect personal information about our members’ and may lead to an infringement of their workplace rights.[130] In its submission, the ACTU raised concerns that some businesses may subject their entire workforce to background checks and that the definition of ‘critical worker’ in the draft rules ‘is insufficient protection against unnecessary background checks or abuse of the system’.[131] The ACTU recommended that ‘the definition of critical worker should be strengthened and placed in primary legislation, and supplemented with safeguards to prevent the unnecessary, unwarranted, or excessive use of background checks’.[132] Sunwater Ltd also noted the limitations for employers in using the AusCheck scheme and cautioned against it as a ‘default’ compliance mechanism.[133]

New reporting obligations for assets not covered by a risk management program

Key provisions

Proposed Part 2AA of the SOCI Act, at item 49 of the Bill (which comprises proposed sections 30AP to 30AQ), sets out reporting obligations for responsible entities that are exempt under proposed subsections 30AB(4)–(6) from having to prepare a risk management program (that is, a responsible entity holding strategic certification under the HCF or covered by an alternative statutory scheme).

These responsible entities must prepare and submit an annual report to either the relevant Commonwealth regulator or the Secretary of the Department which includes:

  • the reasons why the assets are covered by proposed subsections 30AB(4)–(6) and
  • if a hazard has a significant relevant impact on one or more of those assets, a statement identifying the hazard and evaluating the effectiveness of any actions taken by the entity for the purposes of mitigating the significant relevant impact of the hazard on the assets concerned.[134]

The report must be in a form approved by the Secretary and must be approved by the relevant board, council, or other governing body of the entity, where one exists.[135] Failure to meet these obligations contravenes a civil penalty provision, with a maximum penalty of 150 penalty units ($33,300) for an individual or 750 penalty units ($166,500) for a body corporate.[136]

Expansion of civil immunities 

Key provisions

Items 54, 60, 62 and 63 of the Bill amend the relevant statutory liability exemptions set out in sections 30BE, 35AAB, 35AW and 35BB of the SOCI Act to expand their application to:

  • members, officers and employees of related company groups (such as parent or subsidiary companies of regulated entities subject to obligations under the SOCI Act)[137] and
  • contracted service providers to regulated entities.[138]

The Explanatory Memorandum states that the current immunities in the SOCI Act ensure that entities, when acting in response to a compulsory legal direction, are not subject to civil liability. Therefore, entities are not forced to choose between complying with a lawful direction or a contractual obligation.[139]

In response to stakeholder feedback, the PJCIS recommended that the Government reconsider ‘the suitability of the types and breadth of immunities afforded to entities under the entirety of the [2020 Bill’s] proposed framework’.[140]

Concerns raised by stakeholders

While welcoming the proposed amendments, the Law Council of Australia identified three gaps which would not be captured by the expanded civil immunity provisions:

  • contracted service providers to ‘related companies’, where a ‘related company’ is responsible for the activities which would enable the regulated entity to comply with its obligations under the SOCI Act
  • actions of a regulated entity (or those of a related company or contracted service provider) which are not clearly referable to one or more specific regulatory obligation under the SOCI Act and
  • acts done in preparation for future regulatory obligations, which are not yet in force.[141]

The Law Council of Australia also noted that immunity under the SOCI Act only applies to ‘proceedings for damages’ and ‘it is possible that other remedies and causes of action may be relevant in the types of matters sought to be regulated by the newly expanded regime’.[142] The Law Council recommended that the PJCIS consider this as part of its current inquiry and that the Bill be amended to include additional causes of action.[143]

Microsoft argued that the civil immunity provisions should be amended to remove the qualifier that the individual or entity has acted in ‘good faith’:

It is currently unclear what constitutes good faith and whether protections would be forfeited in the event Microsoft exercised available legal remedies to enjoin certain government interventions that we may believe are inappropriate. A liability exemption that requires an organisation to forfeit fundamental legal rights and remedies or negotiate a preferred course of action under the legislation would be deeply problematic. Microsoft urges the Government to clarify the intended applicability of the ‘good faith’ standard and ensure that it does not undermine an entity’s legal rights.[144] [emphasis added]

Declaration of systems of national significance

Key provisions

Item 71 of the Bill inserts proposed Part 6A into the SOCI Act (comprised of proposed sections 52A to 52F) which allows the Minister to privately declare, in writing, a critical infrastructure asset to be a SoNS where the Minister is satisfied that the asset is of national significance.[145]

In determining whether an asset is of national significance the Minister must have regard to:

  • the consequences that would arise for the social or economic stability of Australia or its people, the defence of Australia, or national security if a hazard were to occur that had a significant relevant impact on the asset
  • the nature and extent of any interdependencies between the asset and another critical infrastructure asset that the Minister is aware of and
  • any other matters the Minister considers relevant.[146]

The Minister must notify, in writing, within 30 days of making the declaration:

  • each reporting entity for the asset and
  • the First Minister of the state/territory where the asset is located (if required).[147]

Before making a declaration, the Minister must give the responsible entity a notice setting out the proposed declaration. This notice must set out the reasons for making the declaration, unless the Minister is satisfied that doing so would be prejudicial to security.[148] The responsible entity then has 28 days (or less, where urgent circumstances exist) in which to provide a submission.[149]

A responsible entity can also request, by way of written notice to the Secretary of Home Affairs, to have a declaration reviewed. Such an application may only be made once within a 12-month period.[150] The review must be carried out within 60 days and in consultation with the responsible entity.[151] In reviewing whether the asset is of national significance the Secretary must have regard to the same matters that the Minister must consider in deciding to declare an asset (set out above), and must provide a report of the review and a statement setting out their findings to the Minister.[152] The Minister must revoke the declaration where they are no longer satisfied that the asset is of national significance.[153]

Reporting entities for assets which have been declared to be SoNS must notify the Secretary of Home Affairs if they cease to be a reporting entity for the asset or where an additional entity becomes a reporting entity.[154] Failure to meet these obligations contravenes a civil penalty provision, with a maximum penalty of 150 penalty units ($33,300) for an individual or 750 penalty units ($166,500) for a body corporate.[155]

Concerns raised by stakeholders

A consistent theme amongst stakeholders was that the minimum 28-day consultation period was too short and unreasonable given the technical nature of the obligations.[156]

Stakeholders also recommended that the Bill be amended to require the Government to engage with a responsible entity before the Minister gave notice of a proposed SoNS declaration.[157] Telstra noted that this would likely happen in practice, given the Government would need to work with the entity ‘to adequately understand the impacts if an asset is compromised and the nature of any interdependencies with other critical infrastructure assets’.[158]

Stakeholders also proposed that the Bill be amended so that any submissions made by an entity in response to a proposed declaration were included in the matters the Minister must have regard to in determining whether an asset is of ‘national significance’.[159] This reflects the recommendation made by the PJCIS that ‘any decision or determination made that will affect an entity be amended to not only include the existing consultation by the Minister or Secretary, but also require a right of reply by the affected entity and consideration of that reply in the final determination’.[160]

In its report, the PJCIS also recommended that the provisions (as introduced in the 2020 Bill) be amended to provide that declarations will only be confidential if the Minister is satisfied on reasonable grounds, that there is a significant risk of harm to Australia’s defence or national security as a result of the disclosure of the regulatory status of the asset.[161] Amazon also argued that the Minister should be required to share the rationale for the declaration of a SoNS with the impacted entity as withholding important information on threats to the entity’s own assets may hinder the ability of the entity to appropriately manage its cyber security risks.[162]

A number of stakeholders also raised concerns about the lack of review of the Minister’s power to make a declaration. The UNSW Allens Hub for Technology, Law and Innovation noted that the primary check on the exercise of that power lies with the Secretary under proposed section 52E of the SOCI Act and recommended that the Government appoint an independent reviewer, ‘like the Independent Reviewer of Adverse Security Assessments, with the appropriate security clearances in place’.[163]

Enhanced cyber security obligations

Key provisions

Item 58 inserts proposed Part 2C (which comprises proposed sections 30CA to 30DA) into the SOCI Act to create a number of enhanced cyber security obligations that the Secretary may require the responsible entity for a SoNS to undertake.

These include:

  • statutory incident response planning obligations (proposed Part 2C, Division 2)
  • undertaking cyber security exercises (proposed Part 2C, Division 3)
  • undertaking vulnerability assessments (proposed Part 2C, Division 4)
  • providing access to system information (proposed Part 2C, Division 5).

Statutory incident response planning obligations

Proposed section 30CB provides the Secretary with the power to determine, by written notice to a responsible entity for a SoNS, that statutory incident response planning obligations apply to the entity in relation to the SoNS and cyber security incidents. The determination must not take effect earlier than the end of the 30-day period that began when the notice was given.[164]

In making the determination, the Secretary must have regard to the following criteria:

  • the costs that are likely to be incurred by the entity in complying with the statutory incident response planning obligations (specified in proposed Division 2, Subdivision B)
  • the reasonableness and proportionality of applying the statutory incident response planning obligations to the entity in relation to the system and cyber security incidents
  • such other matters (if any) as the Secretary considers relevant.[165]

Proposed section 30CC allows the Secretary to revoke a determination by giving written notice to the responsible entity.

Proposed sections 30CD–30CH create obligations a responsible entity for a SoNS must comply with in the event they are subject to a determination. These obligations are:

  • adopting and maintaining an incident response plan (proposed section 30CD)
  • complying with the plan (proposed section 30CE)
  • reviewing the plan on a regular basis (proposed section 30CF)
  • taking all reasonable steps to ensure the plan is up to date (proposed section 30CG) and
  • providing a copy of the newly adopted or varied plan to the Secretary (proposed section 30CH).

Failure to comply with each of the above obligations may attract a maximum civil penalty of 200 penalty units ($44,400) for an individual or 1,000 penalty units ($222,000) for a body corporate.

Proposed section 30CJ defines an incident response plan to mean a written plan that:

  • applies to an entity that is the responsible entity for a SoNS
  • relates to the system
  • relates to cyber security incidents
  • the purpose of which is to plan for responding to cyber security incidents that could have a relevant impact on the system[166] and
  • complies with such requirements (if any) as are specified in the rules.

A responsible entity for a SoNS may vary an incident response plan,[167] or revoke and adopt another plan that applies to the entity.[168]

Cyber security exercises

Proposed section 30CM provides the Secretary with the power to require, by written notice, a responsible entity for a SoNS to undertake a cyber security exercise in relation to the system and all types, or one or more specified types, of cyber security incidents, within the time specified in the notice.

The period specified in the notice must not begin earlier than the end of the 30-day period that began when the notice was given.[169] Before giving the notice, the Secretary must also consult the entity and the relevant Commonwealth regulator that has functions relating to the security of the relevant system.[170]

In deciding whether to give a notice to an entity, the Secretary must have regard to the criteria set out in proposed subsection 30CM(5), which are substantially similar to the criteria listed in proposed subsection 30CB(4) (outlined above).

The notice may require the entity to do any or all of the following:

  • allow one or more specified designated officers to observe the cyber security exercise
  • provide those designated officers with access to premises for the purposes of observing the cyber security exercise
  • provide those designated officers with reasonable assistance and facilities that are reasonably necessary to allow those designated officers to observe the cyber security exercise
  • allow those designated officers to make such records as are reasonably necessary for the purposes of monitoring compliance with the notice
  • give those designated officers reasonable notice of the time when the cyber security exercise will begin.[171]

Proposed section 30CN defines a cyber security exercise to mean an exercise:

  • that is undertaken by the responsible entity for a SoNS
  • that relates to the system
  • that either relates to all types, or one or more specified types, of cyber security incidents
  • the purpose of which is to (depending on whether the exercise relates to all types or relevant specified types of cyber security incidents):
    • test the entity’s ability to respond appropriately to all types or relevant specified types of cyber security incidents that could have a relevant impact on the system
    • test the entity’s preparedness to respond appropriately to all types or relevant specified types of cyber security incidents that could have a relevant impact on the system
    • test the entity’s ability to mitigate the relevant impacts that all types or relevant specified types of cyber security incidents could have on the system and
  • that complies with such requirements (if any) as are specified in the rules.

The above definition is purposely non-prescriptive to ensure that the focus is not on the form of the exercise but rather on the purpose or outcomes the exercise is trying to achieve.[172]

A failure to comply with a notice issued under proposed section 30CM may attract a maximum civil penalty of 200 penalty units ($44,400) for an individual or 1,000 penalty units ($222,000) for a body corporate.[173]

Under proposed section 30CQ, the responsible entity for a SoNS must prepare an internal evaluation report relating to a cyber security exercise (that is undertaken under proposed section 30CM) and provide a copy of the report to the Secretary, within 30 days after the exercise’s completion or a longer period allowed by the Secretary. A failure to do so may attract a maximum civil penalty of 200 penalty units ($44,400) for an individual or 1,000 penalty units ($222,000) for a body corporate.[174]

However, if the Secretary has reasonable grounds to believe that an evaluation report prepared or purported to have been prepared by the entity under proposed section 30CQ was not prepared appropriately, or the entity has contravened proposed section 30CQ, the Secretary may, by written notice, require the entity to appoint an external auditor to prepare a new evaluation report.[175]

Proposed section 30CS defines an evaluation report to mean a written report, the purpose of which is to (depending on whether the exercise relates to all types, or one or more specified types, of cyber security incidents):

  • evaluate the entity’s ability to respond appropriately to all types or relevant specified types of cyber security incidents that could have a relevant impact on the system
  • evaluate the entity’s preparedness to respond appropriately to any specified or all types of cyber security incidents that could have a relevant impact on the system
  • evaluate the entity’s ability to mitigate the relevant impacts that all types or relevant specified types of cyber security incidents could have on the system and
  • that complies with such requirements (if any) as are specified in the rules.

This definition of an evaluation report mirrors the wording in proposed paragraph 30CN(1)(e) (a limb of the definition of a cyber security exercise under proposed subsection 30CN(1)) but uses the word ‘evaluate’ instead of the word ‘test’ in describing the purpose of an evaluation report.

Vulnerability assessments

Proposed section 30CU provides the Secretary with the power to require, by written notice, a responsible entity for a SoNS to undertake or cause to be undertaken a vulnerability assessment in relation to the system and all types, or any specified types, of cyber security incidents, within the time specified in the notice.

Proposed section 30CY defines a vulnerability assessment as an assessment:

  • that relates to a SoNS
  • that either relates to all types, or one or more specified types, of cyber security incidents
  • the purpose of which is to test the vulnerability of the system to all types or any specified types of cyber security incidents and
  • that complies with such requirements (if any) as are specified in the rules.

Before exercising their discretion, the Secretary must have regard to the criteria set out in proposed subsection 30CU(3). These criteria are substantially similar to those outlined in proposed subsection 30CB(4) for statutory incident response planning obligations mentioned above and identical to those in proposed subsection 30CM(5) for cyber security exercises.

Before giving the notice, the Secretary must consult the entity and the relevant Commonwealth regulator that has functions relating to the security of the relevant system.[176]

Under proposed subsection 30CZ(1), an entity undertaking or causing to be undertaken a vulnerability assessment must also prepare, or cause to be prepared, a vulnerability assessment report (as defined in proposed section 30DA) relating to the assessment and give a copy of the report to the Secretary within 30 days after the assessment’s completion or a longer period allowed by the Secretary.

Further, if the Secretary has reasonable grounds to believe that an entity would not be capable of complying with a notice, or the entity has not complied with a notice, the Secretary has the discretion to give a designated officer a written request to undertake a vulnerability assessment in relation to the system and all or any specified types of cyber security incidents within a specified period.[177] The Secretary must also give a copy of this request to the entity.[178]

Proposed subsection 30CW(4) outlines the same consultation requirements for the Secretary as those under proposed subsections 30CM(6) and 30CU(4).

If a request is given to a designated officer, the Secretary may, by written notice, require the entity to provide the designated officer with any or all of the below:

  • access to premises for the purposes of undertaking the vulnerability assessment
  • access to computers for the purposes of undertaking the vulnerability assessment
  • reasonable assistance and facilities that are reasonably necessary to allow the designated officer to undertake the vulnerability assessment.[179]

Under proposed subsection 30CZ(2), a designated officer undertaking a vulnerability assessment must also prepare a vulnerability assessment report and give a copy of the report to the Secretary—equivalent to obligations for an entity under proposed subsection 30CZ(1).

An entity’s failure to undertake a vulnerability assessment, to prepare a vulnerability assessment report, or to provide reasonable assistance may attract a maximum civil penalty of 200 penalty units ($44,400) for an individual or 1,000 penalty units ($222,000) for a body corporate.[180]

Access to system information

System information periodic reporting notices

Proposed section 30DB gives the Secretary power to issue a system information periodic reporting notice if:

  • a computer is needed to operate, or is, a SoNS and
  • the Secretary believes on reasonable grounds that a relevant entity for the SoNS is technically capable of preparing periodic reports consisting of information that:
    • relates to the operation of the computer
    • may assist with determining whether a power under the SOCI Act should be exercised in relation to the SoNS and
    • is not personal information (within the meaning of the Privacy Act 1988).

The Secretary has the power through a system information periodic reporting notice to require the entity to prepare periodic reports that comply with proposed paragraphs 30DB(2)(a)–(b) and give those reports to ASD.

In deciding whether to give a system information periodic reporting notice to the entity, the Secretary must have regard to the following criteria:

  • the costs that are likely to be incurred by the entity in complying with the notice
  • the reasonableness and proportionality of the requirements in the notice and
  • such other matters (if any) as the Secretary considers relevant.[181]

System information event-based reporting notices

Proposed section 30DC gives the Secretary power to issue a system information event-based reporting notice if:

  • a computer is needed to operate, or is, a SoNS and
  • the Secretary believes on reasonable grounds that each time a particular kind of event occurs, a relevant entity for the system of national significance is technically capable of preparing a report consisting of information that:
    • relates to the operation of the computer
    • may assist with determining whether a power under the SOCI Act should be exercised in relation to the SoNS and
    • is not personal information (within the meaning of the Privacy Act).

The Secretary has the power through a system information event-based reporting notice to require the entity to prepare reports that comply with proposed paragraphs 30DC(2)(a)–(b) and give those reports to ASD.

In deciding whether to give a system information event-based reporting notice to the entity, the Secretary must have regard to the following criteria:

  • the costs that are likely to be incurred by the entity in complying with the notice
  • the reasonableness and proportionality of the requirements in the notice and
  • such other matters (if any) as the Secretary considers relevant.[182]

Proposed sections 30DD and 30DE respectively set out the consultation and notice duration requirements for a system information periodic reporting notice or a system information event-based reporting notice.

A failure to comply with either a system information periodic reporting notice or a system information event-based reporting notice to the extent that the entity is capable of doing so may attract a civil penalty of 200 penalty units ($44,400) for an individual or 1,000 penalty units ($222,000) for a body corporate.[183]

System information software notices

Proposed section 30DJ gives the Secretary power to issue a system information software notice if:

  • a computer is needed to operate, or is, a SoNS and
  • the Secretary believes on reasonable grounds that a relevant entity for the SoNS would not be technically capable of preparing reports consisting of information that:
    • relates to the operation of the computer
    • may assist with determining whether a power under the SOCI Act should be exercised in relation to the SoNS and
    • is not personal information (within the meaning of the Privacy Act).

Proposed subsection 30DJ(2) gives the Secretary power to require the entity that is given a system information software notice to:

  • install a specified computer program on the computer within a specified period
  • maintain the installed computer program
  • take all reasonable steps to ensure the computer is continuously supplied with an internet carriage service that enables the computer program to function.

In deciding whether to give a system information software notice to the entity, the Secretary must have regard to the following criteria:

  • the costs that are likely to be incurred by the entity in complying with the notice
  • the reasonableness and proportionality of the requirements in the notice and
  • such other matters (if any) as the Secretary considers relevant.[184]

Further, a computer program may only be specified in a system information software notice if the purpose of the computer program is to:

  • collect and record information that:
    • relates to the operation of the computer
    • may assist with determining whether a power under the SOCI Act should be exercised in relation to the SoNS and
    • is not personal information (within the meaning of the Privacy Act) and
  • cause the information to be transmitted electronically to the ASD.[185]

Proposed sections 30DK and 30DL respectively set out the consultation and notice duration requirements for a system information software notice.

A failure to comply with a system information software notice to the extent that the entity is capable of doing so may attract a civil penalty of 200 penalty units ($44,400) for an individual or 1,000 penalty units ($222,000) for a body corporate.[186]

Concerns raised by stakeholders

Risks of system faults and vulnerabilities caused by the installation of computer programs

Various stakeholders raised concerns with proposed section 30DJ, which provides the Secretary with the power to require a relevant entity for a SoNS to install and maintain system information software that collects and records system information to be transmitted to ASD.[187]

Various stakeholders have noted the potential for this system information software to lead to system faults and vulnerabilities which may interrupt critical services.[188]

Communications Alliance explained what some of the impacts might be on IT systems:

Introducing any software into an IT system without careful coding and testing could result in system disruptions and vulnerabilities being introduced into the system. In the case of complex IT systems run by cloud service providers, improperly vetted software could lead to significant outages and cybersecurity risks, not only to the systems of the cloud service providers, but also to the systems of their customers. Additionally, the mandatory installation of government software on any IT service provider’s system would cause customers to doubt the integrity of the IT service provider’s services.[189]

BSA | The Software Alliance (BSA), which represents members of the global software industry, noted that the Bill ‘does not require the Secretary to consider the effects that any potential software installation may have on the SoNS’.[190] This therefore allows the Secretary to ‘require software to be introduced into highly complex [critical infrastructure] systems without adequate testing or vetting by SoNS staff, or knowledge of the asset and its interdependencies’.[191] BSA recommended that the Government make a number of amendments to the Bill, including providing the Secretary with the right to request, but not the authority to compel, the installation of software in SoNS.[192]  

The Information Technology Industry Council was concerned about the broader impact of these provisions, particularly ‘the precedent this would set for any government intelligence agency to force private entities to install intrusive software on their private networks’.[193]

The Business Council of Australia also noted that ‘the potential costs of the use of this kind of power are well beyond the possible benefits’ and ‘it will create concerns for international businesses considering investing in Australia or considering purchasing Australian based services’.[194]

Liability and indemnity issues arising from compliance with enhanced cyber security obligations

Some stakeholders have pointed out that there is a lack of clarity in the Bill regarding liability and indemnity issues in the event of economic or non-economic loss suffered by an entity having complied with an enhanced cyber security obligation directed by the Secretary.[195]

Amazon noted that the Bill ‘does not provide an entity with any immunities when complying with a cyber security exercise, vulnerability assessment, or information access request’ and ‘such compliance may require an entity to provide confidential information of a third party (which may or may not be in contravention of a non-disclosure agreement between the entity and that third party)’.[196]

Amazon argued that this is not a reasonable position to be placed in and that it is unacceptable:

… for an entity to accept given compliance with a Government direction, in situations under the threat of civil penalty or imprisonment, may have a material or significant impact on an entity’s business, operations, or customers or require significant resources and cost. The Bill should allow an entity to recover the reasonable and actual costs of compliance with a Government direction.[197]

Similarly, the UNSW Allens Hub for Technology, Law and Innovation also noted that ‘the Bill does not contain immunity or compensatory provisions concerning harms causally related to the exercise of those powers exercised under [proposed subsection 30DJ]’.[198]

In its submission on the Exposure Draft of the Bill, the Australian Industry Group proposed that there should be appropriate legislative safeguards to ensure that compliance with any enhanced cyber security obligations ‘cannot be used to exclude an insurer's liability under a policy of insurance e.g. cyber insurance’.[199]

Amendments to protected information provisions

The SOCI Act defines protected information by reference to how the document or information has been obtained (for example, where it is obtained by a person while exercising powers, or performing duties or functions, under the SOCI Act).[200] Items 18–20 of the Bill expand the definition of protected information to reflect the amendments contained in proposed Parts 2A, 2C and 6A of the SOCI Act.  

There are circumstances where the use and disclosure of protected information is authorised and permitted under the SOCI Act. Items 64–69 of the Bill amend existing provisions that authorise the use and disclosure of protected information to facilitate information sharing between responsible entities and state, territory and Commonwealth government agencies.

Item 64 inserts proposed section 42A, which authorises the Secretary to disclose protected information for the purpose of developing or assessing:

  • proposed amendments to the SOCI Act
  • proposed rules under the SOCI Act or
  • proposed amendments to rules under the SOCI Act.

The Secretary may also make a record of or use protected information for the purpose of that disclosure.

Item 65 inserts proposed section 43AA, which authorises the Secretary to disclose protected information to a Commonwealth Ombudsman official for the purposes of exercising powers, or performing duties or functions, as an Ombudsman official. This proposed section also provides the Secretary with the power to make a record of or use protected information for the purpose of that disclosure.

Item 66 inserts proposed section 43E, which authorises an entity to disclose protected information that relates to the entity to the following persons for the purposes of enabling or assisting them to exercise their powers, or perform their functions or duties:

  • a Minister of the Commonwealth or a Minister of state or a territory who has responsibility for the regulation or oversight of the relevant critical infrastructure sector to which the protected information relates
  • a person employed in the applicable ministerial office or
  • the head of the applicable government agency or an officer or employee of that agency.

Proposed subsection 43E(2) authorises an entity to disclose certain protected information with the Secretary’s consent.

Item 69 inserts proposed subsection 46(5) which provides an exception to the offence in section 45 of the SOCI Act for unauthorised disclosure of protected information to the extent an entity discloses protected information to a Commonwealth Ombudsman official for the purposes of exercising powers, or performing duties or functions, as a Commonwealth Ombudsman official.[201]

Concerns raised by stakeholders

Stakeholders raised several concerns about the proposed amendments to the relevant disclosure mechanisms contained in the SOCI Act.

Sunwater submitted that the drafting of the provisions fails to accommodate ordinary and operational use of information in achieving information security:

…proposed section 43E over-regulates the use and disclosure of ‘protected information’ by requiring Secretary consent for almost all documents and information falling within the ‘protected information’ definition. This would have a significant impact on both asset operation and the information provided to the Minister by entities in addition to causing significant strain on the Secretary’s role.[202]

The Communications Alliance pointed out that the definition of protected information has been drafted to fulfil entities’ compliance obligations under the SOCI Act and the Bill, but that:

… this information is not unique to the fulfilment of compliance obligations, i.e. this information is necessary for the execution of ordinary business processes and functions. As currently drafted, by using this information for compliance with the requisite security obligations, entities can no longer disclose this information in the ordinary course of business operations. This is not practical and, consequently, not acceptable …[203]

The Australian Information Industry Association recommended that the Bill be amended to permit entities to disclose SoNS declarations of assets (subject to relevant confidentiality agreements et cetera) to a limited number of third parties and local government entities.[204] The Water Services Association of Australia argued that the current definition of ‘protected information’ does not allow for the disclosure of information to contracted entities for the purpose of operating critical infrastructure assets in the ordinary course of business, and that the Bill should also be amended to allow for disclosure to ‘relevant local government authorities which have oversight of the relevant critical infrastructure sector to which the protected information relates’.[205]

Further, independent regulators or office holders, namely the Commonwealth Ombudsman, the Office of the Inspector-General of Intelligence and Security (IGIS) and the Office of the Australian Information Commissioner (OAIC), also proposed amendments to the Bill relevant to their functions.

The Commonwealth Ombudsman proposed a similar exception as the one currently provided for the IGIS in subsection 47(2) of the SOCI Act to the non-disclosure of information requirement in subsection 47(1) of the SOCI Act, such that the SOCI Act ‘does not interfere with’ the Commonwealth Ombudsman’s power to require the production of information under section 9 of the Ombudsman Act 1976.[206]

On the other hand, the IGIS pointed out that subsection 47(2) of the SOCI Act ‘provides that the IGIS may compel entities to produce protected information where necessary to give effect to the IGIS Act, or any other Act conferring functions, power or duties on the IGIS’, but that ‘there is no comparable provision in the SOCI Act or the Bill for voluntary disclosures of protected information to [the office of the IGIS]’. It asked that the PJCIS consider inserting a comparable exception for IGIS officials to that for Ombudsman officials in proposed subsection 46(5) of the SOCI Act, at item 69 of the Bill.[207]

The OAIC recommended that Part 4, Division 3, Subdivision A of the SOCI Act (which sets out authorised uses and disclosures of protected information) be amended to provide for the authorised use and disclosure of protected information to the Australian Information Commissioner, for the purpose of notifying an eligible data breach under the Privacy Act. Similar to the Commonwealth Ombudsman’s submission, the OAIC also recommended that subsection 47(2) of the SOCI Act be amended to allow entities to produce documents and answer questions, where they relate to a notifiable data breach and other regulatory functions of the OAIC under the Privacy Act.[208]

Concluding comments

While stakeholders are supportive of the need to protect Australia’s critical infrastructure from various threats, significant concerns have been raised regarding the timing of the introduction of the Bill into Parliament and the ability of the Government to address issues identified during Exposure Draft consultations on the Bill.[209]