The Bill and its referral
On 7 December 2017, Senator the Hon Mathias Cormann, Minister for Finance and then Deputy Leader of the Government in the Senate, introduced the Security of Critical Infrastructure Bill 2017 (the Bill) into the Senate.
In his second reading speech, Minister Cormann stated that the Bill
will ensure the government has the necessary powers to protect Australia from the national security threats of sabotage, espionage and coercion stemming from malicious foreign involvement in our critical infrastructure.
On 11 December 2017, the then Attorney-General, Senator the Hon George Brandis QC, wrote to the Committee to refer the provisions of the Bill for inquiry and to request it report by 2 March 2018. He further requested that the Committee should, as far as possible, conduct its inquiry in public.
In the letter, the then Attorney-General informed the Committee that the Bill’s measures support the work of the Critical Infrastructure Centre (CIC). The CIC works across all levels of government and with critical infrastructure owners and operators to identify and manage national security risks of espionage, sabotage and coercion in the high-risk electricity, gas, ports and water sectors.
Context of the inquiry
In his second reading speech, Minister Cormann said that
increasing foreign involvement in our national critical infrastructure means that Australia's critical infrastructure is more exposed than ever to sabotage, espionage and coercion.
Minister Cormann explained:
Foreign involvement can increase a malicious actor's ability to access and control Australia's critical infrastructure. Such access could enable them to target activity in a way that can affect the continuity of services to citizens, as well as having extreme consequences for other dependent infrastructure or defence assets.
With respect to the national significance of critical infrastructure, Minister Cormann stated:
Critical infrastructure is integral to the prosperity of the nation. Secure and resilient infrastructure underpins the effective functioning of Australian society - ensuring we have continuous access to essential services for everyday life, such as food, water, energy and communications.
The CIC was established on 23 January 2017. The CIC collaborates with asset owners, asset operators and state and territory regulators to identify risks, implement asset-specific mitigation strategies, and develop sector-wide best practice guidelines. The CIC engages with asset owners and operators through the Trusted Information Sharing Network (TISN), and directly as needed.
The TISN is Australia's primary national engagement mechanism for business-government information sharing and resilience building initiatives for critical infrastructure. The TISN provides a secure environment for critical infrastructure owners and operators across eight sector groups to cooperate within and across sectors to address security and business continuity challenges.
The Bill builds upon the Telecommunications Sector Security Reforms (TSSR), which manage national security risks in the telecommunications sector. The Committee reviewed the Telecommunications and Other Legislation Amendment Bill 2016, which gave effect to TSSR, and tabled its advisory report on 30 June 2017.
Consultation on the development of the Bill
The development of the Bill was subject to consultation prior to introduction into the Senate. The Explanatory Memorandum refers to the release of a discussion paper in February 2017, separate rounds of consultation with states, territories and industry in March and June 2017, and the release of an exposure draft for five weeks of public consultation in October 2017.
In his second reading speech, Minister Cormann advised that the Bill introduced reflects consultation with state and territory governments and industry stakeholders:
The government has made some important changes to the bill in response to the exposure draft consultations. This includes refining key definitions, strengthening consultation requirements, and applying the legislation to specific critical assets in the gas sector.
Conduct of the inquiry
The Committee announced the inquiry by media release on 15 December 2017 and invited submissions from interested members of the public by 2 February 2018.
The Committee received 11 submissions and two supplementary submissions from industry, government and other organisations. A list of submissions received by the Committee is at Appendix A.
The Committee held a public hearing on 9 February 2018. The Committee also received one private briefing from relevant agencies in Canberra. A list of hearings and witnesses who appeared before the Committee is included at Appendix B.
Copies of submissions received and transcripts of public hearings can be accessed on the Committee’s website at: http://www.aph.gov.au/pjcis. Links to the Bill and the Explanatory Memorandum are also available on the Committee’s website.
Summary of the Bill
The Bill introduces two new key measures, namely a register of critical infrastructure assets and ministerial directions powers. In summary:
The Bill requires the Secretary to maintain a register and requires owners and operators of specified critical infrastructure assets to provide specific, high-level information concerning the ownership and operation of the asset, and
The Bill establishes a directions power, which will enable the Minister to issue a direction to an owner or operator of a critical infrastructure asset to mitigate national security risks that cannot be managed through cooperation or existing regulatory mechanisms.
Before being able to issue a direction, the Minister is required to be satisfied of certain matters, to consult with stakeholders, and give consideration to a range of factors.
The direction power is modelled on a similar power in the TSSR.
The Bill will apply to a specified set of critical infrastructure assets in the high-risk electricity, water, gas and ports sectors (approximately 140 assets in total). Recognising the importance of responding to changes in the national security landscape, the assets, or categories of assets, captured by the legislation can be amended through rules or the Minister’s private declaration power.
The Bill also has protection and offence provisions for sensitive commercial information that entities provide as part of the reporting obligation or information-gathering power. Access to, and use of, this information is restricted to certain persons and specific purposes.
The Bill includes a transition period of three months following commencement, to allow entities time to gather information and report required information. Following initial reporting, entities must notify of changes within 30 days of a notifiable event.
Non-compliance with reporting obligations, a written requirement from the Secretary for information or documents, or a direction from the Minister will attract civil penalties, including civil pecuniary penalties, enforceable undertakings and injunctive relief.
This report consists of five chapters:
This chapter sets out the context and conduct of the inquiry, as well as a brief summary of the Bill,
Chapter 2 examines the case for the reforms,
Chapter 3 examines the definition of ‘critical infrastructure asset’ and the intended coverage of assets,
Chapter 4 examines the Register and other information-related provisions, including provisions that protect sensitive information from unauthorised use and disclosure, and
Chapter 5 examines the Minister’s ability to direct reporting entities and operators of critical infrastructure assets.