This chapter discusses the Minister’s powers, set out in the Bill, to issue written directions to reporting entities or operators of critical infrastructure assets. This chapter also discusses the power’s safeguards, consultation requirements prior to the power’s exercise, and oversight, review and reporting requirements for the regime.
Section 32 of the Bill enables the Minister to give a reporting entity or operator a written direction requiring that it do or refrain from doing a specified act or thing.
This power is subject to a number of safeguards under subsection 32(3) of the Bill, including:
the Minister must be satisfied that the direction is reasonably necessary for the purpose of eliminating or reducing the risk,
the Minister must be satisfied that reasonable steps have been taken to negotiate in good faith with the entity to achieve an outcome of eliminating or reducing the risk,
an adverse security assessment has been given to the Minister, and
the Minister must be satisfied that no existing regulatory system of the Commonwealth, a state or a territory could be used instead.
Under subsection 32(3) of the Bill, the Minister must also have regard to a number of factors before giving an entity a written direction, including:
the adverse security assessment,
the costs that would be likely to be incurred by the entity,
the potential consequences on competition in the relevant industry,
the potential consequences on the entity’s customers or services, and
any representations given by the entity or a consulted minister, which includes state and territory ministers.
The Bill requires the Minister to give the greatest weight to the adverse security assessment. The Bill also allows the Minister to have regard to any other matter he or she considers relevant.
The Explanatory Memorandum states the need for the directions power to be broad in scope:
Given the range of security risks that could arise, the directions power is designed to provide the Minister with the necessary scope to issue a direction that can sufficiently manage the risk.
The Explanatory Memorandum states that the safeguards are adequate in ensuring issued directions are proportionate to the risk:
However, to balance the breadth of the power, there are significant safeguards built into the use of the power at subsections 32(3), 32(4) and 33. These safeguards ensure that any direction issued is only after significant consultation, consideration and is proportionate to the risk being managed.
Energy Networks Australia supported the direction’s safeguards:
Due consideration to ‘the costs that would be likely to be incurred by the entity in complying with the direction’ is particularly welcome, given the already significant regulatory reporting which energy network service providers undertake.
The Law Council also supported the safeguards, with qualifiers:
The Law Council supports the inclusion of safeguards in the Bill to ensure the Minister only exercises the directions power as a last resort, and only after negotiation in good faith with the affected entity, and consultation with the relevant State or Territory Minister. However, the Law Council has concerns that uncertainty remains regarding the threshold for the Minister to exercise the directions power, in particular the definition of ‘prejudicial to security’ and the Minister’s consideration of an adverse security assessment.
APGA suggested the Bill should include an ability to issue a regulatory notice prior to the exercise of the Minister’s direction power. APGA argued that a regulatory notice would not be as extreme as a direction and provide an opportunity for infrastructure operators to discuss the most appropriate cost recovery approach with customers. In response, the Department of Home Affairs stated that
there would be nothing precluding the minister making a direction even though it was done in collaboration and voluntarily with an operator. It's not a requirement of the direction that the operator wouldn't undertake the activity voluntarily.
APGA had concerns with the lack of clarity of the circumstances that would lead to the Minister issuing a direction. In particular, APGA was interested in understanding the way that the Commonwealth may attempt to leverage existing mechanisms to resolve issues prior to the Minister relying on a direction. APGA suggested that the Department of Home Affairs could alleviate APGA’s concerns through publicly documenting the criteria for issuing directions, beyond the existing legislative safeguards.
In response, the Department of Home Affairs stated that it could provide broad guidance about the kinds of things that would occur in the lead-up to the Minister issuing a direction. The Department of Home Affairs also stated:
As part of the consultation process that will occur prior to a direction being issued, the Centre will work closely with the asset operator and both Commonwealth and state or territory regulators to gain a detailed understanding of:
the existing regulatory environment in which the asset operates, and
whether the mitigations could be implemented by leveraging existing regulatory mechanisms.
Adverse security assessments
As stated previously, the Bill requires that an adverse security assessment be given to the Minister, prior to the Minister issuing a direction.
Subsection 38(1) of the Australian Security Intelligence Organisation Act 1979 (ASIO Act) requires the Commonwealth agency to give the subject of an adverse security assessment a copy of that assessment, along with information on their right to appeal to the Administrative Appeals Tribunal.
Subsection 38(2) of the ASIO Act provides the power to the Attorney‑General to
withhold notice of the making of the assessment if the Attorney‑General is satisfied that it is essential to the security of the nation, or
exclude the statement of grounds, or part of the statement, if it would be prejudicial to the interests of security.
Section 38A of the ASIO Act allows the Attorney-General to exclude information in an adverse security assessment where the disclosure is prejudicial to the interests of security, but does not allow the Attorney‑General to withhold notice of a security assessment.
The Telecommunications and Other Legislation Amendment Act 2017, which gives effect to TSSR, amends section 38A of the ASIO Act, so that section 38A applies to the Attorney-General’s ability to issue directions as part of TSSR. The Department of Home Affairs stated that the Minister’s directions power is ‘modelled on a similar power in the TSSR’.
The Inspector-General of Intelligence and Security argued:
The critical infrastructure scheme is modelled on the TSSR measures. Aligning the notification requirements for ASAs [adverse security assessments] issued in connection with each scheme would ensure the equal treatment of regulated entities in this regard.
The Department of Home Affairs responded:
It was always the intention that an unclassified statement of the grounds for the adverse security assessment, which is included in the assessment, be provided to the affected critical asset owner or operator to assist them in understanding the security concern and need for a Ministerial direction. With the Bill as currently drafted, it would be open for the Attorney-General to withhold the notice on national security grounds. This was never the Department’s intent.
Threshold for exercising direction
In addition to the safeguards listed above, subsection 32(1) of the Bill requires that, prior to issuing a direction, the Minister must be satisfied that there is a risk of an act or omission that would be prejudicial to security.
The Explanatory Memorandum states:
The term ‘prejudicial to security’ is to be given its ordinary meaning, but interpreted in a manner that is consistent with the term ‘activities prejudicial to security’ contained in the ASIO Act. As a matter of guidance only, activities prejudicial to security may cover activities relevant to ‘security’, as defined under the ASIO Act, that could be considered capable of causing damage or harm to Australia, the Australian people, or Australian interests, or to foreign countries to which Australia has responsibilities.
The Law Council suggested that the term ‘prejudicial to security’ should be defined in the Bill to be consistent with the rule of law:
This [defining the term in the Bill] would also ensure that the term ‘prejudicial to security’ could not be later redefined without adequate Parliamentary scrutiny.
The Department of Home Affairs responded that
it would not be appropriate to introduce a definition of the phrase ‘prejudicial to security’… Defining the phrase ‘prejudicial to security’ may result in the phrase being given inconsistent meanings between different national security legislative frameworks [with reference to TSSR], thereby causing unintended operational consequences.
The Law Council also suggested that the required risk thresholds, prior to an exercise of the direction power, should be more transparent and embedded in the Bill:
The threshold for the exercise of the directions power should only be permitted where there is a sufficient level of risk to security to justify the exercise of the powers. This could be achieved, for example, by amending proposed section 32(3) of the Bill to require that the Minister is satisfied that there is substantial and imminent risk or unauthorised interference with, or unauthorised access to, a critical infrastructure asset that would be prejudicial to security.
The Department of Home Affairs argued that
the provision as drafted, including the requirement for an ASIO adverse security assessment already ensures that the Minister’s directions power is properly limited to circumstances where there is a sufficient level of risk …
However, including a temporal element to the test may unnecessarily limit the use of the power given the Bill is designed to enable action to be taken to prevent pre-positioning for acts of sabotage.
In these circumstances, it may not be possible to satisfy an ‘imminence’ test. Additionally, the requirement of ‘unauthorised’ access or interference may be difficult to satisfy in circumstances where the risk arises through legitimate involvement in the critical infrastructure asset, for example, through direct ownership or legitimate business activities.
The Committee considered a similar issue in its inquiry into the Telecommunications and Other Legislation Amendment Bill 2016. In relation to that Bill, industry associations sought to have the meaning of ‘prejudicial to security’ defined in the legislation, and sought increased transparency and scrutiny of the adverse security assessment process. In that inquiry, the Committee concluded that:
The Committee does not support further defining the term ‘prejudicial to security’ in the Bill.
In regards to whether the criteria for an adverse security assessment should be made public, there are national security considerations that must be taken into account. The risks include that such information could be used by those seeking to harm Australia’s security to act in a manner designed to avoid detection by ASIO.
Accordingly, the Committee does not support making the criteria for adverse security assessments available to industry.
Consultation requirements with states and territories
One of the safeguards mentioned above is that the Minister cannot give a direction unless he or she is satisfied that no existing regulatory system of the Commonwealth, state or territory could be used to eliminate or reduce the risk.
Section 33 of the Bill requires that before giving an entity a direction, the Minister must consult the First Minister of a state and territory, and each state and territory minister who has responsibility for the regulation or oversight of the relevant industry for the critical infrastructure asset. Each consulted minister has at least 28 days to provide written representations, or a shorter period if necessary because of urgent circumstances.
In relation to these consultation requirements with states and territories, the Explanatory Memorandum states:
This provision ensures the relevant state or territory minister, and Premier or Chief Minister have been directly consulted and have provided a formal state view on the proposed risk, how it could or should be addressed, including through a possible direction, and the impacts of such a direction.
The South Australian Government is concerned about the power for the Commonwealth to direct state and state instrumentalities regarding state‑owned asset operations:
It is recognised that safeguards are built into the Bill and the increased articulation of consultation requirements has strengthened these. However, the concern fundamentally remains, particularly considering the ability for the Commonwealth to privately declare assets as critical infrastructure assets without prior consultation with the state and the potential implications of directions, if made, on owners.
The Northern Territory Government also had concerns that states and territories may incur costs as a result of an entity complying with a ministerial direction:
the Northern Territory Government considers it appropriate that the Bill operate in a manner that ensures that it, as ultimate owner of critical infrastructure assets, is adequately engaged throughout consultation and negotiation processes relating to risk assessments and mitigations, and in respect of Ministerial directions, even in situations where the Minister may have identified the Port Operator as the entity best placed to manage the particular risk.
The Department of Home Affairs noted that it released an exposure draft of the Bill for five weeks of public consultation in October 2017 and ‘the Bill reflects the feedback received during these consultation sessions’. In particular, one of the refinements involved ‘strengthening consultation requirements’.
The South Australian Government acknowledged those changes to the Bill in its submission, but maintained its fundamental concern about the Commonwealth directing states:
It is pleasing that some feedback from jurisdictions and industry has been incorporated into the Bill, including strengthening the consultation requirements with states.
Secretary’s Annual Report
Section 60 of the Bill requires the Secretary to give the Minister a report on the operation of the Bill, for presentation to the Parliament, each financial year. Subsection 60(2) of the Bill requires that the report deal with:
the number of notifications that were made during the financial year to the Secretary for the register of critical infrastructure assets,
any directions given during the financial year by the Minister,
the use of the Secretary’s powers to obtain information or documents,
any enforcement action taken against an entity, and
the number of private declarations of critical infrastructure assets that were made by the Minister.
The Explanatory Memorandum states:
This annual overview on the operation of the Bill provides accountability and transparency of the Bill’s application to critical infrastructure assets, including how often the powers are used.
The Explanatory Memorandum clarifies that the report can deal with matters beyond the requirements under subsection 60(2) of the Bill listed above.
The Committee notes the similarities between the Minister’s directions power in this Bill and the Attorney-General’s directions power in TSSR. The Committee considers that the notification requirements for adverse security assessments should not differ between TSSR and this Bill.
The Committee recommends that the Bill be amended so that the Attorney-General cannot issue a certificate preventing the subject entity from knowing that it is the subject of an adverse security assessment.
The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to require the relevant Minister to provide, to the subject entity, notice of an adverse security assessment given in connection to the Bill and merits review rights.
The Committee considers that the Bill should be amended to align with requirements under section 38A of the Australian Security Intelligence Organisation Act 1979.
The Committee notes industry’s concerns about the lack of clarity of the circumstances that would lead to the use of the Minister’s directions power. The Committee’s expectation is that the Minister would only use his or her power to issue directions as a last resort.
The Committee notes that the Bill requires the Minister to table a report to Parliament each financial year. The report must contain information about any use of the Minister’s direction power and private declarations of critical infrastructure assets. The Committee supports these requirements, as they will give the public confidence that the Minister uses these powers sparingly and as a last resort, as the Bill intends.
The Committee notes concerns about further clarity on the definition of ‘prejudicial to security’ and the need for greater transparency around this risk threshold. The Committee does not support further defining the term ‘prejudicial to security’ in the Bill.
The Committee notes concerns from some state and territory governments that the Commonwealth can direct reporting entities, which states and territories may ultimately own. The Committee notes that consultation requirements with states and territories under the Bill have been strengthened during its development. The Committee supports ongoing collaboration between Commonwealth, state and territory governments in recognition that national security in Australia’s critical infrastructure is a shared concern. The Committee does not consider further change to the Bill is required.
The Committee notes that the Telecommunications and Other Legislation Amendment Act 2017 requires that the Committee review the operation of the legislation three years after Royal Assent. The Committee recommends that this Bill also be subject to a review, given the similarities in powers and the national security risks that both laws are designed to manage.
Given that the Telecommunications and Other Legislation Amendment Act 2017 received the Royal Assent on 18 September 2017, the Committee anticipates that its review would be holistic and consider the interaction between both laws. The Committee considers that the scope of the review should include whether further amendments are necessary. In particular, the Committee wishes to review the effectiveness of placing obligations upon private operators to manage national security risks, and whether a unified scheme should cover all critical infrastructure assets.
The Committee notes that its review of the Bill would also provide an opportunity to review the Minister’s power to declare critical infrastructure assets privately under section 51 of the Bill. The Committee considers that its review would strengthen oversight of the use of this declaration power, supplementing the annual reporting requirements.
The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to require the Parliamentary Joint Committee on Intelligence and Security to review the operation, effectiveness and implications of the reforms, commencing within three years of the Bill receiving Royal Assent.
The review should consider the appropriateness of a unified scheme to cover all critical infrastructure assets, including telecommunications assets.
The review should also consider the circumstances in which the Minister has used the private declaration power under section 51.
The Committee notes that the objective of the Bill is to provide a risk-based framework to manage national security risks arising from foreign involvement in critical infrastructure. The Committee has carefully considered the objective and has concluded that the Bill is a necessary and proportionate response. The Committee supports the intent of the Bill.
The Committee notes the industry consultation undertaken during the development of the Bill. The recommendations made in this report aim to enhance transparency and provide greater clarity to industry, as well as strengthen safeguards and oversight.
The Committee thanks all participants in the inquiry for their valuable contributions and constructive approach.
The Committee commends the report to the Parliament and recommends that, subject to the recommendations in this report being accepted, the Bill be passed.
The Committee recommends that, subject to the above recommendations being accepted, the Security of Critical Infrastructure Bill 2017 be passed.