Chapter 5 - Evidence to the Committee

5.1 This chapter summarises evidence received by the Committee in relation to the three bills comprising the Cyber Security Legislative Package.

General views on the legislative package

5.2 There was strong in-principle support among participants for the intent underpinning the Cyber Security Legislative Package.[1] There was also widespread appreciation for the consultative approach to developing the legislation taken by the Department of Home Affairs.

5.3 At the same time, there were common concerns amongst submitters about the potentially broad application of some provisions and the need for further refinement in the rules, and through guidance from the Department of Home Affairs, to support their implementation.[2] There were also broad concerns about the increasing compliance and reporting burden placed on affected entities, including the potential for duplicative reporting requirements.[3]

5.4 Submitters strongly encouraged ongoing consultation and engagement with industry by the Department and regulators, as well as supporting a phased implementation to ensure the new obligations are understood and implemented effectively.[4]

5.5 These general views are explored in greater detail throughout this chapter.

Timeframe for the inquiry

5.6 Despite high levels of support for the legislative package, many submitters to the inquiry expressed concern about the short timeframe allowed for the Committee’s inquiry, noting that stakeholders were provided with only two weeks to prepare written submissions on an important and complex suite of bills.[5]

5.7 As an example of this concern, the Law Council of Australia (Law Council), which represents the legal profession at the national level, advised that, due to the ‘complexity of the consultation and the limited timeframe for providing feedback’ it was ‘unable to provide detailed comments on all aspects’ of the Cyber Security Legislative Package.[6] The Law Council expressed concern about the timeframe in its submission:

[T]he Law Council is disappointed that a period of just over two weeks has been afforded between the tabling of the Package and the deadline for written submissions. We emphasise the complex nature of the legislation, which will have wide-reaching impact and consequences in a highly technical field. With respect, the current consultation period does not allow for meaningful and robust consultation with stakeholders to ensure the laws will work as effectively and efficiently as possible.[7]

Previous consultation process

5.8 The Cyber Security Legislative Package largely implements reforms that were foreshadowed in a December 2023 consultation paper in relation to the 2023–2030 Australian Cyber Security Strategy.[8] The Department of Home Affairs received more than 130 written submissions in response to the consultation paper, which remained open for submissions until 1 March 2024.[9] The Department also released a targeted exposure draft of the proposed legislation on 4 September 2024. The exposure draft period closed on 11 September 2024, with 61 written submissions received, and over 200 attendees at two closed door virtual town halls.[10]

5.9 Participants in the inquiry were generally satisfied with the consultation process engaged in by the Department of Home Affairs prior to introduction of the bills.[11] Across a range of submitters, including industry representative bodies, there was a general consensus that the Department had consulted adequately throughout the process. While many submitters considered that there was still room for improvement in the construction of the laws and the proposed implementation process, most submitters agreed that there was nothing in the Cyber Security Legislative Package that was a surprise.

5.10 During the Committee’s public hearings a number of submitters took the opportunity to praise the consultative process engaged in by the Department of Home Affairs. For example, the Cybersecurity Coalition stated:

I also want to commend the Australian Government for its approach on industry consultation leading up to the delivery of the current Australian Cyber Security Strategy as well as the consultation process that underpins this legislative package. The Cybersecurity Coalition engages with a lot of governments globally on development of policy and legislation, and Australia is an exemplar in this regard. In discussions with other governments, we often reference the approach to consultation and co-design used by the Department of Home Affairs.[12]

5.11 The Australian Institute of Company Directors (AICD) similarly expressed its appreciation for the consultative approach taken to the development of the legislative package:

We reiterate the close collaboration and consultation from Home Affairs with industry on these reforms and our real urging and support for a ‘team Australia’ approach which recognises that we can’t really build collective resilience without all parts of the ecosystem working together.[13]

5.12 The Chair of the Australian Information Security Association stated:

In my experience, the engagement has been really good, throughout, with the department. We were not surprised when the draft bill came out, in terms of the inclusions. It was communicated really well.[14]

5.13 Similarly, Universities Australia commended the whole-of-government collaborative approach:

I’ve found that, on both sides of politics, the engagement on this issue has been excellent. There is an enormous level of bipartisanship, particularly through this Committee.[15]

5.14 However, not all submitters were satisfied with the consultation process leading up to the Cyber Security Legislative Package being introduced to the Parliament. Geomastery Advisory’s submission stated:

Consultation in Australia generally falls far short of that undertaken in either the United Kingdom or the European Union. … That industry supports the intent of the Bill’s outcomes does not infer support of its methods to achieve those outcomes.[16]

5.15 Although appreciative of the opportunity to engage in consultation, the Internet Association of Australia commented that not all the feedback provided in previous consultations had been addressed in the current legislative package.[17]

Need for future review

5.16 Some inquiry participants suggested that components of the Cyber Security Legislative Package should be reviewed in future years.

5.17 The Law Council recommended that, if passed, the Cyber Security Act 2024 should be reviewed after three years, stating:

[I]n light of the issues raised by [the Law Council] and others to this review, we think it would be prudent for the Cyber Security Bill to include a statutory review to be undertaken after three years to assess how the framework is operating in practice.[18]

5.18 Macquarie Technology Group highlighted that an independent review of the Security of Critical Infrastructure Act 2018 (SOCI Act), required by section 60A, is already due to commence shortly.[19] It recommended that if legislative changes are not made as a result of the Committee’s review to address the matters raised in its submission (discussed below in relation to data storage systems), then a relevant recommendation should be made as part of the required independent review.[20]

5.19 As well as the independent review under section 60A, section 60B of the SOCI Act currently empowers the Committee to conduct a statutory review of the SOCI Act, so long as it begins its review before the end of three years after the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act) received Royal Assent. This period expires on 2 December 2024.

5.20 The Department of Home Affairs noted that it has been regularly reporting to the Committee on the conduct, progress and outcomes of consultations relating to the SLACI Act and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act), as required by section 60AAA of the SOCI Act.[21] This reporting obligation remains in force until the Committee begins to conduct the review under section 60B.[22] However, noting consultation on the SLACI Act and SLACIP Act is now complete, the Department suggested the Committee consider the utility and value of this ongoing reporting requirement.[23]

Views on specific provisions

5.21 While there was significant support for the initiatives behind the Cyber Security Legislative Package, submitters made specific comments in relation to the below areas of the three bills within the package. While this chapter does not capture all issues or comments raised by submitters, it does seek to reflect the major themes identified.

Mandatory security standards

5.22 Section 14 of the Cyber Security Bill 2024 (Cyber Security Bill) would enable the relevant Minister to create rules mandating security standards for ‘relevant connectable products’, which includes internet-connectable and network-connectable products, such as Internet of Things (IoT) products and smart devices.[24]

5.23 Most submitters supported the introduction of mandatory security standards for relevant connectable products.[25] CyberCX, for example, submitted:

The introduction of secure-by-design standards is a logical measure that should, in the first instance, have the effect of better protecting users from attacks exploiting fundamental design weaknesses in consumer IoT devices. It will bring Australia in-line with standards regulation occurring in other leading markets, namely the [European Union] and the United States.[26]

5.24 Ms Annie Haggar, representing the Law Council of Australia, compared the introduction of security standards for smart devices to existing standards for other items:

I actually think this is the most important, most impactful change introduced by the bill. It will have the most immediate and greatest impact on the safety of the Australian community, like introducing standards for car seats. You can’t buy a car seat in Australia that doesn’t meet standards. It is similar with bike helmets: we need to have certain standards. This is an incredibly important measure …[27]

5.25 While there was strong in-principle support for Australia to introduce mandatory standards for products, submitters urged the Government to adopt international standards when making the rules associated with this provision.[28]

5.26 For example, the Institute for Integrated Economic Research—Australia (IIER-A) stated that it ‘would be sensible’ to adopt international standards, ‘with the flexibility to change as the threat changes’, but that ‘it would be useful to set the one standard and enforce compliance’ rather than adopting multiple standards.[29] Similarly, BSA | The Software Alliance (BSA) submitted that the Government should ‘take every effort to avoid a divergent approach from other like-minded countries’.[30] Infoblox submitted that:

Aligning with international standards is not only beneficial for the impacted entities to comply but also essential for Australia to maintain global interoperability and consistency.[31]

5.27 Consumer Electronics Suppliers Australia recommended that ‘Australian requirements align with those of major overseas markets’ to ‘minimise the need for bespoke Australian solutions and ensure the future-proofing of regulations against technological advancements’.[32]

5.28 In relation to which international standards should be adopted, several submitters, including Samsung Electronics Australia, Amazon Web Services and IIER-A, amongst others, supported the use of the United Kingdom’s Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) standards in any rule making.[33]

5.29 The Department submitted that it intended the rules to align with international standards such as the PSTI Act:

Rules under this Part are intended to align with legislative approaches such as the UK’s Product Security and Telecommunications Infrastructure Act 2022, modelled off international standards, such as the ETSI EN 303 645 standard. It should be noted international standards are not static and can be updated based on new technical advice, industry and consumer expectations, and advances in technology.[34]

5.30 The Department of Home Affairs advised that it has built into the measure a one year phase-in time to enable the Department to continue ‘consulting industry and make sure that the design of the laws is fit for purpose’.[35] However, some submitters considered a longer implementation period was needed.[36] For example, the Australian Chamber of Commerce and Industry submitted that:

due to the major changes in product requirements under the Act, a 12-month transition period is insufficient to ensure businesses are ready to comply at the date of commencement.[37]

5.31 Samsung Electronics Australia advised that consumer electronics manufacturers, including Samsung, typically follow global planning, design and manufacture processes with variations ‘generally requiring lead times of at least 18–24 months’, depending on the product.[38] Samsung suggested an extension to the commencement timeline for the new standards in Australia would be required if the rules differ from those in the PSTI Act and regulations.[39]

5.32 Ms Haggar, of the Law Council, suggested that the security standards for some internet-connected products would be able to be upgraded relatively quickly through firmware and software updates.[40] However, she cautioned that it was important to ensure that impacted industries have time to consider how to deal with products that already exist in stockpiles which may become unsaleable in Australia when the new standards commence.[41]

5.33 Several submitters also expressed concern that mandatory security standards, if applied indiscriminately, could have a chilling effect on technology resellers and innovators in the Australian market.[42] For example, Rebecca Trapani submitted that ‘the burden of compliance may outweigh the benefits of maintaining a presence in the Australian market’.[43] Similarly, Geomastery Advisory saw the Cyber Security Bill’s attempt to mandate security standards as ‘overreach’ and suggested that:

if overly regulated, offshore manufacturers may find it easier simply to cease supply (as is already occurring), depriving Australian consumers of considerable benefit and industry of critical components.[44]

5.34 The Tech Council of Australia was concerned about the potential negative impact on start-up businesses focussing on hardware products. It submitted that there is:

no threshold for application of the standard, creating the possibility that startups creating and iterating new devices, while not incurring significant consumer exposure, could incur a regulatory burden. This burden would be disproportionate to the risk posed by those businesses at a delicate stage in their growth phase. … we encourage government to ensure the regulatory environment for these businesses is no more onerous than in equivalent jurisdictions.[45]

5.35 Several submitters commented that some definitions used in Part 2 of the Cyber Security Bill were not clear or could benefit from refinement, either in the legislation itself or via the rules and accompanying guidance on implementation.

5.36 For example, Quokka submitted that the definition of ‘product’ is unclear and should be amended to make it clear that it is the combination of the smart device and its companion app.[46] Quokka’s rationale for this was that ‘[i]n most cases, without the companion app, you don’t really have a usable product’.[47] Quokka further submitted that companion apps for smart devices ‘are often a much higher security risk than other apps on a consumer’s smartphone’.[48]

5.37 Samsung Electronics Australia submitted that ‘clarification is needed either within the Bill and/or rules or the [Explanatory Memorandum]’ to provide certainty on laptops and certain tablet products being exempted from the definition of relevant connectable product, in line with the UK’s PSTI Act regulations.[49]

5.38 Others were concerned to see that specific technology was clearly included within the rules. For example, VOICE Australia submitted that connected private vehicles should be explicitly included in regulations.[50] Similarly, DLC Legal submitted that internet-connected vehicles should be subject to the security standards, stating:

The connectivity capability of most modern vehicles puts them at as much if not greater risk as all other ‘relevant connectable products’ …[51]

5.39 The Department of Home Affairs submitted that it would take an ‘exclusion-based approach’ and where there is already legislation to address the cyber security of a device, that would likely be excluded under the rules:

The proposed format of rules would take an exclusion-based approach for the coverage of devices for each specified security standard. Generally, devices will be excluded if: there is existing legislation that can adequately address the cyber security of these devices, there is work underway across Government to develop a higher or bespoke standard for these devices, or the complexity of these devices means that being mandated under these rules will risk a lower standard being met. The list of excluded devices for each standard can be amended to exclude further devices, or scope devices back under the coverage of the standard.[52]

5.40 There were also some submitters who specifically advocated for the inclusion of Vulnerability Disclosure Programs or similar in the proposed security standards.[53] For example, HackerOne stated that it:

strongly advocates for the integration of Vulnerability Disclosure Programs (VDPs) as a critical component of the new IoT security standards in Australia—in keeping with the approach taken in the UK’s PSTI Act.[54]

5.41 A few submitters expressed concerns about how the standards would be enforced and made suggestions in relation to the interaction with other regimes responsible for enforcing regulations. The Australian Communications Consumer Action Network (ACCAN) made several suggestions in relation to the proposed measures for enforcing security standards for smart devices.[55] ACCAN was concerned that consumers may not be aware of devices that were non-compliant and recommended that the Department of Home Affairs:

establish a public register of compliance notices, stop notices and recall notices to improve transparency and consumer visibility of relevant connected devices.[56]

5.42 Rebecca Trapani and Mark Piddington both submitted that greater consideration should be given to how these proposed laws intersect with Australian Consumer Law; both suggested that oversight of the security standards should sit with the Australian Competition and Consumer Commission (ACCC).[57] Rebecca Trapani also suggested that there should be an ombudsman ‘to oversee the enforcement of the mandated cyber security standards’.[58]

Ransomware reporting obligations

5.43 The Cyber Security Bill proposes to establish a mandatory reporting obligation requiring entities that meet a specified annual turnover threshold, to be set out in rules made under subsection 26(2), to report to the Department of Home Affairs and the Australian Signals Directorate (ASD) when they make a ransomware or cyber extortion payment of money or an in-kind benefit in connection with a cyber security incident.[59]

5.44 Submitters were supportive of this initiative;[60] however, there were differing views on the appropriate turnover threshold for reporting entities and there was general concern about ensuring businesses were not over-burdened by reporting requirements.

5.45 With the turnover threshold to be prescribed by the rules, the actual amount is not defined in the Cyber Security Bill. However, the Explanatory Memorandum to the Cyber Security Bill sets out the Government’s current view that the appropriate threshold for reporting entities is an annual turnover of $3 million or more.[61] According to the Department of Home Affairs, this threshold aligns with the current small business definition in the Privacy Act 1988 (Privacy Act) and would be used as a starting point for consultation when the rules come into force.[62]

5.46 Some submitters, especially those representing smaller businesses, considered the proposed threshold to be too low.[63] The Council of Small Business Organisations of Australia (COSBOA) submitted that ‘a $3 million threshold will capture far too wide a cohort of small businesses who are already struggling with running basic everyday operations of their business in the current environment’.[64] COSBOA observed that the $3 million threshold in the Privacy Act has not been indexed since its introduction over two decades ago and ‘is more easily referenced to the [Australian Taxation Office]’s $2 million definition of micro-businesses’.[65]

5.47 On the other hand, others supported implementing a $3 million threshold in the rules or, in the case of some submitters, a lower threshold.[66] BSA submitted that it supported the $3 million threshold because it would:

increase the sample size for ransomware data collection, which is of course important for threat identification and so on and so forth … [and] it will promote robust cybersecurity practices across all enterprises. It highlights that cybersecurity is not just a ‘big tech issue’ but one that affects enterprises of all sizes. … it also aligns with the ‘small business’ definition under the Privacy Act. This does promote greater harmonisation among different laws …[67]

5.48 The .au Domain Administration (auDA) considered that the reporting obligations should be expanded to capture more entities, including by taking a risk-based approach to the mandatory obligation rather than a minimum turnover approach, including small businesses that routinely handle sensitive information, such as medical clinics.[68] auDA submitted that:

small businesses represent a significant proportion of the Australian economy and exempting them from the obligation may result not only in many attacks going unreported, but it may also make them a more attractive target for malicious actors.[69]

5.49 The Department of Home Affairs stated that the proposed $3 million turnover threshold was based on the ‘balance of feedback’ it had received,[70] and advised that its proposal had been reduced from a $10 million figure that was previously proposed.[71]

5.50 The question of whether to require reporting of ransomware at the point of demand, or only at the point of a payment, was discussed in detail during the Committee’s public hearings.[72] While the initial proposal was to require reporting at both instances, due to stakeholder feedback and concern about overburdening businesses with reporting requirements, the Department of Home Affairs opted to require reporting upon payment only. The Department of Home Affairs explained that:

in determining the types of information that we would like to be reported, we found that the same information would be covered under a payment as it would under a demand, and the time in between receiving a demand and making a payment is not so significant as to make that information less useful.[73]

5.51 The Australian Chamber of Commerce and Industry, among others,[74] welcomed this approach.[75] The Australian Information Security Association agreed that reporting a ransomware attack before a payment is made should remain voluntary, as several factors could influence an organisation’s decision-making when responding to the attack.[76]

5.52 The imposition of additional reporting requirements and the increase to the regulatory burden was consistently raised as an issue in the evidence presented to the Committee.[77] For example, IIER-A regarded regulatory burden as a ‘significant concern’,[78] and CyberCX stressed the

importance of aligning any new reporting requirements with existing obligations and ensuring that the procedures for reporting are as user-friendly as possible, for example by leveraging existing reporting systems such as ReportCyber. Insofar as possible, duplicative information requests should be eliminated and reporting timeframes consolidated.[79]

5.53 There was also a view amongst some submitters that imposing mandatory reporting requirements on businesses should require the Government, in turn, to share more cyber threat intelligence with affected entities. IIER-A, for example, considered that cyber threat intelligence sharing continued to be a ‘missing element’ across all critical infrastructure sectors.[80] DLC Legal similarly supported cyber threat intelligence sharing, submitting that ‘all entities responsible for critical infrastructure should be included and by extension, cyber threat intelligence sharing between critical infrastructure entities should be required’.[81]

5.54 The Customer Owned Banking Association, while supportive of the adoption of ransomware reporting measures, was concerned that the proposed measures would duplicate obligations already imposed on banks by the Australian Prudential Regulation Authority (APRA) and that arrangements should be made so that APRA could share information with ASD and the Australian Cyber Security Centre.[82]

5.55 Submitters from the higher education sector were also concerned about new reporting obligations. For example, Universities Australia submitted that the ‘additional reporting obligation suggested by this legislative package adds to an already extensive and multifaceted cyber security reporting environment’.[83] Macquarie University submitted:

Macquarie has identified at least four separate incident notification channels that belong to different Commonwealth agencies that could be used by an entity to share incident information with the Commonwealth, depending on the nature of the incident [and hopes that the changes will mean when] a notification is undertaken via one channel, all relevant parties within the Australian Government with a need to know will receive that information.[84]

5.56 The Insurance Council of Australia recommended that section 26 of the Cyber Security Bill be amended to explicitly clarify that the mandatory reporting obligation does not apply to cyber insurers who may reimburse ransomware or cyber extortion payments, but only applies to the extorted business.[85]

5.57 The Law Council and the Business Council of Australia (BCA) identified a potential issue arising out of the proposed extraterritorial operation of the ransomware reporting regime. The current construction of proposed section 26, read in conjunction with section 5, would mean that any entity that carries on business in Australia would be required to report if it met the turnover threshold. This would be linked to the turnover of the business as a whole, not just the Australian revenue of the business, and many global digital businesses would have an annual turnover over $3 million.[86] The Law Council provided the following example:

If the business suffers a cyber incident that is solely confined to say the United States (or United States customers), and has no impact on the Australian business, it appears that it may still have to report a ransom payment made in relation to that incident.[87]

5.58 The Law Council acknowledged the rationale behind the extraterritorial application of the Cyber Security Bill and the need to engage with the ‘multijurisdictional context of cyber security incidents’; however, it suggested the Bill could be amended to ensure there is ‘sufficient nexus between an entity’s Australian operations and the cyber security incident’.[88] The Law Council and the BCA recommended that section 26 of the Cyber Security Bill be amended by inserting the words ‘to the extent that it carries on business in Australia’ at the end of paragraph 26(1)(c).[89]

5.59 The BCA and the Law Council both also raised concerns in relation to legal professional privilege, which are discussed later in this chapter in relation to limited use provisions.

Cyber Incident Review Board

5.60 The Cyber Security Bill proposes to establish a Cyber Incident Review Board (CIRB) as an independent, advisory body with a clear remit to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. Following such reviews, the CIRB would disseminate recommendations to both government and industry.[90]

5.61 There was widespread in-principle support for the establishment of a CIRB, especially the ‘no-fault’ approach.[91] However, evidence received during the course of the inquiry indicated submitters were concerned about the proposed composition of the CIRB;[92] the contradiction between the purported independence of the CIRB and the proposed involvement from the Minister, especially in relation to the Minister’s role in determining the terms of reference for a review;[93] and insufficient provisions for oversight and accountability of the Board.[94]

5.62 Regarding the proposed composition of the CIRB, the Explanatory Memorandum to the Bill states:

The Board will be comprised of three parts: a Chair, standing members, and an Expert Panel who form a pool of members that can be called upon for individual reviews. The Board will also be allocated support staff from the Department of Home Affairs to assist the functions of the Board and administrative duties.[95]

The Chair will be appointed by the Minister administering this Act and have the role of leading the Board and making decisions in response to powers granted within the legislation. In the event that there is a vacancy in the office of the Chair, the Minister may appoint an acting Chair to carry out the Chair’s duties.

The standing members will be members of the public service appointed by the Minister. Together, the Chair and the standing members will form the core component of the Board. Their terms are limited to a maximum of four years in the Bill when enacted.

The third component of the Board will be the Expert Panel, which will be drawn together for each individual review from a pool of industry experts with high levels of cyber security, legal or sectoral expertise and experience.[96]

5.63 Some submitters suggested it would be better if the CIRB was comprised of a mixture of public and private members.[97] For example, Palo Alto Networks encouraged the Government to:

include cyber security and incident response companies as standing members of the CIRB, rather than limiting their involvement to the Expert Panel. As standing members, these firms would provide continuous, real-time insights drawn from their extensive, day-to-day management of cyber security risks, preparedness and incidents across multiple sectors (government, telecommunications, energy and so on). Their presence would ensure that the CIRB benefits from a consistent, global and whole-of-economy perspective on emerging threats and evolving tactics, techniques, and procedures (TTPs) used by our adversaries as well as insights into leading international cyber best practice.[98]

5.64 CISO Lens submitted that persons selected for the Expert Panel, which will support the Chair and standing members in understanding the complexities of cyber security risk, must be genuine subject matter experts with lived experience in their related domain(s).[99] CISO Lens also commented that managing conflict of interest risks for the Chair, standing members and the Expert Panel will be central to the credibility of the Board and the appetite of private industry to accept the findings and recommendations of its reviews.[100]

5.65 The Committee put these concerns to the Department of Home Affairs, which explained that the proposed model for the CIRB was based on learnings from the Cyber Safety Review Board of the United States, which is composed of both industry and government members:

What we’re trying to do here is constitute a board that may involve independent experts who become APS members to attract the full immunities and liabilities that would apply to an individual as part of a board. So it is effectively saying, ‘This is your job as a member of the board—either the chair or a constituent part.’

The key lesson that we learnt from the American experience is that, given that industry in some areas would be conflicted on different inquiries, actually the better approach is to have an ability to surge on a particular inquiry where there are people who are not conflicted or who have conflict-of-interest arrangements in place, so that there’s maximum flexibility. It is actually much fairer for industry to be able to surge in and out of different inquiries.[101]

5.66According to the Explanatory Memorandum to the Cyber Security Bill:

The Minister for Cyber Security will have an oversight role in relation to the appointments and dismissals of the Chair and standing members of the Board, as well as approving Terms of Reference for individual reviews. The Board will otherwise be independent and is not subject to direction from any person or body, including by the Minister for Cyber Security, in the performance of its functions.[102]

5.67DLC Legal expressed a concern, with which a number of submitters agreed, that whilst the CIRB is given independence under the Cyber Security Bill, the requirement for Ministerial approval of the terms of reference for a review ‘risks undermining the public perception of this independence’.[103] DLC Legal encouraged limiting the requirements for Ministerial approval to exceptional circumstances.[104]

5.68This concern was echoed by the Social Cyber Institute, which argued that the Minister should either not have any involvement in the setting of terms of reference or should merely be ‘advised’ of the commencement of the review.[105] It noted that it was:

entirely possible to imagine a scenario where the CIRB wishes to press ahead with a review into a cyber security incident but is prevented from doing so by a Minister who—whether with noble or malign intention—refuses to approve the Terms of Reference for that review. Another Minister might otherwise delay approving the terms of reference to a point that renders the review pointless.

The Minister should not be clothed in power to frustrate the operations of what is otherwise an independent body.[106]

5.69This issue was similarly raised by the Law Council, which suggested that the issue could be addressed by administrative guidance provided under the rules setting out the considerations that must be taken into account by the Minister when determining the standing members of the CIRB and expert panellists to undertake each review:

These considerations could include the independence of the appointees, and satisfaction as to the knowledge and expertise of the individuals relevant to the proposed review.

Alternatively, the nomination of standing members of the Board to participate in a review (and selection of Expert Panel members) could be a matter determined by the Chair of the Board, which is likely to avoid any perception of a fettering of independence.[107]

5.70Group of Eight Australia further expressed concern around the Minister’s responsibilities regarding the CIRB, noting that the CIRB could be reviewing the Government’s own response to a cyber security incident when the Government has wielded assistance powers.[108]

5.71Some submitters also disagreed with proposed section 49, which would permit the Chair of the CIRB to compel entities to provide documents.[109] For example, the Internet Association of Australia submitted that the proposed section 49 powers ‘should be subject to provisions that establish certain considerations that the CIRB must take into account before invoking this power’.[110]

Limited use provisions

5.72The ‘limited use’ provisions of the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (ISA Bill), relating to information voluntarily provided to the National Cyber Security Coordinator (NCSC) or to ASD (respectively), were generally welcomed by participants in the inquiry.[111] In short, these measures provide that certain information provided by Australian businesses to the NCSC or ASD in relation to a cyber security incident can only be used and disclosed for limited permitted purposes, and place similar limitations on use or disclosure by any secondary agencies who lawfully receive the information.

5.73The Department of Home Affairs advised that the provisions are intended to remove barriers to the ‘timely and fulsome provision of information’ to government agencies during a cyber security incident:

There have been some circumstances where cyber security incident response and recovery has been treated as a legal issue, with some entities routinely bringing legal counsel to engage with the Government directly, out of fear that any information they provide may be provided to regulators, to be used against them in future regulatory and law enforcement proceedings. A lack of timely information limits how the Government can respond to and help mitigate a cyber security incident, potentially leading to more severe consequences causing further harm to impacted entities.[112]

5.74ASD, commenting on the ISA Bill, discussed the importance to its work of partnerships underpinned by high levels of trust, which help ‘enable the free flow of rich cyber security related information between industry and government’.[113] ASD advised that it had observed an increasing trend of entities being hesitant, or unwilling, to share technical cyber security incident information with ASD in a timely manner, ‘principally due to concerns that information shared with ASD could be co-opted by other parts of Government to inform regulatory action’, presenting a ‘significant risk to Australia’s national cyber security posture’.[114] ASD considered that the provisions would give:

further assurance to industry that the information they voluntarily report to ASD—information which is fundamentally important to ASD’s role in providing cyber security advice and assistance to all Australians—will not be co-opted to inform regulatory action or be used against them in civil proceedings.[115]

5.75The Australian Industry Group supported the provisions in the bills, noting that:

When a business is in the midst of managing a cyber incident, they need to be confident that engagement with these entities is confidential and won’t lead to further negative impacts.[116]

5.76The AICD similarly considered that the provisions ‘strike an appropriate balance between the necessary sharing of information, and providing a degree of comfort to businesses that information voluntarily provided will not be passed on for other regulatory purposes’.[117]

5.77Other submitters, while supporting the intent of the provisions, suggested they may not go far enough to meet that intent. For example, the Internet Association of Australia argued that, due to the breadth of situations in which the NCSC would be authorised to share voluntary information with other agencies, the provisions ‘do not give enough assurance to encourage entities to share information to the NCSC’.[118] For similar reasons, auDA submitted that the proposed limited use obligations are ‘unlikely to reduce any existing hesitation to share detailed information and will do little to achieve the objective of promoting open engagement with already reluctant stakeholders’.[119]

5.78CyberCX proposed that some additional constraints be placed on the use of information provided to the NCSC and ASD ‘to better encourage industry participation and avoid unintended consequences that could be unfairly harmful to businesses’.[120] It argued for a model that applies a general prohibition on the sharing of information, similar to prohibitions in electronic surveillance legislation, with targeted exemptions.[121] Dr William Stoltz, Senior Manager at CyberCX, told the Committee that organisations should not be adversely affected for voluntarily sharing information with government:

[F]or example, if you’re a data centre business and you decide that you’re going to be very proactive and a good corporate citizen and report as much as you can voluntarily to the Government, that the reporting doesn’t adversely affect you in, say, a commercial relationship with the Commonwealth, that those insights aren’t shared so widely inside government that suddenly, because you’ve given all this rich insight about your organisation, you are now having adverse effects on yourself, even though you did the right thing.[122]

5.79The Association of Superannuation Funds of Australia (ASFA) recommended an express provision stating that ‘no regulatory or enforcement action can be taken where information on a relevant incident has been provided to the NCSC’.[123]

5.80In its submission, however, the Department of Home Affairs explained that while information provided under the limited use provisions will be inadmissible ‘in the vast majority of civil or criminal proceedings’, the provisions are not intended to provide a ‘safe harbour’ for entities and will ‘not restrict operational, regulatory or law enforcement agencies from using their existing powers to obtain information directly from the impacted entity and carrying out their legislated functions’.[124]

5.81Noting this lack of a ‘safe harbour’ provision, Geomastery Advisory expressed concern that the limited use provisions do not prevent the use of information provided for criminal prosecutions.[125] It claimed that the provisions are ‘insufficient’ and ‘will not generate the needed level of trust between industry and government’.[126]

5.82The Water Services Association of Australia and the Water Sector Services Group (Water Sector) was similarly concerned about the lack of a ‘safe harbour’. It called for ‘limitations regarding public disclosure of information that is sensitive, incriminating or could cause reputational impact’.[127]

5.83BSA, in contrast, was generally satisfied with the provisions,[128] reporting that it did not expect the voluntarily provided information to be admissible in most legal proceedings.[129] However, BSA proposed that the NCSC or ASD should be required to seek the impacted entity’s consent to share the information provided and explain ‘why the information has to be shared, and with which specific agencies’.[130] The Tech Council of Australia made a similar point, arguing that it is ‘vital that companies understand how their data is used, particularly in multi-stakeholder scenarios involving state and federal bodies’.[131]

5.84The Social Cyber Institute described the limited use provisions as ‘appropriate and well-targeted’. However, noting media reports that had inaccurately stated that the Bill would create a ‘safe harbour’ regime, the Institute called for a clear statutory statement that this is not the case, as well as ‘significant education and improvement to the national cybersecurity narrative around the limited use provisions during the implementation phase of this legislation’.[132] Similarly, Macquarie University submitted that:

there will be a need for a significant outreach effort by the Commonwealth to communicate what these changes mean to industry, and to build trust in the notification mechanisms so that they are fully adopted across different sectors.[133]

5.85The Australian Information Security Association reported that, when it surveyed its members ‘about which specific initiative of the Cyber Security Legislative Package they believe will have the most positive impact’, the limited use obligation was ‘the least favoured compared to the other components of the package’.[134] The Association attributed this to a lack of clarity and some misinterpretation within industry and media, and submitted that:

due to the absence of safe harbour provisions and potential civil penalties, organisations should be better educated on what this means. They should not view this framework as a means for the National Cyber Security Coordinator or any other regulatory bodies to use the information shared during a cyber incident against them for consequence management.[135]

5.86The Cyber Security Bill distinguishes between information provided to the NCSC relating to ‘significant cyber security incidents’ and information about other incidents, with the permitted uses and disclosures being more limited for the latter.[136] ASFA recommended that it be made ‘manifestly clear’ that the limited use protection applies to any information given to the NCSC, with further guidance in the Explanatory Memorandum on ‘the differences between serious cyber incidents and non-serious cyber incidents, and which of these need to be reported to the NCSC’.[137] ASFA also called for greater definition of the circumstances in which the NCSC can determine that an incident requires a ‘whole-of-government response’ and further regulatory guidance on how legal liability could work in relation to third party service providers.[138] The AICD similarly recommended that the legislation be accompanied by guidance on how it will be interpreted and implemented, including with respect to how ‘information’ will be defined.[139]

5.87Noting most water utilities are State or local government controlled, the Water Sector supported including an ‘obligation for consultation and coordination with jurisdictions’,[140] which appears to have been addressed by proposed section 11 of the Cyber Security Bill.[141] A submission from the Department of Premier and Cabinet (Tasmania) said it welcomed ‘further engagement with the Department of Home Affairs’ on how the mechanism in proposed section 11 will ‘operate in practice’.[142]

5.88In its submission, the Law Council raised concerns about the potential operation of the Cyber Security Bill’s limited use provisions in relation to legal professional privilege (LPP). The concerns related to information provided voluntarily to the NCSC, as well as information provided under the Bill’s ransomware reporting obligations or to the Cyber Incident Review Board.[143] The Law Council submitted that, although sections 31, 42 and 57 of the Cyber Security Bill specifically provide that the provision of information ‘does not otherwise affect a claim of legal professional privilege’, there ‘may be confusion’ due to the Explanatory Memorandum’s suggestions that information subject to LPP will still be reportable.[144] The Law Council explained that:

The application and waiver of LPP is complex and often fact-specific. In relation to the proposed sharing of information under the scheme, especially voluntary disclosures, critical questions arise as to whether disclosure could be regarded as inconsistent with the confidential nature of information, which may amount to a waiver of privilege.[145]

5.89To remove ambiguity, the Law Council recommended that the Cyber Security Bill be amended to clarify that material identified as being subject to LPP is not subject to reporting requirements, and that the Bill ‘consistently include express statements to the effect that the disclosure of information does not amount to a subsequent waiver of privilege’.[146]

5.90The BCA raised a similar point in its submission, arguing for a ‘clearer statement to the effect that neither initial disclosure by the company, nor its subsequent disclosure to another entity will impact a claim of legal professional privilege’.[147]

5.91The Law Council also highlighted a concern about the Bill’s subclauses which state that the sections do not ‘limit or affect any right, privilege or immunity that the reporting entity has, apart from this section, as a defendant in any proceedings’. The Law Council argued that while these clauses are important, they ‘do not go far enough and need to cover all proceedings’, not only those where the entity is a defendant.[148]

SOCI Act amendments

Critical data storage systems

5.92Schedule 1 to the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (ERP Bill) would amend the definition of ‘critical infrastructure asset’ in the SOCI Act to include ‘data storage systems’. A data storage system would be treated as part of the critical infrastructure asset where it met the four criteria set out in proposed subsection 9(7). ‘Data storage system’ is not itself a defined term in the SOCI Act or the ERP Bill and is intended to have its ordinary meaning.[149]

5.93Many submitters supported further clarifying the definition of critical infrastructure asset and the inclusion of data storage systems within that definition.[150] For example, DLC Legal stated that ‘this expansion acknowledges the increasing importance of data systems in the context of critical infrastructure security’.[151] Telstra also welcomed the proposed change and submitted that ‘[t]hese are important limitations that prevent capturing systems that have no impact on Australia’s critical infrastructure or national security’.[152]

5.94CyberCX expressed its support for the amendments to section 9 of the SOCI Act, and stated in the public hearing that:

The focus of the legislation should be about saying what data is so fundamental to the operation of these critical services, as opposed to the infrastructure, and the application, therefore, of capturing third parties that might be essential to providing data services to critical infrastructure and systems-of-national-significance entities is a prudent one.[153]

5.95However, some submitters, while supportive of the intent behind the amendment, considered that further clarification was required. For example, Australasian Higher Education Cybersecurity Services submitted that ‘[t]he proposed amendments to data storage systems don’t help to clarify the requirements, rather, they appear to create further opportunities for ambiguity’.[154] Similarly, Universities Australia submitted that ‘universities will need to be supported to implement amendments to data storage requirements within the SOCI Act, which continue to contain non-specific definitions and requirements’.[155]

5.96Ausgrid supported the regulatory amendments proposed in the ERP Bill, but was concerned that there could be financial and non-financial impacts from the amendments because ‘they potentially broaden the types of data storage systems captured by the [SOCI] Act due to the proposed amendments to defined “business critical data”’.[156]

5.97Medicines Australia added that:

SOCI Act amendments continue to add cost and compliance burden to businesses within the supply chain of our health critical infrastructure.[157]

5.98Several submitters commented that the legislation should include a definition of ‘data storage system’ rather than relying on its ordinary meaning. According to the Social Cyber Institute, the lack of definition is problematic and is ‘arguably broad enough to capture every conceivable form of data storage used in conjunction with a critical infrastructure asset’:[158]

For example, not only will a data storage system include a server or network containing business-critical information, but any mobile device or USB drive held by an employee of that asset. So long as the threshold tests contained in the proposed section 9(7) of the Act are met, then the storage system will be captured.[159]

5.99ASFA recommended, in relation to Schedule 1, that additional guidance be provided regarding how the terms ‘business critical data’, ‘hazard’ and ‘material risk’ will be applied in the context of data storage systems.[160] ASFA recommended that:

Consideration should also be given to having sector-specific definitions of ‘business critical data’, rather than one across the board definition, so the unique characteristics of each industry can be handled as necessary.[161]

5.100Macquarie Technology Group also expressed some concern about the definition of ‘business critical data’ and the types of data that would or would not be captured by that definition, including government data accessed by non-government entities.[162]

5.101Other submitters raised concerns in relation to the potential for ambiguity about who would be a ‘responsible entity’ for a data storage system that is part of a critical infrastructure asset, especially in relation to data storage systems operated by third parties. Proposed paragraph 9(7)(a) provides that a responsible entity is the entity that ‘owns or operates the data storage system’. According to the Social Cyber Institute’s submission, it is common practice for critical infrastructure assets to outsource data storage or processing to a third party, which could lead to contractual dispute about who bears that responsibility.[163] The BCA recommended that:

the Bill should clarify what ‘operated by’ means where a system (such as a cloud hosted platform as a service) is provided by a third party but forms part of a responsible entity’s asset.[164]

‘All hazards’ incident responses: consequence management powers

5.102Part 3A of the SOCI Act currently enables the Minister to authorise the Secretary to give directions to the responsible entity for a critical infrastructure asset to provide information or to take action in response to a serious cyber security incident that has had, is having or is likely to have a relevant impact on one or more critical infrastructure assets.

5.103The amendments proposed in the ERP Bill would broaden the application of the Part 3A information-gathering and action directions powers to be available in response to any serious incident, not just a cyber security incident. This reflects the Department of Home Affairs’ transition to an ‘all hazards’ approach to critical infrastructure risk management.[165]

5.104According to the Explanatory Memorandum to the ERP Bill:

The purpose of the amendments contained within [Schedule 2] is to facilitate management of multi-asset incidents and their consequences through the existing government assistance framework in Part 3A of the SOCI Act. Incidents in scope could be natural or man-made, so long as they impact the availability, integrity and reliability of the critical infrastructure asset. This includes incidents from all types of hazards, such as cyber and information hazards, physical and natural hazards, personnel hazards, and supply chain hazards.[166]

5.105Many submitters expressed in-principle support for the expansion of the consequence management powers to include all incidents, rather than just cyber security incidents.[167]

5.106However, despite the support for the intent underpinning these amendments, a number of submitters—including the AICD,[168] the Governance Institute of Australia,[169] the BCA,[170] ASFA,[171] and several others[172]—expressed concerns about the broad nature of the expanded powers.

5.107Several submitters recommended that it should be made clearer that the powers are only to be exercised in exceptional circumstances.[173] The AICD submitted that the current framing of the powers is ‘largely unfettered’, despite the purported policy intent of the consequence management powers to be a mechanism of last resort to be deployed in ‘very critical situations’.[174] The AICD recommended that further detail be provided in the Explanatory Memorandum on the purpose and use of the expanded consequence management powers, including additional worked examples.[175]

5.108The BCA recommended that any direction should be proportionate and adapted to the incident sought to be addressed.[176]

5.109The Department of Home Affairs submitted that Schedule 2 of the ERP Bill does reflect stakeholder feedback on these issues ‘by ensuring the existing Part 3A framework applies to limit the scope and purpose of the powers’.[177] The Department submitted:

The powers will remain last resort as they cannot be used unless the Minister is satisfied that no existing regulatory system of a state, territory or the Commonwealth could provide a practical and effective response, and the entity is unwilling or unable to take all reasonable steps to respond to the incident.[178]

5.110There was also some concern about the use of language in the Explanatory Memorandum that is not replicated in the ERP Bill. The AICD submitted that, although the Explanatory Memorandum states that the powers would be utilised in ‘multi-asset’ incidents, the drafting of the ERP Bill ‘does not limit the use of the powers to incidents covering multiple critical assets’.[179] Similarly, the Group of Eight submitted that the term ‘multi-asset incidents’ is not used in the ERP Bill and that ‘[f]urther qualification may also be needed as to whether the [consequence management power] is intended to chiefly deal with management of “multi-asset incidents”’.[180]

5.111The Internet Association of Australia submitted that it was concerned that the term ‘incidents’ is not defined under the ERP Bill and it is therefore ‘unclear in what situations certain powers could be invoked by the Secretary or minister in response to such “incidents” arising’.[181] The Internet Association of Australia also raised concerns that the distinction between ‘serious incident’ and ‘incident’, which are both used in the ERP Bill, is not clear and could cause further confusion.[182]

5.112Several submitters stated that there is the potential for an action direction to have significant implications for a responsible entity, including financial and legal implications.[183] The BCA submitted that the ERP Bill should clarify the liability arrangements in the event of negative consequences arising as a result of a responsible entity executing an explicit direction.[184] The BCA recommended that, before issuing such a direction, explicit consideration should be given to the:

  • cost burden imposed on the entity in implementing the direction, and whether there are alternative measures that would achieve a similar outcome which are less cost burdensome,
  • future commercial viability, and
  • any permanent impact(s) of the short term direction.[185]

5.113Similarly, the Governance Institute of Australia submitted that its members were concerned about the scope of the directions power, which is ‘potentially unfettered and sweeping’, and submitted that:

directions to suspend operations of a critical infrastructure entity at the discretion of government or Minister may be problematic in practice as this can be very costly to the entity and should be exercised in highly exceptional disaster scenarios. In circumstances where an entity is shut down over an extended period, directors remain responsible under s 588G of the Corporations Act to ensure that entities remain solvent. It is not clear how government directions that may threaten the solvent trading of a business will interact with director duties under this scenario.[186]

5.114The Cybersecurity Coalition said it was concerned these powers could be used to direct ‘a non-impacted entity to make changes to their security posture based on the shortcomings in the initial affected entity’s security’ and that in ‘most circumstances, industry entities are best placed to make determinations around risks and manage their own networks’.[187]

5.115The Department of Home Affairs submitted that it had taken into account the above feedback from stakeholders and was working to prepare policies and procedures to guide how these powers would be used in practice.[188]

5.116Several submitters,[189] including the Governance Institute of Australia,[190] the Information Technology Industry Council[191] and the Cybersecurity Coalition,[192] expressed concern about the lack of oversight over the use of the consequence management powers. For example, BSA submitted that its members ‘support this amendment to the extent that it does not introduce a new, broadly-scoped power’[193] but ‘remain concerned about the lack of an independent oversight mechanism over the exercise of the broad powers under Part 3A of the SOCI Act’.[194] BSA advised that:

While the SOCI Act provides safeguards, they only require the relevant minister to consult within the Government and the affected entity before the power is exercised. As such, there is no independent check on these broad powers to deter potential misuse. There are also no avenues for the affected entity to appeal the exercise of these powers. As a general matter, policies that introduce broad intrusive powers, even for the purposes of upholding national security, can compromise user confidence if they affect the entity’s products and services. These powers should therefore be subject to rigorous checks and balances.[195]

5.117Similarly, Palo Alto Networks submitted that it remained ‘concerned about the exclusion of merits review for Part 3A’ of the SOCI Act.[196] Palo Alto Networks stated:

Given the breadth and uniqueness of the proposed consequence management power, we continue to advocate for a legislated appeal and review right via the Administrative Decisions (Judicial Review) Act 1977 … Policies that introduce intrusive powers, even for the purposes of upholding cyber security, can compromise user confidence in the integrity and trustworthiness of products and services, and should therefore be subject to appropriate checks and balances via the ADJR Act.[197]

5.118The Department of Home Affairs did not directly address oversight or appeal rights under Part 3A, but emphasised other safeguards in the SOCI Act in its submission:

In addition to existing safeguards in the SOCI Act, where an action direction requires the disclosure of personal information, as defined under the Privacy Act, the Minister administering the Privacy Act must agree.[198]

The Department remains committed to providing transparency and accountability to the Parliament and public on the operation of the SOCI Act. A copy of Ministerial authorisations given under Part 3A must be provided to the Inspector-General of Intelligence and Security within 48 hours after the authorisation is given. Additionally, under section 60 of the SOCI Act, the Secretary must give the Minister, for presentation to the Parliament, a report on the operation of the SOCI Act for each financial year including any authorisations given under Part 3A.[199]

SOCI Act Part 4 information sharing provisions

5.119The proposed amendments to Part 4 of the SOCI Act—contained in Schedule 3 of the ERP Bill—are intended to clarify the disclosure provisions within the SOCI Act.

5.120There was in-principle support for clarifying information sharing under the SOCI Act and for introducing greater protections for commercial data.[200] For example, the Department of Premier and Cabinet (Tasmania) submitted that it:

supports the move to provide assurances around the sharing of information for certain purposes, noting unclear protected information use and disclosure provisions in the existing Security of Critical Infrastructure Act 2018 (Cth) have created a reluctance to share information, reducing collaboration and interoperability.[201]

5.121However, there was some suggestion that the disclosure of protected information under Part 4 of the SOCI Act should be subject to the same limited use obligations as were being introduced by the Cyber Security Bill. The Governance Institute of Australia submitted:

Any authorisation of disclosure of protected information as defined in the SOCI Act to allow for the sharing of information between government entities should also require agencies to exercise limited use obligations associated with the sharing of such information in relation to the targeted event.[202]

5.122The Department of Premier and Cabinet (Tasmania) submitted that, while it supports the inclusion of emergency management in the disclosure of information provisions,

[t]hese provisions should be expanded to include First Ministers, as [the] Department is responsible for whole-of-government critical infrastructure policy and in some circumstances, the policy function during an emergency.[203]

5.123Amazon Web Services submitted that, owing to the potential highly sensitive nature of some protected information, those who receive ‘protected information’ should be required to handle that information at a level commensurate with the handling requirements for information classified as SECRET under the Protective Security Policy Framework (PSPF).[204] To this end, Amazon Web Services recommended that:

the Rules explicitly clarify requirements for appropriate handling of protected information by government, with relevant details, including a data lifecycle that confirms timelines for data deletion.[205]

5.124 ASFA recommended that ‘there should be detailed Rules and Guidance outlining the exact circumstances in which [authorised APS employees] can disclose otherwise “protected information”’, noting that the terms used ‘are broad and open to myriad interpretations’.[206]

5.125 The Office of the Victorian Information Commissioner submitted that it was concerned about the ‘potential conflation’ of the term ‘protected information’, a defined term in the ERP Bill and the existing SOCI Act, with the definition of PROTECTED as used in the PSPF security classification system.[207]

5.126 The Department of Home Affairs submitted that ‘[t]hese provisions will be supported by guidance material to ensure stakeholders understand how to apply a harms-based test, and when protected information may be disclosed’.[208]

5.127 The ERP Bill proposes to allow the Minister to direct sharing of personal information under the SOCI Act in certain situations, with authorisation from the Minister administering the Privacy Act. Access Now submitted:

We recommend that the Office of the Australian Information Commissioner be involved in preparing guidance on the interaction between the SOCI Act and the Privacy Act, including on any and all directions seeking disclosure of personal information.[209]

5.128 A number of submitters recommended that, before sharing protected information obtained under the SOCI Act with other government entities, the affected entity’s consent should be sought. BSA submitted:

BSA supports requiring authorisation by the Secretary of Home Affairs before sharing protected information but further recommends that the Secretary of Home Affairs seek the affected entity’s consent to share the information with other government entities and, in the process, explain to the affected entity why the information has to be shared and with which government entities.[210]

5.129 There was also a view amongst some submitters that there should be greater transparency required from the Minister and the Secretary on the acquisition and sharing of protected information. Access Now made recommendations in relation to the transparency of information-gathering directions and individual rights. It considered that the Government should be required to make a statement as to the exercise of these powers that goes beyond acknowledging that they have been exercised, to the impact of such directions on people’s privacy and other rights.[211]

5.130 Access Now also submitted that where people’s personal information is involved, they should have a dedicated right to remedy or redress from the authority collecting such information. It drew a comparison with the US Cybersecurity and Infrastructure Security Agency (CISA), which maintains an Office of Privacy to ensure compliance with privacy policies within CISA and to provide guidance for individuals in relation to remedies or redress.[212] Access Now recommended:

We recommend that people have a clear, accessible remedy in case of violations of their privacy or harms arising from the disclosure of personal information under the SOCI Act.[213]

Directions powers for critical infrastructure risk management programs

5.131 The ERP Bill proposes to amend Part 2A of the SOCI Act to introduce a new power authorising a ‘relevant official’ to order the variation of a responsible entity’s critical infrastructure risk management program (CIRMP) where a serious deficiency has been identified. The term ‘serious deficiency’ would be defined under proposed subsection 30AI(3) as a deficiency that poses a material risk to:

  1. national security; or
  2. the defence of Australia; or
  3. the social or economic stability of Australia or its people.
5.132 According to the Department of Home Affairs, currently when a regulator identifies a risk management program is seriously deficient, there is no power to remedy the program other than a court action.[214] These proposed powers are intended to address that gap in the SOCI Act by allowing the relevant official to direct that the CIRMP be remedied.

5.133 The proposed power would contain a number of pre-requisites before the relevant official could issue a direction to vary a CIRMP. The relevant official must first consult with the responsible entity and must consider any written submission received or action done in response to that consultation process.[215] According to the Department of Home Affairs:

these safeguards ensure this power is reserved for last resort action in rare circumstances where an entity is egregiously or wilfully non-compliant with their obligations, allowing for government to intervene when needed.[216]

5.134 For the most part, where submissions addressed this proposed amendment they were supportive, but stressed the need for the Government to continue to engage in ongoing consultation and education when it comes to implementing and addressing future deficiencies in CIRMPs.[217]

5.135 The Governance Institute of Australia submitted that its members ‘encourage maintenance of a regulatory posture that is committed to continual education and engagement with responsible entities with compliance and enforcement as a matter of last resort’ and that such a direction should only be made under ‘exceptional circumstances where serious and significant deficiencies’ are identified.[218]

5.136 The Department of Home Affairs submitted that it intended to take a consultative approach to remedying deficiencies in a responsible entity’s CIRMP:

Wherever possible, the [Cyber and Infrastructure Security Centre] seeks to work in partnership with industry to ensure regulated entities understand and effectively manage their risks, reserving compliance levels as last resort measures.[219]

5.137 Several submitters also expressed concern that ‘serious deficiency’ was insufficiently defined, or was defined too broadly.[220] For example, ASFA recommended:

Further guidance needs to be provided on examples of the kinds of situations which would constitute a ‘serious deficiency’ … because the legislative language could cover a multitude of scenarios. This should be narrowed.[221]

5.138 The Cybersecurity Coalition also considered that the definition of serious deficiency ‘could be read very broadly—anything that has impact to the Government of Australia, an economic or individual harm’.[222] Global Shield submitted that one way greater clarity could be provided as to what constitutes a serious deficiency is the creation of a ‘National Risk Assessment, which would allow critical infrastructure asset owners to more effectively deliver their risk management program and proactively address any potential deficiencies’.[223]

5.139 BSA, on the other hand, disagreed completely with the introduction of such a review and remedy power, stating: ‘There is no clear evidence that the Government needs this power and we remain concerned about the lack of effective checks.’[224]

5.140 The Department of Home Affairs expanded on the rationale for the new power at the Committee’s public hearing, as follows:

The critique that we had from some individuals was that, potentially, if boards and governing authorities did not take the obligation seriously, it could be a paper tiger, in some people’s view, and that there was no ability for the department to remedy a risk management program if there was a serious deficiency in an infrastructure asset. That’s why the power is being sought—to really have that lever if there was egregious and significant noncompliance, where there was a particular risk management program that was so deficient that it was potentially causing harm to the Australian economy or our security. That’s the context for the power and the policy rationale. The implementation, then, is determining and working with entities to say, ‘This is seriously deficient, and it’s actually causing harm to our economy.’ That’s the whole rationale.[225]

Regulation of telecommunications sector security

5.141 To the extent that submitters commented on the proposed reforms relating to regulation of the telecommunication sector, they were generally supportive of the reforms and the efforts to consolidate the requirements from Part 14 of the Telecommunications Act into the SOCI Act.[226] Palo Alto Networks stated the proposed reforms would ‘streamline regulatory complexity in the cyber security landscape for the telecommunications sector’.[227] Telstra supported the proposed replacement of the TSSR with the Enhanced Security Regulation in Part 2D of the SOCI Act, submitting that the change ‘removes duplication and provides industry with additional certainty around meeting the requirements’.[228]

5.142 IIER-A supported the proposed amendments but sought clarification of the meaning of ‘satellite-based facilities’, ‘submarine cables’, ‘telecommunications services’, and ‘telecommunications systems’.[229]

5.143 One concern raised in relation to the proposed reforms in Schedule 5 of the ERP Bill was in relation to the changes to the definition of ‘critical telecommunications asset’. The ERP Bill would amend the definition of critical telecommunications asset by removing the term ‘facility’ and replacing it with the term ‘asset’. In Telstra’s view, the term ‘facility’ is well understood within the telecommunications sector and Telstra argued that, even though the change would align the language with the language used in the SOCI Act, no change to the definition is actually required.[230]

5.144 Telstra recommended that, if the definition of ‘critical telecommunications asset’ is amended as proposed by the ERP Bill, the Explanatory Memorandum should be updated to:

  • clarify that secondary data storage assets would only be captured as critical telecommunications assets where they met the criteria in section 9(7) of the SoCI Act; and
  • [remove] the example about assets that don’t directly make up part of a telecommunications network but support its function or are critical to carrying on a carriage supply business.[231]
5.145 The Internet Association of Australia submitted that the proposed definition of ‘critical telecommunications asset’ is ‘too broad’ and not aligned with the Government’s purported desire to consolidate security obligations for the telecommunications sector.[232] The Association considered that such a definition ‘would unnecessarily and likely inappropriately capture various telecommunications systems, given the similarly broad definition of “carriage service”’.[233]

5.146 Aussie Broadband also highlighted the potential impact of differing terms between the Telecommunications Act and the equivalent provisions of the SOCI Act, depending on how they are interpreted:

For example, the requirement in Section 30EB (2) of the Bill requires that the responsible entity must, ‘so far that it is reasonably practicable’, protect the asset; in contrast to the existing obligation that the provider ‘do their best’. Aussie Broadband welcomes further guidance or clarifying Rules as to the measure of what is ‘reasonably practicable’ under the new requirement.[234]

5.147 On the other hand, Paul Wilkins told the Committee that the existing obligation, under subsections 313(1A) and (2A) of the Telecommunications Act, requiring carriers and carriage service providers to do ‘their best’, is ‘at best an arbitrary standard’. Mr Wilkins considered that the lack of definition ‘allows for individual interpretation by each carrier, preventing the development of uniform standards, architecture and processes’.[235]

Additional amendments proposed by the Minister

5.148 On 7 November 2024, the Minister for Home Affairs and Minister for Cyber Security, the Hon Tony Burke MP, wrote to the Committee to advise that the Attorney-General and the Minister had identified an additional issue which intersects with the amendments contained in the Cyber Security Legislative Package. The Minister’s letter stated the following:

As part of the Government’s arrangements for ensuring the security of Australia’s critical infrastructure, the Australian Security Intelligence Organisation (ASIO) is empowered to furnish security assessments to inform Government decisions, for example, about the ownership or operation of critical infrastructure.

The Australian Security Intelligence Organisation Act 1979 (the ASIO Act) provides the procedures for the notification to the applicant that ASIO has made an adverse or qualified security assessment, as well as processes related to protecting information for which the disclosure would be prejudicial to the interests of security. Notably, section 38 of the ASIO Act provides for these procedures generally, while section 38A of the ASIO Act provides for specific circumstances relating to the Telecommunications Act 1997 and the Security of Critical Infrastructure Act 2018.

Since the introduction of section 38A of the ASIO Act in the Communications Legislation Amendment Act (No. 1) 2004, Part IV of the ASIO Act has been subject to ongoing legislative reform. The cumulative effect of these reforms has rendered s38A of the ASIO Act redundant noting the general, and broadly consistent, operation of section 38 of the ASIO Act. For the avoidance of doubt, the Attorney-General and I consider there to be merit in legislative amendments to clarify the operation of the notification requirements and information protection provisions in relation to the recent and future adverse or qualified security assessments. Such changes will ensure processes remain effective and appropriate for managing threats to Australia’s critical infrastructure, complementing the broader Legislative Package. Should the Committee agree, I ask that you consider noting this in your report.

5.149 No further detail on the specific amendments was provided to the Committee.

Footnotes

[1]See, eg, Australian Industry Group, Submission 11, p. 1; CISO Lens, Submission 12, p. 5; Customer Owner Banking Association, Submission 15, p. 1; BSA | The Software Alliance, Submission 20; Australasian Higher Education Cybersecurity Services, Submission 22; Interactive Games & Entertainment Association, Submission 23; Geomastery Advisory, Submission 24, p. 1; Universities Australia, Submission 25, p. 1; Global Shield, Submission 30, p. 1; Good Ancestors Policy, Submission 32, p. 2; Business Council of Australia, Submission 37, p. 1; Governance Institute of Australia Ltd, Submission 42, p. 1; Amazon Web Services, Submission 43, p. 1; Consumer Electronics Suppliers Association, Submission 45, p. 2; Association of Superannuation Funds of Australia, Submission 46, p. 1; Council of Small Business Organisations Australia, Submission 48, p. 3; Tech Council of Australia, Submission 49, p. 1; PEXA, Submission 51; Infoblox, Submission 52; Information Technology Industry Council, Submission 54, p. 1; Prashant Singh, Indian Australian Technology Forum, Submission 56; Palo Alto Networks, Submission 57, p. 1; Law Council of Australia, Submission 62, p. 5; Mr Greg Peak, Submission 14, p. 2.

[2]See, eg, Macquarie University, Submission 4, p. 1, DLC Legal, Submission 7, p. 4; Group of Eight, Submission 10, p. 4; Social Cyber Institute, Submission 18, p. 3; Internet Association of Australia, Submission 38, p. 1; Association of Superannuation Funds of Australia, Submission 46, p. 3.

[3]See, eg, DLC Legal, Submission 7, p. 4; Customer Owner Banking Association, Submission 15, pp. 1–2; Universities Australia, Submission 25, p. 1; Medicines Australia, Submission 29; CyberCX, Submission 41, p. 3; Governance Institute of Australia, Submission 42, p. 2; Consumer Electronics Suppliers Association, Submission 45, p. 2.

[4]See, eg, DLC Legal, Submission 7, pp. 4, 9; Australasian Higher Education Cybersecurity Services, Submission 22, p. 2; Universities Australia, Submission 25, p. 2; HackerOne, Submission 33, p. 2; Samsung Electronics Australia, Submission 40, p. 5; Council of Small Business Organisations of Australia, Submission 48, p. 3; Tech Council of Australia, Submission 49, p. 1; Eclypsium, Inc, Submission 50, p. 4.

[5]See, eg, Mr Luke Sheehey, Chief Executive Officer, Universities Australia, Committee Hansard, Canberra, 31 October 2024, p. 48; Social Cyber Institute, Submission 18, p. 8; Australasian Higher Education Cybersecurity Services, Submission 22, pp. 4–5; Interactive Games & Entertainment Association, Submission 23, p. 3; Geomastery Advisory, Submission 24, p. 2; Water Services Association of Australia and Water Sector Services Group, Submission 36, p. 3; Law Council of Australia, Submission 62, p. 6.

[6]Law Council of Australia, Submission 62, p. 6.

[7]Law Council of Australia, Submission 62, p. 6.

[8]Australian Government, 2023–2030 Australian Cyber Security Strategy: Legislative Reforms Consultation Paper, December 2023.

[9]Cyber Security Bill 2024, Explanatory Memorandum (EM), p. 9.

[10]Cyber Security Bill 2024, EM, p. 9.

[11]See, eg, Mr Akash Mittal, Chair, Australian Information Security Association, Committee Hansard, Canberra, 31 October 2024, pp. 2–3; Mr Mike Bareja, Director, Digital Technologies, AI, Cyber and Future Industries, Business Council of Australia, Committee Hansard, Canberra, 31 October 2024, p. 33; Ms Nikki Peever, Director, Cybersecurity, Australasian Higher Education Cybersecurity Service, Committee Hansard, Canberra, 31 October 2024, p. 48; Water Services Association of Australia and Water Sector Services Group, Submission 36, p. 3.

[12]Mr Ari Schwartz, Coordinator, Cybersecurity Coalition, Committee Hansard, Canberra, 31 October 2024, p. 9.

[13]Mr Christian Gergis, Head, Policy, Australian Institute of Company Directors, Committee Hansard, Canberra, 31 October 2024, p. 35.

[14]Mr Akash Mittal, Chair, Australian Information Security Association, Committee Hansard, Canberra, 31 October 2024, p. 3.

[15]Mr Luke Sheehy, Chief Executive Officer, Universities Australia, Committee Hansard, Canberra, 31 October 2024, p. 48.

[16]Geomastery Advisory, Submission 24, p. 1.

[17]Internet Association of Australia, Submission 38, p. 1.

[18]Mr John Keeves, Executive Member, Business Law Section, Law Council of Australia, Committee Hansard, Canberra, 1 November 2024, p. 2.

[19]Macquarie Technology Group, Submission 31, p. 8.

[20]Macquarie Technology Group, Submission 31, p. 2.

[21]Department of Home Affairs, Submission 59, p. 5.

[22]Security of Critical Infrastructure Act 2018, s. 60AAA(4).

[23]Department of Home Affairs, Submission 59, p. 5.

[24]Cyber Security Bill 2024, EM, p. 3; Cyber Security Bill 2024, proposed s. 13.

[25]UpGuard, Submission 47, p. 1; CISO Lens, Submission 12, p. 6; CyberCX, Submission 6, p. 2; Information Technology Industry Council, Submission 54, p. 2; Business Council of Australia, Submission 37, p. 6; Australian Communications Consumer Action Network, Submission 21, p. 3; Rebecca Trapani, Submission 6, p. 2; Association of Superannuation Funds of Australia, Submission 46, p. 10; Office of the Victorian Information Commissioner, Submission 60, p. 3; Institute for Integrated Economic Research—Australia, Submission 1, p. 1; DLC Legal, Submission 7, p. 4; Mr Mark Piddington, Submission 26, p. 1; HackerOne, Submission 33, p. 1; Samsung Electronics Australia, Submission 40, p. 1.

[26]CyberCX, Submission 6, p. 2.

[27]Ms Annie Haggar, Member, Future Committee, Law Council of Australia, Committee Hansard, Canberra, 1 November 2024, p. 2.

[28]See, eg, Information Technology Industry Council, Submission 54, p. 2; Business Council of Australia, Submission 37, p. 6; Samsung Electronics Australia, Submission 40, pp. 1, 3; DLC Legal, Submission 7, p. 6; Interactive Games & Entertainment Association, Submission 23, p. 4; Consumer Electronics Suppliers Association, Submission 45, p. 2.

[29]Institute for Integrated Economic Research—Australia, Submission 1, p. 1.

[30]BSA | The Software Alliance, Submission 20, p. 2.

[31]Infoblox, Submission 52, p. 4.

[32]Consumer Electronics Suppliers Association, Submission 45, p. 3.

[33]Amazon Web Services, Submission 43, p. 3; Samsung Electronics Australia, Submission 40, p. 2; Institute for Integrated Economic Research—Australia, Submission 1, p. 1; HackerOne, Submission 33, p. 1; Consumer Electronics Suppliers Association, Submission 45, p. 2; Information Technology Industry Group, Submission 54, p. 2.

[34]Department of Home Affairs, Submission 59, p. 8.

[35]Mr Peter Anstee, First Assistant Secretary, Cyber and Technology Security Policy, Department of Home Affairs, Committee Hansard, Canberra, 1 November 2024, p. 30.

[36]Samsung Electronics Australia, Submission 40, p. 4; Governance Institute of Australia, Submission 42, p. 4.

[37]Australian Chamber of Commerce and Industry, Submission 5, p. 1.

[38]Samsung Electronics Australia, Submission 40, p. 4.

[39]Samsung Electronics Australia, Submission 40, p. 4.

[40]Ms Annie Haggar, Member, Future Committee, Law Council of Australia, Committee Hansard, Canberra, 1 November 2024, p. 8.

[41]Ms Annie Haggar, Member, Future Committee, Law Council of Australia, Committee Hansard, Canberra, 1 November 2024, pp. 2, 8.

[42]Rebecca Trapani, Submission 6, pp. 3–4; Geomastery Advisory, Submission 24, p. 3.

[43]Rebecca Trapani, Submission 6, p. 4.

[44]Geomastery Advisory, Submission 24, p. 3.

[45]Tech Council of Australia, Submission 49, p. 1.

[46]Quokka, Submission 19, p. 1.

[47]Quokka, Submission 19, p. 2.

[48]Quokka, Submission 19, p. 3.

[49]Samsung Electronics Australia, Submission 40, pp. 3–4.

[50]VOICE Australia, Submission 2, pp. 1–2.

[51]DLC Legal, Submission 7, p. 6.

[52]Department of Home Affairs, Submission 59, p. 10.

[53]HackerOne, Submission 33; Access Now, Submission 53, p. 6; Governance Institute of Australia, Submission 42, p. 2; Samsung Electronics Australia, Submission 40, p. 2.

[54]HackerOne, Submission 33, p. 1.

[55]Australian Communications Consumer Action Network, Submission 21.

[56]Australian Communications Consumer Action Network, Submission 21, p. 6.

[57]Rebecca Trapani, Submission 6, p. 3; Mr Mark Piddington, Submission 26, p. 1.

[58]Rebecca Trapani, Submission 6, p. 7.

[59]Cyber Security Bill 2024, EM, p. 5.

[60]See, eg, CISO Lens, Submission 12, p. 6; CyberCX, Submission 6, p. 2; Palo Alto Networks, Submission 57, p. 1; Customer Owner Banking Association, Submission 15, p. 1; auDA, Submission 16, p. 4; Australian Information Security Association, Supplementary Submission 44.1, p. 1.

[61]Cyber Security Bill, EM – Attachment A, p. 126.

[62]Department of Home Affairs, Submission 59, p. 11.

[63]See, eg, Customer Owner Banking Association, Submission 15, p. 2; Council of Small Business Organisations Australia, Submission 48, p. 1.

[64]Council of Small Business Organisations of Australia, Submission 48, p. 1.

[65]Council of Small Business Organisations of Australia, Submission 48, p. 2.

[66]auDA, Submission 16, p. 4.

[67]Mr Shen Hong Tham, Senior Policy Manager Asia-Pacific, BSA | The Software Alliance, Committee Hansard, Canberra, Thursday 31 October 2024, p. 20.

[68]auDA, Submission 16, pp. 4–5.

[69]auDA, Submission 16, p. 4.

[70]Mr Hamish Hansford, Deputy Secretary, Cyber and Infrastructure Security, Department of Home Affairs, Committee Hansard, Canberra, Friday 1 November 2024, p. 35.

[71]Ms Jessica Robinson, Director, Cyber Security Act, Department of Home Affairs, Committee Hansard, Canberra, Friday 1 November 2024, p. 35.

[72]Mr Akash Mittal, Chair Australian Information Security Association, Committee Hansard, Canberra, Thursday 31 October 2024, p. 4; Mr Shen Hong Tham, Senior Policy Manager, BSA | The Software Alliance, Committee Hansard, Canberra, Thursday 31 October 2024, p.21; Ms Nikki Peever, Director, Cybersecurity, Australasian Higher education Cyber Security Service, Committee Hansard, Canberra, Thursday 31 October 2024, p. 50; Mr John Keeves, Executive Member, Business Law Section, Law Council of Australia, Committee Hansard, Canberra, Thursday 1 November 2024, pp. 6–7.

[73]Ms Jessica Robinson, Director, Cyber Security Act, Department of Home Affairs, Committee Hansard, Canberra, Friday 1 November 2024, p. 35.

[74]Department of Premier and Cabinet, Tasmanian Government, Submission 8, p. 2; The Group of Eight, Submission 10, p. 2; Cyber CX, Submission 41, p. 2; Association of Superannuation Funds of Australia, Submission 46, p. 3; Palo Alto Networks, Submission 57, p. 1.

[75]Australian Chamber of Commerce and Industry, Submission 5, p. 1.

[76]Australian Information Security Association, Supplementary Submission 44.1, p. 1.

[77]See, eg, Institute for Integrated Economic Research—Australia, Submission 1, p. 1; Customer Owner Banking Association, Submission 15, p. 1; Universities Australia, Submission 25, p. 1; Medicines Australia, Submission 29; Consumer Electronics Suppliers Association, Submission 45, p. 3.

[78]Institute for Integrated Economic Research Australia, Submission 1, p. 1.

[79]CyberCX, Submission 41, p. 3.

[80]Institute for Integrated Economic Research—Australia, Submission 1, p. 1.

[81]DLC Legal, Submission 7, p. 4.

[82]Customer Owner Banking Association, Submission 16, p. 2.

[83]Universities Australia, Submission 25, p. 1.

[84]Macquarie University, Submission 4, p. 1.

[85]Insurance Council of Australia, Submission 9.1, p. 1.

[86]Business Council of Australia, Submission 37, p. 5; Law Council of Australia, Submission 62, p. 13.

[87]Law Council of Australia, Submission 62, p. 13.

[88]Law Council of Australia, Submission 62, p. 13.

[89]Law Council of Australia, Submission 62, p. 13; Business Council of Australia, Submission 37, p. 5.

[90]Cyber Security Bill, EM, p. 8.

[91]Institute for Integrated Economic Research—Australia, Submission 1, p. 2; .au Domain Administration Ltd (auDA), Submission 16, p. 5; Active Cyber Defence Alliance, Submission 17, p. 5; Geomastery Advisory, Submission 24, p. 5; Universities Australia, Submission 25, p. 2; Law Council of Australia, Submission 62, p. 15.

[92]See, eg, DLC Legal, Submission 7, p. 5; Active Cyber Defence Alliance, Submission 17, p. 5; Universities Australia, Submission 25, p. 2; Business Council of Australia, Submission 37, p. 5; CyberCX, Submission 41, pp. 4–5; Governance Institute of Australia, Submission 42, p. 5; Information Technology Industry Council, Submission 54, p. 3; Palo Alto Networks, Submission 57, p. 2.

[93]DLC Legal, Submission 7, p. 6; Active Cyber Defence Alliance, Submission 17, p. 4; Universities Australia, Submission 25, p. 2.

[94]BSA | The Software Alliance, Submission 20, pp. 4–5; Internet Association of Australia, Submission 38, p. 4.

[95]Cyber Security Bill, EM, p. 8.

[96]Cyber Security Bill, EM, p. 8.

[97]Ms Nikki Peever, Director, Cybersecurity, Australasian Higher Education Cybersecurity Service and Mr Luke Sheehy, Chief Executive Officer, Universities Australia, Committee Hansard, Canberra, Thursday 31 October 2024, p. 48.

[98]Palo Alto Networks, Submission 57, p. 2.

[99]CISO Lens, Submission 12, p. 8.

[100]CISO Lens, Submission 12, p. 8.

[101]Mr Hamish Hansford, Deputy Secretary, Cyber and Infrastructure Security, Department of Home Affairs, Committee Hansard, Canberra, 1 November 2024, p. 26.

[102]Cyber Security Bill, EM, p. 8.

[103]DLC Legal, Submission 7, p. 6. See also Active Cyber Defence Alliance, Submission 17, p. 6; Social Cyber Institute, Submission 18, p. 2; Ms Nikki Peever, Director, Cybersecurity, Australasian Higher Education Cybersecurity Service, Committee Hansard, Canberra, Thursday 31 October 2024, p. 49.

[104]DLC Legal, Submission 7, p. 6.

[105]Social Cyber Institute, Submission 18, p. 2.

[106]Social Cyber Institute, Submission 18, p. 2.

[107]Law Council of Australia, Supplementary Submission 62.1, p. 1.

[108]Group of Eight Australia, Submission 10, p. 6.

[109]See, eg, BSA | The Software Alliance, Submission 20, p. 2.

[110]Internet Association of Australia, Submission 38, p. 4.

[111]See, eg, Institute for Integrated Economic Research—Australia, Submission 1, p. 2; Macquarie University, Submission 4, p. 1; Department of Premier and Cabinet (Tasmania), Submission 8, p. 2; Australian Industry Group, Submission 11, p. 2; CISO Lens, Submission 12, p. 7; Active Cyber Defence Association, Submission 17, p. 7; BSA | The Software Alliance, Submission 20, p. 2; Australian Institute of Company Directors, Submission 27, pp. 3, 2; Medicines Australia, Submission 29, p. 1; Cybersecurity Coalition, Submission 34, p. 3; Cyber CX, Submission 41, p. 4; Governance Institute of Australia, Submission 42, p. 2; Australian Information Security Association, Submission 44, p. 3; Consumer Electronics Suppliers Association, Submission 45, p. 3; UpGuard, Submission 47, pp. 2–3; Council of Small Business Organisations Australia, Submission 48, p. 3; Law Council of Australia, Submission 62, pp. 14–15.

[112]Department of Home Affairs, Submission 59, p. 12.

[113]Australian Signals Directorate (ASD), Submission 61, p. 5.

[114]ASD, Submission 61, p. 5.

[115]ASD, Submission 61, p. 4.

[116]Australian Industry Group, Submission 11, p. 2.

[117]Australian Institute of Company Directors, Submission 27, p. 4.

[118]Internet Association of Australia, Submission 38, pp. 3–4.

[119]auDA, Submission 16, p. 5.

[120]CyberCX, Submission 41, p. 4.

[121]CyberCX, Submission 41, p. 4.

[122]Committee Hansard, Canberra, 31 October 2024, p. 17.

[123]Association of Superannuation Funds of Australia, Submission 46, pp. 7–9.

[124]Department of Home Affairs, Submission 59, p. 13.

[125]Geomastery Advisory, Submission 24, p. 3.

[126]Geomastery Advisory, Submission 24, p. 3.

[127]Water Services Association of Australia and the Water Sector Services Group, Submission 36, p. 5.

[128]Mr Shen Hong Tham, Senior Policy Manager, Asia-Pacific, BSA | The Software Alliance, Committee Hansard, Canberra, 31 October 2024, p. 20.

[129]BSA | The Software Alliance, Submission 20.1, p. 1.

[130]BSA | The Software Alliance, Submission 20, pp. 4, 5; Mr Shen Hong Tham, Senior Policy Manager, Asia-Pacific, BSA | The Software Alliance, Committee Hansard, Canberra, 31 October 2024, pp. 20–21.

[131]Technology Council of Australia, Submission 49, p. 2.

[132]Social Cyber Institute, Submission 18, p. 7.

[133]Macquarie University, Submission 4, p. 1.

[134]Australian Information Security Association, Submission 44, p. 3.

[135]Australian Information Security Association, Submission 44, p. 3.

[136]Cyber Security Bill, proposed ss. 38(1), 39(2).

[137]Association of Superannuation Funds of Australia, Submission 46, p. 8.

[138]Association of Superannuation Funds of Australia, Submission 46, p. 9.

[139]Australian Institute of Company Directors, Submission 27, p. 5.

[140]Water Services Association of Australia and the Water Sector Services Group, Submission 36, pp. 4–5.

[141]Proposed section 11 of the Cyber Security Bill provides that information can only be disclosed to a State [or Territory] body where a Minister of that State or Territory has given express written consent to the provisions of the Part under which the information is disclosed applying to that jurisdiction.

[142]Department of Premier and Cabinet (Tasmania), Submission 8, p. 3.

[143]Law Council of Australia, Submission 62, pp. 6–7.

[144]Law Council of Australia, Submission 62, p. 7.

[145]Law Council of Australia, Submission 62, p. 8.

[146]Law Council of Australia, Submission 62, p. 8.

[147]Business Council of Australia, Submission 37, p. 6.

[148]Law Council of Australia, Submission 62, p. 8.

[149]Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (ERP Bill), EM, p. 9 [26].

[150]UpGuard, Submission 47, p. 2; BSA | The Software Alliance, Submission 20, p. 2; Institute for Integrated Economic Research—Australia, Submission 1, p. 2; DLC Legal, Submission 7, p. 7; Macquarie Technology Group, Submission 31, p. 2; Council of Small Business Organisations of Australia, Submission 48, p. 3.

[151]DLC Legal, Submission 7, p. 7.

[152]Telstra, Submission 35, pp. 2–3.

[153]Dr William Stoltz, Senior Manager, CyberCX, Committee Hansard, 31 October 2024, p. 16.

[154]Australian Higher Education Cybersecurity Service, Submission 22, p. 4.

[155]Universities Australia, Submission 25, p. 2.

[156]Ausgrid, Submission 58.

[157]Medicines Australia, Submission 29, p. 1.

[158]Social Cyber Institute, Submission 18, p. 4.

[159]Social Cyber Institute, Submission 18, p. 4.

[160]Association of Superannuation Funds of Australia, Submission 46, p. 11.

[161]Association of Superannuation Funds of Australia, Submission 46, p. 12.

[162]Macquarie Technology Group, Submission 31, p. 2.

[163]Social Cyber Institute, Submission 18, p. 4.

[164]Business Council of Australia, Submission 37, p. 4.

[165]Department of Home Affairs, Submission 59, p. 23.

[166]ERP Bill, EM, p. 11 [38].

[167]Department of Premier and Cabinet (Tasmania), Submission 8; CyberCX, Submission 41, p. 6; Social Cyber Institute, Submission 18, p. 5; CISO Lens, Submission 12, p. 9; DLC Legal, Submission 7, p. 7; Global Shield, Submission 30, pp. 2–3.

[168]Australian Institute of Company Directors, Submission 27, p. 8.

[169]Governance Institute of Australia, Submission 42, p. 7.

[170]Business Council of Australia, Submission 37, p. 4.

[171]Association of Superannuation Funds of Australia, Submission 46, p. 13.

[172]Social Cyber Institute, Submission 18, p. 5; auDA, Submission 16, p. 6; Group of Eight, Submission 10, p. 2; Institute for Integrated Economic Research—Australia, Submission 1, p. 2; Internet Association of Australia, Submission 38, p. 2.

[173]Governance Institute of Australia, Submission 42, p. 7; Department of Premier and Cabinet (Tasmania), Submission 8, p. 3; Group of Eight, Submission 10, p. 5; Business Council of Australia, Submission 37, p. 4; auDA, Submission 16, p. 6.

[174]Australian Institute of Company Directors, Submission 27, p. 8.

[175]Australian Institute of Company Directors, Submission 27, p. 8; Committee Hansard, 31 October 2024, p. 33.

[176]Business Council of Australia, Submission 37, p. 4.

[177]Department of Home Affairs, Submission 59, p. 18.

[178]Department of Home Affairs, Submission 59, p. 18.

[179]Australian Institute of Company Directors, Submission 27, p. 8.

[180]Group of Eight, Submission 10, p. 5 (emphasis omitted).

[181]Internet Association of Australia, Submission 38, p. 2.

[182]Internet Association of Australia, Submission 38, p. 2.

[183]CISO Lens, Submission 12, p. 9; Insurance Council of Australia, Submission 9: Attachment 1, p. 2; Cybersecurity Coalition, Submission 34.

[184]Business Council of Australia, Submission 37, p. 4.

[185]Business Council of Australia, Submission 37, p. 4.

[186]Governance Institute of Australia, Submission 42, p. 7.

[187]Cybersecurity Coalition, Submission 34, pp. 6–7. This view was also shared by auDA, Submission 16, p. 6.

[188]Department of Home Affairs, Submission 59, p. 18.

[189]DLC Legal, Submission 7, p. 8.

[190]Governance Institute of Australia, Submission 42, p. 8.

[191]Information Technology Industry Council, Submission 54, p. 1.

[192]Cybersecurity Coalition, Submission 34, p. 7.

[193]BSA | The Software Alliance, Submission 20, p. 6.

[194]BSA | The Software Alliance, Submission 20, p. 2.

[195]Mr Shen Hong Tham, Senior Policy Manager, Asia-Pacific, BSA | The Software Alliance, Committee Hansard, Canberra, 31 October 2024, p. 19.

[196]Palo Alto Networks, Submission 57, p. 3.

[197]Palo Alto Networks, Submission 57, p. 3.

[198]Department of Home Affairs, Submission 59, p. 18.

[199]Department of Home Affairs, Submission 59, pp. 18–19.

[200]Amazon Web Services, Submission 43; Department of Premier and Cabinet (Tasmania), Submission 8, p. 4; CyberCX, Submission 41, p. 6; Group of Eight, Submission 10, p. 6; Institute for Integrated Economic Research—Australia, Submission 1, p. 2; DLC Legal, Submission 7, p. 8.

[201]Department of Premier and Cabinet (Tasmania), Submission 8, p. 4.

[202]Governance Institute of Australia, Submission 42, p. 7.

[203]Department of Premier and Cabinet (Tasmania), Submission 8, p. 4.

[204]Amazon Web Services, Submission 43, p. 2.

[205]Amazon Web Services, Submission 43, p. 2.

[206]Association of Superannuation Funds of Australia, Submission 46, p. 13.

[207]Office of the Victorian Information Commissioner, Submission 60, p. 2.

[208]Department of Home Affairs, Submission 59, p. 20.

[209]Access Now, Submission 53, p. 7.

[210]BSA | The Software Alliance, Submission 20, pp. 2–3.

[211]Access Now, Submission 53, p. 7.

[212]Access Now, Submission 53, p. 7.

[213]Access Now, Submission 53, p. 8.

[214]Department of Home Affairs, Submission 59, p. 20.

[215]ERP Bill, sch. 4, item 3.

[216]Department of Home Affairs, Submission 59, p. 21.

[217]CyberCX, Submission 41, p. 6; Department of Premier and Cabinet (Tasmania), Submission 8, p. 4; Governance Institute of Australia Ltd, Submission 42, p. 8; Institute for Integrated Economic Research—Australia, Submission 1, p. 2; Global Shield, Submission 30, p. 3.

[218]Governance Institute of Australia Ltd, Submission 42, p. 8 (emphasis included).

[219]Department of Home Affairs, Submission 59, p. 20.

[220]Association of Superannuation Funds of Australia, Submission 46, p. 14; BSA | The Software Alliance, Submission 20, p. 6; Mr Ari Schwartz, Coordinator, Cybersecurity Coalition, Committee Hansard, Canberra, 31 October 2024, p. 12; HackerOne, Submission 33, p. 2; Global Shield, Submission 30, p. 3.

[221]Association of Superannuation Funds of Australia, Submission 46, p. 14.

[222]Mr Ari Schwartz, Coordinator, Cybersecurity Coalition, Committee Hansard, Canberra, 31 October 2024, p. 12.

[223]Global Shield, Submission 30, p. 3.

[224]BSA | The Software Alliance, Submission 20, p. 3.

[225]Mr Hamish Hansford, Deputy Secretary, Cyber and Infrastructure Security, Department of Home Affairs, Committee Hansard, Canberra, 1 November 2024, p. 28; Institute for Integrated Economic Research—Australia, Submission 1, p. 2.

[226]BSA | The Software Alliance, Submission 20, p. 3; Palo Alto Networks, Submission 57, p. 3; Aussie Broadband, Submission 39; Institute for Integrated Economic Research—Australia, Submission 1, p. 3.

[227]Palo Alto Networks, Submission 57, p. 3.

[228]Telstra, Submission 35, p. 2.

[229]Institute for Integrated Economic Research—Australia, Submission 1, p. 3.

[230]Telstra, Submission 35, p. 3.

[231]Telstra, Submission 35, p. 3.

[232]Internet Association of Australia, Submission 38, p. 2.

[233]Internet Association of Australia, Submission 38, p. 2.

[234]Aussie Broadband, Submission 39, p. 1.

[235]Paul Wilkins, Submission 13: Attachment 1, p. 5.