Chapter 6 - Committee comments and recommendations

6.1 This chapter contains the Committee’s comments and recommendations in relation to the three bills comprising the Cyber Security Legislative Package.

Overarching comments

6.2 Cyber security and the protection of critical infrastructure are increasingly important components of Australia’s national security and economic resilience. As demonstrated by events in recent years, cyber security incidents have the potential to compromise the privacy and security of millions of Australians, enabling fraud and extortion on a scale that was not previously possible. Even more seriously, hostile nation states are increasingly seeing cyber vulnerabilities as a potential means to sabotage critical infrastructure and cause substantial damage to Australia’s interests in a time of conflict. As the Director-General of Security warned in his 2024 Annual Threat Assessment:

There aren’t a lot of things that terrorists and spies have in common, but sabotage is one of them. ASIO is seeing both cohorts talking about sabotage, researching sabotage, sometimes conducting reconnaissance for sabotage – but, I stress, not planning to conduct sabotage at this time.

The most immediate, low cost and potentially high-impact vector for sabotage is cyber. Our critical infrastructure networks are interconnected and interdependent, which increases the vulnerabilities and potential access points.

ASIO is aware of one nation state conducting multiple attempts to scan critical infrastructure in Australia and other countries, targeting water, transport and energy networks.

The reconnaissance is highly sophisticated, using top-notch tradecraft to map networks, test for vulnerabilities, knock on digital doors and check the digital locks.[1]

6.3 Hardening Australia’s cyber security against these threats is essential to Australia’s ongoing security and prosperity. To this end, the Committee supports the intent of the Cyber Security Legislative Package and the broader 2023–2030 Australian Cyber Security Strategy to strengthen Australia’s cyber defences and build cyber resilience to help Australia become a world leader in cyber security by 2030. This intent—and the general approach taken in the three bills that comprise the Cyber Security Legislative Package—was almost universally supported by participants in the inquiry.

6.4 At the same time, the Committee has listened to the concerns raised by some organisations and individuals who made submissions and appeared at public hearings, particularly in relation to the importance of clear guidance and ongoing consultation during the implementation of the legislation. The Committee notes that the bills allow for implementation periods of between 6 and 12 months for each of the key measures, with the exception of the limited use provisions. As detailed below, the Committee encourages the Department of Home Affairs to use these periods to ensure that industry is supported with clear guidance materials, education and advice on the intended operation of the provisions.

The review process

6.5 While there was strong in-principle support for the legislative package, some participants in the inquiry expressed concern about the short timeframe within which the Committee’s review was conducted. The Committee sympathises with these concerns. The Committee has only recently called upon the Government to ‘exercise realism’ in relation to requested timeframes for bill reviews:

The Committee notes that extremely short timeframes for examination of complex legislation not only place pressure on the Committee and its staff, but can also diminish the quality and quantity of evidence able to be gathered, and can even undermine relationships with key stakeholders.

While some new laws may be truly urgent, this is not always the case, and wherever possible a healthy democratic process and appropriate national security oversight requires that the Committee be provided the appropriate time and space necessary to do its work well.[2]

6.6 In the current instance, the period between the bills being introduced into the Parliament and the Minister’s requested reporting date was less than six weeks. This is an unusually short inquiry timeframe for a package of bills introducing more than 150 pages of complex legislation.

6.7 Notwithstanding that, the Committee notes the broad support for the bills amongst inquiry participants, and the extensive and rigorous consultation process that occurred before their introduction into the Parliament. This ‘best practice’ consultation process has meant that there were few (if any) surprises for stakeholders in the bills that were introduced, and therefore there were fewer issues to be resolved by the Committee than would otherwise have been the case. Although some submitters held in-principle objections to aspects of the package, the majority of matters brought to the Committee’s attention concerned implementation or matters of detail.

6.8 Despite the tight timeframes, the Committee received more than 60 high quality written submissions from industry, peak bodies, civil society and individuals, and held two days of public hearings. The Committee has taken these contributions into account in developing its conclusions and recommendations. The Committee expresses its gratitude to all those involved for their constructive efforts to assist the inquiry.

6.9 Further, the Committee accepts that hardening Australia’s cyber resilience and implementation of the 2023–2030 Australian Cyber Security Strategy is an urgent priority of the Government and this Parliament, and the Committee considers that passing the legislative package before the rising of the 47th Parliament is necessary to avoid extended delays in its implementation.

6.10 On this basis, the Committee supports the urgent passage of the bills, subject to the recommendations contained in the remainder of this report.

Recommendation 1

6.11 The Committee recommends that, subject to implementation of the recommendations in this report, the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 be passed by the Parliament.

Security standards for smart devices

6.12 The Cyber Security Bill 2024’s (Cyber Security Bill) proposed introduction of mandatory security standards for smart devices was one of the most strongly supported measures of the legislative package. The Committee likewise strongly supports this measure. Whether the product is a vehicle, a kitchen appliance or another household device, Australians should be able to expect that the products they purchase meet minimum standards to ensure their safety, security and privacy. This is increasingly important with the growing array of devices that incorporate cameras and microphones.

6.13 The Committee notes that many of the details of this measure—including the specific standards to be applied to specific classes of devices, the phasing of the introduction of those standards, and any exemptions—are proposed to be set out in the rules. This is appropriate, as it will give the Australian Government the flexibility to rapidly update technical standards in response to the changing technological environment and best-practice standards, and to address the specific security imperatives relating to each class of product. The Committee notes that the rules are subject to mandatory consultation requirements,[3] as well as parliamentary disallowance procedures.

6.14 Contributors to the inquiry argued for a phased approach to implementation of the new standards to allow time for manufacturers and suppliers to adapt. In evidence to the Committee, the Department of Home Affairs outlined how it had built a one-year phase-in period into the reforms, during which it will continue to consult industry and ensure the implementation of the rules is fit-for-purpose. The Department of Home Affairs has published an explanatory document outlining its proposed approach to the rules. This document outlines the Department’s intention that the security standards will initially be applied to consumer-grade connectable products, with future applications of the rules to be considered as required.[4]

6.15 The Committee supports this phased approach and encourages the Department to continue to consult with stakeholders to ensure standards are applied in a way that is appropriate for each class of product.

6.16 The Committee also supports the Government’s intention to align the mandatory standards with equivalent international standards.[5] Standards that diverged from those applying elsewhere in the world to any significant degree would be highly problematic for suppliers of some types of products, potentially even leading to the withdrawal of those products from the mainstream Australian market and encouraging parallel imports from overseas.

6.17 The Committee acknowledges concerns from a small number of submitters that security standards for vehicles are not expressly addressed by the Cyber Security Bill or its Explanatory Memorandum. However, the Committee notes that Part 2 of the Cyber Security Bill is intended to apply to all products meeting the definition of ‘relevant connectable product’, unless specifically exempted under the rules. The Committee also notes the Department of Home Affairs’ advice that devices will only be excluded if:

there is existing legislation that can adequately address the cyber security of these devices, there is work underway across Government to develop a higher or bespoke standard for these devices, or the complexity of these devices means that being mandated under these rules will risk a lower standard being met.[6]

6.18 While uplifting the security of connectable devices should remain the paramount goal, the Committee encourages the Department to work with industry to apply a reasonable approach to implementation and enforcement.

6.19 Noting concerns from some submitters about the interpretation of some definitions used in Part 2, the Committee highlights the need for clear guidance to be developed, alongside outreach and education from the Department of Home Affairs, to ensure businesses are fully apprised of the proposed new requirements relating to their industry sector. As with other aspects of the Cyber Security Legislative Package, the Department should apply the ‘education first’ approach to enforcement of provisions.

Ransomware reporting

6.20 The Committee supports the Cyber Security Bill’s proposed introduction of mandatory reporting obligations for ransomware payments by businesses. Ransomware attempts, and other digital extortion efforts, are a persistent security threat to Australian businesses and their productivity, as well as the broader community. The new reporting obligation will help shed light on the extent of payments being made by businesses, informing government efforts to combat this type of serious cyber crime.

6.21 There were mixed views amongst contributors to the inquiry on the annual turnover threshold that should apply to the proposed reporting obligation. Some contributors considered the proposed $3 million turnover threshold—aligned to the definition of small business in the Privacy Act 1988—was too low and compliance would be too burdensome on smaller businesses. Other contributors felt that the proposed threshold should be lower or even be removed to ensure that the Government receives a more complete picture of the extent of ransomware payments being made. Still others supported the proposed turnover threshold as being an appropriate balance between providing enough data to meet the objectives of the reporting obligation and minimising the regulatory burden on small businesses.

6.22 The Committee acknowledges these different viewpoints. However, the Committee notes that the precise turnover threshold will be set in the rules, not in the primary legislation that the Committee has been tasked to review. The rules are subject to mandatory consultation requirements prescribed in the Cyber Security Act and will be disallowable by the Parliament.

6.23 There were also mixed views on whether only ransomware payments should be reportable, or if ransomware demands received by businesses should also be reportable (whether or not the demand resulted in a payment). The Committee notes that requiring reporting of ransomware demands would give government agencies a more complete view of the extent of the problem; however, it supports the Cyber Security Bill’s approach to only mandate reporting of ransomware payments to minimise the regulatory burden on businesses.

6.24 On this point the Committee notes that there are existing mechanisms that enable businesses—including small businesses below the proposed turnover threshold, as well as individuals and other organisations—to report a ransomware demand and seek assistance from the Australian Cyber Security Centre (ACSC) on a voluntary basis.[7] The Committee encourages organisations to make use of these services, and the ACSC to use the information received on a voluntary basis alongside the mandatory reporting to inform its broader analysis of the threat landscape.

6.25 The Committee acknowledges concerns that the new ransomware reporting obligations will duplicate reporting obligations for some entities, in particular entities that have obligations to report cyber security incidents under the Security of Critical Infrastructure Act 2018 (SOCI Act). While the Committee does not consider that the broad reporting obligations under the SOCI Act should necessarily obviate the need for SOCI Act entities to provide discrete reports on ransomware payments under the Cyber Security Act, there is a clear need to avoid duplicative information requests from government and to streamline reporting tools. More broadly, the Committee considers it vital to the success of the ransomware reporting obligation that the tool used to facilitate reporting is easy to find, simple to use and easy to understand for the range of businesses that will be using the tool.

6.26 The Committee notes that streamlining reporting processes is already an initiative of the 2023–2030 Australian Cyber Security Strategy.[8] The Committee understands further work is underway to ensure that the ‘one-stop shop’ reporting facility at cyber.gov.au is as user-friendly and accessible as possible, including for smaller businesses.[9]

Recommendation 2

6.27 The Committee recommends that the Australian Government ensure that ransomware reporting mechanisms are as user friendly and accessible as possible for the range of businesses subject to the Cyber Security Bill 2024’s reporting obligations, and that the Australian Government continues to prioritise work to minimise duplication in cyber security incident reporting requirements for all businesses.

6.28 The Committee was reassured to learn that the Department of Home Affairs intends to take an ‘education first’ approach to compliance, which will involve engaging with businesses in relation to instances of non-compliance before taking compliance action.[10] The Committee emphasises the importance of providing education and clear guidance to businesses subject to the proposed ransomware reporting obligation, many of which are unlikely to be familiar with the proposed new legislation or to have been subject to similar obligations in the past.

6.29 The Committee therefore regards it as important that the Department of Home Affairs dedicate sufficient resources to education and guidance both during and beyond the proposed six-month implementation period for the provisions. The Committee also encourages the Department to provide support to representative business organisations, including the Business Council of Australia and the Council of Small Business Organisations Australia, to educate and inform their members.

Recommendation 3

6.30 The Committee recommends that the Australian Government ensure that the Department of Home Affairs and the Australian Signals Directorate are given adequate resources to educate businesses about the proposed ransomware reporting obligations and to provide clear guidance on interpretation of the legislation.

6.31 The Committee notes concerns raised by the Business Council of Australia and the Law Council of Australia that the extraterritoriality provisions of the Cyber Security Bill may inadvertently extend the ransomware reporting obligations to overseas incidents that do not have any nexus to an entity’s Australia-based operations. The Committee notes that the Law Council of Australia proposed a small amendment to paragraph 26(1)(c) of the Cyber Security Bill that would address this issue.[11] The Committee recommends that the Government consider this suggestion, and amend the Bill as appropriate to ensure the ransomware reporting obligations apply only to the extent that a ransomware incident relates to the reporting business entity’s operations in Australia.

Recommendation 4

6.32 The Committee recommends that the Cyber Security Bill 2024 be amended to ensure that the proposed ransomware reporting obligations apply only to the extent that a ransomware incident relates to the reporting business entity’s operations in Australia.

6.33 The Committee also acknowledges views expressed by several contributors to the inquiry that, in exchange for the additional reporting obligations being placed on industry, the Government’s sharing of cyber threat intelligence back to industry should be enhanced. The Committee supports this notion in principle. As the information available to government improves, it is reasonable to expect that government agencies will alert industry partners—and the broader public, where applicable—to the existence of cyber threats and how to protect themselves against those threats.

6.34 The Committee is aware that the ACSC has already been increasing its provision of threat intelligence in recent years, including through the recently established two-way Cyber Threat Intelligence Sharing (CTIS) platform. The CTIS platform is intended to enable businesses both to share threat intelligence with, and receive such intelligence from, the Australian Signals Directorate (ASD) and other industry partners.[12] The ACSC also provides more general cyber security alerts and advisories to the general public through its cyber.gov.au website and an accompanying email alert service.[13] The Committee did not receive evidence on the effectiveness of these existing services, but encourages the ACSC to continue to seek ways to enhance the two-way sharing of information in response to feedback from stakeholders.

Cyber Incident Review Board

6.35 The Committee supports the Cyber Security Bill’s proposed establishment of an independent Cyber Incident Review Board (CIRB) to conduct post-incident reviews of significant cyber security incidents in Australia. Recent incidents have shown that there are important lessons to be learned in the wake of major cyber security incidents, and the CIRB will provide a mechanism to ensure that those lessons are independently identified and fed back to government, industry and the general public.

6.36 Although some contributors to the inquiry considered the CIRB unnecessary, most contributors expressed at least in-principle support. However, the Committee acknowledges that a number of contributors expressed concern about the proposed structure and composition of the CIRB, as well as the role of the Minister in approving the terms of reference for individual reviews.

6.37 Part 5 of the Cyber Security Bill proposes that the CIRB will consist of a standing membership as well as an Expert Panel, with members of the Expert Panel to be appointed to assist in each review. However, several contributors were concerned by the statement in the Explanatory Memorandum for the Cyber Security Bill that the standing members of the CIRB will be members of the public service.[14] The Committee acknowledges these concerns and agrees that it is important that for each CIRB review there is a broad range of expertise, from both within and outside the Government.

6.38 The Committee notes that there is nothing in the Cyber Security Bill that would require standing members of the CIRB to exclusively consist of public servants. While it is appropriate for senior public servants—including representatives of relevant statutory agencies such as ASD—to be included on the CIRB and in the exercise of its powers, the Committee has heard from some of a desire to also include representatives external to government. To allow for further consultations between the Government and others to account for and fully consider the merits of this contention, the Committee recommends that the Explanatory Memorandum should be amended to remove the current statement.

Recommendation 5

6.39 The Committee recommends that the Explanatory Memorandum to the Cyber Security Bill 2024 be amended to remove the statement that standing members of the Cyber Incident Review Board will be members of the public service.

6.40 The Committee also acknowledges the view expressed by contributors to the inquiry that the Cyber Security Bill’s proposal to require Ministerial approval of the terms of reference for each CIRB review may be seen by some to compromise the independence of the CIRB. The Committee respectfully disagrees. While the legislation confers independence on the CIRB in relation to how it conducts and reports on each of its reviews, it is appropriate that the Minister has a role in ensuring the terms of reference for each review are appropriate, including with respect to the particular members of the CIRB and its Expert Panel involved in the review. This will provide the Minister—as a democratically elected and accountable official with responsibility for cyber security policy—with the ability to ensure the review does not duplicate other review mechanisms or investigations that may be underway in relation to the incident, and that neither standing members of the CIRB nor members of the Expert Panel involved in the review have conflicts of interest.

6.41 Nevertheless, the Committee expects the Minister to consult closely with the CIRB before approving any terms of reference. To provide assurance that this consultation will occur, the Committee recommends that the Cyber Security Bill be amended to make such consultation mandatory.

Recommendation 6

6.42 The Committee recommends that the Cyber Security Bill 2024 be amended to require the Minister to consult the Cyber Incident Review Board before approving the terms of reference for a review.

Limited use provisions

6.43 The Committee notes the strong support for the intent of the ‘limited use’ provisions in the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (ISA Bill), which are designed to give more assurance to entities who voluntarily disclose information to government agencies about cyber security incidents that the information they disclose will not be used against their interests in the future. The Committee also notes concerns from some contributors that the protections could go further still.

6.44 Some contributors to the inquiry suggested that entities should be protected from any future regulatory or enforcement action in circumstances where they have provided information about a cyber incident to the National Cyber Security Coordinator (NCSC) or ASD. However, the Committee notes that it is not the intention of the provisions to create such a ‘safe harbour’, which would shield an entity from legal liability in relation to an incident merely because they had reported the incident to the relevant authorities. Rather, the intention of the limited use provisions is to ensure that the incident report itself is not admissible in any action against the entity and that the entity’s report will not be used by regulators for compliance action.

6.45 Certain contributors to the inquiry called for additional constraints on the use or sharing of information, or requested that government agencies should be required to consult with impacted entities before on-sharing their information.

6.46 The Committee considers that the provisions create an appropriately balanced and workable framework.

6.47 Nevertheless, noting the concerns raised by some stakeholders and the apparent confusion in relation to the operation and intent of the provisions, the Committee considers that more efforts are needed to ensure industry partners understand the scope of the limited use protections. This may involve clearer statements in the Explanatory Memorandum setting out the limits of the provisions, including through the use of examples, as well as guidance and education going forward to help businesses understand how the provisions are intended to operate in practice.

Recommendation 7

6.48 The Committee recommends the protections conferred by the ‘limited use’ provisions be more clearly expressed in the Cyber Security Bill 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and associated explanatory memoranda, and that the Department of Home Affairs develop guidance to ensure they are well understood by industry.

6.49 The Committee notes concerns raised by the Business Council of Australia and the Law Council of Australia as to whether information that may be subject to legal professional privilege (LPP) is adequately protected by the provisions. The Committee understands that there is no intention for LPP to be waived in respect of any information that has been disclosed to the Government under either the Cyber Security Bill or the ISA Bill. The Committee supports the bills being amended to make this intention clear.

6.50 The Committee also notes the Law Council of Australia’s suggestion for minor amendments to ensure that the bills’ protection of existing rights, privileges and immunities extends to all proceedings, not only proceedings where an entity is a defendant. The Committee supports the insertion of minor amendments to address this issue.

Recommendation 8

6.51 The Committee recommends that the Cyber Security Bill 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 be amended to make clearer that:

  • disclosure of information under the ransomware reporting obligation does not amount to a subsequent waiver of legal professional privilege; and
  • the provisions do not limit or affect any right, privilege or immunity that the reporting entity has in respect to any proceedings.

SOCI Act amendments

6.52 The Committee notes the substantial changes to the SOCI Act that would be introduced by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (ERP Bill). Many submitters expressed support for these changes, which include proposed amendments to:

  • include data storage systems that hold ‘business critical data’ within the definition of ‘critical infrastructure asset’
  • expand the SOCI Act’s existing information-gathering and action directions powers to be available in response to any serious incident, not just a serious cyber security incident
  • clarify information sharing provisions and the associated administrative processes
  • introduce a new directions power to require an entity to address a serious deficiency in its critical infrastructure risk management plan
  • consolidate the Telecommunications Sector Security Reform (TSSR) provisions from the Telecommunications Act 1997 (Telecommunications Act) into the SOCI Act.

6.53 However, as outlined in Chapter 5, some participants in the inquiry objected to certain parts of the provisions. Others were concerned about the potential scope of some of the key terms introduced into the SOCI Act by the ERP Bill, and requested greater clarity in relation to how the amendments are intended to be interpreted and applied. This was in relation to terms including ‘data storage system’, ‘business critical data’, ‘material risk’, ‘responsible entity’, ‘incident’, ‘serious incident’, and ‘serious deficiency’.

6.54 The Committee welcomes the Department of Home Affairs’ advice that it is working to prepare policies, procedures and guidance material to guide how the various powers would be used in practice. The Committee encourages the Department, in consultation with industry, to include within those materials clear guidance, with examples, on how the above terms are intended to be interpreted and applied by entities.

Recommendation 9

6.55 The Committee recommends that, in administrative guidance material to support the implementation of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024, the Department of Home Affairs provide clear guidance and examples in relation to the intended interpretation and application of key definitions introduced into the Security of Critical Infrastructure Act 2018.

6.56 Some participants in the inquiry also raised broad concerns about the existing operation of the SOCI Act. These included concerns about a lack of definitional clarity in relation to existing parts of the SOCI Act; concerns about the financial impact and regulatory impost on entities for complying with the SOCI Act; concerns about the scope of the directions powers available under the SOCI Act; and concerns about the absence of independent authorisation, oversight mechanisms or merits review in relation to those powers.

6.57 It is not the Committee’s intention to attempt to address these broad concerns as part of the current inquiry. Although the ERP Bill amends, and in some cases expands, the powers available under the SOCI Act, the desirability or otherwise of any recommendations to fundamentally alter the current operation of the SOCI Act would be best considered in a separate, wider-ranging review. The Committee makes recommendations concerning the legislated independent review and the Committee’s statutory review of the SOCI Act below.

Statutory reviews

6.58 The Committee supports calls for a statutory review of the Cyber Security Act, after an initial period of operation. The Cyber Security Bill’s measures in relation to security standards for smart devices, mandatory ransomware reporting and the Cyber Incident Review Board are entirely new in the Australian context and should be evaluated to ensure that the legislation is effective and is not burdening industry with obligations that are unnecessary or duplicative. Similarly, the limited use provisions should be reviewed to ensure they are working as intended to improve voluntary sharing of information with the NCSC and ASD.

6.59 The Committee agrees with the suggestion by the Law Council of Australia that commencing the review in approximately three years would be appropriate. The review would provide an opportunity to assess whether the Cyber Security Act is operating as intended, effectively meeting its objectives, and has been reasonably and proportionately implemented.

Recommendation 10

6.60 The Committee recommends that the Cyber Security Bill 2024 be amended to provide that the Committee may (if it resolves to do so) commence a review of the operation, effectiveness and implications of the Cyber Security Act 2024 as soon as practicable after 1 December 2027.

6.61 The Committee is also conscious that the SOCI Act, which is proposed to be substantially amended by the ERP Bill, has been in operation for six years without any wide-ranging parliamentary or independent review of its operation.

6.62 The Committee previously completed a statutory review of the SOCI Act in September 2021.[15] However, due to the review coinciding with the introduction of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SLACI Bill), which introduced Part 3A into the SOCI Act, the then Committee found it was unable to effectively review the operation of the existing SOCI Act.[16]

6.63The then Committee recommended that the legislation be amended to enable the Committee to conduct a further statutory review of the SOCI Act three years later.[17] As a result, the Committee is currently empowered, under section 60B of the SOCI Act, to review the operation, effectiveness and implications of the SOCI Act so long as it begins its review before the end of three years after the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act) received Royal Assent. As this period expires on 2 December 2024, this would require the current Committee to commence the statutory review imminently.

6.64The Committee considers a wide-ranging, holistic review of the SOCI Act remains necessary. As noted above, evidence to the current inquiry demonstrated that there continues to be concerns about aspects of the SOCI Act, including the lack of independent authorisation and review mechanisms in relation to the powers in Part3A. These concerns were broadly relevant to the ERP Bill, which further expands the powers introduced by Part 3A. However, the Committee considers addressing these concerns would be more suited to a holistic review of the SOCI Act that is completed over a longer timeframe than the current inquiry into the Cyber Security Legislative Package allows.

6.65Nevertheless, as occurred in 2021, the introduction of substantial amendments to the SOCI Act through the ERP Bill means that the SOCI Act is once again in a state of flux. Many of the key changes that the ERP Bill introduces are not intended to commence until after a 6 or 12-month implementation period.[18] The anticipated election within the next six months is another complicating factor. As a result, the Committee is not well positioned to conduct a meaningful statutory review if it were to commence by the 2December 2024 deadline.

6.66The Committee considers that the date for its statutory review should be delayed until after the commencement of the next Parliament, and at such a time that the effect of the changes introduced by the ERP Bill can be fully assessed. The Committee therefore recommends that the commencement date for the statutory review enabled by section 60B of the SOCI Act be extended by 2 years, to 2 December 2026.

6.67The Committee also notes that an independent review under section 60A of the SOCI Act—which was recommended by the then Committee in March 2022 and intended to inform the Committee’s own statutory review[19]—has not yet occurred. Section 60A required the Minister to cause an independent review to commence after 12 months following the section’s commencement on 2 April 2023, with a report to be provided to the Minister for tabling in the Parliament within 12 months of the review’s commencement. However, with no deadline to commence the independent review specified in the legislation, the Committee understands that the independent review has not yet been initiated.

6.68Although the then Committee in 2022 had envisaged the independent review being completed earlier, there would be little benefit in the independent review commencing imminently now, at a time when the changes introduced by the ERP Bill have yet to come into effect. However, to ensure the independent review is completed in time to inform the Committee’s next statutory review, the Committee recommends that the independent review be commenced no later than 1 November 2025.

Recommendation 11

6.69 The Committee recommends that the Minister initiate the independent review of the operation of the Security of Critical Infrastructure Act 2018 required by section 60A of that Act by no later than 1 November 2025.

Recommendation 12

6.70 The Committee recommends that existing section 60B of the Security of Critical Infrastructure Act 2018 (SOCI Act) be amended to provide that the Parliamentary Joint Committee on Intelligence and Security may (if it resolves to do so) review the operation, effectiveness and implications of the SOCI Act, so long as the Committee begins its review by no later than 2 December 2026.

6.71 The Committee notes that the Department of Home Affairs has been providing six-monthly reports to the Committee relating to the conduct, progress and outcomes of consultations undertaken by the Department in relation to the SLACI Act and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act), as required by section 60AAA of the SOCI Act and in accordance with a previous recommendation of the Committee. This reporting requirement was due to expire when the Committee commenced its statutory review of the SOCI Act.

6.72 Noting the Department’s advice that implementation of the SLACI Act and the SLACIP Act is now complete, the Committee considers that section 60AAA has served its purpose and it is no longer necessary for the Department to continue to provide these regular reports. The Committee therefore recommends that section 60AAA be repealed. In making this recommendation, the Committee notes that it has a standing power under section 30 of the Intelligence Services Act 2001 to request briefings from the Department of Home Affairs for the purpose of performing the Committee’s functions.

Recommendation 13

6.73 The Committee recommends that the Security of Critical Infrastructure Act 2018 be amended to repeal the requirement in section 60AAA for the Department of Home Affairs to provide six-monthly consultation reports to the Committee.

Senator Raff Ciccone

Chair

14 November 2024

Footnotes

[1] Mike Burgess, Director-General of Security, ‘Director-General’s Annual Threat Assessment 2024’, 28 February 2024, https://www.asio.gov.au/director-generals-annual-threat-assessment-2024, viewed 3 November 2024.

[2] Parliamentary Joint Committee on Intelligence and Security, Annual Report of Committee Activities 2022–2023, February 2024, p. 15.

[3] Cyber Security Bill 2024, proposed s. 87.

[4] Department of Home Affairs, Submission 59, p. 29.

[5] Department of Home Affairs, Submission 59, p. 8.

[6] Department of Home Affairs, Submission 59, p. 10.

[7] Australian Signals Directorate (ASD), ‘Ransomware’, https://www.cyber.gov.au/threats/types-threats/ransomware, viewed 6 November 2024.

[8] Australian Government, 2023–2030 Australian Cyber Security Strategy, p. 25.

[9] Mr Ashley Bell, Assistant Secretary, Cyber Policy and Programs, Department of Home Affairs, Committee Hansard, Canberra, 1 November 2024, p. 25.

[10] Cyber Security Bill 2024, Explanatory Memorandum (EM), p. 47 [222].

[11] Law Council of Australia, Submission 62, p. 13.

[12] ASD, ‘Join the Cyber Threat Intelligence Sharing service through Sentinel’, https://www.cyber.gov.au/about-us/view-all-content/news-and-media/join-the-cyber-threat-intelligence-sharing-service-through-sentinel, viewed 6 November 2024.

[13] ASD, ‘Alerts and Advisories’, https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories, viewed 6 November 2024.

[14] Cyber Security Bill 2024, EM, p. 8.

[15] Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, September 2021.

[16] Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, September 2021, p. 59 [4.10].

[17] Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, September 2021, p. 60 [4.16].

[18] Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024, cl. 2 (‘Commencement’).

[19] Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, March 2022.