Foreword

This report of the Parliamentary Joint Committee on Intelligence and Security comes almost six months after the Committee handed down its Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 (SOCI Bill report).
That report recognised the complex and shifting nature of cybersecurity and the increasing threat to critical infrastructure assets within Australia, as well as globally. In the intervening six months, the threat environment has not lessened. As outlined by the Head of the Australian Cyber Security Centre, the Australian Government’s foremost cyber technical authority, ‘there has been no reprieve from the level of malicious cyberactivity impacting Australian networks both in terms of criminal cyberactivity and state-based activity. In fact, the invasion of Ukraine by Russia has marked an unprecedented level of malicious cyberactivity on a global level’.1
The Committee’s report on the SOCI Bill recognised these threats and the importance of the proposed response, but ultimately concluded at the time that further consultation was required to overcome significant stakeholder and industry concern about the potential impact of the entire suite of reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act).
It was for this reason that the Committee recommended that the SOCI Bill be split into two Bills:
  • Bill One for rapid passage – to expand the critical infrastructure sectors covered by the SOCI Act, introduce government assistance measures to be used as a last resort in crisis scenarios, as well as mandatory reporting obligations; and
  • Bill Two for further consultation – including declarations of systems of national significance, enhanced cyber-security obligations and positive security obligations which are to be defined in delegated legislation. This Bill was to then be referred to the Committee for review.
Bill One became the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act). Bill Two became the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the SLACIP Bill), which this report addresses.
The introduction of the SLACIP Bill, and the referral to the Committee to report before the 2022 Budget sitting week, have occurred against the backdrop of a further deteriorating global security environment, underscored by Russia’s invasion of Ukraine and the subsequent global response to this aggression.
The pace of this inquiry has been a theme of key evidence to the Committee’s review, but the Committee has also received evidence during this review that outlines the necessity of completing these reforms as quickly as possible.
Further consultation with industry was a key pillar of the Committee’s SOCI Bill report recommendations. The Committee recognises that the Department of Home Affairs has undertaken concerted efforts to consult and improve the package of reforms presented in the SLACIP Bill, to the extent possible, noting that it is impossible to satisfy every stakeholder in a regulatory environment that will impact thousands of entities.
As previously indicated, the Committee heard significant classified and public evidence regarding the deteriorating cyber-threat environment, which necessitates the passage of this Bill in the shortest time possible. This accelerated need has driven a perception that the Bill may have been rushed, or that the Department has not taken industry concerns seriously, but the Committee has ultimately concluded that this is not the case. Fear of the unknown is understandably driving some industry concern; however, that fear should not dictate that the government do nothing and leave critical elements of our industry, services and economy exposed to attack.
Regulation like this comes with a cost, and the Committee acknowledges that cost will be borne by industry. The Committee believes that cost will be outweighed, however, by the resultant security uplift that will stem from risk management programs, and that the overall improvements to critical infrastructure security from these measures will offset the potential losses were a serious cyber incident to occur in their absence. Additionally, the Committee notes that this cost will not be immediate, and that the Department is committed to continuing, and will be legislatively required to continue, consulting with industry before any obligations are imposed.
Declarations of systems of national significance (SoNS) will ensure that the most structurally vital assets in Australia are recognised and protected to ensure that Australia continues to prosper and remains resilient in the event of a significant crisis.
The Committee is recommending the passage of the Bill, with appropriate recommendations regarding continued consultation and refinement of the discretionary and collaborative aspects of the Bill’s desired outcomes; appropriate reporting and notification to this Committee of discretionary SoNS declarations; as well as independent review of the reforms after one year of operation, to ensure that the intended operations, implications and effectiveness of the SOCI Act are being realised.
The Committee is then committed to undertaking its already legislated statutory review requirement no later than December 2024, while noting that it has the discretion to launch such an inquiry at any stage before this date, and will do so if it becomes aware that the reformed SOCI Act is operating in an unintended manner, or in a manner disproportionate to that in which the government has assured it will operate.

  1. Ms Abigail Bradshaw CSC, Head of the Cyber Security Centre and Deputy Director-General, Australian Signals Directorate, Proof Committee Hansard, Canberra, 16 March 2022, p. 52.
