3.1
The Committee repeats its acknowledgement of the compressed timeframe for the undertaking of this Bill review. What would normally be undertaken in three to six months has been compressed into less than six weeks due to the requested reporting date from the Minister, to allow passage of the Bill in the Autumn sittings.
3.2
The Committee would again like to thank the stakeholders, submitters and witnesses that provided their evidence and insight into this next tranche of critical infrastructure security legislation.
3.3
The Committee has received ongoing updates and briefings in recent years from the government, as well as interested non-government stakeholders, regarding the ever evolving and increasing threat of cyber-enabled sabotage, espionage and foreign interference. These threats become even more real when the potential targets are critical infrastructure providers and assets in Australia, many of which provide the essential services, utilities and communications that the Australian people, economy, and society rely on.
3.4
The recent events in Ukraine and the potential for cyber-enabled warfare and retaliation has brought into stark contrast the potential fragility of critical infrastructure assets. Many industry providers and entities do an excellent job in securing their assets and responding to threats, however some do not.
3.5
The evidence received from the ACSC regarding the decline in cyber order and the increase in the threat environment was a welcome and timely reminder of the reason that this proposed legislation has been brought before the Parliament and this Committee.
3.6
This threat and the potential effect on the way of life that Australians enjoy was also summarised by the Cyber Security Cooperative Research Centre:
The threat environment keeps expanding and expanding, and we've seen a rapid escalation of this as a result of the COVID-19 pandemic around the world. In Australia, we obviously haven't been immune from those impacts, so we've seen a huge rise in cyber incidents in Australia during this period. You only need to look at the ACSC reporting to see how much of an increase there has been. As we all know, that is probably just the tip of the iceberg, because so much of this activity goes unreported. We've seen critical infrastructure sectors impacted significantly as a result of this, by ransomware attacks, by general cybercrime and by infiltration by state and state-based actors. Health as a sector has been really targeted due to its criticality, especially during COVID-19. So, when it comes to this legislation, it really couldn't be more timely in terms of bringing Australian critical infrastructure entities up to the appropriate standard of cybersecurity that they have to be at. In relation to this threat, we can make no mistakes about it: this isn't just about lights switching on and water running; it comes down to the way of life that Australians enjoy, and this could ultimately be a threat to the lives of Australians.
3.7
On top of the general threat faced by all critical infrastructure assets, some are so crucial to the social or economic stability of the nation, its defence or national security, that they must be supported in preparedness and response, and this is what the SLACIP Bill proposes to do with the reforms contained within it.
SOCI Bill report outcomes
3.8
As indicated in Chapters 1 and 2, the Committee acknowledges the positive response that the government has had to its SOCI Bill report recommendations. The evidence received to this review has indicated that, while not perfect, the Department has made a concerted effort to engage extensively with most directly relevant stakeholders in developing the elements of both the SLACI Act introduced in December 2021 and those in the SLACIP Bill.
3.9
While some stakeholders have outlined concern regarding the scope and engagement of the consultation undertaken, the evidence provided to the Committee indicates that the Department has made itself available for entities to consult with, however some may have not taken up this opportunity, or have potentially not been adequately informed by their representative bodies or industry associations of the mechanisms available.
3.10
The ‘push’ mechanism utilised by the Department for consultation is the only reasonable one available to it regarding a reform with the scope of these critical infrastructure proposals, and it relies on industry to reply in kind with a ‘pull’ response to engage. The shared partnership that the Government and Department has committed to with industry requires investment from both sides.
3.11
The reforms proposed in the SOCI Bill and now the SLACIP Bill potentially affect thousands of entities, companies, individuals and systems. It is for this reason that the Committee acknowledges that regulation like that proposed in the SLACIP Bill has to strike a balance between the regulation that is imposed on already compliant assets (and the non-compliant) with the potential benefit to be gained by the regulation and obligations imposed.
SLACI Act
3.12
The separation of the most urgent elements of the framework into the SLACI Act has realised the majority of the recommendations of the Committee’s SOCI Bill Report related to expansion of asset sectors, cyber incident notifications and government assistance measures. These measures are still very much in their legislative infancy, so the Committee does not propose to address these in this report. It will revisit these when it undertakes a relevant statutory review of the SOCI Act, which will be covered later in this chapter, along with independent review mechanisms.
SLACIP Bill reforms
3.13
In the limited time that the Committee has had to analyse and test the scope of impact of the SLACIP Bill’s reforms, the Committee has had to pragmatically focus on the obvious industry-wide impacts and concerns that the Bill may pose. It is for this reason that the Committee posed five questions to potential submitters to try and capture consistent feedback on the potential areas that the Committee agreed may be of concern to affected entities.
3.14
Most submitters addressed the questions posed, but a number did not. The Committee has attempted to capture the feedback and concerns raised by submitters in Chapter 2, but due to the sheer scope of potential variation of concern that can relate to a specific asset sector, or even a specific company, the evidence and commentary has had to be thematic in nature, though the Committee has tried to identify the main points raised by most, if not all submitters.
3.15
The Committee wishes to stress the fact that if an issue raised by a submitter or a witness has not been outlined in this report it does not mean that that issue was not considered by the Committee in the evidence base for the review. For the reasons stated above, the Committee has had to narrow the review’s focus to the SLACIP Bill alone, and the major elements for analysis contained within.
3.16
The Committee notes that the majority of recommendations from the SOCI Bill report that relate to the content of the SLACIP Bill have been addressed fully, partially, or had a rationale put forward by the Department or Minister for Home Affairs as to why the recommendation has not been supported.
The way forward
3.17
The Committee is conscious that the issues raised by stakeholders to this review primarily reflect a hesitancy to enter into a regulatory framework that is unfamiliar and has unanswered questions from not fully formulated (draft rules) and has unknown application (Systems of National Significance (SoNS) declarations). The Committee accepts this commercial hesitancy, but believes that the underlying intent of the expansions of the security of critical infrastructure is sound and will ultimately result in the desired security uplift.
3.18
The potential harm to Australian society and its economy is too great to rely on the best endeavours of the market, with its greatly varied preparedness and willingness to engage. The SOCI Act and the SLACIP Bill’s proposals will ultimately bring all critical infrastructure assets to a unified state of preparedness, with extra protective layers for those assets that are central to the fabric, defence and national security of our nation. This protection will always come with a cost.
3.19
That cost will vary across industry, but is proportionate to the importance of the assets in question, or will reflect the unprepared state that some asset sectors are currently positioned in when it comes to cybersecurity posture.
3.20
What the Committee outlines below is the pragmatic changes it can identify to the Bill and operation of the SOCI Act that will build continued confidence around its collaborative and consultative regulatory core, as well as ensure that appropriate review can occur to confirm that the framework operates as intended.
Consultation, co-design and timeframes
3.21
The Committee is conscious that the main driver behind its split Bill response to the original 2020 SOCI Bill was to allow for measured and collaborative co-design of the measures now contained within the SLACIP Bill and associated draft Rules.
3.22
A large proportion of submitters expressed concern that this design process has been rushed by the Department, and that the Committee’s process is equally as rushed due to the short timeframe requested for this review.
3.23
The Committee agrees that the original intent of the recommendations regarding the design and review of ‘Bill 2’ in its SOCI Bill report was for a longer process to be undertaken. However, the Committee observes that two things have become apparent since September 2021:
the Department’s co-design process for risk management plans continued throughout the duration of the SOCI Bill review and when paired with the SLACIP Bill consultation process equals nearly ten months of negotiations; and
the deterioration in the security status of the world order, with the accompanying increased threat of cyber-enabled attacks on critical infrastructure assets has necessitated a more immediate response.
3.24
The Committee acknowledges that the shift in direction on risk management programs (RMPs) and the unfortunate Christmas/New Year alignment with exposure draft processes has lead to a perception of a lack of engagement, but the Committee does believe that the Department has made concerted endeavours to consult.
3.25
Every party is never going to be completely satisfied with a process such as this, but the Department and the Minister have made multiple statements that the process of industry consultation and collaboration will not cease with the potential passage of the Bill and the finalisation of Rules design.
3.26
The Committee believes that the undertakings of the Department and government to continue to consult and design the critical infrastructure framework are genuine. This is reflected in the great deal of flexibility that resides in the proposed amendments of the SLACIP Bill, as well as the continued collaboration that will occur around the finalisation of the rules for RMPs, as well as will be required before SoNS can be declared or ECSOs can be imposed.
3.27
However, to add more confidence to this process the Committee is making further recommendations below to reinforce the commitment for ongoing engagement and co-design, both in improving Rules and informing Ministerial declarations, as well ensuring that potentially unrecognised regulatory duplication (such as that identified by the Australian Airports Association) can be identified, but to also allow for the ongoing review of sector and asset definitions to ensure they are fit for purpose.
3.28
The Committee recommends that the Department of Home Affairs and the Cyber and Infrastructure Security Centre establish a fresh round of consultation with critical infrastructure industry representatives, relevant employee representative bodies, and trade unions to enable further feedback to be incorporated into the draft Rules for risk management programs under the proposed amendments.
This consultation can ensure that the timeframes established in the Rules for implementation and commencement of said Rules is agreed and may vary for specific assets.
3.29
The Committee recommends that the Department of Home Affairs and the Cyber and Infrastructure Security Centre continue industry roundtables for review and improvement of the Rules and guidance materials in alignment with the undertakings identified in its submission, in public hearing evidence, and in accordance with Recommendation 6 of the Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018.
These roundtables can also be used for continued review of the ‘fit for purpose’ nature of sector and asset definitions to inform further potential legislative amendment or Ministerial declarations.
3.30
Additionally, in order to build stakeholder confidence that the Committee will continue to monitor that the above recommended consultation is undertaken in an appropriate manner, according to the recommended scope and purpose, the Department should provide a biannual report to the Committee on the progress or outcomes of consultations – including detail of participants and how stakeholder feedback has been incorporated – especially while RMP rules are under development.
3.31
Accordingly, the Committee is recommending that existing section 60 of the SOCI Act be amended to require the Minister to provide 6-monthly written reports to the Committee regarding the conduct and outcomes of ongoing consultation under the SOCI Act’s expanded legislative regime.
3.32
The Committee recommends that section 60 of the Security of Critical Infrastructure Act 2018 be amended to require the Minister to provide a written periodic report to the Parliamentary Joint Committee on Intelligence and Security regarding the conduct, progress and outcomes of ongoing consultations undertaken by the Department of Home Affairs or Cyber and Infrastructure Security Centre in relation to the expanded provisions included in the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 as well as those enabled by the Security Legislation Amendment (Critical Infrastructure) Act 2021.
These reports should include detail regarding the participants involved and how stakeholder feedback has been incorporated into resultant rules, resources or proposed regulation or legislative change.
Risk management programs
3.33
Of most interest to the Committee regarding the content of the SLACIP Bill is the substantial recasting of the RMPs and associated rules in proposed Part 2A.
3.34
The 2020 SOCI Bill was intended to enable sector-specific rules to be co-designed to ensure that RMPs were catered to the needs and operations of each sector.
3.35
The shift to sector-agnostic rules to allow for the flexibility of assets and entities to cater existing mechanisms or develop new programs has been welcomed by most but criticised by others.
3.36
The Committee is conscious that with a regulatory program like that under the SOCI Act and the SLACIP Bill’s proposed reforms, there is rarely going to be a ‘one size fits all’ solution, or the realistic ability to create regulation for the sizable variation of assets that will be covered by the Act.
3.37
However, the shift to a flexible framework to focus on material risk to physical and natural, cyber and information, personnel, and supply chain hazards seems a sensible one and allows for those entities with existing programs to apply or adapt them, or will result in the desired uplift of risk management for those operators that do not have equivalents already in place.
3.38
The Committee accepts the Department’s assertions that existing mature risk management programs that sophisticated entities currently have in place will satisfy the Part 2A requirements and that the flexibility in the rules will allow for that to be realised. The distinct recognition of existing compliance with systems such as those required by APRA, of under the HCF, or even sophisticated ISO 31000 compliant programs will allow for entities to attest compliance or make the requisite adjustments to existing mechanisms.
3.39
The Committee also notes that the Minister must undertake a further mandatory 28 day consultation process on the rules for RMPs once the SLACIP Bill passes, which will allow for further refinement and adaptation.
3.40
The Committee recognises the continuing undertakings of the Department to work with and support affected entities and businesses in the introduction of this wide-reaching measure. The recommendations above will ensure that this collaborative process continues.
Workers’ rights and associated definitions
3.41
The Committee also recognises the concerns expressed by Trade Unions and other submitters regarding the potential impact of proposed AusCheck background checks of critical workers.
3.42
The Committee appreciates the response from the Department outlining that nothing in the SLACIP Bill negates responsibilities of employers under the Fair Work Act 2009, Work Health and Safety Legislation, or any other currently legally mandated or protected action, as well as the right to appeal decisions, as outlined in the evidence at paragraph 2.90 of this report.
3.43
The answer provided by the Department outlined that the EM could be amended to ensure this is made clear, and the Committee is therefore recommending that such clarification be added.
3.44
The Committee recommends that the Explanatory Memorandum to the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 be updated to confirm that the Bill does not negate responsibilities of employers under the Fair Work Act 2009, Work Health and Safety legislation, or any other currently legally mandated or protected action. This should include the detail that an employee who is subject to action as a result of an employer’s background check, AusCheck or otherwise, is protected by all existing rights at work, such as the right to appeal a decision with the Fair Work Tribunal.
3.45
The Committee also recognised the concerns that Trade Unions and other submitters expressed regarding the potential scope and application of definitions provided for in draft rules regarding critical workers and critical components.
3.46
The potential scope and impact of such definitions on large numbers of employees and employers, and the subsequent obligations under the proposed amendments in the Bill, is substantial. While the Committee recognises that the government desires flexibility in having such definitions included in the rules for RMPs, the Committee believes that simple and clear definitions of those elements in the Bill and SOCI Act itself would build clarity without being too prescriptive.
3.47
Accordingly, the Committee recommends that section 5 of the SOCI Act be amended to include the definitions of critical worker and critical component as currently proposed in the draft rules for risk management programs under the SLACIP Bill.
3.48
The Committee recommends that the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 be amended so that section 5 of the Security of Critical Infrastructure Act 2018 include the definitions of critical worker and critical component as currently proposed in the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022
Regulatory costs
3.49
The Committee is conscious of the feedback from industry that the potential costs for establishing and implementing RMPs is considerable for some and that the unknown consequences or status of potential SoNS declarations brings uncertainty to forecasts and business activity.
3.50
The partial completion of regulatory impact statements (RIS) for the revised elements of the SLACIP Bill are somewhat concerning to the Committee, especially given the commentary and recommendations of its SOCI Bill Report.
3.51
The Department’s reliance on the original RIS from the SOCI Bill is only partially accurate for the SoNS declarations and obligations connected to that which have not changed substantively for those in the SLACIP Bill.
3.52
The indicative costs for RMPs included in the Explanatory Memorandum and Department submission do not have a lot of detail behind them, and the significant range of cost is rightfully causing industry concern, especially for smaller or not-for-profit operators.
3.53
The finalisation and publication of a fully informed and approved RIS regarding the RMPs after the potential passage of the Bill is not ideal, but the Committee understands why the Department cannot complete that until the rules for the RMPs are finalised.
3.54
Ultimately, despite reservations regarding cost, the Committee is conscious of the benefits, both immediate and longer-term, of the security uplift that will result from the full suite of SOCI measures. Such uplift does come with a cost and ultimately the Committee agrees with the Department that the potential cost to the economy of catastrophic critical infrastructure failure from not doing anything far outweighs the cost of complying with the measures proposed.
3.55
With regard to the concerns of cost for small or not-for-profit operators, the Committee encourages those entities to work collaboratively with the Department and the CISC to ensure that development and implementation costs are minimised, and that the flexibility regarding asset identification from the Minister can be informed and exercised if appropriate.
Systems of national significance
3.56
The Committee supports the intention of the proposed Part 6A declarations for SoNS and the resultant Part 2C enhanced cyber security obligations.
3.57
The Committee recognises that the assets that may be considered for declaration are so crucial to the social or economic stability, defence or national security of the nation that they need an extra layer of protection and preparedness.
3.58
Additionally, the consultation required and evidence provided from the Department regarding working with entities that may be affected has reassured the Committee that the small number of assets that might be affected by a SoNS declaration will be supported through any such process, with the ability to apply for judicial review if desired.
3.59
The obligations that may come with such a declaration have drawn concern from stakeholders, and for understandable reason. The regulation of a private or state-controlled entity is not something the government enters into on a whim and the Committee acknowledges the undertakings that the Department has given that they will work with entities before, during and after any such declarations or imposition of obligations.
3.60
The Committee noted that many IT stakeholders expressed a concern that access to system information provisions and the ability to install system information software under proposed section 30DJ raised concern regarding potential overreach and consequential impact on system integrity or function. As outlined in Chapter 2 the Committee sought assurances from the Department and ASD that the installation of system software would be used only as a ‘provision of last resort’ (as expressed at paragraph 505 of the EM), and received evidence from both the Department and ASD that most sophisticated entities would be able to provide section 30DB and 30DC reports through existing or current open-source tools.
3.61
However, the Committee would expect that rather than potentially waiting until the point that a section 30DJ notice might be imposed on an entity, that the Department and ASD would work with the entity at the point it is declared a SoNS to determine:
whether the entity has an existing tool that can be used to generate the potentially requested reports;
if no tool is currently available, the tool which they would be willing implement to enable the required reporting (if requested) and the timeframe for that implementation; or
the reasons why they are unable or unwilling to implement a suitable tool to generate the required reporting of systems information.
3.62
Accordingly, the Committee is recommending that paragraph 461 to 540 of the explanatory memorandum for the Bill be amended to provide more clarity regarding the circumstances and scope of the intended operation of Part 2C, Division 5 of the Bill, and outlining that the Department and ASD will work proactively with a SoNS declared entity to potentially avoid the imposition of section 30DJ notices wherever possible.
3.63
The Committee recommends that the Explanatory Memorandum for the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 be amended at current paragraphs 461 to 540, as per the undertaking from representatives of the Department of Home Affairs at the Public Hearing of 16 March 2022, to clarify the circumstances and scope of the intended operation of Part 2C, Division 5 of the Bill, and outlining that the Department and the Australian Signals Directorate will work proactively with a proposed Part 6 systems of national significance declared entity to avoid the imposition of section 30DJ notices wherever possible.
3.64
The Committee also welcomes the indications from the Department that guidance material and other supporting resources are already being worked on and will be refined in consultation with interested parties.
Technical advice on enhanced cyber security obligations
3.65
Proposals for an independent technical support body to allow for advice, review and contestation of obligations on SoNS entities is noted by the Committee, however the initial scope and incidence of these obligations has been identified as being low, so the Committee does not currently believe that the creation of such a body is warranted.
3.66
However, the Committee believes that in the initial stages of the implementation of the expanded SOCI regime, the expanded role for the CISC as a result of Recommendation 6 of the SOCI Bill report is a good first mechanism to provide technical support for these expanded functions. This expanded function already will encompass such advice, as outlined in the Minister’s second reading speech:
Pursuant to the committee's advisory report recommendation 6, I have written to the Secretary of the Department of Home Affairs to outline my expectations that the Cyber and Infrastructure Security Centre within the Department of Home Affairs provide technical support and advice to industry regarding the functions of the SOCI Act.
Oversight of SoNS declarations
3.67
The Committee is conscious of concerns regarding the secrecy surrounding such declarations and the lack of oversight of the assets declared and the circumstances surrounding such declarations.
3.68
The Committee also recognises the reasoning behind keeping the identification of those assets as a matter of national interest, but does believe that some form of oversight on the occurrence and grounds for such declarations is required.
3.69
Recommendation 4 of the Committee’s SOCI Bill report resulted in the current section 35BK of the SOCI Act, inserted by the SLACI Act, to require the Secretary of the Department of Home Affairs to report the exercise of Part 3A government assistance measures.
3.70
When representatives of the Department were questioned at the public hearing whether a similar requirement following a SoNs declaration would be problematic, the response was somewhat reticent, with an indication of existing public annual reporting and other unrelated reporting as potentially sufficient, but that a notification would be technically possible, in consultation with the entity to be declared.
3.71
The Committee recognises that there are significant sensitivities regarding a SoNS declaration, however in reviewing proposed legislation and the potentially significant powers to government that these proposals creates, it is beholden on the Committee to provide confidence to the public that these powers are being used appropriately and sparingly. Being notified of the use of these powers is one such mechanism that the Committee can utilise to provide this confidence.
3.72
The concerns regarding the nature of the information and the details of the entity involved are not relevant, as this Committee is established under the Intelligence Services Act 2001 and has quite explicit controls on access to information provided to the Committee, as well as penalties for unauthorised disclosure. The Committee routinely receives highly classified material and understands the discretion and secrecy required of such information.
3.73
Despite this, the Committee also recognises that critical infrastructure entities may have reservations about their information being provided to the Committee. Any notification to the Committee could be limited to identification of the asset sector and entity, and only the detail that the entity is comfortable with being revealed. This way the Committee can remain informed regarding the exercise of this considerably distinctive power, without revealing any details of the capabilities or nature of the work of that entity that may cause sensitivities to arise – such as defence industry capabilities, or potential support services to intelligence agencies.
3.74
The Committee also notes that the current proposed section 52B of the SLACIP Bill already enables notifications of State and Territory First Ministers of the declaration of a tangible asset within that jurisdiction.
3.75
The Committee is therefore recommending that proposed subsection 52B(3) be amended to require the Minister to notify the Committee in writing of any declaration of a system of national significance, in the appropriately classified manner, identifying the asset sector and entity details, to the extent negotiated with the entity in regard to capability sensitivities. This way the Committee can be aware of the scope, number and circumstances of each asset being declared.
3.76
The Committee recommends that proposed subsection 52B(3) of the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 be amended to include a provision that after a critical infrastructure asset is declared as a system of national significance by the Minister, the Parliamentary Joint Committee on Intelligence and Security be notified in writing within 30 days, in the appropriately classified manner, identifying the asset sector and entity details, to the extent negotiated with the entity in regard to capability sensitivities.
Review rights
3.77
The Committee is conscious of the repeated calls of submitters and witnesses for increased merits review of decisions made under the SOCI Act and the expansions proposed in the SLACIP Bill.
3.78
The government has already outlined that it does not support the element of Recommendation 7 from the SOCI Bill report regarding merits review of Part 6a and Part 2C decisions in the security division of the AAT. However, the Committee does believe that the wide-ranging impact, both economic and operational, of many decisions under the SOCI Act and the SLACIP Bill warrant further investigation of an appropriate merits review process and is recommending that the government further consider this issue.
3.79
The Committee recommends that the Australian Government consider establishing a legislative basis for merits review for some or all of the decisions exercised by the Minister or Department of Home Affairs officials under the Security of Critical Infrastructure Act 2018 and the proposed amendments contained in the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, noting the economic and operational implications of such decisions on Australian businesses.
Protected information
3.80
The Committee acknowledges the concerns from stakeholders that the status of some information under the current SOCI Act and proposed SLACIP Bill measures will cause entities to manage information in a new and secure manner.
3.81
However, the Committee accepts the assurances of the Department that the intention of Part 4, Division 3 of the SOCI Act is not to create an unworkable environment for entities and government agencies to operate under and perform their lawful and appropriate actions.
3.82
In creating a new regime of relevant records and information related to the operation of a statute such as the SOCI Act, there will always be hesitation regarding the potential impact of those requirements on use and disclosure of that information.
3.83
However, until that statute is in place and the relevant requirements borne out, the potential concerns or realisation of operational restrictions will not become truly evident. More commentary on reviewing these potential restrictions is made later in this chapter.
Accountability and reporting
3.84
The Committee acknowledges the numerous stakeholders who identified concern regarding the wide-ranging powers the Bill and current provisions of the SOCI Act invest in the Minister and the Secretary of Home Affairs.
3.85
The Committee also accepts that the nature of the provisions proposed and the overall criticality of these measures requires discretion and some operational protection to ensure that its appropriate function is not prejudiced.
3.86
However, the Committee also believes that the general quantum of the application of the proposed framework should not be without some measure of reporting to allow for general scrutiny. It therefore welcomes the amendments in the Bill to expand the current annual reporting requirements of the SOCI Act to include statistics on the notices issued under the SLACIP Bill’s measures.
3.87
This will allow interested parties and the Parliament the ability to see the scope of the impact and activity generated by the SOCI Act and its expanded framework. When paired with the existing notifications to this Committee and the expanded notifications in Recommendation 3, as well as the oversight of the Office of the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman, the Committee believes that oversight, accountability and reporting will be adequate for the initial growth stage of the proposed expanded SOCI regime. Any further expansion can be considered in future reviews.
3.88
Once the above measures are agreed and amendments have been made, the Committee recommends that the resultant amended SLACIP Bill be passed.
3.89
The Committee recommends that, subject to the amendments outlined above, the resultant Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 be passed.
Review of the SOCI framework
3.90
The Committee acknowledges that other concerns from submitters have not been addressed in the commentary and recommendations above. This does not mean that the Committee has not considered these issues or does not believe they are of relevant concern to suggest change.
3.91
The Committee is not suggesting that the SLACIP Bill be passed with just the above amendments and then left to evolve without review until the Committee undertakes its statutory review in the future.
3.92
To ensure that the initial stage of development and implementation following the passage of the SLACIP Bill occurs in the manner envisaged, and as promised by the government, the Committee is recommending that the government commission an independent review of the operation of the SOCI Act after one year of its expanded operation – one year after the SLACIP Bill receives Royal Assent.
3.93
This review should look at the operation, effectiveness and implications of the Act as a whole, but also focus on the changes made by the SLACI Act and this Bill once passed. This can ensure that any untested concerns regarding the scope of definitions, quantum of cost to industry, the operation of protected information and disclosure provisions, potential impact on workers rights from background checks, application of immunities, potential impact on States and Territories, and ongoing consultation and declaration mechanisms are working as intended, as well as the reasonableness of any assistance measures or obligations exercised or imposed.
3.94
This review should encompass analysis of the government’s regulatory administration of the Act, as well as the views of critical infrastructure entities and operators, and any other interested stakeholders.
3.95
The separation of this review from the government and the Parliament will also ensure that any preconceived notions or historical bias can be countered in an objective review and analysis of the operation of the amended Act.
3.96
The report of this review should be completed within 12 months of its commencement, provided to the Minister, then tabled in Parliament within 30 days and made publicly available.
3.97
The Committee recommends that the government commission an independent review of the operation of the Security of Critical Infrastructure Act 2018 after one year of operation after the Bill receives Royal Assent.
This review must report within one year of its commencement to the Minister for Home Affairs, who must then present the report to Parliament within 30 days and cause it to be made publicly available.
3.98
The Committee also takes its statutory review responsibility seriously and notes that it has the discretion to launch the review enabled by section 60B of the SOCI Act at any time before the three year period after the SLACI Act received Royal Assent – 3 December 2024.
3.99
The review from the above recommendation should have been completed by that date and can inform this eventual process or its early commencement.
3.100
The Committee does note that the already existing statutory review provision for the original commencement of the SOCI Act still resides in the SOCI Act at section 60A, so is therefore recommending its repeal to avoid any confusion.
3.101
The Committee recommends that section 60A of the Security of Critical Infrastructure Act 2018 be repealed, to remove any confusion regarding the status of pending statutory reviews of the Act.
Senator James Paterson
Chair
23 March 2022