2. The Bill, consultation, and evidence received

2.1
The following is an extract of the Bill outline from the Explanatory Memorandum (whose rationale is almost identical to that of the 2020 SOCI Bill) together with a brief explanation of the reforms it contains.
The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia’s critical infrastructure evolve in light of COVID-19 and beyond, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver.
Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption and result in cascading consequences across our economy, security and sovereignty.
Threats ranging from natural hazards (including weather events) to human induced threats (including interference, cyber attacks, espionage, chemical or oil spills, and trusted insiders) all have the potential to significantly disrupt critical infrastructure. Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, and the impacts of COVID-19 illustrate that threats to the operation of Australia’s critical infrastructure assets continue to be significant. Further, the interconnected nature of our critical infrastructure means that compromise of one essential function can have a domino effect that degrades or disrupts others.
The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty, as well as the Australian way of life, causing:
shortages or destruction of essential medical supplies;
instability in the supply of food and groceries;
impacts to water supply and sanitation;
impacts to telecommunication networks that are dependent on electricity;
the inability of Australians to communicate easily with family and loved ones;
disruptions to transport, traffic management systems and fuel;
reduced services or shutdown of the banking, finance and retail sectors; and
the inability for businesses and government services to function.
While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune:
over the last three years, we have seen several cyber attacks in Australia that have targeted the Federal Parliamentary Network;
malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber attacks on health organisations and medical research facilities; and
key supply chain businesses transporting groceries and medical supplies have also been targeted.
Accordingly, Government is seeking to introduce an enhanced regulatory framework for Australian critical infrastructure assets, building on existing requirements in place under the Security of Critical Infrastructure Act 2018 (the SOCI Act). The Security Legislation Amendment (Critical Infrastructure) Act 2021 (the SLACI Act), which received the Royal Assent on 2 December 2021, has implemented key elements of the framework by amending the SOCI Act to introduce:
mandatory cyber incident reporting (Part 2B of the SOCI Act); and
government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact Australia’s critical infrastructure assets (Part 3A of the SOCI Act).
The 2021 Amendment Act implemented a number of recommendations of the Parliamentary Joint Committee on Intelligence and Security (PJCIS)’s Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 of September 2021 (the PJCIS report).
Recommendation 1 of the PJCIS report was that the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the 2020 Bill) be split in two so that urgent elements of the reforms, mandatory cyber incident reporting and government assistance, be implemented as soon as possible. Government amendments to the 2020 Bill were moved, and that Bill subsequently passed after the amendments were made and became the SLACI Act, in line with this recommendation.
Recommendation 7 of the PJCIS report was that the remaining elements of the 2020 Bill be subsequently re-introduced in a separate Bill. Accordingly, the Government seeks to implement the remaining elements of the enhanced regulatory framework in a further bill, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the Bill), which gives effect to this framework by introducing:
critical infrastructure risk management programs for critical infrastructure assets (proposed Part 2A of the SOCI Act); and
enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance (proposed Parts 2C and 6A of the SOCI Act).
These changes will be underpinned by enhancements to Government’s existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy and an expanded Trusted Information Sharing Network. This will include a range of activities that will improve the collective understanding of risk between Government and industry, and within and across industry sectors.
To counter the threats to critical infrastructure, an enhanced security framework is required which takes a holistic approach to what is regarded as critical infrastructure and the risks that need to be managed. Post incident consequence and response management alone is inadequate to truly ensure the protection of Australian critical infrastructure. Prevention and risk management is essential to truly make an impact on the security and resilience of Australian critical infrastructure.
The reforms in the Bill seek to make risk management, preparedness, prevention and resilience, business as usual for the owners and operators of critical infrastructure assets and to improve information exchange between industry and government to build a more comprehensive understanding of threats.
Owners and operators of critical infrastructure assets are best placed to understand and manage the risks associated with their assets. The Government will continue to work closely with industry through an enhanced partnership to establish baseline standards for, and support the uplift of, security and resilience practices across critical infrastructure. These standards appropriately balance security and regulatory impost and are designed to assist Government to maintain a near-real time threat picture to assist entities in preventing and responding to vulnerabilities and incidents.
The enhanced framework will uplift security and resilience across Australia’s critical infrastructure assets. This framework, when combined with better identification and sharing of threats, will ensure that Australia’s critical infrastructure assets are more resilient and secure. The Government will work in partnership with responsible entities of critical infrastructure assets to ensure the new requirements build on and do not duplicate existing regulatory frameworks.
The reforms
The Commonwealth needs to establish a clear, effective, consistent and proportionate approach to ensuring the resilience of Australia’s critical infrastructure. The amendments to the SOCI Act will drive further uplift of the security and resilience of Australia’s critical infrastructure. Should a particularly serious cyber emergency occur, the intention of these reforms is that Government has appropriate, pre-determined and transparent powers to ensure reasonable and necessary action is taken to protect Australia’s national interest.
Critical Infrastructure Risk Management Program
As outlined above, the SOCI Act currently contains two all-hazards positive security obligations: mandatory cyber incident reporting (Part 2B) and critical infrastructure asset register reporting (Part 2). The Bill creates an additional positive security obligation, for responsible entities to adopt and maintain a critical infrastructure risk management program. This measure is intended to embed preparation, prevention and mitigation activities into the business-as-usual operation of critical infrastructure assets, ensuring that the resilience of essential services is strengthened.
Importantly, and in alignment with the other positive security obligations, the obligation to establish, maintain and comply with a critical infrastructure risk management program will only apply if the Minister has made a disallowable legislative instrument (rules) specifying that the obligation applies in relation to a critical infrastructure asset or class of critical infrastructure assets. The rules will specify if the obligation is ‘switched on’ for a critical infrastructure asset or class of critical infrastructure assets.
The critical infrastructure risk management program will require responsible entities of specified critical infrastructure assets to:
identify hazards for which there is a ‘material risk’ that the hazard could impact their business operations;
minimise the material risks of those hazards occurring; and
mitigate the impacts of hazards on the operation of their critical infrastructure asset(s).
Responsible entities of critical infrastructure assets will be required to take an all-hazards approach when establishing their critical infrastructure risk management program—including consideration of both natural and human induced hazards. Required content of a critical infrastructure risk management program will be specified by legislative instrument, referred to as risk management program rules. Government has designed these rules in consultation with industry throughout 2021 and early 2022 in order to create a compliance framework that minimises duplication and regulatory burden.
Recommendation 9 of the PJCIS report outlined that any rules to be designed in relation to the critical infrastructure risk management program obligation be co-designed, agreed and finalised to the extent possible before the re-introduction of the obligation and made available as part of the explanatory material for the measures.
In accordance with recommendation 9, the rules proposed to be made to specify the required content of a critical infrastructure risk management program are included with this Explanatory Memorandum (see further concerning new section 30AH of the Act at paragraph 193 of Attachment A). The legislative instrument has been drafted after consulting with industry in late 2021 and early 2022.
Enhanced cyber security obligations for systems of national significance
The Bill also recognises those assets that are the most critical to the security, economy and sovereignty of Australia. These ‘systems of national significance’ will bear additional cyber obligations, recognising the deteriorating cyber threat environment we currently face.
The enhanced cyber security obligations in the Bill will support the development of a bespoke, outcomes-focused partnership between Government and Australia’s ‘systems of national significance’. These are a significantly smaller subset of critical infrastructure assets that are crucial to the nation, by virtue of their interdependencies across sectors and consequences of cascading disruption to other critical infrastructure assets and sectors.
Under the enhanced cyber security obligations, the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more cyber security activities outlined in new Part 2C of the SOCI Act. These include the development of cyber security incident response plans, cyber security exercises to build cyber preparedness, vulnerability assessments to identify vulnerabilities for remediation, and the provision of system information to build Australia’s situational awareness.
The enhanced cyber security obligations will support the sharing of near-real time threat information to provide industry with a more mature understanding of emerging cyber security threats, and the capability to reduce the risks of a significant cyber attack against Australia’s most critical assets. The obligations that would apply to Systems of National Significance will give Australians confidence that there are well tested plans in place to recover from and prevent a cyber security attack.
The Bill will also establish a mechanism by which the Minister can personally and privately declare a critical infrastructure asset to be a ‘system of national significance’ (new Part 6A of the SOCI Act).
Detailed notes on the clauses of the Bill are included at Attachment A.
Other measures in the Bill
In addition to the primary measures outlined above, the Bill also contains other amendments to the SOCI Act in response to PJCIS recommendation 7 (and the principles referred to in paragraph 3.49 of the PJCIS report), feedback received from stakeholders and to improve the efficacy and efficiency of the statutory framework.
Recognition of the Digital Transformation Agency’s Hosting Certificate Framework (HCF) as a risk-management process similar to the critical infrastructure risk management program—by excluding responsible entities from the critical infrastructure risk management program obligation when an asset, or part of an asset, they are responsible for is ‘certified strategic’ under the HCF (new Part 2AA of the SOCI Act).
The Bill makes amendments to various definitions of types of critical infrastructure assets in response to stakeholder feedback.
Changes are made to the provisions governing the use and disclosure, and making records, of protected information to enable greater information sharing between responsible entities and Commonwealth, State and Territory regulatory agencies, notably including a specific provision enabling the Commonwealth Ombudsman to use and disclose, and make records, of protected information (by amendment to Part 4 of the SOCI Act).
The ability of rules specifying requirements in relation to critical infrastructure risk management programs to incorporate documents by reference is enhanced to ensure that such programs are aligned to international standards or to align with existing best-practice in the Commonwealth and other jurisdictions.
Clarifying certain consultation requirements of the Minister, including a right of reply for impacted stakeholders and for that reply to be considered before the Minister’s decision can be made.
Expanding the scope of immunities from prosecution or suit available to responsible entities, their employees, contractors and other agents, where they take actions under the government assistance measures in Part 3A of the SOCI Act.
Clarifying the exception from reporting obligations in Part 2 of the SOCI Act for moneylenders until they enforce their security in relation to a critical infrastructure asset, and extending the exception to custodial or depository service providers.
2.2
More specifically, the amendments included in Schedule 1 of the SLACIP Bill outline:
proposed amendments to the AusCheck Act 2007 to enable entities to undertake an AusCheck background check on employees relevant to a critical infrastructure risk management program and function, rather than requiring such a check (as was proposed under the 2020 SOCI Bill);
a technical amendment to the Criminal Code Act 1995 referencing the Australian Security Intelligence Organisation Act 1979;
proposed amendments to the SOCI Act that:
make amendments to preliminary provisions and various definitions (items 4-45);
make minor amendments to Part 2 concerning consultation requirements (items 46-48);
insert new Part 2A, which provides that specified critical infrastructure assets must adopt and maintain a critical infrastructure risk management program (item 49);
insert new Part 2AA, which provides for annual reporting obligations for assets that are exempt from the critical infrastructure risk management program obligation (item 49);
make minor amendments to Part 2B concerning consultation requirements and immunities (items 50-57);
insert new Part 2C, to provide for a number of enhanced cyber security obligations that may be applied in relation to systems of national significance (item 58);
provide that directions made under Part 3A (facilitating government assistance to industry in the event of a serious cyber security incident) prevail over the requirements of a critical infrastructure risk management program (items 59, 61);
amend immunity provisions in Part 3A (item 60, 62 and 63);
amend provisions that authorise the use and disclosure of protected information to facilitate information sharing between responsible entities and State, Territory and Commonwealth government agencies (items 64-69);
provide that the Minister’s power to privately declare an asset as a critical infrastructure asset includes a power to determine that new Part 2A applies to the asset (item 70);
create a power for the Minister to privately declare a critical infrastructure asset to be a system of national significance if specified criteria are met (new Part 6A, item 71); and
add additional information to the information required to be included in the annual report on the SOCI Act, to reflect the new measures being inserted by the Bill (items 72-74).1
2.3
Upon referral of the SLACIP Bill to the Committee, the Department provided a submission outlining the major elements of the Bill, the consultation undertaken as a result of the Committee’s SOCI Bill report, initial indicated regulatory impact costings, and summaries of the amendments between the 2020 SOCI Bill and the similar elements in the SLACIP Bill, based on stakeholder feedback.2
2.4
As outlined earlier in Chapter 1, the recommendations of the SOCI Bill report led to the splitting of the proposed reforms and the enactment of the 2021 SLACI Act. The reforms introduced in that Act were summarised as:
The SLACI Act has expanded the scope of the SOCI Act from applying to four asset classes to eleven sectors and 22 asset classes; expanded the Register of Critical Infrastructure Assets requirement for responsible entities to provide ownership, operational, interest and control information; provided a regime for the Commonwealth to receive mandatory reports in relation to cyber security incidents to the Australian Cyber Security Centre’s (ACSC’s) online cyber incident reporting portal, and provided a regime for the Commonwealth to respond to serious cyber security incidents immediately prior to, during, or following a significant cyber security incident to ensure the continued provision of essential services through Government Assistance or step in powers.3
2.5
The remaining elements of the SOCI Bill are now presented in amended form in the SLACIP Bill, in line with the recommendations of the Committee.

Risk management programs (RMPs)

2.6
Revised provisions for critical infrastructure entities to implement and maintain a risk management program (RMP) are the main modified element of the SOCI Bill to be reintroduced in the SLACIP Bill.
2.7
As outlined above, the Rules to determine the scope of these programs were the subject of most of the consultation identified by the Department as having been undertaken since mid-2021 (see below).
2.8
The Department submitted regarding the breadth of impact these programs may have across critical infrastructure entities:
The Rules will provide a common baseline of minimum requirements for preparing for and managing risks across critical infrastructure assets. Many entities already have in place risk management programs that exceed those proposed by the risk management program rules, however, through the industry consultation process it has become apparent that many entities do not yet have in place even basic measures.
The risk management program has been designed to establish safeguards where there are currently no other regulatory settings that achieve the same purpose. For example, those entities subject to the Australian Prudential Regulation Authority’s (APRA’s) prudential regulation or the defence industry security program will not (with some exceptions) be subject to the risk management program obligations as they already have existing and equivalent obligations in place.4
2.9
On the face of the presented information, this design process and the scope of the rules avoiding duplication would appear to address the majority of the concerns that the Committee heard from submitters and witnesses regarding potential regulatory duplication.
2.10
The Department’s submission also indicated a potential regulatory timeline for the RMPs:
On 1 February 2022, the Minister indicated her intent to apply the risk management program obligations to the following critical infrastructure assets shortly after the passage through Parliament of the SLACIP Bill:
Critical broadcasting assets
Critical domain name systems
Critical data storage or processing assets
Critical hospitals
Critical energy market operator assets
Critical water and sewerage assets
Critical electricity assets
Critical gas assets
Critical liquid fuel assets, and
Critical financial market infrastructure assets that are specified payment systems operator assets.
The Minister also indicated her intent that risk management program obligations for critical food and grocery assets, critical freight services assets and critical freight infrastructure assets will not commence before 1 January 2023, recognising the particular challenges these sectors have faced during the pandemic.5
2.11
The Minister also outlined further stepped and collaborative introduction of the requirements of the programs:
Importantly, none of the risk management program requirements will come into force without additional consultation with industry and careful consideration of any issues they raise, including the timing on when the requirements will come into force.
Additionally, there are a number of assets that already have existing obligations in place, and I don't intend to apply the risk management program to every critical infrastructure asset. Detail about the coverage of assets is outlined in the explanatory memorandum.
The government understands that the introduction of reforms that impact many businesses across our economy will cause apprehension. The government is committed to ensuring that the requirements remain fit for purpose in a dynamic and evolving space.
Pursuant to the committee's advisory report recommendation 6, I have written to the Secretary of the Department of Home Affairs to outline my expectations that the Cyber and Infrastructure Security Centre within the Department of Home Affairs provide technical support and advice to industry regarding the functions of the SOCI Act.
Additional guidance on how to meet the requirements of the risk management program will be jointly developed with industry and government partners over the coming weeks and months. Stakeholders have expressed their appreciation of the government's commitment to working with industry to develop that guidance material.
The Cyber and Infrastructure Security Centre will take a pragmatic, active and engaged regulatory and partnership approach, working in collaboration with industry, as we build the security and resilience of Australia's critical infrastructure.6

Regulatory cost of risk management programs

2.12
Because the obligation under the SLACIP Bill’s proposed reforms would ultimately apply to all relevant assets that meet the relevant sector or asset definitions, the potential cost of the RMPs was a concern raised with the Committee during the SOCI Bill review.
2.13
The Department outlines at pages 8 and 9 of its submission the potential costs to the Australian economy of critical infrastructure failure, with estimations of costs of as much as $1.280 billion from a severe incident related to the electricity sector, or $1.913 billion for a similar severe event to the gas asset sector. This is in contrast to an average estimated one-off cost to assets of $9.2 million to develop RMPs with ongoing costs of $3.7 million per annum.7
2.14
This cost obviously varies with the physical assets and complexity of an entity and whether a satisfactory program already exists. The Department provides a comparative table in its submission outlining costs ranging from a high of $28.1 million for energy market operator assets to a low of $0.1 million for financial market infrastructure assets (payment systems).8
2.15
The Department also outlines that a final regulatory impact statement (RIS) cannot be finalised until the rules are finalised, but will be publicly released once agreed to by the Office of Best Practice Regulation.9

Implementation of SOCI Bill recommendations

2.16
Central to consideration of the SLACIP Bill is an analysis of whether the 14 recommendations from the Committee’s SOCI Bill report have been implemented in the form of the SLACI Act and SLACIP Bill and its development.
2.17
Recommendations 1 to 5 and 7 to 11 were related to the original SOCI Bill proposed reforms and the two tranches of legislation recommended to be developed and implemented in response.
2.18
Recommendations 1 to 5, 10 and 14 have been identified by the Minister as being addressed in the SLACI Bill and 2021 Act, which enabled urgent access to cyber security notifications and government assistance measures.10
2.19
The substance of these recommendations was substantively met by the SLACI Act; however, Recommendation 10 of the SOCI Bill Report provided suggested improvements to the immunities introduced to the Criminal Code Act 1995 (the Criminal Code) for Australian Signals Directorate (ASD) staff. The amendments made under the SLACI Act have not addressed any elements of that recommendation in the changes already made to the Criminal Code. No mention of further proposed amendment is made in the SLACIP Bill or accompanying material. No mention of a substantive response to Recommendation 10 is made in the Minister’s speech regarding the government amendments made to the SOCI Bill when debated in the House on 20 October 2021.11
2.20
The Committee does note that the fourth dot point of Recommendation 10, relating to expanding immunities to the Australian Geospatial-Intelligence Organisation and Australian Secret Intelligence Service, as per the majority of recommendation 74 of the Comprehensive Review of the Legal Framework of the National Intelligence Community (Richardson Review), is addressed in the National Security Legislation Amendment (Comprehensive Review and Other Measures No. 1) Bill 2021 currently before Parliament and a separate Bill review underway by the Committee.
2.21
Recommendations 8 and 9 outlined an expectation for a program of consultation and extensive co-design of the provisions and rules being presented in the SLACIP Bill, as well as this Bill referral.
2.22
The Department and the Minister have outlined a program of consultation that includes elements undertaken in 2021 while the Committee was reviewing the SOCI Bill, as well as in response to the SOCI Bill Report from September/October 2021 to February 2022.
2.23
More commentary on this consultation and industry analysis of its effectiveness is provided later in this chapter.
2.24
Recommendations 6, 11, 12 and 13 are addressed or acknowledged in the Minister’s second reading speech as not being supported in the recommended form, or alternative actions having been taken or consideration ongoing.12
2.25
Of most importance to this report and the SLACIP Bill are the commentary and principles providing for Recommendation 7 of the SOCI Bill report.13 In the Minister’s second reading speech and the Explanatory Memorandum, all principles expressed for attention in the SLACIP Bill have been indicated as addressed, except for the element of merits review for Systems of National Significance (SoNS) declarations and the resultant enhanced cyber security obligations, which has not been supported by the government, citing national security sensitivities and the availability of judicial review.14
2.26
Of note regarding the implementation of Recommendation 7 of the SOCI Bill report is that the government has addressed the principles expressed in the dot points of paragraph 3.49 of the SOCI Bill report, but has not provided demonstrable change to the SoNS declarations or enhanced cyber security obligations, as recommended in the lead up to Recommendation 7 (paragraphs 3.48 and start of paragraph 3.49). More commentary will be provided on this later in this report.
2.27
The Department has demonstrated a concerted effort at working with industry to revisit sector and asset definitions, and to ensure that the risk management programs provided for in Part 2A of the SLACIP Bill are as flexible and fit for purpose as possible. However, the wholesale revisitation of the remaining elements of the SOCI Bill not addressed in the SLACI Act is harder to quantify.
2.28
The Department provides a summary table at Attachment B of its primary submission comparing the elements of the SOCI Bill to those in the exposure draft of the SLACIP Bill, with a summary of any changes made to the introduced Bill based on feedback.15
2.29
The Law Council of Australia submitted to this review highlighting concerns regarding two elements of Recommendation 7 of the SOCI Bill report, those being the scope of immunities and merits review.16 More commentary on these issues is provided later in this Chapter.

Outstanding concerns regarding measures introduced in the SLACI Act

2.30
A number of submitters identified continuing or evolved concerns regarding the measures introduced in the SLACI Act, as a result of Bill One recommended by the Committee in its SOCI Bill Report.
2.31
While these concerns are legitimate, by necessity the Committee will be focusing primarily on the evidence regarding the content of the SLACIP Bill; however, some commentary regarding these other issues will be highlighted later in this report.

The declining cyber security environment

2.32
As identified in Chapter 1, the Committee has received regular briefings from the Department and ASD regarding the current cyber-threat environment and the targeting of critical infrastructure assets within the realm of cyber-crime, espionage and potential sabotage attempts.
2.33
At the public hearing on 16 March 2022, Ms Abigail Bradshaw CSC, Head of the Cyber Security Centre and Deputy Director-General of ASD, provided the Committee with a contemporary and timely summary of the declining threat environment:
…there has been no reprieve from the level of malicious cyberactivity impacting Australian networks both in terms of criminal cyberactivity and state based activity. In fact, the invasion of Ukraine by Russia has marked an unprecedented level of malicious cyberactivity on a global level. For example, malicious cyberactivity against Ukraine networks, including critical infrastructure, has been quite prolific. In the lead up to the invasion, cyberattacks targeted Ukraine's finance sector and banks. On 20 February, Australia and our US and UK partners publicly attributed those cyberattacks to Russia's main intelligence director at the GRU. Since that time, and following its invasion, cyber actors have deployed data-wiping software, which is capable of spreading malware, and have hijacked Ukrainian government websites to spread disinformation and have knocked critical networks offline. Attacks have taken down telecommunications across Ukraine and parts of Europe. NATO agencies assisting refugees were also being targeted, allegedly by a Belarusian cyber actor loyal to Russia.
Since then we have seen cyberattacks impacting NATO and Five Eyes nations: a yet unattributed attack against US company Viasat that resulted in internet outages for customers in Ukraine and parts of Europe; two ransomware attacks against Toyota—the first resulted in Toyota halting its domestic production, which occurred shortly after Japan imposed sanctions against Russia, and those ransomware attacks and their attribution are still subject to investigation; and a ransomware attack against Rio Tinto's PLC aluminium producer, one of the largest aluminium producers in Canada. Overnight, Conti, a ransomware affiliate that has publicly declared its allegiance to Russia, has claimed responsibility for that attack.
Russia itself has also been impacted by cyberattacks. Ukraine's so-called IT army consists of both state based cyber actors and volunteer hackers from around the globe. It has claimed to have launched cyberattacks against Russian and Belarusian websites. This IT army has said it lists targets that include the Belarusian railway network and Russia's alternative to GPS. Russia has publicly claimed that some of its federal agency websites, including the energy ministry, were compromised by unknown attackers in a supply chain attack. We are increasingly concerned at activity by state based actors but also the ever-growing number of so-called self-directed cyber vigilantes. On any day, we see the numbers grow in a number of groups on the side of Russia, for example. I think yesterday it was just below 20, and those declaring themselves in support of Russia, somewhere around 40 separate civilian hacking groups. Those generate risks not only to Russian and Ukraine networks but globally, in the case of misdirected, misattributed or collateral damage, including the possibility of wrongful attribution and therefore retribution by way of further cyberattacks.
Included in those entities that have declared their support to Russia are two ransomware affiliates which we have seen in Australia: the Conti ransomware affiliate and the LockBit 2.0 affiliate. Conti we are aware of being responsible for at least 13 attacks in Australia last year, including attacks on critical infrastructure in Australia. The pledge of allegiance to Russia remains a concern for us in terms of elevated levels of risk in Australia. As a consequence of that, we have directed the support of the ACSC and AFP to critical infrastructure sectors, including classified briefings for those critical infrastructure assets we regard as most at risk. We are in day-to-day contact, or hour-by-hour contact, with our Five Eyes counterparts, sharing indicators of compromise.
For the four variations of highly destructive malware which we have observed to date, we have distributed actionable advice to all critical infrastructure providers here in Australia in order that they are able to prepare themselves. To date, however, we have not observed any of that activity in Australia, nor are we aware of a specific threat. But of course the deterioration in the global threat environment means that the objectives of this bill, we think, are underscored in the context of this current threat environment.17
2.34
When questioned about what the immediate threat was and the need for the proposed reforms, DDG Bradshaw replied:
Can I answer that with just plain operational experience? We know that the potential for attack on critical infrastructure has increased and will continue to increase in time. That is my assessment, based on what's happening globally. At the same time, I can give you three examples of critical infrastructure providers who, in the last 12 months, were subject to attacks because they did not comply with very basic cybersecurity requirements set out in the Essential Eight: an energy operator who didn't meet application controls; another energy operator who didn't configure Microsoft Office macro settings; and another large critical infrastructure provider who didn't patch an operating system within 48 hours. My position is simply: wouldn't you want to reduce the risk of one of those attacks, which are increasingly regular, by simply applying a requirement to meet a minimum standard? In circumstances where the level of activity and the number of actors engaged are increasing, the risk of one of those compromises actually being highly successful and disruptive increases with each day.18
2.35
In relation to the very basic measures identified, unrelated to the proposals in the SLACIP Bill, the witnesses from ASD confirmed that if entities had complied with existing ASD Essential Eight mitigations, around 85 per cent of current cyber incidents would be countered through the use of these baseline strategies.19
2.36
This lack of basic cyber security mitigations, and the resultant desired uplift, is identified as the driver behind the SLACIP Bill and the SOCI Act reforms as a whole. More commentary on this will be provided in Chapter 3.

Evidence presented in this report

2.37
Given the short timeframe requested for this Bill review, and the requirement to consider the evidence presented in the shortest time possible, this report does not replicate all evidence provided in submissions or at the public hearing, unless it is particularly pertinent to the commentary made by the Committee.20 Rather, this report will present evidence in themes and make the relevant observations and references where necessary.
2.38
Where similar evidence has been received from multiple submitters, reference may only be made to one such submission rather than all. Submitters can rest assured this does not indicate that one submission is more important in its expression of that point to any other.
2.39
All evidence received for this review is publicly available on the review website.21
2.40
Similarly, if reference is made to previous Committee reports or public evidence from previous inquiries22, this will not be replicated unless directly relevant to the point being made in the relevant section of this report.

Consultation on the reforms

2.41
One of the key themes of evidence that the Committee received in its SOCI Bill review, and which guided Recommendation 8 of the SOCI Bill report, was that industry consultation was essential to developing a ‘fit for purpose’ regulatory framework that minimised regulatory impact, cost, and potential duplication.
2.42
The consultation undertaken on the 2020 SOCI Bill by the Department was noted during that Bill review; however, submitters expressed concern that either the consultation had not been wide-ranging enough or it had not led to a perception that feedback was incorporated into the final SOCI Bill presented to the Parliament.23
2.43
In responding to these concerns and the repeated recommendation for consultation in the development of the SLACIP Bill, the Department has outlined a program of targeted and general consultation undertaken in developing the SLACIP Bill.24
2.44
This ranged from consultation undertaken in March 2021, while the Committee was still reviewing the SOCI Bill, up to a virtual town hall conducted on 4 February 2022, six days before the SLACIP Bill was introduced into the House of Representatives.
2.45
This identified consultation incorporated a mix of co-design meetings, roundtables and town-hall meetings, either aimed at co-design of sector-specific rules, governance rules, co-design process consultation, asset definition agreement, risk management rules design, or general industry awareness sessions.
2.46
The Department identifies that over 70 changes were made to the provisions in the SLACIP Bill from those originally proposed in the SOCI Bill, mainly based on this consultation and feedback, but also in response to analysis of recognised domestic and international standards.
2.47
The Department provided a table summarising the key 30 proposed amendments contained within the SLACIP Bill when compared to the SOCI Bill:
Table 2.1:  Key SLACIP Bill amendments

Proposed amendment | Figures
Minor/Technical | Four (4) technical or minor clarifying amendments
Industry consultation—risk management programs | One (1) new streamlined reporting regime to recognise Digital Transformation Agency’s (DTA’s) Hosting Certification Framework (HCF); new rule making power to specify additional frameworks (Part 2AA)
Industry consultation—risk management programs | Two (2) key amendments to enable recognition of existing standards, including international standards
Industry consultation—enhanced cyber security | Six (6) amendments to add additional criteria the Secretary must consider when applying enhanced cyber security obligations
Enabling appropriate and lawful exchange of protected information | Four (4) new authorisations for sharing protected information
Enabling appropriate and lawful exchange of protected information | One (1) new exception to the offence of unauthorised disclosure
Reconsideration of breadth of immunities | Four (4) key amendments to expand the types of entities protected for existing immunities when complying with Parts 2B, 3 and 3A
Industry consultation—other amendments | Three (3) amended or new exceptions to the definition of ‘direct interest holder’ to prevent unintended capture of certain entities

Source: Department of Home Affairs, Submission 1, p. 3.
2.48
The amendments to the substance of the SOCI Bill, replicated in the SLACIP Bill, are noted, as is the change to the provisions regarding risk management programs and the associated rules and explanatory statement, which are set out in draft form in the Department’s submission25 and in the Explanatory Memorandum.26

Industry evidence on consultation

2.49
Many submitters welcomed the efforts of the Department in engaging with them on the ongoing development of the SLACIP Bill and associated Rules and resources. This was accompanied with an acknowledgement of the undertaking to continue consultation once reforms are in place, as well as a call to ensure that collaborative and consultative practices underpin any security of critical infrastructure regulation and practice.27
2.50
Some submitters identified the consultation process from the Department and Minister as ‘strong and productive’28 and consultative and collegiate.29
2.51
The timing of consultation on the exposure draft of the Bill over the Christmas and New Year period was highlighted as a challenge.30
2.52
Some submitters did highlight concerns with some of the consultation forums used by the Department. The Australian Logistics Council (ALC) highlighted that the widest consultation mechanism used, virtual town halls, did not provide suitable interaction or access to in-depth questioning, amounting more to ‘briefing sessions’, and noted that of the four town halls, only the last one offered any different content. The most productive feedback and consultation was achieved with industry-specific roundtables.31
2.53
Other submitters, such as Uniting Care Queensland, expressed a feeling of exclusion from consultation processes32, a sentiment shared by the Australian Council of Trade Unions (ACTU).33
2.54
The concern regarding consultation with private hospital providers was reiterated at the public hearing, with a statement that some providers felt ‘blindsided’ by the process and a perceived lack of engagement.34
2.55
This contention was countered by a detailed outline of consultation with critical health sector representatives, including those that outlined the above concerns, from the Department.35
2.56
The pace of design of the SLACIP Bill and its reintroduction was also questioned. The ACTU highlighted:
Given these provisions were accepted to be non-urgent by this Committee and the Minister when they moved to amend the Bill to allow passage of more urgent amendments, there is no justification for the speed at which the Government moved to reintroduce this to Parliament. The rapid reintroduction of the Bill undermines the Committee’s recommendation that co-design take place before the Bill is introduced to ensure Parliament has a full transparency of the impact of the law that is being considered.36
2.57
The Australian Information Industry Association (AIIA) expressed concern that the pace of the reforms was threatening the ability of industry to work with government on appropriate and proportionate regulation:
Whilst the AIIA is cognisant of the need to address national security concerns, the hurried reviews of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and the proposed 2022 Bill, coupled with the lack of due consideration given to industry stakeholder interests, will be to the detriment of any regulatory regime the Government seeks to institute. It is the opinion of the AIIA that any legislation which will have as significant an impact on Australian economic and security interests should be subject to conscientious development, and be fully inclusive of all interests.
Organisations such as the AIIA devote substantial time and resources in engaging with Government to ensure its interests are represented, and are committed to continuing this activity for the foreseeable future. The AIIA strongly encourages the Government to continue to engage with relevant stakeholders so as to ensure that any such legislation is fit for purpose to ensure positive outcomes in the longer-term.37
2.58
The AIIA pointed to the ACSC’s current engagement with industry, suggesting this could be continued in lieu of the Bill progressing:
The ACSC already run a good industry outreach program across the economy on cybercapability, so there is a degree of understanding as to threats and vulnerabilities, and they should continue to work as they do with those entities that they see as having immature cyber-resilience. That's perhaps a really good and sensible approach to dealing with the vulnerabilities in our economy and identifying the next Toll, if I can pick on Toll, which is a very public case from 18 months ago. They can identify those that do not have mature systems, do not leverage the global clouds and capabilities that we have on this call and perhaps have their servers in the back office. They can work cooperatively. They can say, 'You need to do better and you need to uplift your capability. We want to help you.' I think that is a very sensible and measured approach. Then this committee and this parliament can reserve the right to legislate more harshly in the future if industry doesn't come along the way that the government would like.38
2.59
The pace of introduction into Parliament following consultation was questioned by other submitters.39
2.60
Many submitters identified the need for ongoing consultation and engagement as the SOCI framework changes and matures.40
2.61
The inconsistent identification of consultation and outcomes from submitters and witnesses will be commented on further in Chapter 3.

Main evidence themes

2.62
Presented in this part of the report are the main themes of evidence received from submitters and in the public hearing for the Bill review.
2.63
As outlined in Chapter 1, due to the time constraints on the Committee in undertaking this review in less than six weeks, this report does not include the typical acknowledgements of evidence received. Quotes and footnotes are made where particular evidence is especially pertinent to the point being outlined and may only recognise one submission where the point is identified.
2.64
The Committee is mindful of the pressures the timeframe of this review placed on submitters, many of whom outlined concerns about the pace of the Department’s consultation; however, the requirement to legislate during this Parliament and the increasing threat of cyber-enabled security risks have necessitated this approach.

Support for the intent of critical infrastructure reforms

2.65
Overwhelmingly the majority of submitters to the Bill review have indicated support for the intention of the SOCI Act and the reforms contained within the SLACI Act and the SLACIP Bill.
2.66
Invariably there are always concerns regarding the scope, impact and regulatory burden of new legislation and resultant regulation, but the overall intent of securing the nation’s most critical assets is supported.
2.67
Exceptions have come from submitters such as trade unions who reject the premise of increased analysis of workers for security purposes, arguing that workers’ rights and privacy may be infringed, and that workers and their representative bodies have not been adequately consulted regarding the Bill’s development and design.41
2.68
Other submitters have expressed support for the Bill’s intent, but believe that the scrutiny and development of the Bill needs to be ongoing and not rushed.42

Definitional impacts for entities or assets

2.69
Some submitters have identified that definitions leave potential gaps in coverage for the SLACIP reforms, or capture entities that are not perceived as being critical.
2.70
Ports Australia identify that the current identification of port operators as responsible entities means that port facility operators, who lease and operate the ports, will not be required to report or undertake any obligations prescribed under the SOCI Act, leaving port operations at risk.43
2.71
This was reiterated at the public hearing:
The best example I can give you is in the privatised ports where they have tenants who are terminal operators. They are their own legal entities. They bring their own subcontractors in. They have their own people in dealing with their IT. The port operator does not know. In the same way that Westfield does not know what Woolworths, Coles and ALDI are doing in their shops we have exactly the same problem. We have a real concern there and unless it's addressed it's a weakness. Our port operator will not know if there is a problem at the terminal operator level and they're caught up in this legislation. It can be fixed up in this. We have continued to put this for some time, but we don't see it being amended. That is an issue there.44
2.72
In response the Department identified that even though critical ports are defined by physical location in section 11 of the SOCI Act and by ‘operator’, the SOCI Act and the proposed rules allow for other security regulated ports to be prescribed as a critical port and individual operators to be identified for relevant obligations under the Act.45
2.73
Private hospital providers have identified that the current definition of ‘critical hospital’ with a link to Intensive Care Unit (ICU) operations creates inconsistent application and cost for multi-operations providers.46
2.74
Private hospital operators reiterated these concerns at the public hearing identifying that requested changes to the definition have not been addressed.47
2.75
NSW Health identified that the current definition would capture 40 hospitals in the state and suggested that the definition be changed to only apply to level 5 and level 6 ICUs.48
2.76
As with the SOCI Bill review, the issue of data storage and processing has drawn comment from submitters regarding the definition of such assets and the data types that identify such an asset.49
2.77
Item 32 of the SLACIP Bill proposes amending the definition of a data storage or processing service provider to only those storing ‘business critical data’ as defined in the SOCI Act. Macquarie Telecom and others submit that this narrowing of the asset definition will leave providers that store other crucial government data vulnerable and potential reliance on the Commonwealth’s hosting certification framework (HCF) for risk management program coverage may leave gaps in coverage.50 Inversely, other submitters such as Telstra welcome the changes to definitions of critical data storage or processing assets and critical telecommunications assets.51 Communications Alliance identify that there may be a disconnect between the definitions of a critical data storage or processing asset and a data storage or processing service.52
2.78
In response to further questioning regarding the definition the Department provided the following written answer:
Existing frameworks govern governmental security including the storage of government data. For example, the Australian Government security is, inter alia, underpinned by information security requirements under the Australian Government’s Information Security Manual (ISM), the Protective Security Policy Framework (PSPF) and other policies such as the Digital Transformation Agency’s Hosting Certification Framework. It is through these frameworks that Government’s critical data is secured.
The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP Bill) adds to these frameworks by refining the data storage or processing assets as critical infrastructure. The Department has undertaken detailed co-design of the definition of the data storage or processing assets for many months. The suggested changes reflect the outcomes of these consultations.
The definition as proposed in the SLACIP Bill covers business critical data of governments. This includes the rich source of data held on a large proportion of Australians or individuals. Both the Commonwealth Government and State and Territory governments host a large amount of personal information, which is expressly captured as per the requirement in paragraph (a) to the definition of ‘business critical data’.
Should there be a particularly sensitive data storage or processing provider that is not captured by the definition, the Minister for Home Affairs could capture the specific entity as a critical infrastructure asset under s51 of the Security of Critical Infrastructure Act 2018.53
2.79
Macquarie Telecom also identify the continuing argument that complications with data stored or processed offshore by providers have not been addressed in the SLACIP Bill.54
2.80
The Group of Eight welcomed definitional changes to the higher education and research sector and recognition of the University Foreign Interference Taskforce (UFIT).55 This was echoed by Universities Australia56 and the Australian Technology Network of Universities (ATN).57
2.81
This support for the amended definition was reiterated at the public hearing58 along with a desire to further refine the definition to remove ‘defence of Australia’.59
2.82
The Clean Energy Council identified that most renewable energy providers will be new to the SOCI regime given the all-encompassing definition of critical electricity asset60, a concern shared by AGL regarding the low megawatt generation threshold.61
2.83
In relation to associated definitions, the Business Council of Australia identified:
As we have advocated throughout this and related processes, we also continue to recommend government disentangle the definition of 'national security business' in the FIRB Act from critical infrastructure legislation. As we have stated throughout the development of these reforms, the policy objectives of these two pieces of legislation are substantially different and the current approach will lead to an unreasonably large number of entities being captured as 'national security businesses' and increasing the hurdle for businesses looking to invest in Australia.62
2.84
This was a position echoed by the Australian Banking Association.63

Potential impact on privacy and rights of workers from background checks and consultation

2.85
The ACTU, the Electrical Trades Union (ETU) and the Australian Services Union (ASU) have submitted to this review in similar terms as the SOCI Bill Review, highlighting concerns regarding consultation processes and a lack of representation of workers, as well as the potential for invasion of privacy of workers from the AusCheck background checks proposed for the purposes of managing critical workers for RMPs.64
2.86
The ACTU and ETU expanded on these concerns at the public hearing along with a concern that the definition of a ‘critical worker’ under the proposed rules for RMPs had been expanded.65
2.87
The Business Council of Australia emphasised that ‘it would be sensible for government to continue to engage with employee representatives and provide a central point of coordination on these requirements, to ensure any concerns businesses and their employees have about this requirement are being managed consistently’.66
2.88
The Unions again identified potential misuse of the SOCI Act and the proposals of the SLACIP Bill by businesses in conducting far-reaching background or internet use checks, with a proposal from the ACTU that the AusCheck mechanism be the only background check available to critical infrastructure assets, to enable protection of personal information.67
2.89
Sunwater identified that it would seem like the AusCheck system was proposed as the default for all background checks.68
2.90
When asked to comment further on the concerns expressed by the trade unions, the Department provided the following written answer:
The SLACIP Bill is intentionally non-prescriptive in determining a critical worker or a critical component. Individual entities are best placed to determine which roles are critical to the operation of their own particular critical infrastructure assets. Flexibility will provide critical infrastructure to appropriately manage the risks relevant to their unique operational context and security environment.
Through engagements with sectors, even within one sector, a role which may be critical to a smaller business may be redundant due to other controls in a much larger organisation, making a designation of that role as critical unnecessary. In this way, responsible entities will be able to designate which workers are critical to their operations, and consider what controls should be implemented to protect the business.
The Department is positioned to support entities as they develop their risk management programs, and will provide detailed guidance on what a business should be considering in developing their risk management programs, including in their consideration of critical employees. The Department encourages responsible entities to consult on proposed risk management programs, including personnel rules, with all affected parties, including workers and their representatives.
The SLACIP Bill does not negate responsibilities of employers under the Fair Work Act 2009, Work Health and Safety legislation, or any other currently legally mandated or protected action. An employee who is subject to action as a result of an employer’s background check, AusCheck or otherwise, is protected by all existing employment legislation and worker entitlements, such as the right to appeal a decision with the Fair Work Tribunal. This could be made clear in the Explanatory Memorandum.69

Risk management programs and associated Rules

2.91
The revised content and scope of the RMPs made up a substantial proportion of the evidence to this review. The revised format and sector-agnostic nature of the draft rules has drawn support from some and concern from others. The abandonment of sector-specific rules was of concern to some.70
2.92
A number of submitters expressed support for the revised RMPs and acknowledged that they strike a balance between security and cost.71
2.93
The ALC raised concerns regarding the presumption that entities will be able to adopt existing risk management tools to meet the Part 2A program requirements, arguing that sophisticated multi-part entities, such as transport and logistics providers, will have to create such programs from scratch. They also highlighted that some inconsistencies in the legislative wording regarding adoption and maintenance of RMPs and associated risks confuse the understanding of the purpose and application of the proposed requirements, with confusion between the proposed Bill wording and the proposed Rules and how these will be applied.72
2.94
A number of submitters identify that a staged and flexible approach to implementation and enforcement of RMPs and associated rules is required without a rushed process, highlighting the six-month grace period timeframe for RMP development.73
2.95
Ramsay Health Care identified that a delay for RMP implementation for hospitals is desired, due to the impacts of the COVID-19 pandemic, to align with that already identified for food and grocery and freight and infrastructure.74 This was reiterated by Catholic Health Australia75 and Uniting Care Queensland.76
2.96
The intersection between terminology for RMPs regarding material risk and material hazards was raised by the Water Services Association of Australia and expanded on at the public hearing:
Ours were more around the common internationally agreed standard around formulating a risk management program or plan, ISO 31000. What we have is conflicting terminology between that document and the current legislation, particularly with the terms 'material risk' and 'material hazard'. The term 'material risk', as was highlighted, is not defined in the document. It creates confusion between entities. This is unhelpful in formulating the risk management program and also in the implementation under crisis, which is when these things are designed to be used. What the department is calling one thing the entities are often calling something different, because they're complying with the international standard. That confusion could lead to unintended and potentially large consequences if it's allowed to continue. So we believe it's very important that that terminology is made consistent now if we can.77
2.97
The contention that making RMPs flexible enough to recognise existing ISO 31000 compliant risk management plans required definitional consistency was echoed by other stakeholders; however, the Department reiterated at the public hearing that the terminology was not the determinant of compliance:
We contend that we are trying to narrow what we're interested in, in terms of the protection of critical infrastructure, from a preventative sense. When you go through the material risks, that is a significantly high level of things, in section 4(a) to (g), that gives light to what's in the legislation. It's about material risks. People said, 'What we would like to collectively understand is material risk.' Through the co-design process, these are the things we collectively came up with. We did hear, as you rightly point out, that some very technical and very advanced companies said, 'But how do we translate that?' The answer is that, if you go through the material risks, you can point to each of the standards and how they adhere to the stoppage or major slowdown of the asset's functions for an unmanageable period.
There are standards in place that cover personnel, ICT, supply chain and physical. What we're trying to do here is say: 'Here's the principal. We're not telling you how to do it. We're just saying that here's the principal risk to mitigate. How you mitigate it is up to you and your board. We just ask that you have a plan in place.' If a company came to us and said, 'We have an existing risk management program, it does all these things and we think it adheres to each of the particular requirements in the rules,' then that would be a judgement that a company could make.78

Declarations of systems of national significance

2.98
The uncertainty faced by entities that do not know whether a SoNS declaration may affect them was reiterated in submissions to this review.79
2.99
Calls were made for the timeframe for consultation on a potential declaration to be extended from 28 days to a longer period, such as 45 days.80
2.100
Some submitters raised the lack of a merits review mechanism for the Minister’s declarations of SoNS. The government has indicated that it does not support Recommendation 7 of the SOCI Bill report regarding this, as mentioned earlier in this report.
2.101
The UNSW Allens Hub for Technology, Law and Innovation suggests that an independent assessor could be created, similar to that for Australian Security Intelligence Organisation (ASIO) adverse security assessments.81
2.102
BSA the Software Alliance also raised concerns regarding when an entity is not a SoNS, but has end users who may be – a distinct possibility for data and IT providers.82
2.103
Internet Australia called for the Minister to include general terms information in the Department’s annual report regarding all declarations under proposed Part 6A.83
2.104
The Department reiterated at the public hearing that the intention of declaring SoNS is only to target the very small number of assets that will satisfy the requirements of proposed section 52B, that only the four extra obligations could apply, and that most of those obligations will only stem from a determination of a required need for incident response planning, cyber security exercises, vulnerability assessments, and provision of system information, and only after consultation with that entity had occurred.84
2.105
Additionally, in response to identified concerns about a lack of guidance material on declarations, obligations, and also RMP requirements, Mr Hansford outlined:
…we have heard from a number of submitters that people would like additional guidance. As I think I mentioned under question No. 1, we have guidance ready to go from day one after royal assent, should that occur, to give people factual information. We stand ready to work with anyone who wants to explore what a system of national significance is, the process for declaring them and consulting and the approach that would be undertaken. We take on board that additional guidance is required, and we're very happy to provide that. That's our day job, and we're very committed to doing that.85

Enhanced cyber security obligations (ECSOs)

2.106
A number of submitters again raised concerns regarding the potential impact of the ECSOs that could be required of SoNS declared assets.
2.107
The Business Council of Australia highlighted that installation of software could lead to instability, and that the involvement of ASD may lead to hesitancy for international businesses.86
2.108
Microsoft identified that proposed Part 2C obligations and access to systems could pose serious risks:
The introduction of untested third-party software into a cloud service provider’s systems creates real and serious risks of collateral consequences that could interrupt critical services. Microsoft believes that the risks of Government intervention far outweigh any potential benefits for many critical data storage and processing sector participants, particularly parties with established histories of cooperation with the Government and hyperscale providers with complex architecture.87
2.109
Microsoft also drew the distinction that hyperscale cloud service providers have a unique role in critical infrastructure in Australia, as well as globally, and that such providers already address the concerns that the SOCI reforms aim to remediate.88
2.110
AIIA made multiple recommendations regarding the declarations of SoNS, as well as the obligations and accesses that come with a declaration. AIIA recommended that access to system information and installation of monitoring software either be subject to external oversight or be removed from the Bill.89
2.111
Palo Alto Networks identified concerns regarding the potential for access to system information and installation of system information software enabled by the ECSOs that can be imposed once an asset is declared as a SoNS.90
2.112
The concern regarding system information access was primarily outlined by IT and technology stakeholders, but was reiterated and supported by a range of critical infrastructure sector stakeholders.
2.113
In response, ASD outlined:
Our experience, and our strong preference, is that we will install software only in instances where a private entity does not have its own capacity to pass to us telemetry or technical artifacts. That's the start point. If an entity had those tools themselves, there would be no need for us to use our own tools. Our second insight from an operational perspective would be that most mature or large entities that we engage with already employ the same commercial tools that we would utilise and they have those because a mature entity would want its own means of detecting malicious activity in the same way that we would. We use a range of commercial tools which are open-source tools. We don't use one specific one; we have a range of them. Normally, if we're going to engage in using our software, we would ask the entity for their preference for the tool that is most compatible with their network setup.91
2.114
The Department also reiterated the limited circumstances in which installation of software can occur and for what purpose in its supplementary submission:
…proposed sections 30DK and 30DD mandate consultation with the entity prior to any system reporting notice being issued. There are no exceptions to this requirement. Furthermore, section 30DJ provides that system information software can only be installed where the Secretary believes on reasonable grounds that the entity is not technically capable of otherwise providing system information itself. This process will ensure the entity has an opportunity to raise any concerns about unintended consequences of the provision of system information, whether by the entity itself or through the installation of the software.
Receipt of this information will be crucial to the development of a near-real time threat picture which will allow the Government to share actionable, anonymised information back to industry to assist relevant entities improve their cyber resilience. The Government will partner with these responsible entities of designated SoNS to manage risks, including any unintended consequences that may arise, through the implementation phase of these reforms.92
2.115
Additionally, the Department made an undertaking to provide extra explanatory material to help stakeholders understand the circumstances and scope in which installation under proposed section 30DJ will occur, namely only when the entity is not technically capable of preparing reports with the relevant information.93
2.116
Discussion occurred at the public hearing regarding a potential modification of proposed Division 5, Subdivision A, as summarised by Ai Group regarding:
…whether entities would be comfortable if they were given the responsibility of installing their own system software that would produce system information and provide this to the ASD on request i.e. system information software designed, installed and operated by entities (instead of being designed, installed and operated by government). A perceived benefit may be to avoid concerns arising from direct government intervention.94
2.117
When questioned regarding this, the Department correctly pointed out that the current proposed Division 5, Subdivision A (system information reporting notices) already provides for that mechanism95, and that Subdivision B is for those entities not technically capable of providing such reports.
2.118
Concerns were raised over the process for a vulnerability assessment of a SoNS and the potentially invasive nature of this function.96
2.119
It was suggested that the Minister be required to consider the commercial, technical and practical feasibility of powers under Part 2C, in addition to the currently proposed considerations of costs, reasonableness, proportionality and other matters.97 It was further suggested that this could be supported by an independent technical support body, as an expansion of the role of the CISC arising from Recommendation 6 of the SOCI Bill report.98
2.120
Calls for clear guidance material on obligations were made by multiple submitters, as well as potential guidance on whether an entity may be declared as a SoNS.99 See above for the Departmental response on this issue.
2.121
Some submitters continued to question liability for damage caused by mandatory software installation, and the liability or compensation arrangements for unintended consequences.100 BSA the Software Alliance strongly objects to the compulsion to install software, recommending that this access be by request only.101
2.122
.au Domain Administration highlighted that inadvertent access to data of foreign entities may breach extraterritorial laws.102

Protected information

2.123
Some submitters raised the issue of protected information under the SOCI Act and the SLACIP proposed amendments, in similar terms to those received during the SOCI Bill inquiry.
2.124
The Commonwealth Ombudsman requested that section 47 of the Act be amended to enable the sharing of protected information for the purposes of its functions, in similar terms to that created for the Inspector-General of Intelligence and Security (IGIS) at subsection 47(2).103
2.125
The IGIS identifies that a provision in similar terms to proposed new subsection 46(5), which permits voluntary disclosure of protected information to an Ombudsman official, would be advantageous in allowing entities to volunteer that information to the IGIS.104
2.126
The Office of the Australian Information Commissioner again raised concerns regarding the restriction of provision of protected information under the SOCI Act, and how that might impact on its operations.105
2.127
Water Services Association of Australia highlighted that a proposed amendment to what constitutes protected information may render RMPs unworkable:
Amendments 19 and 20 of the SLACIP Bill propose amendments to the definition of Protected Information – information that cannot be revealed to any external entity without specific permission from the Minister or the Legislation. Amendment 19 inserts a new paragraph (bc) to the definition of 'Protected Information' which indicates that the entire risk management program is protected information. This renders the risk management program unworkable. The risk management program typically covers every aspect of business operations. In day-to-day operations it is essential to be able to discuss and refer to elements of the risk management program. These elements are also typically an embodiment of ongoing operational management for both the Entity and any subcontractors. In addition, achieving good practice risk management requires the sharing of key aspects of the risk management plan with auditors and other external parties. Inhibiting this exchange of information will severely inhibit achievement and realisation of good practice risk management. The same logic applies to the proposed insertion at Amendment 20 of the new paragraph (bf).
Paragraph '(bd)' of the proposed amendment to the definition of 'Protected Information' applies to any update or modification to the risk management that is notified under Section 30AG. Any such changes would then need to be isolated and would be unable to be shared or discussed. Again, this action actually inhibits good practice risk management and works against the stated goal of a security uplift.
We recommend that the proposed Amendments 19 and the proposed new paragraph (bf) at Amendment 20 are not adopted into the proposed legislation.106
2.128
General concerns were raised that restrictions on an entity's ability to disclose protected information to third-party businesses may hamper operations.107
2.129
Optus also sought clarification that disclosure of protected information under proposed section 42A is permitted for the purposes of consultation with critical infrastructure entities on developing or assessing amendments, rules, or amendments to proposed rules.108
2.130
Communications Alliance identified that subsets of protected information may lead to confusion:
Our concern around these provisions as they presently stand is we don't think the rules are particularly practical, in the sense that the legislation now would allow so-called type 1 information to be disclosed to entities such as those in your supply chain; this is information about the day-to-day functions of operating the service. But it would prevent type 2 information—that is, the information provided to government in response to risk management, planner requirements, intervention requests, incident reports, evaluations and so forth—from being disclosed to entities and stakeholders that would need it. The problem, as we see it, is there is no clear division between those datasets. Many of the elements that will be provided to government as data are also within the type 1 category, which ought to be disclosed to those in the supply chain as necessary and appropriate. From our members' point of view, that leaves them in a somewhat invidious position: do they provide high-quality comprehensive reports to government, and in doing so severely limit the amount of information they're able to disclose to entities that need it, which is not an ideal situation, or do they do what they can to skimp a bit on the data provided to government to make the operation of their daily business more practical, which is also not a good solution. We really struggle with the way this is constructed at the moment. We just don't think it's something businesses can effectively deal with while also meeting their obligations to government.109
2.131
When questioned about the concerns regarding protected information and its design in the Act and Bill, the Department identified the controls around the protection of the data received, but also the intention of designing an operationally pragmatic system:
…it's almost like you're in a room and all the information that's provided for the purpose of the bill, or the act, as it could be, is in the room. And you need a door to get information out. So what we've designed through the protected information regime is a series of doors to enable entities who have information about themselves to tell the relevant stakeholders the relevant pieces of information that they need to, such as consultants, their insurance company, their relevant stakeholders. We think that section 46(4) gives that ability within the existing act. However, some people have told us that, if there's information that's subject to a decision or a direction of the government under the act, they would prefer to have the authorisation of the department to do so. So we've also designed, in the protected information area, a number of provisions which allow the disclosure of information, which is why section 43E, subsections (2) and (3) being particularly relevant, allows that authorisation process to enable the provision of information with approvals, either to fulfill the functions under the act or, alternatively, to look at how the authorisation process could occur through that particular provision.110

Oversight and review

2.132
Submitters questioned the breadth of decision-making powers invested in the Minister and Secretary, without independent review or oversight.111
2.133
Amazon Web Services identified that while the government has undertaken to work with industry and invest in the operations of the CISC, an independent reviewer of authorisations and oversight mechanisms should sit outside of government.112
2.134
Palo Alto Networks reiterated the call for a review or appeal mechanism outside of general judicial review that the Minister identifies as the avenue of recourse for challenge of decisions made under the Act.113
2.135
This was expanded on at the public hearing by Palo Alto Networks regarding the precedent that not having a review mechanism may set:
…the concern we have is that this power puts a precedent, if adopted in the region, that would be particularly problematic for Australia and Australia's interests.
As the committee knows, we're in a period of geostrategic competition that is inherently linked to issues of technology and values, such as the separation of powers, rule of law, including checks and balances on the execution of government power. We believe that a merits review or some kind of review process can co-exist with this particular piece of legislation.
The committee might be interested to know that Singapore have passed critical infrastructure reforms themselves and they have implemented a mechanism, similar to the AWS proposal, to review particularly contentious decisions made under those reforms. So we would encourage the government and the committee to consider a review or appeal mechanism for these particular powers.114
2.136
The Business Council reiterates its position that a simple right of reply from affected entities under direction should be enabled to allow for the best mitigation to apply.115
2.137
The Law Council of Australia also highlights that the rejection of the element of Recommendation 7 of the SOCI Bill report calling for merits review of SoNS declarations does not take into account the Law Council's identification of the Security Division of the Administrative Appeals Tribunal (AAT) as the forum in which such reviews could be conducted.116
2.138
In response to review of SoNS declarations, the Department reiterated that such declarations are subject to prior consultation, internal review by the Department upon request, as well as judicial review, as such determinations are not exempt from the Administrative Decisions (Judicial Review) Act 1977, like the majority of other national security legislation.117

Immunities

2.139
Microsoft expressed concerns regarding statutory liability exemptions, but identified that reputational damages are a reality, and that the ‘good faith’ qualifier for exemption from liability needs clarification.118 This was also supported by Telstra.119
2.140
The Law Council of Australia welcomes the expanded immunities at items 54, 60, 62 and 63 of Schedule 1 to the Bill, which seek to expand the relevant immunities in sections 30BE, 35AAB, 35AW and 35BB of the SOCI Act beyond the personnel of the regulated entity itself. However, the Law Council identifies three other potential gaps:
1 Contracted service providers to 'related companies', where a 'related company' is responsible for the activities which would enable the regulated entity to comply with its obligations under the SOCI Act;
2 Actions of a regulated entity (or those of a related company or contracted service provider) which are not clearly referable to one or more specific regulatory obligations under the SOCI Act; and
3 Acts done in preparation for future regulatory obligations, which are not yet in force.120
2.141
Additionally, the Law Council notes that the immunities apply to proceedings for damages only.121
2.142
In response, the Department outlined:
…the immunity provisions have been drafted specifically to provide entities with effective immunity where they comply with a specific action under the act. Some of the submissions said that this should include things that are undertaken pre-emptively prior to the issue of an action, or a direction or an obligation under the act. The response there is that if it's not a direction or a requirement of the act then it's preparatory activity being undertaken off an entity's own bat. The immunity provisions therefore kick in when the act requires something to be undertaken.
We heard a lot of comment in the last hearing process about expanding the immunity provisions. These provisions were substantially expanded and put in the exposure draft of the legislation released on 15 December through 1 February. On balance a lot of the submitters who put concerns about the extension of the immunity provisions in the initial bill were satisfied to abbreviate that we had extended them to be consistent with other pieces of legislation; at the last hearing the Banking Act was one of those particular elements that one submitter mentioned. So they were substantially extended. We would contend that the idea that immunity provisions don't apply to the enhanced cybersecurity obligations is an incorrect statement.122

Regulatory impact and associated costs

2.143
Across the majority of submitters to the review, concern was expressed that, despite the recommendations of the Committee's SOCI Bill report and the concerns expressed by submitters to that process, the regulatory impact and cost to entities from the SLACIP proposals is still mostly unknown or is stated only in average cost terms. The Business Council of Australia identifies that the unknown and potentially substantial cost to businesses may lead to higher prices for goods and services.123
2.144
As outlined earlier in this Chapter, the Department has done some initial speculative costings, but, without final rules in place and with the status of potential SoNS declarations unknown, critical infrastructure entities expressed concern regarding unknown costs.
2.145
Uniting Care Queensland expressed significant concern that as a not-for-profit private hospital provider, all costs would be imposed with no patient care or ICU benefit.124 This was reiterated in the public hearing and in a further supplementary submission.125
2.146
Similarly, Ramsay Health Care identified that only some of its facilities would fall under the definition of a critical hospital, leading to inconsistent requirements on enterprise-wide services.126
2.147
Additionally, Ramsay identifies that the obligations and costs imposed by the proposed SLACIP reforms may deter private operators from entering the market, with the associated negative health impacts that may have.127
2.148
NSW Health identifies the financial and resource implications as ‘significant’.128
2.149
Water Services Association of Australia estimated that a SoNS declaration of a water business may have a regulatory cost of hundreds of millions of dollars.129
2.150
In response to concerns regarding cost to private hospitals in particular, the Department outlined:
The costs that are in our submission at a high level give you a sense of what all of the critical infrastructure providers are telling us, noting that the average one-off cost is really reflective of extremely large companies and smaller ones as well. So that's an average. It doesn't mean that, for every single hospital that has a one-bed ICU—which I don't think would be captured under the definition, in any case, but hypothetically let's say it is—$8.5 million would need to be the one-off cost. It is an average cost and it includes some extremely big hospitals. It is really meant to be appropriate to the risk circumstance, and it is not prescriptive.
…the provisions that we've put in the legislation really go to: how do we work with an entity to make sure they have a risk management program and are updating and reviewing it, and, internally, they're working with their own board and governance authority to manage risk and give us the confidence that that's happening? It's not a punitive approach, to say: 'We don't think you've managed this particular personnel security issue or this particular physical security issue.' At least as late as 10 March, we tried to give confidence to, and information back to, a small number of hospitals about our intended approach to operationalising the bill, should it become an act of parliament, and to really focus on education and awareness and to try to build a culture of risk management. We stand committed to doing everything we can to support and help, rather than being punitive in doing so.130

Calls for funding support

2.151
While the regulatory cost may vary across sectors and with the physical nature of each sector, the financial model of some affected providers was identified as a determinant of the overall impact that the SLACIP measures, and especially the RMPs, may have.
2.152
Catholic Health identifies that the not-for-profit hospital sector would struggle to meet the requirements of the reforms, and that patient care may suffer as a result.131 This view was echoed by Uniting Care Queensland regarding the non-government hospital sector,132 and was restated in a further supplementary submission.133

Requirement for further review

2.153
A number of submitters identify the requirement for further review of the SOCI Act once the proposed amendments are in place.
2.154
The Australian Banking Association134, Internet Australia135, Communications Alliance136 and the Business Council of Australia137 call for an early or two-year statutory review of the SOCI Act after the commencement of amendments by the SLACIP Bill, if passed.

Impacts on states and territories

2.155
The evidence received in this Bill review from State and Territory governments was limited, as it was for the SOCI Bill review.
2.156
NSW Health and Emergency Management Victoria provided the Committee with observations regarding impacts on their discrete operations, or with recommendations regarding avoiding Federal and State duplication, notification or consultation requirements, and potential costs.138

Department of Home Affairs response to submissions

2.157
On 10 March 2022, the Department provided a supplementary submission to the Committee identifying that the further submission ‘will address the key recommendations, concerns and suggestions raised by stakeholders in their submissions to this review’.139
2.158
This report will not substantively replicate the content of that submission, but notes that the following subjects and responses were covered:
• The Department reiterates that consultation has been adequate and that 'The Department recognises that engagement and education will be crucial to the success of these reforms and is committed to working with entities to ensure these reforms are understood and can be practically implemented. Mechanisms like the Trusted Information Sharing Network for Critical Infrastructure Resilience (TISN) are important forums for cross-sector dialogue, and will be key in the Department's ongoing dialogue with industry'.
• The Department reiterates that the 2020 SOCI Bill RIS is still valid and that the draft RIS for the RMPs is outlined in paragraphs 228-233 of the EM.
• The Department reiterates that its commitment to analysis of existing regulatory systems will avoid duplication and that obligations will not be 'switched on' where existing regulation is determined to be adequate, identifying the following as already compliant:
    • Banking, superannuation, insurance and financial market infrastructure (other than payment systems) assets – covered by Australian Prudential Regulation Authority requirements
    • Defence industry assets – covered by the Defence Industry Security Program (other than a small subset of assets connected to the Osborne Naval Shipyard)
    • Higher education assets – covered by the UFIT guidelines, and
    • Public transport assets – covered by state and territory regulations.
• The Department reiterates that ASD does not have a regulatory role under the proposed reforms and that the Minister may prescribe other agencies as the relevant Commonwealth Regulator.
• The Department reiterates that its goal is not to actively seek to penalise entities and that it is committed to working collaboratively with business as the measures mature.
• The Department restates that the definition of critical hospital is suitable.
• The Department identifies both support for and opposition to the change to the data storage or processing service definition, which will narrow the scope of data and the entities affected. The submission points out that the Minister will have scope to further exclude identified assets under subsection 9(2) of the SOCI Act.
• The Department acknowledges concerns with both the flexibility and specificity of proposed RMPs, but reiterates that it stands ready to support businesses in developing RMPs.
• The Department states that the 6-month grace period for RMP application is based on when the rule is made, which will not automatically align with the Bill's passage.
• The Department responds to concerns regarding background checks and the use of the AusCheck Act under the proposed reforms.
• The Department reiterates that guidance for declarations of SoNS will be created with industry, while noting the high legal threshold related to the sensitivities of the assets and their SoNS status. The Department also states that the 28 day consultation period is appropriate and that the proposed 30 day notification period is adequate as well.
• The Department recognises the concerns regarding system software installation and access to information for SoNS, but stresses that this will only occur in a very small number of cases, that entities will be consulted beforehand, and that installation can only occur where the entity is not technically capable of providing the information itself.
• The Department states that the extra matters the Secretary must have regard to prior to activating any obligations for SoNS, as well as the consultation mechanisms, should ensure that unnecessary imposition does not occur.
• The Department acknowledges concerns regarding sharing of protected information in the course of business, but places the onus on entities to assess the lawfulness of the purpose of disclosure.
• The Department states that current information sharing provisions in the SOCI Act allow the OAIC and Ombudsman to undertake their activities as authorised by a law of the Commonwealth.
• The Department states that the current immunities are sufficient to protect entities in actions under the Act, noting that immunities have specifically not been included to cover preparatory acts.140
2.159
In summary, while the Department acknowledged the concerns, suggestions and recommendations of submitters, the supplementary submission does not indicate support for any suggested changes. Rather, the supplementary submission reiterates the drafted positions or restates the assertions of the Explanatory Memorandum or initial primary Departmental submission.
2.160
Additionally, the Department's representatives provided extensive responses to a number of concerns, some of which have been outlined above, and reiterated that the Department has been responsive to concerns, has adjusted the proposed regulatory settings based on feedback, and stands ready to work with and support industry:
…can I say on the public record to all of the witnesses who have appeared before your committee, both for this hearing and previously, and all of the stakeholders whom we've engaged with—we've been talking to some thousands of people since 2020—thank you for everyone's support. We couldn't have produced the legislation that's currently before this committee without their involvement and without the time and effort that they put into preparing a whole range of input, particularly the costing in relation to the draft rules for the risk management program.
…in submissions to both of your inquiries, Chair, as well as submissions to the consultation paper in 2020, the exposure draft legislation in 2020 and the exposure draft legislation in December and January into early February of this year, the department has been working dedicatedly over this period of time, over two years and more through December over the Christmas and New Year period into February, to make the 74 changes that we've tried to outline in our submission, that the department has proposed to the government and that the government accepted, which you see before you in the legislation currently before this committee.
Our contention is that we have listened; we have listened to a range of stakeholders through town halls, roundtables, ministerial roundtables, one-on-ones, bilateral meetings, written submissions and emails—a whole range of inputs. The department's advice to the government was reflected in our advice on the bill that's currently before the committee. Subsequently, we reviewed the submissions that have been tabled and we provided our supplementary submission, which reflects the response from the department to the issues raised. Based on that, the department think that there is one amendment that we would propose to the explanatory material, and that relates to where the draft rule for the risk management program says 'TBA' in the definitions. It relates to the critical component definition. It should read that it means 'an asset, part of an asset or a system that the absence, damage or compromise would prevent the proper function of the asset or cause significant damage to the asset as assessed by the entity'. We would propose that that is clarified in the explanatory material.
I also heard as recently as today that there is additional guidance required. Both in our submissions and in our engagement with industry, including through the town halls, we've committed to continuously working on guidance. I think that was reflected in the Secretary of the Department of Home Affairs' advice to this committee on the stand up of the Cyber and Infrastructure Security Centre and, indeed, in the minister's second reading speech response to recommendation 6 of this committee's previous inquiry—that that is an absolute commitment of the department to continue to provide advice and guidance on a continual basis. We have fact sheets ready to go should the parliament endorse the legislation that's before this committee, as the Prime Minister has indicated he would like to bring that through the parliament in March.141

  • 1
    Explanatory Memorandum, pp. 11-12.
  • 2
    Department of Home Affairs, Submission 1.
  • 3
    Department of Home Affairs, Submission 1, p. 4.
  • 4
    Department of Home Affairs, Submission 1, p. 7.
  • 5
    Department of Home Affairs, Submission 1, pp. 7-8.
  • 6
    The Hon Karen Andrews MP, Minister for Home Affairs, Proof House of Representatives Hansard, 10 February 2022, p. 16.
  • 7
    Department of Home Affairs, Submission 1, pp. 8-9.
  • 8
    Department of Home Affairs, Submission 1, p. 9.
  • 9
    Department of Home Affairs, Submission 1, p. 8 and Explanatory Memorandum, pp. 48-49.
  • 10
    The Hon Karen Andrews MP, Minister for Home Affairs, Proof House of Representatives Hansard, 10 February 2022, p. 15.
  • 11
    The Hon Karen Andrews MP, Minister for Home Affairs, House of Representatives Hansard, 20 October 2021, pp. 9710-9714.
  • 12
    The Hon Karen Andrews MP, Minister for Home Affairs, Proof House of Representatives Hansard, 10 February 2022, p. 17.
  • 13
    PJCIS, Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, pp. 45-47.
  • 14
    The Hon Karen Andrews MP, Minister for Home Affairs, Proof House of Representatives Hansard, 10 February 2022, pp. 16-17 and Explanatory Memorandum, pp. 69-70.
  • 15
    Department of Home Affairs, Submission 1, pp. [33-42].
  • 16
    Law Council of Australia, Submission 42.
  • 17
    Ms Abigail Bradshaw CSC, Head of the Cyber Security Centre and Deputy Director-General, Australian Signals Directorate, Proof Committee Hansard, Canberra, 16 March 2022, pp. 52-53.
  • 18
    Ms Abigail Bradshaw CSC, Head of the Cyber Security Centre and Deputy Director-General and Ms Jessica Hunter, First Assistant Director-General Cyber Security Services, Australian Signals Directorate, Proof Committee Hansard, Canberra, 16 March 2022, pp. 53-54.
  • 19
    Ms Abigail Bradshaw CSC, Head of the Cyber Security Centre and Deputy Director-General, Australian Signals Directorate, Proof Committee Hansard, Canberra, 16 March 2022, p. 64.
  • 20
    Evidence is quoted or footnoted where relevant.
  • 21
  • 22
    Evidence is quoted or footnoted where relevant.
  • 23
    See commentary at pp. 19-21 of the Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 available at https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/SOCI/Report
  • 24
    Department of Home Affairs, Submission 1, pp. 4-7.
  • 25
    Department of Home Affairs, Submission 1, pp. 14-32.
  • 26
    Explanatory Memorandum, Attachments C & D.
  • 27
    Digital Service Providers Australia and New Zealand, Submission 28, p. [1].
  • 28
    Universities Australia, Submission 3, p. 1.
  • 29
    Cyber Security Cooperative Research Centre, Submission 9, p. 3.
  • 30
    Water Services Association of Australia, Submission 24, p. 4; Communications Alliance, Submission 41, p. 3.
  • 31
    Australian Logistics Council, Submission 7, pp. 4-5.
  • 32
    Uniting Care Queensland, Submission 17, p. [3].
  • 33
    Australian Council of Trade Unions, Submission 36, p. 4.
  • 34
    Mr Toby Hall, Group CEO, St Vincent's Health Australia, Catholic Health Australia and Mr Michael Krieg, Group Executive, Hospitals, Uniting Care Queensland, Proof Committee Hansard, Canberra, 16 March 2022, pp. 54-55.
  • 35
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, p. 25.
  • 36
    Australian Council of Trade Unions, Submission 36, p. 4.
  • 37
    Australian Information Industry Association, Submission 16, p. 2.
  • 38
    Mr Simon Bush, General Manager, Policy and Advocacy, Australian Information Industry Association, Proof Committee Hansard, Canberra, 16 March 2022, pp. 18-19.
  • 39
    UNSW Allens Hub for Technology, Law and Innovation, Submission 12, p. 2.
  • 40
    Ai Group, Submission 8.
  • 41
    Australian Council of Trade Unions, Submission 36; Electrical Trades Union, Submission 40; Australian Services Union, Submission 15.
  • 42
    Internet Association of Australia, Submission 21, p. 4.
  • 43
    Ports Australia, Submission 6, pp. [1-4].
  • 44
    The Hon Michael Gallacher, Chief Executive Officer, Ports Australia, Proof Committee Hansard, Canberra, 16 March 2022, p. 41.
  • 45
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre and Mr Michael Burke, Senior Assistant Secretary, Partnerships, Policy and Capability, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, pp. 61-62.
  • 46
    Ramsay Health Care, Submission 19, p. [3].
  • 47
    Mr Toby Hall, Group CEO, St Vincent's Health Australia, Catholic Health Australia, Proof Committee Hansard, Canberra, 16 March 2022, p. 25.
  • 48
    NSW Health, Submission 46, p. [1].
  • 49
    Information Technology Industry Council, Submission 18, pp. 2-3.
  • 50
    Macquarie Telecom, Submission 5, pp. 4-6; UNSW Allens Hub for Technology, Law and Innovation, Submission 12, p. 4.
  • 51
    Telstra, Submission 37, p. 2.
  • 52
    Communications Alliance, Submission 41, p. 7.
  • 53
    Department of Home Affairs, Submission 1.2, p. [1].
  • 54
    Macquarie Telecom, Submission 5, pp. 7-11.
  • 55
    Group of Eight, Submission 32, pp. 1-2.
  • 56
    Universities Australia, Submission 3.
  • 57
    Australian Technology Network of Universities, Submission 34, pp. 1-3.
  • 58
    Ms Catriona Jackson, Chief Executive, Universities Australia, Ms Vicki Thomson, Chief Executive, The Group of Eight, Mr Luke Sheehy, Executive Director, Australian Technology Network of Universities, Proof Committee Hansard, Canberra, 16 March 2022, pp. 24-25.
  • 59
    Ms Vicki Thomson, Chief Executive, The Group of Eight, Proof Committee Hansard, Canberra, 16 March 2022, p. 29.
  • 60
    Clean Energy Council, Submission 38, p. [1].
  • 61
    AGL, Submission 10, pp. 1-2.
  • 62
    Business Council of Australia, Submission 44, p. 5.
  • 63
    Australian Banking Association, Submission 26, p. 2.
  • 64
    Australian Council of Trade Unions, Submission 36; Electrical Trades Union, Submission 40; Australian Services Union, Submission 15.
  • 65
    Mr Michael Wright, Acting National Secretary, Electrical Trades Union, Proof Committee Hansard, Canberra, 16 March 2022, p. 33.
  • 66
    Business Council of Australia, Submission 44, p. 4.
  • 67
    Mr Joseph Mitchell, Workers’ Capital Manager, Australian Council of Trade Unions, Proof Committee Hansard, Canberra, 16 March 2022, p. 35.
  • 68
    Sunwater, Submission 45, p. 6.
  • 69
    Department of Home Affairs, Submission 1.2, pp. [3-4].
  • 70
    Name withheld, Submission 27.
  • 71
    CitiPower, Powercor and United Energy, Submission 22, p. [1].
  • 72
    Australian Logistics Council, Submission 7, pp. 6-14.
  • 73
    .au Domain Administration, Submission 13, pp. [5-6]; CitiPower, Powercor and United Energy, Submission 22, p. [1]; Clean Energy Council, Submission 38; NSW Health, Submission 46, p. [1].
  • 74
    Ramsay Health Care, Submission 19, p. [2].
  • 75
    Catholic Health Australia, Submission 29.
  • 76
    Uniting Care Queensland, Submission 17.
  • 77
    Dr Gregory Ryan, Director Business Excellence, Water Services Association of Australia, Proof Committee Hansard, Canberra, 16 March 2022, p. 45.
  • 78
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, p. 61.
  • 79
    Information Technology Industry Council, Submission 18, pp. 2-3; Ramsay Health Care, Submission 19, pp. [1-2].
  • 80
    Communications Alliance, Submission 41, p. 5; .au Domain Administration, Submission 13, p. [6]; Amazon Web Services, Submission 23, p. 2; Internet Australia, Submission 33, p. 3; Australian Information Industry Association, Submission 16, p. 2; Optus, Submission 48, p. 2.
  • 81
    UNSW Allens Hub for Technology, Law and Innovation, Submission 12, p. 3.
  • 82
    BSA the Software Alliance, Submission 14, pp. 4-5.
  • 83
    Internet Australia, Submission 33, p. 4.
  • 84
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, p. 57.
  • 85
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, p. 57.
  • 86
    Business Council of Australia, Submission 44, p. 4.
  • 87
    Microsoft, Submission 30, p. 2.
  • 88
    Microsoft, Submission 30, pp. 3-4.
  • 89
    Australian Information Industry Association, Submission 16, pp. 4-7.
  • 90
    Palo Alto Networks, Submission 25, pp. 3-5.
  • 91
    Ms Abigail Bradshaw CSC, Head of the Cyber Security Centre and Deputy Director-General, Australian Signals Directorate, Proof Committee Hansard, Canberra, 16 March 2022, p. 59.
  • 92
    Department of Home Affairs, Submission 1.1, pp. 11-12.
  • 93
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, p. 60.
  • 94
    Australian Industry Group, Submission 8.1, p. 2.
  • 95
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, p. 60.
  • 96
    Palo Alto Networks, Submission 25, p. 6; Amazon Web Services, Submission 23, p. 3; Water Services Association of Australia, Submission 24, p. 5.
  • 97
    Palo Alto Networks, Submission 25, pp. 6-7.
  • 98
    Mr Roger Somerville, Director, Head of Public Policy ANZ, Amazon Web Services, Proof Committee Hansard, Canberra, 16 March 2022, pp. 11-12.
  • 99
    Australian Banking Association, Submission 26, pp. 1-2; Microsoft, Submission 30, p. 2.
  • 100
    Mr Eric Man, Submission 4, p. [1]; UNSW Allens Hub for Technology, Law and Innovation, Submission 12, pp. 2-3.
  • 101
    BSA the Software Alliance, Submission 14, pp. 2-3.
  • 102
    .au Domain Administration, Submission 13, p. [4].
  • 103
    Commonwealth Ombudsman, Submission 11.
  • 104
    Inspector-General of Intelligence and Security, Submission 35.
  • 105
    Office of Australian Information Commissioner, Submission 31.
  • 106
    Water Services Association of Australia, Submission 24, p. 6.
  • 107
    Communications Alliance, Submission 41, p. 6; Sunwater, Submission 45, pp. 3-4.
  • 108
    Optus, Submission 48, p. 3.
  • 109
    Mr John Stanton, Chief Executive Officer, Communications Alliance, Proof Committee Hansard, Canberra, 16 March 2022, p. 13.
  • 110
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, p. 50.
  • 111
    BSA the Software Alliance, Submission 14, pp. 3-4; Australian Council of Trade Unions, Submission 36, pp. 9-10.
  • 112
    Amazon Web Services, Submission 23, p. 4.
  • 113
    The Hon Karen Andrews MP, Minister for Home Affairs, Proof House of Representatives Hansard, 10 February 2022, pp. 16-17.
  • 114
    Ms Sarah Sloan, Head of Government Affairs and Public Policy, ANZ, Palo Alto Networks, Proof Committee Hansard, Canberra, 16 March 2022, p. 12.
  • 115
    Business Council of Australia, Submission 44, p. 5.
  • 116
    Law Council of Australia, Submission 42, p. 4.
  • 117
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, p. 57.
  • 118
    Microsoft, Submission 30, p. 4.
  • 119
    Telstra, Submission 37, pp. 2-3.
  • 120
    Law Council of Australia, Submission 42, pp. 2-3.
  • 121
    Law Council of Australia, Submission 42, p. 3.
  • 122
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, p. 52.
  • 123
    Business Council of Australia, Submission 44, p. 3.
  • 124
    Uniting Care Queensland, Submission 17, pp. [1-2].
  • 125
    Uniting Care Queensland, Submission 17.1.
  • 126
    Ramsay Health Care, Submission 19, p. [3].
  • 127
    Ramsay Health Care, Submission 19, p. [3].
  • 128
    NSW Health, Submission 46, p. [2].
  • 129
    Water Services Association of Australia, Submission 24, p. 4.
  • 130
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, p. 56.
  • 131
    Catholic Health Australia, Submission 29.
  • 132
    Uniting Care Queensland, Submission 17, pp. [1-2].
  • 133
    Uniting Care Queensland, Submission 17.1.
  • 134
    Australian Banking Association, Submission 26, p. 3.
  • 135
    Internet Australia, Submission 33, p. 2.
  • 136
    Communications Alliance, Submission 41, p. 4.
  • 137
    Business Council of Australia, Submission 44, p. 5.
  • 138
    NSW Health, Submission 46; Emergency Management Victoria, Submission 47.
  • 139
    Department of Home Affairs, Submission 1.1, p. 3.
  • 140
    Department of Home Affairs, Submission 1.1, pp. 3-14.
  • 141
    Mr Hamish Hansford, Group Manager / Head, Cyber and Infrastructure Security Centre, Department of Home Affairs, Proof Committee Hansard, Canberra, 16 March 2022, pp. 48-49.
