Australia faces a very serious and rapidly deteriorating cyber security environment. It demands both a swift and comprehensive response. As this report sets out, the Committee does not believe both can be done at the same time in the same bill. If the Parliament seeks to achieve both in the same process, it may achieve neither. This is due to the inherently complex nature of the challenge and the proposed response to it, and the extraordinary and unusual economic climate we find ourselves in.
The Committee received compelling evidence that the pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate. This threat requires a rapid response. However, there is significant disagreement between industry and government on the exact response required.
The scope of the proposed framework in the SOCI Bill is broad and virtually all witnesses before the inquiry supported the objectives of the legislation. However, the proposed framework has an inherently uncertain regulatory cost because much of the regulation is to be designed and defined in legislative instruments, rather than in the primary legislation. The uncertain obligations and costs imposed by the Bill would apply to Australian businesses in the context of an already fragile economy beset by lockdowns and other impacts of the COVID-19 pandemic. This environment has made it difficult for industry to fully engage in the consultation process and even more wary about the outcomes of it. As a result, many have called for the entire Bill process to be paused. Although sympathetic to these calls, the Committee does not believe that pausing the entire Bill is the responsible course of action.
The Committee also faced constraints on its ability to undertake meaningful and considered analysis of the considerable and varied evidence base regarding the Bill. The consultation on the development of the Bill and the parallel development of rules by the Department of Home Affairs while the Committee inquiry was underway led to inconsistent engagement from industry with the Committee process, as well as an evolving and shifting evidence base during the course of the inquiry. The ongoing considerable workload of the Committee constrained its ability to engage with all interested parties; combined with the effect of COVID-19 lockdowns and restricted Parliamentary processes, this has left the Committee unable to resolve all the disputes put before it.
The Committee is also conscious that there is limited time left in the Parliamentary sitting calendar in 2021 and that sittings have previously been disrupted due to local outbreaks and lockdowns. Given this small and rapidly diminishing window of opportunity to legislate, it is necessary to prioritise the most urgent elements of the legislation.
These factors have led the Committee to the conclusion that the SOCI Bill should be split: the urgent measures which seek to address the immediate threat should be legislated promptly, while the remainder of the proposed framework is deferred to be revisited and amended on a consultative and collaborative basis with the entities affected, so that industry can work actively with the Government to achieve an agreed way forward for these essential critical infrastructure assets to be protected.
The urgency of responding to an escalating threat was stated by the Secretary of the Department of Home Affairs:
… once the bill achieves royal assent as an act of parliament it allows us to activate certain emergency procedures under the government assistance measures, and it is those measures that, frankly, I would prefer to have on the statute books tonight.
In response to this threat, the Committee recommends that the SOCI Bill be split in two, so that the current Bill can be amended (Bill One) to allow urgent elements of the reforms such as government assistance mechanisms, mandatory notification requirements and related measures to be swiftly legislated. This will ensure that the Government can exercise these vital powers when ‘last resort’ circumstances arise.
However, passage of only the government assistance mechanisms in Bill One, and not the remaining positive security obligations and other measures, does risk moral hazard where cyber-security for critical infrastructure is regarded as “the government’s job” instead of a shared partnership between industry and government.
The Committee therefore recommends that the remaining elements of the SOCI Bill be amended in consultation with industry, and reintroduced in a subsequent Bill (Bill Two) containing the less urgent measures, such as risk management programs and declarations of Systems of National Significance (with accompanying enhanced cyber security obligations). Bill Two can then proceed at a more manageable pace for government and industry and ensure that the Security of Critical Infrastructure framework that Australia needs generates broad stakeholder consensus.
The Committee believes that the elements in Bill Two, following appropriate consultation and amendment where necessary, are essential because they recognise that industry has its own obligations to secure essential services for their customers and the nation.
The Committee is also recommending that Bill Two be referred to the Committee when it is introduced for further review, alongside analysis of the impacts of the more urgent Bill One. This is accompanied by a further statutory review mechanism of the Security of Critical Infrastructure Act 2018 in the future, to ensure that these considerable legislative reforms are not just a ‘set and forget’ response to a current threat.