The following is an extract of the Bill outline from the Explanatory Memorandum, providing the rationale for the SOCI Bill and a brief explanation of the reforms contained within.
The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia’s critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver.
Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption and result in cascading consequences across our economy, security and sovereignty.
Threats ranging from natural hazards (including weather events) to human induced threats (including interference, cyber attacks, espionage, chemical or oil spills, and trusted insiders) all have the potential to significantly disrupt critical infrastructure. Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, and the impacts of COVID-19 illustrate that threats to the operation of Australia’s critical infrastructure assets continue to be significant. Further, the interconnected nature of our critical infrastructure means that compromise of one essential function can have a domino effect that degrades or disrupts others.
The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty, as well as the Australian way of life, causing:
shortages or destruction of essential medical supplies;
instability in the supply of food and groceries;
impacts to water supply and sanitation;
impacts to telecommunications networks that are dependent on electricity;
the inability of Australians to communicate easily with family and loved ones;
disruptions to transport, traffic management systems and fuel;
reduced services or shutdown of the banking, finance and retail sectors; and
the inability for businesses and governments to function.
While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune:
over the last two years, we have seen several cyber attacks in Australia that have targeted the Federal Parliamentary Network;
malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber attacks on health organisations and medical research facilities; and
key supply chain businesses transporting groceries and medical supplies have also been targeted.
Accordingly, Government will introduce an enhanced regulatory framework, building on existing requirements under the SOCI Act. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 gives effect to this framework by introducing:
additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;
enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and
government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia’s critical infrastructure assets.
These changes will be underpinned by enhancements to Government’s existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy. This will include a range of activities that will improve our collective understanding of risk within and across sectors.
The enhanced framework will uplift security and resilience in all critical infrastructure sectors. When combined with better identification and sharing of threats, this framework will ensure that Australia’s critical infrastructure assets are more resilient and secure. Government will work in partnership with responsible entities of critical infrastructure assets to ensure the new requirements build on and do not duplicate existing regulatory frameworks.
This framework will apply to owners and operators of critical infrastructure regardless of ownership arrangements. This creates an even playing field for owners and operators of critical infrastructure and maintains Australia’s existing open investment settings, ensuring that businesses who apply security measures are not at a commercial disadvantage.
The Australian Government’s Critical Infrastructure Resilience Strategy currently defines critical infrastructure as:
‘those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.’
In the context of this, the SOCI Act currently places regulatory obligations on specific entities in the electricity, gas, water and maritime ports sectors. However, as the security landscape evolves, so must our approach to managing risk across all critical infrastructure sectors.
As such, the amendments in this Bill will enhance the obligations in the SOCI Act, and expand its coverage to the following sectors: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage.
The Commonwealth needs to establish a clear, effective, consistent and proportionate approach to ensuring the resilience of Australia’s critical infrastructure. The amendments to the SOCI Act will drive the uplift of the security and resilience of Australia’s critical infrastructure.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) will introduce an all-hazards positive security obligation for a range of critical infrastructure assets across critical sectors. This ensures industry is taking the appropriate steps to manage the security and resilience of their assets. The obligations to be included in the Act in relation to a critical infrastructure risk management program will be supported by specific requirements which will be prescribed in rules, which will be co-designed between industry and government.
The Bill also recognises those assets that are the most critical to the security, economy and sovereignty of Australia. These ‘systems of national significance’ will bear additional cyber obligations recognising the cyber threat environment we currently face.
Finally, while these measures are designed to ensure we do not suffer a catastrophic cyber attack, the Bill will ensure Government has the necessary powers to provide direct assistance to industry in the event of a serious cyber security incident.
Positive Security Obligations
The additional positive security obligations will build on the existing obligations in the SOCI Act to embed preparation, prevention and mitigation activities into the business as usual operating of critical infrastructure assets, ensuring that the resilience of essential services is strengthened. It will also provide greater situational awareness of threats to critical infrastructure assets.
The positive security obligations involve three aspects:
adopting and maintaining an all-hazards critical infrastructure risk management program;
mandatory reporting of serious cyber security incidents to the Australian Signals Directorate (ACSC); and
where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.
Importantly, each aspect of the positive security obligations will only apply once a rule is made in relation to that aspect for a critical infrastructure asset or class of critical infrastructure assets. The rules will prescribe which aspects are ‘switched on’ for a critical infrastructure asset or class of critical infrastructure assets.
The critical infrastructure risk management program will require responsible entities of specified critical infrastructure assets to manage and mitigate risks. Responsible entities of critical infrastructure assets will be required to take an all-hazards approach when identifying and understanding those risks – both natural and human induced hazards.
Responsible entities of specified critical infrastructure assets will be required to report cyber security incidents to the relevant Commonwealth body. Collecting this information will support the development of an aggregated threat picture to inform both proactive and reactive cyber response options – from providing immediate assistance to working with industry to uplift broader security standards.
Part 2 of the current SOCI Act requires assets covered by the Act to provide ownership and operational information to the Secretary of Home Affairs for the Register of Critical Infrastructure Assets (the Register). The Bill will extend this requirement to the expanded class of critical infrastructure assets where appropriate to develop and maintain a comprehensive picture of national security risks, and apply mitigations where necessary.
Enhanced Cyber Security Obligations for systems of national significance
The Enhanced Cyber Security Obligations in the Bill will support a bespoke, outcomes-focused partnership between Government and Australia’s ‘systems of national significance.’ These are a significantly smaller subset of critical infrastructure assets that are crucial to the nation, by virtue of their interdependencies across sectors and consequences of cascading disruption to other critical infrastructure assets and sectors.
Under the Enhanced Cyber Security Obligations, the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more prescribed cyber security activities. These include the development of cyber security incident response plans, cyber security exercises to build cyber preparedness, vulnerability assessments to identify vulnerabilities for remediation, and the provision of system information to build Australia’s situational awareness.
The Enhanced Cyber Security Obligations will support the sharing of near-real time threat information to provide industry with a more mature understanding of emerging cyber security threats, and the capability to reduce the risks of a significant cyber attack against Australia’s most critical assets.
This Bill introduces a Government Assistance regime to respond to serious cyber security incidents that applies to all critical infrastructure sector assets. Government recognises that industry should and in most cases, will respond to the vast majority of cyber security incidents, with the support of Government where necessary. However, Government maintains ultimate responsibility for protecting Australia’s national interests. As a last resort, the Bill provides for Government assistance to protect assets immediately prior, during or following a significant cyber attack.
More specifically, Schedule 1, Part 1 of the SOCI Bill is separated into:
proposed amendments to the Administrative Decisions (Judicial Review) Act 1977 and AusCheck Act 2007 to enable proposed review exclusions and background checks;
proposed amendments made to existing Part 2 of the Act for expansion of the information required for the Register of Critical Infrastructure Assets;
a new proposed Part 2A to introduce risk management programs;
a new proposed Part 2B to introduce mandatory cyber incident reporting;
a new proposed Part 2C outlining enhanced cyber security obligations of entities set by declarations from the Secretary of the Department (the Secretary) as systems of national significance (SoNS);
a new proposed Part 3A to introduce powers of government assistance (including intervention, information gathering and action directions); and
a new proposed Part 6A outlining the mechanisms for SoNS declarations.
Schedule 1, Part 2 of the SOCI Bill defines application provisions.
Schedule 1, Parts 3 and 4 of the SOCI Bill enable updates to terminology arising from the Federal Circuit and Family Court of Australia Act 2021 and the National Emergency Declaration Act 2020.
Schedule 2 of the SOCI Bill proposes amendments to the Criminal Code Act 1995 to limit liability for ASD when performing certain acts under the Bill that would otherwise contravene or be prohibited by Commonwealth or State and Territory laws regarding computer-related activities.
Most of the detail regarding the specific requirements placed on critical infrastructure entities is left to be designed and set out in ‘rules’ made under the SOCI Bill. The Explanatory Memorandum describes these rules as disallowable legislative instruments, but the Bill itself does not.
The Committee will not be including further commentary regarding the Bill’s substance in this report, except at the sections relevant to commentary regarding impact of proposed elements of the SOCI Bill and any subsequent recommendations.
The threat to be countered
The main rationale for the SOCI Bill and the expansion of the government’s critical infrastructure security focus is outlined in the Explanatory Memorandum extract above. The Department and ASD expanded on these threats and their impact in their primary submissions.
The threat posed by cyber security vulnerabilities and malicious cyber activity has become increasingly evident in recent years. Australia has enjoyed relative security in this regard, but both government and the private sector have proven not to be immune. The incidence of cyber attacks, ransomware and exploitation of system vulnerabilities is accelerating.
High-profile cyber security incidents affecting government departments, including Parliamentary networks, major logistics and transport companies like Toll Group, or media companies like the Nine Network, bring mainstream attention to the ongoing and persistent attacks that Australian companies and networks face every day.
These attacks are just the most public face of the threat: the Australian Cyber Security Centre (ACSC) reported 2,266 incidents in 2019-20, just over a third of which came from critical infrastructure companies and assets.
When outlining these threats and the increasing challenge of preparing and hardening assets and countering the threats to them, Mr Michael Pezzullo AO, Secretary of the Department of Home Affairs, stated:
Cyber attacks will soon reach global pandemic proportions. This has been building for about five years but has accelerated over the course of the COVID pandemic. The minister has directed that we build on the Cyber Security Strategy launched in 2020 with an increased focus on protecting critical infrastructure—that's what brings us before you today—cybercrime operations, counter-ransomware, along with intensified engagement with states, territories, industry and the general public.
Basic cyber security protections will always help, but malicious actors, such as cybercriminals, state sponsored actors and state actors themselves will defeat the best defences that firms, families and individuals can buy. We have to do what we can, of course, to defend our own networks and devices against known vulnerabilities. However, just as we do not rely on home security alarms and door locks to deal with serious and organised crime, we cannot leave firms, families and individuals on the field on their own.
We have to be prepared to conduct offensive operations in the havens of cybercriminals. Cyber is not immaterial. It is material. It is reliant on infrastructure, hardware, coding spaces for the coders and physical staging points. These havens can be mapped and targeted. Nations such as Australia have an asymmetric advantage because unlike in terms of military strength––where great powers have a symmetric advantage––should we have the will, the strategies, the authorities and the means, we can gain asymmetric advantages including when we go on the offensive. It's already the case that policing and intelligence agencies as well as military cyber forces within authorities are striking at the infrastructure of these malicious actors in their havens, where regrettably some states either turn a blind eye to their activities or actively enable and sponsor them. Regrettably, state protection emboldens these malicious actors.
One model to tackle this challenge is the counterterrorism model that was put in place after 9/11 to deal with al-Qaeda. Another model that I would suggest to this committee, that is worth reflecting on as you consider this bill and consider your report, is the campaign that was mounted in the 17th, 18th and then in the beginning of the 19th century to clear the world's oceans of pirates, including the pirates of the Caribbean who were defeated by Her Majesty's warships of the Royal Navy in concert with bringing law to a lawless ocean. This is a problem with which we can deal, just as Britain overcame piracy, but we need the tools to do so including the requisite legal authorities.
Australia’s Cyber Security Strategy 2020 foreshadowed and outlined this response when it was delivered in August 2020:
The Australian Government must be ready to act in the national interest when its unique capabilities are needed, especially in emergency situations.
In consultation with critical infrastructure owners and operators, the Australian Government will develop new powers proportionate to the consequences of a sophisticated and catastrophic cyber attack, accompanied by appropriate safeguards and oversight mechanisms.
These powers will ensure the Australian Government can actively defend networks and help the private sector recover in the event of a cyber attack.
The nature of this assistance will depend on the circumstances, but could include expert advice, direct assistance or the use of classified tools. This will reduce the potential down-time of essential services and the impact of cyber attacks on Australians.
Evidence was received from a panel of experts at the public hearing on 9 July 2021, highlighting broad agreement that the cyber threat environment has shifted. This shift was summarised by Mr Chris Krebs:
…there have been three strategic shifts over the last several years in the threat actor landscape. First, as you already mentioned, was ransomware and criminal actors. I don't want to gloss over the fact that it is important that the public—the American public, the Australian public and the public elsewhere—finally recognise the true disruptive nature of cyber security in general, after decades of intelligence based actions that have been, by design, subtle and covert. Now, when we have these brazen, in-your-face, disruptive attacks—particularly here in the US, but also in Australia—when your hamburgers and hotdogs have been taken off the shelves, I think that finally brings it home and makes it really resonate.
I think the second strategic shift that we've seen was probably over the last two to three years, where, rather than go after their primary targets through the front door, the intelligence apparatus of our adversaries—traditionally, from the US perspective at least, we call that Russia, China, Iran and North Korea, but obviously there are others—have sought to effectively use the global ICT ecosystem, the systems we use on a daily basis, as a real-time collection apparatus. When you think about SolarWinds, that's how I would be thinking about it: taking advantage of the IT systems that we use and deploy without fully appreciating the risk and the elevated access these systems have.
The third and final strategic shift that I'd suggest we really prioritise is a shifting to functional disruptions and moving away from purely reconnaissance and intelligence collection. As great power conflict increases, particularly in the case of Russia or China, we will see colder or warmer activity. What we may see is precursor operations that disable infrastructure to prevent the opposing power from being able to project power.
This strategic shift and the rise of cyber-enabled crime and security threats have not been countered evenly across entities:
…there's an uneven investment in cyber security. There are companies out there, if you look to the JP Morgans or Bank of Americas, that size and sophistication of entities, that are spending almost $1 billion a year on cyber security programs, which is clearly a significant investment for a company of any size. But it's absolutely true that it's not consistent across industry. I think at least part of the objectives of the bill should be ensuring that everybody is levelling up but doing so without inhibiting the good work that many companies are doing already.
In response to this shift and the uneven response to it, the SOCI Bill’s rationale states that the measures outlined are required, and that the time for a measured response is limited, if not already past, as identified by the Secretary:
We're already past time. The clock is ticking. The possibility of us waking up tomorrow and being in the grip of such an attack was already last year or the year before. The urgency of this legislation, frankly, is I would think self-evident, particularly for those who have seen the intelligence that is relevant here…two parts: each sector will be different; I don't think there will ever be a clean start line. Secondly, the imperative is so overwhelming that we are probably past time.
The imperative for the reforms was not contested in evidence to the inquiry, but significant concerns about the process used to develop the government’s response were presented to the Committee, as outlined further below.
The Committee is highly aware of the threat that Australia faces from cyber-enabled national security and critical infrastructure threats. A large proportion of the national security legislation that the Committee has considered in this and previous Parliaments has been in response to rising information technology risks and cyber-enabled threats; however, those powers have been directed at enabling government, law enforcement and intelligence agencies to respond where the threat can be countered directly.
The Committee recognises that the proposed critical infrastructure framework in the SOCI Bill is intended to enable the government to assist critical infrastructure assets to counter and respond to these threats in the best way possible, preferably in a cooperative fashion, but also in a ‘step-in’ fashion if required. However, the window in which that response and assistance can be delivered is closing rapidly as the threat increases.
The Committee’s view on how to deliver a timely and appropriate response within the proposed framework and the time available, without imposing uncertain regulatory costs, is set out in Chapter 3.
As mentioned in Chapter 1, the Committee received substantial evidence in submissions to the inquiry. These submissions were received from companies that will be affected directly by the proposed framework in the SOCI Bill, representative organisations advocating for member companies or on the sector impacts more generally, cyber security or technology companies or consultants, trade unions, State governments, Commonwealth agencies affected by the SOCI Bill, and legal peak bodies.
This wide-ranging evidence base presented diverse and varied opinions on the intent of the SOCI Bill, as well as the prospective regulatory and business impacts that the SOCI Bill could present to the entities affected. Much of the evidence focused on the current business practices of those companies, the cyber security practices and systems in place, as well as any existing regulatory systems and standards implemented and applied.
This variation in evidence, specific to the eleven critical infrastructure sectors, was useful to the Committee’s consideration of the potential impact of the SOCI Bill. However, the commentary provided below has had to be restricted to evidence specific to the need for reform, the broad impact of the SOCI Bill, or common themes of evidence regarding the Bill’s development or regulatory scope.
The Committee received numerous submissions providing technical evidence regarding cyber security trends, threats or observations of weakness regarding particular industry sectors. These submissions were useful to consideration of the overall threat environment and landscape that the SOCI Bill is attempting to address.
The Committee thanks all submitters and witnesses who provided invaluable evidence and insight into the potential impact of the SOCI Bill and the business environment in which the reforms propose to address or ameliorate the cyber security threat. Critical infrastructure assets are vital to the security of our nation and the provision of essential services to its citizens.
Due to the wide impact of the SOCI Bill, the range of evidence received and the unknown nature of the impact of certain elements of the Bill, the Committee cannot acknowledge or comment on all concerns, recommendations or suggestions made to it. Likewise, the challenges that the Committee continued to face in the conduct of the review, as well as the increasing cyber security threat that the SOCI Bill is intended to address, have meant that the Committee is delivering a shorter thematic report for this review, acknowledging the major shared elements of evidence between submitters and witnesses while addressing the identified threat to be countered.
This commentary is below and in the following Chapters.
Themes of evidence received
The evidence received on the rationale for, and the development of the Bill, as well as the evidence regarding the SOCI Bill itself and its potential regulatory impact is summarised into major themes below.
This report will not be identifying every submitter or witness that provided information regarding a theme, rather identifying what the theme is with any pertinent points identifying the core of a theme or concern or any particularly relevant evidence.
Consultation on discussion paper and exposure draft
As mentioned in Chapter 1, the SOCI Bill was developed and introduced to Parliament after consultation processes on a discussion paper and an exposure draft of the Bill.
These consultation processes were intended to guide the development of the framework proposed in the SOCI Bill, essentially being the first step in the co-design process at the foundation of the regulation that the SOCI Bill proposes to introduce.
However, the Committee received extensive evidence in submissions and at public hearings that many companies, industry bodies and stakeholders did not feel that their input or feedback had been actioned or acknowledged.
Many stakeholders also stated there was little promotion of the process, given how wide the impact of the SOCI Bill would be. Medicines Australia stated:
I don't feel that there was very strong pull action. It was very much: engage if you're interested. Many of the members of Medicines Australia were not aware of the consultation process at all. We felt that there was not enough information on which to provide a really comprehensive submission.
Acknowledging that not every stakeholder could have been actively engaged during development, other witnesses observed that consultation on the Bill itself was rapid and did not address many of the concerns raised, especially regarding potential duplication of regulation or what rules would be set for each industry sector:
…the consultation process, as people have outlined, has outlined intent, which we understand, but the lack of detail generates lots of questions at our end. Part of consultation is getting feedback on questions and understanding where you can take it, and having that two-way conversation. I don't believe that has really happened. We've had 129 submissions to Home Affairs, and within two weeks we've had a piece of legislation put forward and we're still no clearer on the level of detail we need to understand what level of duplication we'll be dealing with relative to the existing legislation that we work with…
A number of witnesses at public hearings highlighted that consultation on draft industry rules had improved since the concerns about the Bill’s development raised in initial submissions, but the overall hesitancy of industry remained because the detail regarding the impact of the Positive Security Obligations (PSOs) within the SOCI Bill is yet to be defined and codified in delegated legislation.
More commentary on the impact of rules is made later in this Chapter.
Response from the Department to legislative concerns
As part of the evidence gathering process for this review, the Committee requested that the Department respond to the numerous recommendations raised regarding the SOCI Bill from stakeholders such as the Law Council of Australia, Business Council of Australia, Office of the Australian Information Commissioner (OAIC), Inspector-General of Intelligence and Security (IGIS) and the Commonwealth Ombudsman. Many of these stakeholders raised issues with the Committee regarding the role that their agencies or offices would play within the proposed framework of the SOCI Bill.
This request was made to allow the Department to consider the merit of the recommendations, many of which had been identified by submitters in the exposure draft consultation process (and not addressed in the resultant Bill), and respond with potential improvements to the Bill taking into account these recommendations, alongside the substantial other evidence base the Committee received.
In response, the Department provided a supplementary submission (No. 59.1), outlining:
For the 40 recommendations made by the Law Council of Australia – not accepting 36 of the recommendations and noting the other four without proposing amendment;
Noting both concerns raised by the IGIS, and acknowledging that amendment to the IS Act would be required to bind ASD’s assistance to the Department for the purposes of the amended Act;
Noting that OAIC concerns are to be addressed in other proposed legislation or through ongoing consultation; and
Not supporting any of the 13 proposed legislative changes from the Western Australia Department of Premier and Cabinet.
While the Department provided reasons of varying complexity for not supporting or accepting the proposed amendments or concerns of submitters, the response did not substantially aid the Committee in understanding what impact, if any, the recommendations would have on the Bill as proposed.
Introduction of the Bill – timing and indicated timelines
As outlined earlier in this report, the SOCI Bill was introduced on the final sitting day of 2020, and the subsequent request for submissions period for the review spanned Christmas and the New Year period, hampering the efforts of submitters and the Committee to gather initial evidence in a timely manner.
The then Attorney-General requested that the Bill review be completed by the end of the Autumn sittings which, as outlined in Chapter 1, was not a realistic timeframe. This requested timeframe also aligned with an implementation timetable set out in the Regulatory Impact Statement at Attachment A of the Explanatory Memorandum.
This timeline stated an expectation that co-design of rules, economic modelling and guidance would commence in January 2021 and be ongoing; that education and engagement would take place from January to July 2021; that the measures in the Bill would commence on 1 July 2021; and that enforcement of PSOs would commence on 1 January 2022.
This timeline raised concerns with submitters, especially in relation to the design of rules, the unknown nature of the impact of that regulatory element of the SOCI Bill’s framework, as well as potential enforcement and penalties.
The Communications Alliance expressed the shared sentiment from a number of submitters:
Given the importance of the sector-specific rules for the success of the entire framework we would believe that it would be wise if the committee advise parliament—or basically push the pause button and create the sector-specific rules first, or at least a substantial part of it and a substantial degree of detail first, before continuing to progress the bill.
The stated timeline in the Explanatory Memorandum has not been met, and the evidence provided to the Committee indicates that when draft rules have been provided, industry and asset sectors are not ready to accept the indications that rules will address all concerns expressed regarding the Bill.
Sector definition breadth
In order for the SOCI Bill to apply to relevant industry and asset sectors, those critical infrastructure sectors need to be defined and the assets contained within defined and identified, so the proposed regulations and powers from the Bill can apply accordingly.
Proposed section 8D of the Bill identifies the relevant sectors. Each asset related to those sectors, and the responsible entities (where not already defined within the current Act), are defined in proposed amendments to section 5 or in proposed sections 12A-12L of the Bill.
Some of these definitions are necessarily very detailed (see the definition of a critical financial market infrastructure asset in proposed section 12D as an example), and others are very brief and general (see the definition of a critical education asset in proposed amendments to section 5 for example).
This specificity or generality is accompanied by a vacuum of detail regarding some assets and how they are, or will be, identified in the rules to be set outside of the SOCI Bill (see the definitions of a critical liquid fuel asset in proposed section 12A or a critical freight infrastructure asset in proposed section 12B as examples). These definitions describe the conceptual application of an asset, but leave attribution of specific assets to the rules to be defined in delegated legislation.
Similarly, some definitions capture all assets within a broad sector, such as the definition of a critical data storage or processing asset in proposed section 12F, but then identify that some specific assets may not be an asset as defined, if precluded in the rules. This particular asset definition also does not appear to recognise the potential extraterritorial impact of its broad coverage, as affected providers may operate within Australia on relevant data held within Australia, but may hold part of that data offshore, shift it offshore, or have primary operations (including data centre assets) in other countries. This is in contrast to many of the other assets, which relate to physical assets bound to Australian territory and operation within the country.
The application of asset definitions only to assets that are located within Australia (as per proposed subsection 9(2B)), further confuses the potential application to digital elements of critical infrastructure entities that have parts of their functional infrastructure or data located offshore, as mentioned above.
This variation in definitional breadth and specificity has caused many submitters and witnesses to express concern regarding the directed impact of the proposed framework from the SOCI Bill, or the unknown impact, which leads to a lack of industry confidence or an inability to accurately forecast regulatory impact and cost. Water Services Australia expressed:
The water sector hasn't been consulted in detail about the costs. It's very hard to get a cost at the moment because we don't actually know the details of the rules—it's 'How long is a piece of string?' That's been problematic for us.
The data storage and/or processing sector raised specific concerns with the definition of their sector, as well as the impact on their business given the ‘horizontal’ nature of their services: they may provide data services to businesses captured under other asset sectors, and therefore be affected by the cyber focus of the Bill not only for their own operations, but also in relation to the services provided to those industries.
This point was made in opening statements at the public hearing of 8 July 2021 and expanded on by Mr David Masters, Director of Global Public Policy at Atlassian:
…we are a horizontally enabling sector across all of these industry verticals. As you are thinking about the regulatory mechanisms, generally they will flow down to us as supporting services to those critical infrastructure sectors. I think one of the concerns that we have as an industry is that the regulatory making process, the rule-making process that the Department of Home Affairs has flagged, needs to be considered as part of that process. Those regulatory requirements will flow down to us regardless of what they impose upon our sectors separately. I am just making sure that that is front of mind and also reflected in the bill, because some of the requirements that we see for other sectors—electricity or water or transport—may potentially be in conflict with what those sectors might be asking us to do separately as customers.
A number of industry representatives identified that defining assets in the broad terms within the SOCI Bill did not provide for the realities of the operation of a number of the affected sectors. Instead, it was suggested that defining industry functions would be a more practical step to protecting the data and functions that are essential to the operation of critical infrastructure assets:
What we are asking basically is to zoom out and ask first: what do we want to protect and why? We sometimes ask our customers to engage in data classification. So when you identify highly sensitive data, what is top secret and what is just kind of general data that deserves protection but doesn't need the highest level of priority? I guess what we're arguing for is that governments need to start with workload classification. They need to identify the workloads that matter as opposed to specific assets. A practical example of this is to take a power company or even a government entity. There are several workloads that happen for that entity and one of them may be the cafeteria ordering system, for example, and another one may run the electric grid. Both of those workloads are not the same. If you prioritise both equally you're being over inclusive, you're diverting resources and you're also diverting regulatory resources on how to best protect that. What we are arguing for is, first, to step back, identify the functions that are really important to the Australian economy and the Australian industry and then figure out how to prioritise those functions, how to best protect those functions, so we can reduce regulatory costs for customers, for industry and for the government. This is a little bit of a different approach to identifying specific assets but we think this is a better approach.
The definitions of sectors and assets are crucial to the operation of the SOCI Bill’s proposed framework, and fundamentally establish the areas of the Australian economy, and the international partners operating within Australia in relevant sectors, that are affected, or will be affected, by the Bill.
Unknown regulatory burden of positive security obligations
As outlined earlier, an overwhelming concern from industry representatives was the unknown nature of the majority of the regulatory impact or burden to be imposed by the proposed new Parts 2A-2C, and to some extent those in the proposed new Part 3A, of the Bill.
While the SOCI Bill outlines and defines the types of obligations, and some of the elements of those obligations, that industries will have to comply with, most of the detail of what businesses will have to do, and by what means, is not prescribed in the Bill. Again, this detail is proposed to be designed and outlined in rules to be presented in delegated legislation.
Without certainty regarding definitions and regulatory requirements, affected industries cannot plan for the potential impact and cost of the framework’s requirements, as highlighted by Google:
From Google's perspective I'd like to say that many of the points we'd make have already been made here, but there's one—clarity—when it comes specifically to your question of costs. One of the ways to reduce cost is to ensure that there's clarity. Some of the concerns that we've raised, especially around reporting arrangements and definitions, can without clarity inadvertently cause great costs, as when we're responding to an incident or having to deal with an issue we have uncertainty about what is covered, when something is covered and what the time frame is. Making sure all the definitions in this bill are very clear and appropriate is one of the best ways to reduce costs and make sure that we get the best possible outcomes.
While this process of designing rules outside of the legislation is identified as providing for flexibility and consultation, most industry submitters expressed a preference for this detail to be included in the primary legislation, or for that detail to be negotiated and provided in instruments to be considered alongside an amending Bill, before the framework is considered and passed by Parliament.
The National Pharmaceutical Services Association summed up many of the concerns from industry in its opening statement to the 9 July public hearing:
Like others appearing today, NPSA members are rightly cautious about a Bill that provides nothing more than a skeleton framework of broad ranging and extensive powers and being told the rest will be worked out later by the Department of Home Affairs and the Minister through co-design.
Trusting in these statements is a significant leap of faith given what we would respectfully argue is a lack of consultation to date and an impossibly tight 2-week window for consideration of 129 submissions on the draft Bill before its tabling by the Minister.
The legislation is too thin on detail. It is impossible to know what its implications will be for NPSA members, and the proposed mechanisms within the Bill would make it almost impossible to challenge.
We believe that this is too great a risk given the scope of the proposed powers, and we recommend that the details of the regulatory framework must be within the primary legislation, not in rules and determinations.
Potential duplication of regulatory systems
In addition to the concerns regarding the unknown elements of regulatory impact, a number of industry representatives expressed concern regarding potential duplication of existing regulatory systems.
Some entities expressed very strong opposition to any further form of regulation that might duplicate or supplement existing obligations. Commercial Radio Australia highlighted this opposition, and potential consequences, in its opening statement to the 9 July public hearing:
CRA seeks confirmation that the rules will provide, under section 30AB(3), that Part 2A will not apply to the commercial radio industry and the SOCI Act obligations will therefore remain dormant, with the industry's existing obligations continuing to apply without supplement.
The commercial radio industry will resist strongly any attempt to impose additional compliance or reporting burdens on it through the Positive Security Obligations proposed in Part 2A (or any other part) of the Bill.
If it is not possible to guarantee that no additional compliance or reporting obligations will be imposed on commercial radio, then the commercial radio industry would prefer that the Bill does not cover commercial radio infrastructure. Additional regulations would threaten the viability of commercial radio stations, to the detriment of local Australian audiences. Ultimately, this could reduce the critical infrastructure available for the communication of emergency information to regional Australians.
This concern is ameliorated by the undertakings and identification in the SOCI Bill and Explanatory Memorandum that, when defining rules, the Minister must take into account any existing regulatory systems that provide for similar mechanisms. This is intended to ensure that regulation is not duplicated, and was affirmed and restated in the Department’s supplementary submission as well as by the Secretary during the public hearing of 29 July 2021.
Despite the mechanisms built into the SOCI Bill and the undertakings for co-design and avoidance of duplication, industry representatives called for existing regulators to be central to any design process, with the Business Council of Australia and others calling for the Treasurer, or other portfolio Ministers relevant to the sectors concerned, to be involved in any rules design and approval processes.
Timeframes for notifications
Another recurring theme of evidence from industry representatives related to the timeframes outlined in the SOCI Bill for the notification of cyber security incidents under proposed Part 2B.
Proposed sections 30BC and 30BD require entities to notify the relevant authority of critical and other cyber security incidents respectively (a cyber security incident is defined in proposed section 12M), within 12 hours for critical incidents and 72 hours for other incidents.
The 72 hour timeframe for general notifications was modified from the 24 hours originally proposed in the exposure draft of the Bill, to align with existing similar requirements in schemes such as that regulated by the Australian Prudential Regulation Authority (APRA).
A number of submitters and witnesses, especially those from within the technology sector, expressed concerns regarding the nexus between the requirements of assessing the criticality or seriousness of a cyber security incident, and the requirement to notify the appropriate authority of such an incident within 12 hours.
In response, the Department outlined that the notification of critical incidents is intended to be the initial commencement of a process, not the only process involved. Mr Hamish Hansford, First Assistant Secretary, Cyber, Digital and Technology Policy, stated:
I think the very first point of the 12 hours is to start a conversation, and so in the 12-hour threshold you've got to fulfil the legislative requirements. Effectively, the clock doesn't start when something happens; it's when you become aware that you have an incident and it falls within the category. The more detailed information about the content of the notification will fall in the rules, which will be subject to co-design. But the first notification can be oral and then subsequently, within 48 hours, it must be given in written form.
These notifications play a vital role in establishing or catalysing a number of actions and records under the SOCI Bill’s proposed framework. However, with the current lack of certainty around the metrics for assessing impact for the purposes of reporting incidents (as the seriousness or criticality of an incident is currently assessed according to impact under the Bill), there is concern regarding whether an entity will be in breach of the requirements of the Bill (with associated penalties) when assessment of the impact of an incident is based on elements such as availability, integrity, reliability or confidentiality, without accompanying thresholds for assessing restriction on these elements.
The Explanatory Memorandum provides limited guidance for entities:
Determining whether an incident is having a significant impact on the availability of the asset will be a matter of judgment for the responsible entity. The services being provided by the asset, together with the nature and extent of the cyber security incident, will determine the significance of the incident and whether it meets the threshold of being a critical cyber security incident. For example, a cyber security incident which affects the availability of a critical clearing and settlement facility for a very brief period may have significant economic repercussions while an incident that affects the availability of a critical education asset for the same period of time may have a substantially lower impact.
Authorisations and executive powers
The proposed framework set in the SOCI Bill imposes very serious obligations on entities, as well as the potential for quite intensive assistance powers that allow for access to proprietary systems and IT architecture.
While the rationale behind the proposed framework is acknowledged by most stakeholders, the potential reach of the powers is not accompanied by appropriate authorisation or oversight mechanisms in the eyes of some.
Currently the authorisations for all proposed mechanisms sit solely within the Executive, either directly with Ministers or the Secretary of the Department (or delegated staff in limited circumstances).
The Law Council of Australia commented extensively on the potential powers proposed within the SOCI Bill and the potential for non-disclosure of significant items of interest:
…the Bill is extraordinary in terms of the number, breadth and gravity of legislative powers it proposes to delegate to the Minister and Secretary. The Law Council submits that the Bill is fairly characterised as a ‘framework’ or ‘shell’ which imposes highly significant regulatory obligations and liabilities, but largely delegates to the executive government the task of determining the substance of regulatory requirements, and their application to specific entities.
The Bill is also extraordinary in that it proposes to enable some delegated powers to be exercised via non-legislative instrument (Ministerial declarations in relation to assets, and Secretary’s notices in relation to cyber security obligations). These determinations and notices will not be disclosed publicly, with disclosures of their existence or contents potentially attracting the secrecy offence in section 45 of the SCI Act. They will also bypass the usual requirements for Parliamentary scrutiny and disallowance that apply to legislative instruments under the Legislation Act.
The Law Council and others also commented on the current exclusion of any independent authorising officer or potential check against the notices or obligations and directions that could be issued under the Bill’s proposed frameworks.
While the proposed framework would fall under the jurisdiction of the IGIS, Commonwealth Ombudsman and OAIC, to varying degrees, the SOCI Bill proposes to exclude from statutory judicial review all administrative decisions made under the intervention regime in proposed Part 3A in relation to cyber security incidents.
This proposed exclusion is based on national security grounds, but excluding these potentially far-reaching elements of the Bill from any review has instigated a call for some form of review of decisions, whether by a panel of experts, such as that provided for under Part 15 of the Telecommunications Act 1997, or ex post facto judicial review of the grounds a Ministerial authorisation is based upon.
Government assistance measures
The proposed Part 3A assistance powers are the portion of the SOCI Bill that has been expressed as the most urgent, but they are also the provisions that generated the most significant concern from industry during the inquiry.
The ability for the Minister to authorise the Secretary of the Department to direct an entity to gather information, undertake an action (or direct that an action not be undertaken), or authorise ASD to intervene, when a cyber security incident has occurred, is occurring, or is likely to occur, is a considerable power to wield under the proposed framework for security of critical infrastructure.
While the Minister must take into account a number of factors when considering authorising a government assistance direction, including seeking the agreement of the Prime Minister and the Defence Minister in relation to intervention requests, the range of actions available under proposed section 35AC for interventions, as well as the considerable penalties that apply to non-compliance and the potential for liability, are areas of concern for many stakeholders.
These government assistance measures are identified as provisions of ‘last resort’ throughout the Explanatory Memorandum, but many witnesses at the public hearings of 8 and 9 July 2021 questioned whether the measures allowed for would indeed be used only in the direst circumstances.
In response, the Secretary of Home Affairs stated:
On 8 and 9 July, earlier this month, the committee heard witnesses from many companies speaking of their cyber maturity. We observed those proceedings very closely, and they evidenced their willingness to engage voluntarily with the Australian Cyber Security Centre in a crisis. In such circumstances there would be no requirement for these powers to be utilised, and the government's first preference, as stated in the explanatory memorandum and elsewhere, of working collaboratively and in partnership with the entity would of course suffice. However, the risks to Australia's national interests, in the view of the government, are too great to not have a clear, established framework in place ahead of an incident to operate as a last resort in a national emergency, should an entity be unwilling or unable to do what is necessary.
The Secretary’s references to entities and companies being willing to cooperate voluntarily with the ACSC align with the evidence received for the review, where most submitters and witnesses outlined a willingness to cooperate, and pre-existing healthy relationships with ASD and existing relevant regulators.
This was summed up by Ms Rosemary Sinclair, Chief Executive Officer of .au Domain Administration Limited:
We have a very close relationship with the Department of Infrastructure, Transport, Regional Development and Communications. We already work very, very closely with the Signals Directorate and the Australian Cyber Security Centre.
So all those relationships and processes are in place. One of the things that strikes us about the legislation is that it's focusing on a problem of the unwilling and trying to address that, whereas I suspect that the people on this call and the vast majority of people who have been engaging in this process are in fact the willing. So we need to be careful about a response to the wrong problem.
The Committee acknowledges the substantial and varied evidence received from all manner of submitters and witnesses to this Bill review. With this substantial and varied evidence comes an equally substantial and varied level of agreement and disagreement about the response required.
Outlined above is a brief snapshot of the main themes of evidence received from the majority of submitters and witnesses. The Committee is unable to outline all the evidence received, and as will be discussed in the next Chapter, does not believe it is relevant to do so at this stage.
The uncertain regulatory cost is an element of the proposed framework that poses a substantial concern for affected industry. The fragility of the economy in an uncertain COVID-19 affected environment is a primary concern for the companies that will become critical infrastructure entities under the Bill, so any uncertainty in regulatory administration, cost or penalty is only going to heighten an already stressed commercial reality.
The Committee’s proposed way forward is discussed in the next Chapter.
Challenges faced by the Committee with the reviews
The Committee has faced some challenges in being able to review the SOCI Bill in a timely and accurate manner.
Timing of referral
The first challenge came from the timing of the SOCI Bill’s introduction to Parliament. With the SOCI Bill being introduced on Thursday, 10 December 2020, the final sitting day of that year, the Committee faced logistical pressure in launching the inquiry in the face of the Christmas period, where traditionally many stakeholders have reduced staff and ability to respond to a call for evidence.
To acknowledge this, the Committee set Friday, 12 February 2021 as the due date for submissions, a date which, despite the nine week period between the launch and the requested due date, a number of submitters did not meet. Compounding this, two other Bill inquiries had been launched by the Committee in December with the same due date, and many of the non-government organisations that provide valuable submissions to the Committee for each of its inquiries, such as the Law Council of Australia, were overwhelmed with the call for evidence on multiple topics at once.
Confusion regarding consultation processes
As the Committee started to receive submissions it became evident that the consultation processes undertaken by the Department prior to the introduction of the SOCI Bill to Parliament had created some confusion for potential and actual submitters.
Cyber Security Strategy 2020 to Bill introduction
Between September 2019 and February 2020 the Department consulted on the development of Australia’s Cyber Security Strategy 2020 (the Strategy). The final report was publicly released in late July 2020.
Resulting from the Strategy, the Department released the Protecting Critical Infrastructure and Systems of National Significance Consultation Paper, first proposing the framework which is now embodied in the SOCI Bill. Consultation processes on this paper:
…revealed broad in-principle support for the introduction of the reforms. Certain sectors strongly supported their inclusion within the proposed coverage of the framework, given their level of criticality and currently limited regulatory environment. Industry concerns primarily centred on the sectoral implementation of the reforms including the need for greater clarity around coverage, true industry co-design of sector-specific requirements to reduce unnecessary regulatory impost, and the extent of proposed Government Assistance powers. Industry further called for consultation on an exposure draft of the proposed bill.
Out of this process the Department released an exposure draft of the Bill and associated documents on 9 November 2020 for comment. This was followed by further industry consultation, closing on 27 November 2020.
The SOCI Bill was then introduced to the House of Representatives eight business days later on 10 December 2020. Further commentary on this timeframe is provided later in this report.
Effect on Committee submissions
The effect of the rapid process outlined above was that when the Committee started to receive submissions, a number of them did not expressly address the Bill before the Parliament or the statutory review. Many expressed the same feedback provided to the consultation process conducted by the Department, with many attaching copies of submissions made to both the consultation paper and Bill exposure draft processes, even though minor but technically consequential amendments had been made to the SOCI Bill since those submissions had been written.
Similarly, the Committee did not receive the expected quantity of submissions from affected companies in the critical infrastructure asset sectors or from the peak bodies that represent those industries. This was despite a request from the Committee to the Department in early January 2021 to make the Department’s submitters aware of the Committee process underway, which the Committee was advised had occurred.
In later interactions with witnesses, through direct communications with witnesses, or through lobbying from companies once public hearings were announced in June and July 2021, it became evident that many organisations were either not aware of the Committee process, or had assumed that the input provided to the Department would constitute evidence to the Committee. A number of late submitters also expressed a feeling of ‘consultation fatigue’ or voiced concerns that earlier feedback had made little or no impact on the final SOCI Bill presented to Parliament.
The workload of the Committee in 2021 has also been a challenge in considering the SOCI Bill.
For the majority of 2021 the Committee has had a revolving inquiry load averaging between 10 and 15 active inquiries at any one time, with the Committee having handed down ten reports or statements finalising various inquiries, reviews or terrorist organisation listings under the Criminal Code in that time, and 25 finalised in total for the 46th Parliament to date.
This workload and the requirement for associated public hearings, briefings and meetings places strain on the Committee to be able to undertake the appropriate evidence gathering and consideration of such evidence. As outlined earlier in this Chapter, the evidence base for this Bill review and the range of affected industry entities is extensive.
Evolving evidence base and contemporary regulation development
The restricted evidence base in the early stages of the Bill review did reduce the range of industry opinions that were presented to the Committee somewhat, but this evidence advanced and expanded as time progressed and affected companies and representative bodies became aware of the process.
However, the Committee received a range of submissions prior to, during hearings and after, mainly due to the engagement related to these processes, but also due to the evolving nature of feedback from submitters.
As discussed, the Department engaged in industry consultation during 2021, in parallel to the Committee’s inquiry, in line with the co-design process outlined in the SOCI Bill, Explanatory Memorandum, and as expressed in the ‘timetable for implementation and key tasks’ outlined in the Regulatory Impact Statement included at Attachment B of the Explanatory Memorandum.
This co-design process for the rules to apply to certain elements of the SOCI Bill’s proposed framework either instigated engagement with the Committee process (for industries that may have not been aware of the process, or who had assumed that the Committee was privy to earlier engagement with the Department), or reinvigorated or altered evidence provided to the Committee regarding the concerns expressed around a lack of consultation or the lack of detail regarding the regulation to be provided for in the rules being drafted.
The impact of this new evidence or the shift in existing evidence challenged the Committee in being able to settle its understanding of the concerns being expressed from industry.
Additionally, as the Committee conducted the last of its public hearings in July and collected the resultant evidence, or received new evidence from submitters catalysed by those hearings, the further lockdowns in Sydney, Melbourne and Canberra seriously affected the Committee’s ability to collaborate on the evidence received and formulate a response.
This challenge and the increasing evidence from the Department and ASD that the threat of cyber security vulnerability of critical infrastructure assets was escalating and needed urgent response has necessitated the form and substance of this report and the recommendations in Chapters 3 and 4.