3.1
As the Bill review progressed, it became evident that the divided evidence base and divergent opinion between government and affected industry regarding the impact, scope and detail of the SOCI Bill, were going to be a restrictive factor in building stakeholder consensus in support of the proposed reforms.
3.2
As outlined in Chapters 1 and 2 most, if not all, companies and industry bodies, trade unions, and critical infrastructure assets owners and operators expressed some form of reservation with the Bill, its consultative development, the unknown or unquantifiable regulatory impact, or the contemporary rules development that has occurred while the Committee conducted this review.
3.3
These concerns have been acknowledged by the Department in a general way while endorsing very few suggestions for potential change to the proposed framework of the Bill. The Department’s rationale for advising against amendments has often been based on the urgency of the response required to the threat faced by critical infrastructure assets.
3.4
The Committee has heard compelling evidence regarding the threats to be countered, as well as the instances of ransomware and other cyber attack that have seriously impacted critical infrastructure both domestically and internationally.
3.5
The disagreement on the content of the SOCI Bill, the unknown nature of the rules to dictate the majority of asset regulation, and the increasing importance of countering the ever-evolving cyber threat to Australia’s social and economic stability, defence and national security, has highlighted to the Committee that all of the concerns expressed regarding the framework proposed in the Bill cannot be resolved in a manner that would be acceptable to all parties, and dictates that the proposed framework be amended.
3.6
The significant detail left to be resolved by sector rules in delegated legislation instead of in the primary legislation does not allow the Committee, the Parliament, or the effected entities sufficient confidence of the full impact of the legislation.
3.7
The Committee acknowledges that the rationale for relying on co-design for the rules is to enable appropriate impacts to be consulted on and for existing regulation to be catered for. However, the fact that this process has been underway in parallel to the Committee’s review of the Bill and Act, but has not yet been concluded for any of the designated eleven industries means the Committee cannot make meaningful recommendations for these parts of the Bill, nor endorse them. To do so would be to effectively grant a blank cheque.
3.8
While the Committee strongly supports the aims of the SOCI Bill, it would need a significant amount of re-drafting to pass in its entirety and respond adequately to many of the concerns expressed to it during this review. This would delay significantly the time-critical elements of the Bill.
3.9
It is not the Committee’s role to re-draft bills. However, the following commentary and recommendations in this Chapter are provided to assist in meeting the immediate threats we face now, as well as the comprehensive response which the Committee believes is necessary but accepts will take longer to finalise.
Splitting the Bill
… once the bill achieves royal assent as an act of parliament it allows us to activate certain emergency procedures under the government assistance measures, and it is those measures that, frankly, I would prefer to have on the statute books tonight.
3.10
The above quote from Secretary Pezzullo, and many of the requests to pause entirely the SOCI Bill’s passage through Parliament, have informed the path that the Committee is recommending regarding the review of the Bill, as well as the statutory reviews of both the Act and the TSSR Regime under Part 14 of the Telecommunications Act 1997. The recommended actions for the Bill are outlined below and the related consequences for the statutory reviews conclude the report.
3.11
These recommendations are either specific to the SOCI Bill, or are principles-based recommendations for actions to enable the elements of the Bill that remain contested to be reformed or refined.
Retain Part 3A and enabling provisions
3.12
In order for the increasing threat of cyber-enabled crime and security threats to critical infrastructure assets to be countered, the Committee is recommending that the government assistance measures within proposed Part 3A of the Bill be separated out and amended so as to be passed as soon as practicably (referred to from hereon as Bill One).
3.13
The Committee understands that the Government wishes to legislate to respond to the growing threat environment as soon as possible, and this separation will enable this to happen.
3.14
This will allow for the Department, and ASD as the technical authority, to work with entities to ensure that cyber security incidents can be responded to in the most expeditious fashion, to ensure that critical infrastructure assets (and associated functions) are secured.
3.15
Relevant sections of Part 1 of Schedule 1 of the SOCI Bill will need to be retained to enable all definitions and meanings to apply, to allow for the expanded critical infrastructure sectors to be assisted by the proposed Part 3A operation.
3.16
Proposed Part 2B will need to be retained within Bill One to allow for the notification of cyber security incidents, to allow for assistance measures under proposed Part 3A to be engaged when required. Similarly any amendments to the existing Parts 4 and 5 of the Act will need to be retained for such engagement of those provisions.
3.17
Schedule 2 of the SOCI Bill will need to be retained to allow for the liability of ASD staff to be limited related to actions undertaken under the proposed Part 3A provisions. However, these provisions require some further consideration, as outlined later in this Chapter.
3.18
These provisions should be amended to ensure that the stated intentions of cooperation and reactive consultation are enabled by the provisions of Bill One. Capturing elements such as:
the meanings of cyber security incident and unauthorised access, modification or impairment in proposed sections 12M and 12N be reviewed to ensure that an insider threat is captured;
under proposed section 30BBA rules designed for the purposes of proposed section 30BB be published and advised directly to any identified affected entities or companies, and that feedback in submissions received be considered and responded to formally before the rules are then presented to Parliament;
‘offensive cyber action’ be defined on an inclusive basis for the purposes of the exclusions outlined in proposed Part 3A, so entities can know what the Minister is not authorised to require;
‘significant impact’, for the purposes of proposed section 30BC be defined, or clarified as part of the existing proposed section 8G definition of ‘relevant impact’; and
the consultation that the Minister is required to take under proposed section 35AD be required in a specific form, and to a reasonable timeframe to allow for the entity to reply before the ministerial authorisation is made.
3.19
Any other relevant or required amendments to allow for these separated out elements not outlined above can also be made and outlined in Bill One’s explanatory material.
3.20
The remaining elements of the current SOCI Bill can then be deferred as a separate Bill, as per recommendations later in this Chapter.
3.21
The Committee recommends that the Security Legislation Amendment (Critical Infrastructure) Bill 2020 be split in two, so that the urgent elements of the reforms contained within the government assistance measures in proposed Part 3A, with the definitions and meanings of expanded critical infrastructure sectors and assets, and other enabling provisions contained within proposed amendments to Part 1, Part 2B, Part 4, Part 5 and Schedule 2 of the current Bill, be retained, amended in line with the principles outlined in paragraph 3.18 of this report, and legislated in the shortest time possible (Bill One).
3.22
The Committee acknowledges that affected entities will still have reservations with the enablement of the assistance measures, especially within the technology sector. However, the Committee recognises that the potential threat faced to critical infrastructure assets is too great to stall introduction of these essential measures for any longer.
3.23
In making these recommendations the Committee is relying on the intention stated in the SOCI Bill, and as outlined in evidence from the Department, that these measures will only be used as a last resort.
3.24
The Committee expects that given the statements from witnesses regarding a willingness for cooperation with the Department and ASD, and given the safeguards outlined in proposed section 35AB requiring the Minister to consider multiple impacts and current responses, then these measures will need to be used rarely, if at all. And if they are used, it will only be on those entities that are unwilling or unable to respond appropriately.
3.25
More comment and a recommendation regarding proposed Schedule 2 of the SOCI Bill is outlined later in this Chapter.
Notification requirements and timeframes
3.26
As outlined above, the positive security obligation set out in proposed Part 2B of the SOCI Bill (Notification of cyber security incidents), is required as part of Bill One, as entities are sometimes the only party aware that a cyber security incident is underway that requires the engagement of a proposed Part 3A government assistance measure.
3.27
In response to identified concerns regarding the 12 hour timeframe that notifications would be required for critical incidents, the Committee believes that the 12 hour notification is reasonable, given the ability for such a notification to be made orally in the first instance, but believes that the current requirement for the entity to then issue a written report within another 48 hours is too onerous. This is potentially complicated if the entity is still in the midst of determining what the incident may be and its effect.
3.28
Accordingly, the Committee is recommending that proposed section 30BC be amended to allow for the entity and the relevant Commonwealth Body (either ASD or another relevant regulator, as established under proposed section 30BF) to agree on the timeframe for a written report to be given, with a maximum of 84 hours from the time that the initial oral notification is given (96 hours total from the time that the entity becomes aware of the incident).
3.29
The amended section should also allow for a notification to be finalised without the need for a written record to be given, if the entity and the relevant Commonwealth body agree that the incident does not meet the definition of a critical cyber security incident. For consistency, the requirements of proposed section 30BD should be amended to allow for the finalisation of a non-critical incident notification by this means as well.
3.30
The Committee recommends that proposed Part 2B of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 be retained in Bill One, and that Part be amended to:
extend the requirement under proposed section 30BC for formal written notification to be made by an affected entity within 84 hours if an initial oral notification is given when a critical cyber security incident is having a significant impact on the availability of the critical infrastructure asset the entity is responsible for; and
that proposed sections 30BC and 30BD be amended to allow for an entity and the relevant Commonwealth body to agree that a written notification is not required for an incident, if upon investigation it is agreed that the incident does not meet the requirement of an incident or does not have the defined impact outcome.
3.31
The Committee understands that the substance of the form of the written notifications and the entities to be affected by this proposed Part are to be established in rules, so the Committee recommends that these rules be designed and agreed to included as part of the explanatory material for Bill One, or as soon as possible after Bill One is passed. This way, entities will know whether they are specified in such rules and what form a notification must take, especially given that the penalty for non-compliance is set at 50 penalty units (currently $11,100).
3.32
The Committee recommends that the rules to be designed for the purposes of amended Part 2B of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 be developed in consultation with relevant entities and incorporated into explanatory material to Bill One.
3.33
In order for the Parliament, and through it the Australian public, to be satisfied that the government assistance measures are being used in line with the last resort expectations of usage, the Committee is also recommending that any determination made under the Part 3A powers enabled by Bill One be reported to the Committee as soon as practicable after the assistance is rendered.
3.34
This report should be provided initially in written form outlining the circumstances and entities involved, the assistance measure used and the current status of the incident and any outstanding actions or results.
3.35
The Committee can then receive extra information in briefings from the Department, ASD or any other relevant Commonwealth Body. This will also allow for the Committee to request meetings or briefings from the affected entity or entities as well, to ensure that the assistance was requested, notified and undertaken in an appropriate and lawful manner.
3.36
The Committee recommends that Bill One include a provision that as soon as practicably after a government assistance measure is directed or requested the Parliamentary Joint Committee on Intelligence and Security be notified in writing about the circumstances, actions, status and parties involved in each measure used relative to any cyber security incident.
3.37
The IGIS and Ombudsman will continue to have oversight and complaints investigation roles to the measures within Bill One, adding that extra level of assurance that the powers are being used appropriately, and any complaints or concerns are given adequate avenue for recourse.
3.38
Once the amendments have been made, the Committee recommends that Bill One be passed.
3.39
The Committee recommends that, subject to the amendments outlined above, the resultant Security Legislation Amendment (Critical Infrastructure) Bill (Bill One) be passed.
Expanded role for the Cyber and Infrastructure Security Centre
3.40
The Committee received correspondence from the Secretary dated 30 August 2021 outlining changes to the existing Critical Infrastructure Centre (CIC), creating the Cyber and Infrastructure Security Centre to:
…lead the Australian Government’s efforts to protect Australia’s critical infrastructure through an all hazards security and resilience regulatory mandate. The Cyber and Infrastructure Security Centre will bring together the Department of Home Affairs regulatory capabilities on aviation and maritime security, critical infrastructure security, and the background checking function performed by AusCheck with an expanded and integrated mission.
3.41
This reformed body within the Department is a welcome move and consolidates advice and regulatory functions under multiple Acts, and this potential reformation of the CIC was flagged by the Secretary in evidence:
Of the three big tools we have, the critical infrastructure centre, which goes to infrastructure security, was born out of a physical infrastructure security legacy, but I'm thinking about how I reconfigure administratively a cybersecurity and infrastructure security function.
3.42
As the Committee is cognisant of potential concerns about the impact of Bill One from potentially affected entities, the Committee is recommending that the role of the expanded Cyber and Infrastructure Security Centre be further expanded, to be used as a technical review mechanism for the purposes of Bill One.
3.43
This reformed role would serve as a third-party checking mechanism regarding the suitability and feasibility of assistance measures, with industry and ASD technical experts convened as a technical expert advisory function within the Centre, enabled for both the Minister or Department and affected entities to seek advice on the assistance measures or circumstances surrounding the cyber security incident that catalysed the measure.
3.44
The Committee recommends that the Cyber and Infrastructure Security Centre within the Department of Home Affairs, be reformed to additionally provide technical support and advice regarding the functions of Bill One.
Part 6A declarations and the remainder of the Bill
3.45
The Committee understands that the intention of the SOCI Bill is to address the risk of potential and real cyber vulnerability within critical infrastructure entities within Australia. However, for the reasons stated above, the remaining elements of the SOCI Bill, including the declarations of SoNS, need to be redeveloped through engagement with the asset sectors and entities potentially affected by the SOCI Bill’s proposed framework as a whole. The responsibility for reinvigorating and amending these contested elements of the SOCI Bill should not fall on government alone.
3.46
The Committee understands that the intention of declarations of SoNS under proposed Part 6A enables the enhanced cyber security obligations under proposed Part 2C of the SOCI Bill; however the general consensus regarding both the positive and enhanced cyber security obligations and their unclear burden and impact, due to a reliance on yet to be designed rules, is not a tenable way forward at this time.
3.47
The Committee supports the intention of all of the measures outlined in the SOCI Bill, however it recognises that the evidence provided, and the reliance on designing rules after an enabling Bill was expected to be passed, highlights that the framework as a whole is not ready to be progressed at this time. This is especially important given the uncertain nature of economic, supply chain and infrastructure security during the current pandemic, and the regulatory certainty desired by entities, as highlighted by the Group of Eight:
The red tape argument certainly is one that we believe in quite strongly. We really need to be very proportionate in how we regulate these types of issues so that we effectively use regulations to get the best outcome in terms of protecting critical infrastructure...we just need to be careful that we are regulating to best effect, if you like, and that we don't get overwhelmed with red tape, because there's an opportunity cost in a resource constrained environment from any kind of regulatory activity, and we want to make sure that we're doing our best to get the best outcomes from these types of processes.
3.48
Accordingly, the Committee is recommending that the remaining elements of the SOCI Bill not outlined above (or any elements not essential to the retention of the features mentioned) to be included in Bill One, be revisited and reconsidered by the Department, in consultation with potentially affected industry representatives, and reintroduced in a subsequent second Bill.
3.49
As part of this reconsideration and consultative redesign, the Committee recommends that additional Bill (referred to from hereon as Bill Two) be amended in line with the following principles, incorporating a number of thematic considerations and recommendations put forward by submitters such as the Business Council of Australia, Law Council of Australia, and other industry representative bodies or businesses:
any definitions or meanings introduced by Bill One that have been clearly identified as requiring modification or clarification as part of rules co-design or in evidence to this review, or that require reconsideration as to scope, be captured in revised definitions;
any elements of PSOs or enhanced cyber security obligations that can be aligned to international standards or to align with existing best-practice critical infrastructure programs in other international jurisdictions (ISO 31000 is an international risk management standard already applied by many entities);
any decision or determination made that will affect an entity be amended to not only include the existing consultation by the Minister or Secretary, but also require a right of reply by the affected entity and consideration of that reply in the final determination;
consideration of potential impacts of Bills One and Two on foreign investment attractiveness and Foreign Investment Review Board processes;
the currently drafted secrecy around declarations of assets as SoNS under proposed section 52B of the SOCI Bill, and current section 51 of the Act, be amended to require that such declarations only be confidential if the Minister is satisfied on reasonable grounds, that there is a significant risk of harm to Australia’s defence or national security as a result of the disclosure of the regulatory status of the asset;
ensure that protected information provisions enable the appropriate and lawful exchange of information among oversight and compliance assurance bodies;
formulating a merits review system of appeal to the security division of the AAT for any determination under Bill Two for declarations under proposed Part 6A and proposed Part 2C, once revised, with requisite access to protected information;
more generally, consideration of the issue of merits review rights in respect of the administrative decisions of the Secretary or Minister under other aspects of the expanded SOCI Bill framework; and
reconsideration of the suitability of the types and breadth of immunities afforded to entities under the entirety of the SOCI Bill’s proposed framework (including those in Bill One).
3.50
The Committee recommends that the remaining non-urgent elements of the current Security Legislation Amendment (Critical Infrastructure) Bill 2020 not recommended for inclusion in Bill One, be deferred and amended into a separate Bill (Bill Two) in line with the principles outlined in paragraph 3.49.
3.51
As outlined earlier, when amending Bill Two, the Committee recommends that the substance of the primary SOCI Bill be reviewed in consultation with key stakeholders (those that engaged with the Department’s consultation process, those who engaged with this Committee review, and any other identified parties). Bill Two should then be released as an exposure draft for extensive consultation with affected industries and representative bodies, with follow-up consultation meetings to be held on the collective feedback received from that exposure draft process.
3.52
This process will allow for the collaborative intention of securing critical infrastructure assets, and bring a sense of ownership to the process from those entities that will ultimately have a regulated role under the final legislative framework.
3.53
When the draft Bill Two is then further refined based on that feedback, the substance of the feedback and resultant change to Bill Two should be clearly outlined in the explanatory memorandum. Once reintroduced to Parliament, Bill Two should be referred to this Committee for review. Included with that Bill review, a review of the operation of the legislative changes from Bill One up to that date is to be conducted by the Committee at the same time, to ensure that it is operating as intended, and is indeed being used only as a last resort.
3.54
The Committee recommends that Bill Two be amended in consultation with key stakeholders, released for feedback and with further consultation on incorporated amendments based on that feedback, prior to being reintroduced to Parliament.
Once reintroduced, Bill Two should be referred to the Parliamentary Joint Committee on Intelligence and Security for review, with a concurrent review of the operation to date of the amendments to the Security of Critical Infrastructure Act 2018 resulting from Bill One.
3.55
In addition to the amendment of Bill Two in line with the above, the Committee recommends that any rules to be developed be co-designed as part of the consultation process on Bill Two, to the extent possible, and be outlined in the explanatory memorandum to Bill Two once introduced.
3.56
This will allow for the fullest consultation and establishment of regulatory impact to be discussed and realised before the Parliament has to consider Bill Two enabling those rules. This will also allow for the realisation of the flexibility of having those elements of the critical infrastructure framework in instruments that can be amended, reviewed, or even disallowed, but also available for the Parliament and potentially affected entities to review alongside Bill Two.
3.57
The Committee recommends that any rules to be designed under Bill Two be co-designed, agreed and finalised to the extent possible before the introduction of that Bill and made available as part of the explanatory material for the Bill.
Criminal code amendments and IS Act amendments
3.58
The Committee understands the intention of the proposed amendments to the Criminal Code in Schedule 2 of the SOCI Bill. The uncertain nature of the work of ASD in intercepting and undertaking computer-related acts in the interests of national security is becoming more fraught as technology progresses.
3.59
These proposed amendments realise part of recommendation 74 of the Comprehensive Review of the Legal Framework of the National Intelligence Community (Richardson Review), to enable ASD to undertake its mission and while in the proper performance of a function of that agency.
3.60
The Committee realises the intention of this Schedule and the immunities it would grant ASD, while also realising that the scope of that immunity will reach much further than the activities ASD would undertake as the technical authority for the purpose of the SOCI Bill and any amended Security of Critical Infrastructure framework.
3.61
The Committee acknowledges the detailed evidence that the Law Council of Australia tendered to the Committee on this issue, and while not necessarily agreeing that all of the Law Council’s recommendations for amendment to this Schedule are warranted, the Committee does not believe that they should be not acted upon at all, as was suggested by the Department in its supplementary submission.
3.62
Accordingly, the Committee is recommending that Schedule 2 of the SOCI Bill be reviewed with the concerns expressed by the Law Council of Australia in mind, and amended in Bill One taking into account the following principles:
whether an immunity, rather than a defence of a mistake or ignorance of fact, is a more suitable mechanism to address potential accidental onshore acts. If so, articulate the preference in explanatory material;
whether the proposed immunities are appropriate to extend to both criminal and civil liabilities, given the proposed expanded civil immunity leaves no recourse for affected entities to seek reparations for unintended damages;
whether the expanded immunity could adversely impact on the warrant and issuing safeguards regarding interceptions and access to telecommunications and data under the Telecommunications (Interception and Access) Act 1979 (TIA Act); and
whether the expanded immunity should be expanded to include AGO and ASIS, as per the majority of recommendation 74 of the Richardson Review.
3.63
The Committee recommends that proposed Schedule 2 of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 be amended in accordance with the principles outlined in paragraph 3.62 and included as part of Bill One.
3.64
Some submissions to the review identified that as part of the consultation undertaken by the Department, draft regulations under section 13A of the Intelligence Services Act 2001 (IS Act) were distributed for comment. These draft regulations have not been provided as part of the Bill review, but section 13A regulations are established to enable IS Act agencies to cooperate with and assist other agencies, subject to arrangements or directions given by the responsible Minister.
3.65
The proposed regulations identified the Department as a Commonwealth authority to be assisted by ASD under paragraph 7(1)(f) of the IS Act, but did not limit that assistance to the extent of proposed arrangements under the SOCI Bill. As identified by the Law Council of Australia and the IGIS, such regulations could potentially authorise ASD to assist the Department in relation to any of its functions under section 7 of the IS Act, such as collecting intelligence on people outside Australia.
3.66
While the Committee is confident this would not be the intention of the regulations, and the Minister is capable of binding the agency to assistance as set out in arrangements or directions, the Committee agrees that there should not be any doubt as to whether the cooperation under section 13A is only for the purposes of actions expressly authorised by Parliament in statute. The Department acknowledged this potential in its supplementary submission and identified that amendment to the IS Act would be required.
3.67
Accordingly, the Committee is recommending that subsection 13A(2) of the IS Act be amended to restrict cooperation or assistance provided by an IS Act agency to agencies or other bodies under regulation outlined in subsection 13A(1) only to the functions and extent authorised by other Commonwealth legislation.
3.68
The Committee recommends that subsection 13A(2) of the Intelligence Services Act 2001 be amended to restrict cooperation or assistance provided by an agency under that Act to agencies or other bodies by regulation outlined in subsection 13A(1) only to the functions and extent authorised by other Commonwealth legislation.
Democratic institutions as critical infrastructure
3.69
The Committee heard expert evidence during hearings about the ‘corrosive’ potential of any interference with electoral process and that, “longer-term, sustained assault on democratic institutions and the information environment … is harder to grapple with, with this kind of bill that is focused around tactical support to organisations when they’re compromised”.
3.70
The Committee also heard from the former Director of the Cybersecurity and Infrastructure Security Agency in the United States, Mr Christopher Krebs:
Our strategies have to be connected against countering disinformation as much as we do technically. This is important for critical infrastructure as well. If you go to the point about an uneven underinvestment for cybersecurity in the critical infrastructure community, there is virtually no investment in countering disinformation. Nowhere more important is that right now than in the deployment of COVID-19 vaccinations. We are seeing an active threat environment from Russia and China for vaccine diplomacy. We’re also seeing it from conspiracy theorists and antivaxxers in general. There is a much longer tail on the disinformation.
3.71
In the context of election security, Mr Krebs said that ahead of the 2020 Presidential election, the US Government prepared for technical attacks or disruptions to electoral systems and hacks against media websites and voter databases. But he warned that the ‘more pervasive aspect’ was the “…broader campaign… to undermine confidence in leadership, government and democratic institutions through disinformation operations”.
3.72
Mr Krebs confirmed to the Committee that government facilities are included as critical infrastructure in the United States, with election functions considered a specific subsection.
3.73
This evidence was put to department and agency representatives in subsequent hearings. The Secretary of the Department of Home Affairs, Mr Michael Pezzullo, advised that operational planning for the security of upcoming Australian elections was already underway and that, as the Australian Electoral Commission (AEC) was a part of government, specific legislation was not required to ensure the security of elections or to facilitate support from ASD or the Director-General of Security.
Committee comment
3.74
Cyber-enabled operations spanning disinformation, data theft and technical disruption render democratic infrastructure vulnerable in new ways. Such operations, as witnessed in the 2020 presidential election in the United States, target political parties, news, and social media, and have the potential to affect broader public confidence in democratic systems.
3.75
The Committee notes the assurances from the Department of Home Affairs in relation to the AEC.
3.76
However, Committee members observe that democratic institutions in Australia are broader than the AEC and include State and Territory electoral commissions, a free press, local councils, State and Federal parliaments, and political parties. The Committee heard evidence that these institutions should be considered critical infrastructure.
3.77
The Committee appreciates that democratic institutions have characteristics which distinguish them in important ways from other entities; importantly, Australia has robust statutory mechanisms which protect the administration of elections from political interference from executive government. It can not automatically be assumed that a regulatory regime designed to secure critical infrastructure operated by business entities will be suitable to protect political parties.
3.78
Therefore the Committee is recommending that the Government review the risk of cyber threat to all levels of democratic institutions, to ensure that the most appropriate protections are in place.
3.79
The Committee recommends the Government review the risks to democratic institutions, particularly from foreign originated cyber-threats, with a view to developing the most appropriate mechanism to protect them at Federal, State and local levels.
Caretaker conventions, disinformation and cyber attacks
3.80
The Committee acknowledges the importance of Mr Krebs’ observation that public officials, such as those from national security agencies, should be responsible for making any public notifications regarding cyber and disinformation threats, especially during election campaigns, in order to avoid perceptions of political influence:
… you never want the incumbent with the ability to put their thumb on the scale and change the outcome of the election… you would not have wanted a White House press conference for those sorts of announcements because that, in and of itself, can be politicised.
3.81
Evidence from the Department of Home Affairs confirmed that there is no requirement in Australia during the caretaker period for such information to be provided by a public official, or even for the incumbent government to advise or seek agreement from the opposition party prior to making such an announcement. Rather, any consultation during a caretaker period would be, “a matter for the Government”.
3.82
When questioned on this topic, the Department of Home Affairs Secretary advised the Committee:
It would be always open to, the head of the government—that is, the Prime Minister—or a minister who has relevant competency, to make a decision about making an [public] announcement about any matter within their legal authority. Whether it related to a cyberattack, whether it related to a natural disaster, whether it related to any matter, that would always be open to a minister.
Committee comment
3.83
Committee members observe that there are other conventions and rules in Australia’s system of government that require government consultation with the opposition party on certain matters, particularly in relation to national security or in the context of an election.
3.84
Given that foreign interference, disinformation and cyber attacks are new risks to the free and fair conduct of elections in Australia, the Committee recommends that the caretaker conventions be updated to reflect this new context.
3.85
The Committee recommends the Government review the processes and protocols for classified briefings for the Opposition during caretaker periods in response to serious cyber-incidents, and consider the best practice principles for any public announcement about those incidents.
Concluding comments
3.86
As outlined above, the Committee believes that there is a critical need to legislate now the urgent measures proposed within the SOCI Bill. The Committee also recognises that there is not consensus about the impact of all elements of the Bill. Rather than delay the time-sensitive elements of the Bill while other outstanding issues are resolved, the Committee has instead proposed this split to equip government now with the emergency powers it needs and give more time for the broader response to be settled with key stakeholders.
3.87
The recommendations made above are also the best result that the Committee feels can be reached given the significant constraints on this inquiry imposed by the Committee’s workload, the limited time remaining in the Parliamentary sitting calendar and the COVID environment.
3.88
This response seeks to balance the immediate cyber threat to critical infrastructure assets with the ability for government assistance when the threat becomes real and unmanageable by critical infrastructure entities themselves, while also allowing for the next stage of the framework to be designed, agreed and implemented on a consultative and cooperative basis.
3.89
The Committee realises that this split amendment of the SOCI Bill may be somewhat difficult to follow, so the below table is provided for a visual representation.
Table 3.1: Recommended split-Bill response
|
|
|
|
Government Assistance Measures – Part 3A
|
Positive Security Obligations -Part 2A risk management programs
|
|
Notification requirements – Part 2B – with relevant rules
|
Enhanced Security Obligations – Part 2C
|
|
Critical asset definitions and meanings, or other enabling provisions
|
Declarations of Systems of National Significance – Part 6A
|
|
Schedule 2 – ASD Criminal Code Amendments
|
Any other amendments, including revised amendments from Bill One, as well as rules
|
|
IS Act amendment
|
|