Security of Critical Infrastructure reforms fast-tracked in response to urgent cyber threats

By Ooma Khurana & Hemant Vijaykumar

• 01 October 2021 • 6 min read

A progress update on the security of critical infrastructure reforms

This week the Parliamentary Joint Committee on Intelligence and Security (PJCIS) issued its Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018.

The PJCIS has made 14 recommendations on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill), including a recommendation which would effectively ‘split’ the current Bill into two parts. The proposal allows for ‘urgent’ elements of the proposed reforms to be passed as soon as possible, with non-urgent elements deferred for further industry consultation.

The PJCIS has made this recommendation in direct response to

…compelling evidence that the pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate.

Critical Infrastructure Reforms

The Security of Critical Infrastructure Act 2018 (the Act) seeks to manage and address complex and evolving risks which threaten Australia's critical infrastructure and in turn Australia’s national security.

In December 2020, the Government proposed amendments to the Act to build on the existing regulatory regime, by granting new regulatory tools to Government and imposing additional obligations on industry to enhance the security and resilience of Australia’s critical infrastructure through the Bill.

The Bill proposes an enhanced regulatory framework to widen the application of the Act to address threats ranging from natural disasters to human-induced threats such as cyber-attacks, by amending the Act to:

  • impose additional positive security obligations (including obligations to adopt and maintain an all-hazards critical infrastructure risk management program and mandatory cyber security reporting) for a range of critical infrastructure assets

  • impose enhanced cyber security obligations on a new class of assets to be declared as 'systems of national significance' – those assets which are most critical to the security, economy and sovereignty of Australia

  • introduce new regulatory powers to provide direct assistance to industry in the event of a serious cyber security incident.

The Bill also expands the definition of critical infrastructure assets in the Act to a total of 22 asset classes (or 11 sectors), each of which will be subject to an enhanced regulatory framework if the Bill is passed as currently drafted. These requirements will apply to both foreign-owned and Australian-owned critical infrastructure where the critical infrastructure asset is located in Australia.

Of the 22 critical infrastructure asset classes, 10 have been fully defined in the Bill. These are:

  1. critical aviation assets
  2. critical data storage or processing assets
  3. critical defence industry assets
  4. critical education assets
  5. critical hospital assets
  6. critical market operator assets
  7. critical port assets
  8. critical public transport assets
  9. critical telecommunications assets
  10. critical water assets

However, in relation to the 12 remaining asset classes, further rules need to be made to determine whether individual assets are subject to the enhanced regulatory framework. These asset classes are:

  1. critical banking assets
  2. critical broadcasting assets
  3. critical domain name systems
  4. critical electricity assets
  5. critical financial market infrastructure assets
  6. critical food and grocery assets
  7. critical freight infrastructure assets
  8. critical freight services assets
  9. critical gas assets
  10. critical insurance assets
  11. critical liquid fuel assets
  12. critical superannuation assets

Referral to the PJCIS

The Bill was referred to the PJCIS in December 2020 in conjunction with a statutory review of the Act which was already required to occur by April 2021.

Meanwhile, consultation with industry, including in relation to the definition of proposed asset classes and other key aspects of the regulatory regime, has been ongoing. In particular, the Department of Home Affairs has continued to undertake consultation with industry with a view to developing co-designed, sector-specific rules for the proposed introduction of a mandatory risk management program.

However, the anticipated time frame for completing that co-design consultation process, which is being conducted on an asset class by asset class basis, currently extends into late August 2022.

The PJCIS Report

In its report, released earlier this week, the PJCIS notes that:

… the proposed framework has an inherently uncertain regulatory cost because much of the regulation is to be designed and defined in legislative instruments, rather than in the primary legislation. The uncertain obligations and costs imposed by the Bill would apply to Australian businesses in the context of an already fragile economy beset by lockdowns and other impacts of the COVID-19 pandemic. This environment has made it difficult for industry to fully engage in the consultation process and even more wary about the outcomes of it. As a result, many have called for the entire Bill process to be paused. Although sympathetic to these calls, the Committee does not believe that pausing the entire bill is the responsible course of action.

In response to these challenges the PJCIS has recommended that emergency powers be swiftly legislated in a standalone bill, with a second, separate bill to be introduced following further consultation. This approach would enable critical and urgent aspects of the Bill to be fast-tracked, while the Government continues to consult with industry to develop a more nuanced regulatory framework and with the intention that non-urgent elements of the Bill will be enacted at a later date.

Bill One

Bill One proposes to allow urgent elements of the reforms such as government assistance mechanisms, mandatory notification requirements and related measures to be enacted swiftly.

The PJCIS considers that this will ensure that the Government can exercise vital powers if and when ‘last resort’ circumstances arise.

Bill Two

The PJCIS recommends that the remaining elements of the Bill be amended in consultation with industry and reintroduced in a subsequent bill (Bill Two).

Bill Two would contain less urgent measures, such as risk management programs and declarations of Systems of National Significance (with accompanying enhanced cyber security obligations).

The PJCIS anticipates that Bill Two would proceed at a ‘more manageable pace’ for government and industry.

Associated with this recommendation, the PJCIS also recommends that Bill Two be referred back to the PJCIS for further review when it is introduced, alongside analysis of the impacts of the more urgent Bill One and the statutory review of the Act.

This is intended to ensure that legislative reforms in relation to Australia’s critical infrastructure

…are not just a ‘set and forget’ response to a current threat.

Summary

Following the PJCIS report and recommendations on the Bill, we await a response from the Government.

We will continue to follow the progress of these important reforms, which will have significant impact across a number of industry sectors.

The reforms have the potential to impose a significant regulatory burden in some cases, and non-compliance will give rise to financial penalties, so it is important to be aware of the proposed changes and the ongoing progress of the Bill. Watch this space for further details as they emerge.
