Attorney General announces Security of Critical Infrastructure Bill 2017 to deal with cyber security threats
October 10, 2017
The Attorney General today announced that the Government will introduce into Parliament a bill giving the Minister power to issue directions to owners and operators of critical infrastructure assets to mitigate national security risks. Clearly this relates to the ongoing and increasing threat posed by cyber attacks. An exposure draft of the bill has been released for comment until 10 November 2017.
Some notable provisions of the Bill are:
- there will be a Register of Critical Infrastructure Assets holding interest and control information and operational information on critical infrastructure assets; the Register will not be made public (Part 2, Division 2).
- responsible entities for critical infrastructure assets must provide operational information, and direct interest holders (entities holding at least a 10% interest, or a lease or interest giving them influence or control) must provide interest and control information, for the Register, and must notify the Government within 30 days of a notifiable event that makes the information previously given incorrect or incomplete (Part 2, Division 3).
- a ministerial directions power allowing the Minister to require reporting entities and operators of critical infrastructure assets to do, or refrain from doing, a specified act or thing where a risk to national security has been identified (Part 3, Division 2). Before issuing a direction the Minister must consider the following factors:
  - giving primary consideration to a mandatory ASIO adverse security assessment, which will consider the risk posed and include a recommendation for action
  - being satisfied that ‘good faith’ negotiations have occurred
  - considering the costs and consequences to services in implementing the mitigation
  - ensuring the direction is a proportionate response to the risk
- a power for the Secretary to require reporting entities and operators to provide information or documents relevant to managing national security risks to critical infrastructure (Part 4, Division 2).
- information obtained under this Act is protected information and can only be recorded, used or disclosed in certain circumstances and for particular purposes (Part 4, Division 3).
- there will be enforcement provisions including civil penalties, injunctions and enforceable undertakings. There are criminal penalties for disclosure of protected information (Part 5, Division 2).
- the Minister will be able to privately declare a particular asset to be critical infrastructure in circumstances where declaration of the asset publicly would pose a risk to national security (Part 6, Division 2).
- a requirement to report annually on the operation of this Act (Part 7, Division 4).
The release provides:
The Government is seeking views on new legislation to help manage the complex and evolving national security risks from foreign involvement in Australia’s critical infrastructure. The Security of Critical Infrastructure Bill 2017 has been developed based on feedback received from key government and industry stakeholders and will supplement existing federal, state and territory regulations.
Foreign involvement in Australia’s critical infrastructure is essential to Australia’s economy.
However with increased foreign involvement, through ownership, offshoring, outsourcing and supply chain arrangements, Australia’s national critical infrastructure is more exposed than ever to sabotage, espionage and coercion.
The Government’s Security of Critical Infrastructure Bill 2017 proposes two new measures to better manage these risks.
Firstly, it will create a ‘last resort power’ which will allow the Minister to issue a direction to an owner or operator of a critical infrastructure asset to mitigate significant national security risks.
Secondly, a critical assets register will be created providing the Government greater visibility of who owns, controls and has access to, critical infrastructure assets. This information will inform the Government’s assessments of assets most at risk from espionage, sabotage and coercion.
The Critical Infrastructure Centre was established in January this year to bring together expertise and capability from across the Australian Government to manage these complex risks. The Centre is delivering more coordinated national security assessments to inform foreign investment decisions in significant and complex cases.
The creation of the Centre has already refined our understanding of the highest-risk sectors and informed the further development of mitigation strategies.
The Government thanks critical infrastructure owners and operators and state and territory governments for their ongoing constructive engagement on these important issues.
More information on how to provide comment on the proposed legislation, and upcoming stakeholder forums is available at www.cicentre.gov.au
Submissions will be accepted until 10 November 2017.
The exposure draft of the bill provides:
A Bill for an Act to create a framework for managing critical infrastructure, and for related purposes
The Parliament of Australia enacts:
1 Short title
This Act is the Security of Critical Infrastructure Act 2017.
2 Commencement
(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
Commencement information
Column 1 (Provisions): 1. The whole of this Act
Column 2 (Commencement): A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 3 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period.
Column 3 (Date/Details): (blank)
Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.
(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.
3 Object of this Act
The object of this Act is to provide a framework for managing national security risks relating to critical infrastructure, including by:
(a) improving the transparency of the ownership and operational control of critical infrastructure in Australia in order to better understand those national security risks; and
(b) facilitating cooperation and collaboration between all levels of government, and regulators, owners and operators of critical infrastructure, in order to identify and manage those national security risks.
4 Simplified outline of this Act
This Act creates a framework for managing national security risks relating to critical infrastructure.
The framework consists of the following:
(a) the keeping of a register of information in relation to critical infrastructure assets (the register will not be made public);
(b) requiring certain entities relating to a critical infrastructure asset to provide information in relation to the asset, and to notify if certain events occur in relation to the asset;
(c) allowing the Minister to require certain entities relating to a critical infrastructure asset to do, or refrain from doing, an act or thing if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security;
(d) allowing the Secretary to require a reporting entity for, or an operator of, a critical infrastructure asset to provide certain information or documents;
(e) allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a national security risk relating to the asset.
Certain information obtained under, or relating to the operation of, this Act is protected information. There are restrictions on when a person may make a record of, use or disclose protected information.
Civil penalty provisions of this Act may be enforced using civil penalty orders or injunctions, and enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. The Regulatory Powers Act is applied for these purposes. Certain other provisions of this Act may be enforced by imposing a criminal penalty.
The Minister may privately declare a particular asset to be a critical infrastructure asset so that this Act applies to it. A private declaration can only be made if there would be a risk to national security if it were publicly known that the asset is critical infrastructure that affects national security.
The Secretary must give the Minister reports, for presentation to the Parliament, on the operation of this Act.
5 Definitions
In this Act:
ABN has the same meaning as in the A New Tax System (Australian Business Number) Act 1999.
acquisition of property has the same meaning as in paragraph 51(xxxi) of the Constitution.
adverse security assessment has the same meaning as in Part IV of the Australian Security Intelligence Organisation Act 1979.
appointed officer for an unincorporated foreign company means:
(a) the secretary of the company; or
(b) an officer of the company appointed to hold property on behalf of the company.
approved form means a form approved by the Secretary.
civil penalty provision has the same meaning as in the Regulatory Powers Act.
commencing day means the day this Act commences.
critical electricity asset has the meaning given by section 10.
critical infrastructure asset has the meaning given by section 9.
critical port has the meaning given by section 11.
critical water asset means water infrastructure or sewerage infrastructure:
(a) that is ultimately used to service at least 100,000 water or sewerage connections; and
(b) in relation to which an entity holds a licence, approval or authorisation (however described) to provide that service.
Note: The rules may prescribe that a specified critical water asset is not a critical infrastructure asset (see section 9).
direct interest holder in relation to an asset has the meaning given by section 8.
entity means any of the following:
(a) an individual, whether or not resident in Australia or an Australian citizen;
(b) a body corporate, whether or not formed, or carrying on business, in Australia;
(c) a body politic, whether or not an Australian body politic;
(d) a partnership, whether or not formed in Australia;
(e) a trust, whether or not created in Australia;
(f) a superannuation fund, whether or not created in Australia;
(g) an unincorporated foreign company.
Note: See Division 2 of Part 7 for how this Act applies to partnerships, trusts, superannuation funds and unincorporated foreign companies.
grace period for an asset means:
(a) for an asset that is, or will be, a critical infrastructure asset at the end of the period of 6 months starting on the commencing day—that 6 month period; or
(b) for an asset that becomes a critical infrastructure asset after the end of the period mentioned in paragraph (a)—the period of 6 months starting on the day the asset becomes a critical infrastructure asset.
interest and control information, in relation to an entity and an asset, has the meaning given by section 6.
notifiable event has the meaning given by section 24.
operational information in relation to an asset has the meaning given by section 7.
operator of an asset means:
(a) for a critical port—a port facility operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of a port facility within the port; or
(b) for a critical infrastructure asset other than a critical port—an entity that is authorised (however described) to operate the asset or part of the asset.
Note: For some assets, an operator of the asset is also the responsible entity for the asset.
port facility has the same meaning as in the Maritime Transport and Offshore Facilities Security Act 2003.
protected information means information, in relation to an asset, that:
(a) is obtained by a person in the course of performing duties or functions, or exercising powers, under this Act; or
(b) is the fact that the asset is declared under section 49 to be a critical infrastructure asset; or
(c) was information to which paragraph (a) or (b) applied and is obtained by a person by way of an authorised disclosure under Division 3 of Part 4 or in accordance with section 44.
Register means the Register of Critical Infrastructure Assets kept by the Secretary under section 18.
Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.
relevant industry, for an asset, is whichever of the following industries the asset relates to:
(a) electricity;
(b) water;
(c) ports;
(d) an industry prescribed by the rules for the purposes of this paragraph.
reporting entity for an asset means either of the following:
(a) the responsible entity for the asset;
(b) a direct interest holder in relation to the asset.
Note: An entity may be both the responsible entity for an asset and a direct interest holder in relation to the asset.
responsible entity for an asset means:
(a) for a critical electricity asset or a critical water asset—the entity that holds the licence, approval or authorisation (however described) to operate the asset to provide the service to be delivered by the asset; or
(b) for a critical port—the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of the port; or
(c) for an asset declared under section 49 to be a critical infrastructure asset—the entity specified in the declaration as the responsible entity for the asset (see subsection 49(2)); or
(d) for an asset prescribed by the rules for the purposes of paragraph 9(1)(e)—the entity specified by the rules for the asset.
rules means the rules made by the Minister under section 57.
security (other than in references to national security):
(a) other than in section 10—has the same meaning as in the Australian Security Intelligence Organisation Act 1979; and
(b) in section 10—has its ordinary meaning.
sewerage infrastructure means any infrastructure that is, or is to be, used for the collection, treatment, storage or conveyance of sewage.
superannuation fund has the meaning given by section 10 of the Superannuation Industry (Supervision) Act 1993.
this Act includes the rules.
unincorporated foreign company means a body covered by paragraph (b) of the definition of foreign company in section 9 of the Corporations Act 2001.
water infrastructure means any infrastructure that is, or is to be, used for the production, treatment, filtration, storage, conveyance or reticulation of water.
6 Meaning of interest and control information
(1) Information is interest and control information in relation to an entity (the first entity) and an asset if it is any of the following:
(a) the legal name of the first entity;
(b) if applicable, the ABN of the first entity, or other similar business number (however described) if the first entity was incorporated, formed or created (however described) outside Australia;
(c) for an entity other than an individual or body politic:
(i) the address of the first entity’s head office or principal place of business; and
(ii) the country in which the first entity was incorporated, formed or created (however described);
(d) for an entity that is an individual:
(i) the residential address of the first entity; and
(ii) the country in which the first entity usually resides; and
(iii) the country or countries of which the first entity is a citizen;
(e) for an entity that is a body politic:
(i) the address of the first entity’s head office or principal place of business; and
(ii) the country in which the first entity was formed or created (however described) as a body politic;
(f) the type and level of the interest the first entity holds in the asset;
(g) information about the influence or control the first entity is in a position to directly or indirectly exercise in relation to the asset, including:
(i) information about the control the first entity has over decisions relating to the running of the asset (such as voting or veto rights and the ability to appoint persons to the body that governs the asset); and
(ii) information relating to any person the first entity has appointed to the body that governs the asset (such as the full name of the person and the country or countries of which the person is a citizen);
(h) information about the ability, of a person who has been appointed by the first entity to the body that governs the asset, to directly access networks or systems that are necessary for the operation or control of the asset;
(i) for each other entity that is in a position to directly or indirectly influence or control the first entity:
(i) the information covered by paragraphs (a) to (e) as if a reference in that paragraph to the first entity were a reference to the other entity; and
(ii) information about the influence or control the other entity is in a position to directly or indirectly exercise in relation to the first entity;
(j) information prescribed by the rules for the purposes of this paragraph.
(2) Information under subsection (1) may include personal information (within the meaning of the Privacy Act 1988).
7 Meaning of operational information
(1) Information is operational information in relation to an asset if it is any of the following:
(a) the location of the asset;
(b) a description of the area the asset services;
(c) the following information about each entity that is the responsible entity for, or an operator of, the asset:
(i) the name of the entity;
(ii) the address of the entity’s head office or principal place of business;
(iii) whether the entity is incorporated, formed or created (however described) in Australia or another country;
(iv) if the entity is incorporated, formed or created (however described) in another country—that country;
(d) the following information about the chief operating officer (however described) of the responsible entity for the asset:
(i) the full name of the officer;
(ii) the country or countries of which the officer is a citizen;
(e) a description of the arrangement under which the operator operates the asset or a part of the asset;
(f) information prescribed by the rules for the purposes of this paragraph.
Note: For paragraph (e), this would include if the control system of the asset is to be managed by a foreign body.
(2) Information under subsection (1) may include personal information (within the meaning of the Privacy Act 1988).
8 Meaning of direct interest holder
(1) An entity is a direct interest holder in relation to an asset if the entity:
(a) holds a legal or equitable interest of at least 10% in the asset (including if the interest is held jointly with one or more other entities); or
(b) holds a lease of, or an interest in, the asset that puts the entity in a position to directly or indirectly influence or control the asset.
(2) Subsection (1) applies to an entity that is:
(a) a trust if one or more trustees hold the interest on behalf of the beneficiaries of the trust; or
(b) a partnership if one or more partners hold the interest on behalf of the partnership; or
(c) a superannuation fund that is a trust if one or more trustees hold the interest on behalf of the beneficiaries of the superannuation fund; or
(d) an unincorporated foreign company if one or more appointed officers hold the interest on behalf of the company.
Note: For appointed officers, see section 5.
9 Meaning of critical infrastructure asset
(1) An asset is a critical infrastructure asset if it is:
(a) a critical electricity asset; or
(b) a critical port; or
(c) a critical water asset; or
(d) an asset declared under section 49 to be a critical infrastructure asset; or
(e) an asset prescribed by the rules for the purposes of this paragraph.
(2) However, the rules may prescribe that a specified:
(a) critical electricity asset; or
(b) critical port; or
(c) critical water asset;
is not a critical infrastructure asset.
Prescribing an asset as a critical infrastructure asset
(3) The Minister must not prescribe an asset for the purposes of paragraph (1)(e) unless the Minister is satisfied that:
(a) the asset is critical to:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security; and
(b) there is a risk, in relation to the asset, that may be prejudicial to security.
(4) The Minister also must not prescribe the asset unless the Minister has first consulted with each Minister of a State, the Australian Capital Territory, or the Northern Territory, who has responsibility for the regulation or oversight of the relevant industry for the asset in the State or Territory in which the asset is located.
(5) Subsection (4) does not limit the persons with whom the Minister may consult.
10 Meaning of critical electricity asset
(1) An asset is a critical electricity asset if it is:
(a) a network, system, or interconnector, for the transmission or distribution of electricity; or
(b) an electricity generation station that is critical to ensuring the security and reliability of electricity networks or electricity systems in a State or Territory, in accordance with subsection (2).
Note: The rules may prescribe that a specified critical electricity asset is not a critical infrastructure asset (see section 9).
(2) For the purposes of paragraph (1)(b), the rules may prescribe requirements for an electricity generation station to be critical to ensuring the security and reliability of electricity networks or electricity systems in a particular State or Territory.
11 Meaning of critical port
An asset is a critical port if it is any of the following (as declared under section 13 of the Maritime Transport and Offshore Facilities Security Act 2003):
(a) Port of Darwin;
(b) Port of Geelong;
(c) Port Adelaide;
(d) Port of Rockhampton;
(e) Port of Port Botany;
(f) Port of Port Hedland;
(g) Port of Brisbane;
(h) Broome Port;
(i) Port of Cairns;
(j) Port of Christmas Island;
(k) Port of Dampier;
(l) Port of Eden;
(m) Port of Fremantle;
(n) Port of Gladstone;
(o) Port of Hay Point;
(p) Port of Hobart;
(q) Port of Melbourne;
(r) Port of Newcastle;
(s) Port of Townsville;
(t) Port of Sydney Harbour;
(u) a security regulated port (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) prescribed by the rules for the purposes of this paragraph.
Note: The rules may prescribe that a specified critical port is not a critical infrastructure asset (see section 9).
Division 3—Constitutional provisions and application of this Act
12 Application of this Act
This Act applies to the following:
(a) an entity that is a corporation to which paragraph 51(xx) of the Constitution applies;
(b) an entity that is a reporting entity for, or an operator of, an asset that is:
(i) in a Territory; or
(ii) used in the course of, or in relation to, trade or commerce with other countries, among the States, between Territories or between a Territory and a State; or
(iii) used for the purposes of the defence of Australia;
(c) an entity that is an alien (within the meaning of paragraph 51(xix) of the Constitution).
This Act applies both within and outside Australia.
Note: This Act extends to every external Territory.
(1) This Act binds the Crown in each of its capacities.
(2) This Act does not make the Crown liable to be prosecuted for an offence.
(3) The protection in subsection (2) does not apply to an authority of the Crown.
15 Concurrent operation of State and Territory laws
This Act is not intended to exclude or limit the operation of a law of a State or Territory to the extent that that law is capable of operating concurrently with this Act.
16 State constitutional powers
This Act does not enable a power to be exercised to the extent that it would impair the capacity of a State to exercise its constitutional powers.
Part 2—Register of Critical Infrastructure Assets
Division 1—Simplified outline of this Part
17 Simplified outline of this Part
The Secretary must keep a Register of Critical Infrastructure Assets, containing information in relation to those assets. The Register must not be made public.
The responsible entity for a critical infrastructure asset must give the Secretary operational information in relation to the asset.
An entity that is a direct interest holder in relation to a critical infrastructure asset must give the Secretary interest and control information in relation to the entity and the asset.
If particular events occur in relation to the asset, the relevant reporting entity for the asset must notify the Secretary of the event and provide certain information.
If an entity required to give notice or information dies or is wound up before doing so, the entity’s executor or liquidator must give the notice or information. An agent may give notice or information for an entity.
The rules may provide for exemptions from these requirements.
Division 2—Register of Critical Infrastructure Assets
18 Secretary must keep Register
The Secretary must keep a Register of Critical Infrastructure Assets, containing:
(a) the information obtained by the Secretary under Division 3 (obligation to give information and notify of events); and
(b) any information added under section 19; and
(c) any corrections or updates of information described in paragraph (a) or (b) that are made under section 20.
19 Secretary may add information to Register
The Secretary may add to the Register any of the following that is obtained by the Secretary (other than information obtained under Division 3):
(a) operational information in relation to a critical infrastructure asset;
(b) interest and control information in relation to a direct interest holder and a critical infrastructure asset.
20 Secretary may correct or update information in the Register
The Secretary may correct or update information in the Register.
21 Register not to be made public
The Secretary must ensure that the Register is not made public.
Note: See Division 3 of Part 4 for the use, recording and disclosure of protected information that may be contained in the Register.
Division 3—Obligation to give information and notify of events
22 Initial obligation to give information
(1) This section applies if an entity is, or will be, a reporting entity for a critical infrastructure asset at the end of the grace period for the asset.
Note: Once an entity has given information in relation to an asset under this section, the reporting entity for the asset must comply with section 23 (ongoing obligation to give information).
(2) The entity must give the Secretary the following information in accordance with subsection (3):
(a) if the reporting entity is the responsible entity for the asset—the operational information in relation to the asset;
(b) if the reporting entity is a direct interest holder in relation to the asset—the interest and control information in relation to the entity and the asset.
Note 1: An agent may give the information on the entity’s behalf (see section 28).
Note 2: If the reporting entity is not a legal person, see Division 2 of Part 7.
Civil penalty: 25 penalty units.
(3) The information must be given:
(a) in the approved form; and
(b) by the later of:
(i) the end of the grace period for the asset; and
(ii) the end of 30 days after the day the entity becomes a reporting entity for the asset.
23 Ongoing obligation to give information
(1) This section applies to a reporting entity for a critical infrastructure asset if a notifiable event occurs in relation to the asset:
(a) after the entity gives information in relation to the asset under section 22; or
(b) after the end of the grace period for the asset.
Requirement to give information
(2) If the reporting entity is required to give information in relation to the event in accordance with subsection (3), the reporting entity for the asset must give the Secretary that information and notice of the event:
(a) in the approved form; and
(b) by the end of 30 days after the event occurs.
Note 1: An agent may give the notice and information on the entity’s behalf (see section 28).
Note 2: If the reporting entity is not a legal person, see Division 2 of Part 7.
Civil penalty: 25 penalty units.
(3) The following table sets out the information a reporting entity is required to give in relation to the event.
Ongoing obligation to give information
Item 1: If the event is an event covered by subparagraph 24(a)(i), the entity that is the responsible entity for the asset immediately after the event occurs must give any operational information in relation to the asset that is necessary to correct or complete the operational information, in relation to the asset, previously obtained by the Secretary.
Item 2: If the event is an event covered by subparagraph 24(a)(ii), the entity that is the direct interest holder to which the information relates must give any interest and control information in relation to the entity and the asset that is necessary to correct or complete the interest and control information, in relation to the entity and the asset, previously obtained by the Secretary.
Item 3: If the event is an event covered by paragraph 24(b) or (c) relating to the responsible entity for the asset, the responsible entity for the asset must give the operational information in relation to the asset.
Item 4: If the event is an event covered by paragraph 24(b) or (c) relating to a direct interest holder in relation to the asset, the direct interest holder in relation to the asset must give the interest and control information in relation to the entity and the asset.
Exception to requirement to give information
(4) However, subsection (2) does not apply in relation to the event (the first event) if:
(a) before the end of 30 days after the first event occurs, another notifiable event (the second event) occurs in relation to the asset; and
(b) a result of the second event is that the information in relation to the asset that was required to be given to the Secretary under subsection (2) following the first event is no longer correct.
Note: An entity that wishes to rely on subsection (4) in proceedings for a civil penalty order bears an evidential burden in relation to the matter in that subsection (see section 96 of the Regulatory Powers Act).
24 Meaning of notifiable event
An event is a notifiable event in relation to a critical infrastructure asset if:
(a) the event has the effect that either of the following previously obtained by the Secretary for the purposes of this Act becomes incorrect or incomplete:
(i) the operational information in relation to the asset;
(ii) the interest and control information in relation to a direct interest holder and the asset; or
(b) the event is an entity becoming a reporting entity for the asset; or
(c) the event is a reporting entity for the asset becoming an entity to which this Act applies (see section 12).
Note: If an asset becomes a critical infrastructure asset after the end of the period of 6 months starting on the commencing day, a reporting entity for the asset initially has 6 months in which to provide information in relation to the asset (see section 22).
25 Rules may exempt from requirement to give notice or information
The rules may provide that this Division, or specified provisions of this Division, do not apply in relation to:
(a) any entity; or
(b) specified classes of entities; or
(c) specified entities;
either generally or in specified circumstances.