Security Legislation Amendment (Critical Infrastructure) Bill 2021 passed by both Houses of Parliament.
November 24, 2021
The Security Legislation Amendment (Critical Infrastructure) Bill passed both houses of the Commonwealth Parliament on Monday 22 November 2021.
Key elements of the legislation are:
- Section 8D defines the critical infrastructure sector as being:
Each of the following sectors of the Australian economy is a critical infrastructure sector:
(a) the communications sector;
(b) the data storage or processing sector;
(c) the financial services and markets sector;
(d) the water and sewerage sector;
(e) the energy sector;
(f) the health care and medical sector;
(g) the higher education and research sector;
(h) the food and grocery sector;
(i) the transport sector;
(j) the space technology sector;
(k) the defence industry sector.
- Section 8E defines a critical infrastructure asset as being an asset that relates to a critical infrastructure sector. There are also definitions of specific types of critical infrastructure assets.
- there are very broad definitions of when assets relate to a sector
- the definition of a relevant impact is broad and general
- Part 2B sets out the obligations of mandatory reporting. Section 30BC, regarding a critical cyber security incident, provides, in part:
(1) If:
(a) an entity is the responsible entity for a critical infrastructure asset; and
(b) the entity becomes aware that:
(i) a cyber security incident has occurred or is occurring; and
(ii) the incident has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset;
the entity must:
(c) give the relevant Commonwealth body (see section 30BF) a report that:
(i) is about the incident; and
(ii) includes such information (if any) as is prescribed by the rules; and
(d) do so as soon as practicable, and in any event within 12 hours, after the entity becomes so aware.
In short compass, a “critical cyber security incident” which has occurred or is occurring has to be reported, in writing or orally, within 12 hours of the organisation, business or agency becoming aware that it has had, or is having, a “significant impact” on the availability of a critical infrastructure asset. An oral report has to be confirmed in writing within a further 84 hours.
A “significant impact” occurs when the incident materially disrupts the availability of essential goods or services that use, or are used by, the asset. Under the Act this involves proper consideration of the services concerned and of the impact of the disruption in the context of the cyber security incident.
- Lesser incidents are dealt with as other cyber security incidents under section 30BD, which provides, in part:
(1) If:
(a) an entity is the responsible entity for a critical infrastructure asset; and
(b) the entity becomes aware that:
(i) a cyber security incident has occurred, is occurring or is imminent; and
(ii) the incident has had, is having, or is likely to have, a relevant impact on the asset;
the entity must:
(c) give the relevant Commonwealth body (see section 30BF) a report that:
(i) is about the incident; and
(ii) includes such information (if any) as is prescribed by the rules; and
(d) do so as soon as practicable, and in any event within 72 hours, after the entity becomes so aware.
Reporting is less onerous: within 72 hours of becoming aware that the incident has had, is having, or is likely to have a “relevant impact on the asset”. A “relevant impact” is defined very widely. It is safe to say that it covers circumstances where the incident would impact the availability, reliability, confidentiality or integrity of the asset in question.
- Under the legislation the Government has the power to respond to serious cyber security incidents that impact the ability of Australia’s critical infrastructure assets to deliver essential services when:
- a cyber security incident has occurred/ is occurring/ is imminent;
- the incident has had/ is having/ is likely to have a “relevant impact” on a “critical infrastructure asset” – being an impact on the availability, reliability, confidentiality or integrity of the asset;
- there is a material risk that the incident has seriously prejudiced/ is seriously prejudicing/ is likely to seriously prejudice:
- the social or economic stability of Australia or its people;
- the defence of Australia; or
- national security; and
- there is no existing regulatory system of the Commonwealth, a State or a Territory available to provide a practical and effective response to the incident.
- The means of responding is for the Minister for Home Affairs to authorise the Secretary of Home Affairs to, for a prescribed time period, give:
- directions to a specified organisation to gather information regarding the incident and its impact on the relevant “critical infrastructure asset”/ specified “critical infrastructure sector asset”;
- directions to a specified organisation (“entity”, to use the language of the legislation) requiring it to take specific action in response to the incident and the “critical infrastructure asset”/ specified “critical infrastructure sector asset”; or
- an intervention request, authorising the ASD to provide specified assistance and cooperation in response to the incident and the relevant “critical infrastructure asset”/ a specified “critical infrastructure sector asset”.
These powers are broad and go beyond “critical infrastructure assets”. They cover “critical infrastructure sector assets”.
- the Minister may give an “action direction” where he or she is satisfied that:
- the entity is unwilling or unable to take all reasonable steps to resolve the incident; and
- the direction is reasonably necessary to respond to the incident; and
- the direction is a proportionate response to the incident; and
- compliance with the direction is technically feasible.
A failure to comply with an action direction has a penalty of 2 years imprisonment and/or a fine of $26,640 for an individual or $133,200 for a corporation.
- the Minister can issue an intervention request where satisfied that an action direction would not constitute a practical and effective response to the incident; otherwise the same criteria required for an action direction apply. In that case the ASD may be authorised to respond to an incident by:
- accessing, modifying or analysing computer systems or data;
- installing computer programs;
- removing, disconnecting, connecting or adding computers or computer devices; and
- accessing premises.
Again the penalties for non-compliance are severe: 2 years imprisonment and/or fines of $33,300 for an individual and $166,500 for a corporation.
These powers are quite extraordinary and it is quite surprising that they were not the subject of media coverage and concerns. The times we live in perhaps might explain that.
The Second Reading Speech provides:
The first priority of the Morrison government is the safety and security of Australians.
Millions of Australians use power, water, banking and health services on a daily basis and do not have to think about the supporting systems and infrastructure that deliver those essential services to our community and across the country.
Imagine a day without power or water because the systems that reliably deliver these services to our homes and our businesses have been attacked or deliberately disrupted.
A prolonged and widespread failure in the energy sector, for example, could have catastrophic and far-reaching consequences. Such an incident may lead to shortages or destruction of essential medical supplies; impact food, groceries, water supply and telecommunications networks; disrupt transport, traffic management systems and fuel; reduce or shutdown banking, finance and retail services; and leave businesses and governments unable to function.
The introduction today of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is a significant step in the protection of the critical infrastructure and essential services which all Australians rely upon.
Critical infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation’s wealth and prosperity, and national security.
While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune.
Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years we have seen cyberattacks on federal parliamentary networks, logistics, the medical sector and universities, just to mention a few.
Internationally, we have seen cyberattacks on critical infrastructure, including water services and airports.
COVID-19 has also strained the ability of critical infrastructure to deliver essential services. These disruptions show how quickly events can cause widespread physical, financial and indeed psychological damage.
While owners and operators of critical infrastructure are best placed to deal with such threats, it takes a team effort to bring about positive change. That is why the ongoing security and resilience of critical infrastructure must be a shared responsibility, not only by all governments and the owners and operators of the infrastructure but indeed by all Australians. The cost of inaction is far too great to ignore.
This bill signifies an enhanced effort to ensure the ongoing security and resilience of critical infrastructure and the essential services they provide for all Australians.
This bill will extend the application of the Security of Critical Infrastructure Act 2018 to additional sectors and assets within those sectors that are critical to:
maintaining basic living standards for the Australian population;
sustaining Australia’s wealth and prosperity;
Australia’s national security and defence; and
the security of large or sensitive data holdings.
This includes communications, transport, data and the cloud, food and grocery, defence, higher education, and research and health.
The bill will build on the regulatory regime in the existing act by introducing a new framework designed to uplift the all-hazards security and resilience of critical infrastructure assets and provide government with greater visibility of cyberattacks.
Part 2A of the bill requires entities to adopt and comply with a risk management program that ensures that critical infrastructure assets are protected and safeguarded from all hazards. This obligation is designed to uplift core security practices of critical infrastructure assets by ensuring that entities take a holistic and proactive approach to identifying, preventing and mitigating risks.
Part 2B of the bill creates a framework that requires entities to report cybersecurity incidents to the Australian Signals Directorate. The purpose of this framework is to establish a comprehensive understanding of the cybersecurity risks to critical infrastructure assets.
Through greater awareness, the government can better see malicious trends and campaigns which would not be apparent to an individual victim of an attack. This will ensure that the government can appropriately advise and assist entities across the economy to better safeguard their assets from cyberattacks.
The bill also facilitates the government to work with industry to strengthen the cyber preparedness and resilience of entities that operate assets of the highest criticality to Australia’s national interests. These assets of highest criticality are defined as systems of national significance due to the role they serve in the economy and the consequences to the national interest should they be unavailable or inoperable.
The enhanced cybersecurity obligations will support a bespoke, outcomes-focused partnership between government and Australia’s most critical assets and will build an aggregated threat picture and understanding of cybersecurity risks to critical infrastructure in a way that is mutually beneficial to government and industry.
These obligations will require the responsible entity for a system of national significance to undertake one or more prescribed activities requested by the Department of Home Affairs, including:
developing cybersecurity incident response plans to prepare for a serious cyber incident;
undertaking cybersecurity exercises to build cyber preparedness;
undertaking vulnerability assessments to identify vulnerabilities for remediation; and
providing system information to build Australia’s situational awareness.
While private industry is best placed to protect critical infrastructure, some threats are too sophisticated or disruptive to be handled alone. That is why Part 3A of this bill provides government with last-resort powers to respond to a serious cyber incident that is having, has had or may have an impact on a critical infrastructure asset and there is a material risk to Australia’s national interests. These new powers will ensure government is able to act effectively and decisively in responding to cyberattacks that go beyond the capability or capacity of industry to respond.
Under the bill, the Minister for Home Affairs will be able to authorise the Secretary of Home Affairs to:
give directions to a specified entity for the purposes of gathering information—positioning government to understand the nature of the incident and determine alongside industry any further action that might be necessary
give directions to a specified entity requiring the entity to take certain actions or do certain things in response to the incident—limited to where the entity is unwilling or unable to resolve the incident; or
request an authorised government agency to provide assistance in responding to the incident—it may be necessary for the government to step in and take the necessary actions to defend the asset where directing an entity to take specified action would not be practical or effective.
These new powers will be subject to stringent authorisation and oversight mechanisms, including:
the Minister for Home Affairs being satisfied that there is a material risk that the incident has or will seriously prejudice:
the social or economic stability of Australia or its people; or
the defence of Australia; or
national security.
Government only being able to take action if the entity is unwilling or unable to take all reasonable steps to resolve the cybersecurity incident. This is reflective of the government’s continued view that industry are primarily responsible for responding to incidents impacting their business.
Any direction or action authorised must be reasonably necessary and proportionate, and technically feasible to comply with.
Finally, before authorising a request to directly intervene, the Minister for Home Affairs must obtain the agreement of the Prime Minister and the Defence Minister.
The bill has been developed through extensive consultation with industry. This includes consulting with over 3,000 people and receiving close to 350 submissions over two separate periods of consultation on a consultation paper and exposure draft legislation. I would like to thank industry and the department for the constructive approach to the consultations and their assistance in developing the legislation with the home affairs department.
The final bill reflects the outcomes of the consultation process and ensures we have the right balance between taking effective steps to manage security of our critical infrastructure and appropriate checks and balances. This includes mandatory industry consultation periods, reporting mechanisms and oversight by IGIS.
However, this is not the end of consultation; the government is committed to continuing the conversation to ensure that the reforms are operationalised in the most appropriate and effective manner.
An enhanced partnership with industry will be key to the success of these reforms. Strengthening government’s cooperation and collaboration with industry is a vital part of improving the resilience of Australia’s critical infrastructure.
In 2021, the government will relaunch the Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience and a revised Critical Infrastructure Resilience Strategy to further embed the genuine industry government partnership approach to managing the security and resilience of our critical infrastructure.
This enhanced industry engagement mechanism will be central as we commence co-design of the sector-specific requirements and best practice guidance which will underpin the Risk Management Program.
To ensure the Risk Management Program obligations are fit for purpose and drive genuine security uplift, we will work with industry to ensure the rules are proportionate to the risks impacting each sector, recognise existing approaches and impose the least regulatory burden necessary. These obligations will not commence for a given sector until we have completed this co-design work with industry.
The bill demonstrates the government’s commitment to uplifting the security and resilience of Australia’s critical infrastructure assets. It guarantees the continued growth of Australian industry and the ability for businesses to compete in overseas markets. It allows Australians to have uninterrupted access to essential services and ensures that our society and living standard continues to be the envy of the world. It ensures that Australia continues to be a safe, prosperous and wealthy nation.
Before concluding, I’d like to take this opportunity to thank all of the hardworking officers of the home affairs portfolio for their work during this difficult year. No-one could have anticipated the events of 2020, but it is clear your outstanding response has kept Australians safe and secure in unprecedented times. Specifically with regard to the development of these important reforms and the comprehensive consultations conducted with industry regarding the proposed regime I would like to thank Hamish Hansford, Sam Grunhard, Andrew Kiley, Louise Bechtel, Lib Clark, Alex Sallabank and Luke Muffet for their tireless efforts. I’m very proud of the work of these officers and those across the department.
The scope and operation of the Act will require organisations controlling critical infrastructure assets to develop comprehensive data breach notification protocols which are much more detailed and comprehensive than those an organisation would need under the Data Breach Notification Regime. Given the tight time frames and onerous obligations, an organisation owning or operating a “critical infrastructure asset” will need to have a comprehensive, easy to implement cyber-attack response and recovery plan. Specific staff should have specific roles and everyone should be familiar with those roles. That means training and simulations. In my experience many organisations’ plans to comply with the current Mandatory Data Breach Notification Scheme are vague and ineffective. Given that it is self-assessed and the criteria in the Scheme are vague, it has not been treated as seriously as it should be. The consequences of non-compliance are not significant. This legislation is a different matter. The obligations are onerous, the time frames narrow and the consequences for breaches severe. Protocols need to be carefully structured having regard to the various obligations, the role the organisation performs and the asset. A “one size fits all” approach will not work.
Under the existing Act, the organisations covered should already have processes to comply with the current information provision requirements in respect of the Register of Critical Infrastructure Assets. Now other organisations will need to establish their own processes.