As part of a broader strategy to strengthen the cyber security resilience of Australia’s infrastructure, the Government introduced the Security Legislation Amendment (Critical Infrastructure) Bill (the Bill) into Parliament on 10 December 2020. In response to a range of client queries on the implications of the Bill, we provide a short insight.
The Bill proposes to substantially broaden the application of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) to 11 sectors of critical infrastructure;
The Bill gives the Federal Government wider powers, including the ability to intervene and direct organisations to provide information or do specified acts when responding to cyber security incidents; and
Proposed new obligations include:
a 'positive security obligation' for critical infrastructure, including mandatory cyber incident reporting and a risk management program; and
enhanced cyber security obligations for systems deemed to be of 'national significance'.
The SOCI Act currently applies to operators of assets in only four critical infrastructure sectors - electricity, gas, water and ports.
The Bill introduces an expanded definition of 'critical infrastructure sector', which will broaden the application of the SOCI Act to 11 classes of critical infrastructure, including:
The Bill introduces positive security obligations where the Minister for Home Affairs (the Minister) has made a rule or determination turning the specific obligation "on" for particular critical infrastructure assets. These positive security obligations may require entities to:
The Minister may declare a critical infrastructure asset a 'system of national significance', having regard to the nature and extent of interdependencies between the asset and other critical infrastructure assets. At this stage, no systems of national significance have been declared.
If declared a system of national significance, an entity may be subject to enhanced cyber security obligations, including requirements to:
Importantly, if the Secretary believes that a responsible entity would not be technically capable of preparing such system information reports, the Secretary may require an entity to install and maintain a specified computer program to collect, record and transmit the required system information.
The Bill introduces a Government assistance regime which permits the Secretary to issue one or more of the following directions and requests during and after a cyberattack that significantly prejudices Australia's social or economic stability, or national security:
Concerns have been raised by organisations over the Bill – in particular, over the Government’s new direct-action powers and the wide range of organisations which will become subject to the new rules (regardless of their nexus to the traditional infrastructure sector).
Businesses and the Government have differing priorities during a cyberattack, including:
From January 2021, the Department of Home Affairs has been working to implement the reforms through consultation.
The Parliamentary Joint Committee on Intelligence and Security has commenced a review into the operation, effectiveness and implications of the Bill, due to be completed by 11 April 2021.
If you would like to further understand the likely impact on your business, please reach out to one of our team.