SoCI Bill passes the House on 22 Nov 2021

Formally known as Security Legislation Amendment (Critical Infrastructure) Bill 2020, and colloquially referred to as the SoCI Act 2.0, this pivotal legislation has now formally passed both houses of Parliament. It awaits Royal Assent before passing into law.

ASIS Victoria Chapter has been following the passage of this legislation since first mooted in late 2020.

The amendment was introduced to the House on 10 Dec 20, and promptly moved to the crowded task list on the Parliamentary Joint Committee for Intelligence and Security (PJCIS), where it was released on 29 Sep 21, reflecting a significant review process.

The PJCIS report recommended splitting the proposed Bill into two parts, which has been done.

So what is in, and what is out?

• The Bill has omitted the following:
  • proposed new Part 2A of the Act – critical infrastructure risk management programs
  • proposed new Part 2C of the Act – enhanced cyber security obligations
  • proposed new Part 6A of the Act – declaration of systems of national significance
• The Bill includes:
  • Part 1 All eleven sectors, including definitions and sector-specific descriptions into 22 different classes, The positive security obligation (PSO will be introduced
  • Part 2B Notification of cyber security incidents
  • Part 3A Responding to serious cyber security incidents

The Department of Home Affairs statement regarding the critical need for cyber security measures has been adopted. 

Summary:

The Bill proposes amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act), including to:

• Introduce additional critical infrastructure assets, which means that the existing powers under the SOCI Act, and the new powers to be introduced under this Bill, will apply to a broader range of assets. The Bill introduces definitions for the following critical infrastructure sectors and assets:
  • Communication sector: critical telecommunication assets, critical broadcasting assets, broadcasting transmission assets and critical domain name system
  • Data storage or processing sector: critical data storage or processing assets o Defence industry sector: critical defence industry assets
  • Financial services and markets sector: critical banking assets, critical superannuation assets, critical insurance assets and critical financial market infrastructure assets
  • Food and grocery sector: critical food and grocery assets
  • Higher education and research sector: critical education assets
  • Health care and medical sector: critical hospitals as critical infrastructure assets
  • Transport sector: critical freight infrastructure assets, critical freight services assets, and critical public transport assets
  • Energy sector: critical liquid fuel assets, and critical energy market operator assets, and
  • Space technology sector: critical space technology assets.
• In addition to the reporting obligations to the Register of Critical Infrastructure Assets in Part 2 of the current SOCI Act, the Bill will introduce a new positive security obligation (PSO) on owners and operators of critical infrastructure assets to report cyber security incidents to the Government. This will facilitate an enhanced understanding of cyber security threats to critical infrastructure to better inform both proactive and reactive cyber response options.
• Introduce a regime to support the Government responding to serious cyber security incidents which would allow the Government, in limited circumstances, to take actions to protect critical infrastructure assets that are subject to serious cyber security incidents.
• Enable the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to conduct a review of the operation, effectiveness and implications of the Bill not less than three years from when the Bill receives Royal Assent.

These amendments will implement an enhanced critical infrastructure security framework which will enhance the security and resilience of critical infrastructure in Australia, build situational awareness and enable the Government to assist industry to effectively prevent, defend against and recover from serious cyber security incidents. This will allow the Government to maintain the continuity of essential services that support Australia’s economy, security and sovereignty.

Amendments to the measures reflect:

• amend the proposed regime requiring the mandatory reporting of a cyber security incident by an entity to a relevant Commonwealth body to allow for the written report to be made within 84 hours (instead of 48 hours) of an oral report being made, and to empower a relevant Commonwealth body to exempt an entity from the requirement to provide a written report;
• require the Secretary to give a written report to the PJCIS about a cyber security incident in relation to which directions or requests in relation government assistance measures are given or made under sections 35AK, 35AQ or 35AX . The report must describe each of the directions or requests made in relation to the incident;
• allow the PJCIS to conduct a review of the operation, effectiveness and implications of the security of critical infrastructure legislative framework in the Act, to begin not more than three years from when the Bill receives Royal Assent.
• require any draft rules relating to the mandatory reporting obligations be provided directly to any entities which would reasonably be impacted by the draft rules and include an obligation that the Minister must formally respond to any submissions made by responsible entities;
• insert a definition of significant impact;
• in relation to a Ministerial authorisation under new section 35AD, if consultation is required, to inform relevant entities in writing and invite the entities to make a submission within 24 hours after receiving the draft authorisation;
• include an example of where a person is not entitled to cause access, modification or impairment of computer data or a computer program, being that if a person (including employees or agents of a responsible entity) exceeds their authority, then this will amount to such unauthorised access, modification or impairment for the purpose of the Act.

What's next?

On receiving Royal Assent, there is no honeymoon period, and the legislation will take immediate effect.  The work currently undertaken by the Cyber and Infrastructure Centre will remain ongoing as the Department continues to develop the working model with industry sectors through what has been coined a ‘co-design period’.

Industry sectors and businesses will have to wait and see how the respective State legislation will dovetail into the amended Act.