News Article

26 Feb 2021

New National Critical Infrastructure Legislation

A brief background and overview of the Security Legislation Amendment (Critical Infrastructure) Bill 2020. How will it impact you? Where can you learn more about it?

In 2018 the Federal Government introduced new legislation: the Security of Critical Infrastructure Act 2018 (Cth) (SOCI). The new Act represented the first tranche of legislation designed to improve the government’s visibility and control of critical infrastructure (CI) in Australia. The Act applies to electricity, water and gas assets, and ports deemed ‘critical’ to Australia. The Act also introduced the concepts of ‘responsible entity’ and ‘direct interest holder’, and notably commenced a ‘register of assets’. This approach set the stage for the latest Amendment: the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which was introduced to Parliament on 10 Dec 2020.

The Amendment significantly changes the context of the 2018 Act. The principal changes are that it:

  • Increases the current four sectors to eleven:
    • Sectors will now include financial services, communications, data storage & processing, defence industry, higher education & research, energy, food and grocery, health care & medical, space technology, transport and water & sewerage;
  • Creates a new Positive Security Obligation (PSO) on owners and operators of CI (on the determination of such assets by the Minister);
  • Imposes new asset categories defined as ‘Systems of National Significance’ (SoNS), which attract additional cybersecurity measures or requirements classed as ‘Enhanced Cyber Security Obligations’ (ECSO);
  • Introduces new Government powers to direct owners and operators to perform acts, provide information, and intervene in certain circumstances;
  • Introduces new powers that would enable ASD to install software; access, add, restore, copy, alter or delete data; alter the ‘functioning’ of hardware; and/or remove it entirely from the premises;
  • Provides immunity from prosecution for Government personnel prosecuting the Act; and
  • Introduces financial penalties for non-compliance with sections of the Act.

The Amendment is targeted explicitly at cybersecurity vulnerabilities in CI, where a cyber-attack originating from a criminal or foreign state-based threat actor could damage Australia’s national security.

The Bill before the House has broad implications for corollary legislation associated with improving ‘national security’ that addresses foreign ownership aspects.

During the brief public consultation process, the principal concerns of business were regulatory duplication and the financial cost of these measures.

Given the extraordinary powers prescribed in the Amendment, and its parallels with aspects of the Telecommunications Sector Security Reforms (TSSR) Bill already under review by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), public submissions were invited; the invitation closed last week. The PJCIS gave respondents the opportunity to address whether a ‘unified scheme’ was more practical, as the TSSR reflects an industry covered under the proposed SOCI Amendment. At the time of this writing, some 63 responses had been published and are available here.

So what does this mean for owners of CI? There are evident problems ahead with the co-design of each sector’s specific rules and conditions, as both State and Federal laws will need review. Furthermore, the cost analysis in the Amendment is based on pre-COVID-19 data, and there has been inadequate consultation with the CI industry.

The Department of Home Affairs, specifically the Critical Infrastructure Centre (CIC), will commence the co-design process with open workshops on 2nd and 4th March. Stay tuned.

The ASIS International, Victoria, Australia Chapter will hold a FREE webinar on 23rd March at which the SOCI Amendment is the central topic.

Please REGISTER HERE if you would like to attend.