A clearer picture of the coming Cyber Security Bill and critical infrastructure reforms
06 August 2024
06 August 2024
These reforms are part of Australia's 2023-2030 Cyber Security Strategy vision to be a world leader in cyber security by 2030 – read about the strategy, and Ashurst's response to the earlier discussion paper.
Proposed new Cyber Security Bill
| Proposed Critical Infrastructure reforms
|
Media reports of comments from Minister Clare O'Neil last week reveal the Government's thinking around ransom reporting. A recent cabinet reshuffle has seen Minister Tony Burke take over cyber security responsibilities from Minister O'Neil, and the appointment of Andrew Charlton as Special Envoy for Cyber Security and Digital Resilience.
A new "limited use" requirement will limit how the Australian Signals Directorate (ASD) and National Cyber Security Coordinator (NCSC) can use information provided to them by cyber attack targets – in the hope that businesses will be more comfortable cooperating with cyber agencies if they have comfort that information won't be used to take enforcement action against them.
This regime is not a "safe harbour" – it will not provide any form of immunity, and will not prevent regulators with enforcement functions (like the ACCC, the OAIC, the ACMA, the APRA or the ASIC) using regulatory powers to obtain that same information directly from organisations who have been the target of a cyber attack. If information is not carefully handled by agencies, there also remains a risk of information disclosed to those agencies being the subject of a freedom of information request, or a subpoena from an aggrieved third party.
Consultation feedback emphasised that keeping permitted uses narrow is essential to encouraging cooperation. At the same time, new laws will need to enable both the ASD and the NCSC to perform all of their functions, and to make sure that information can be shared with agencies involved in incident response and recovery (which might include enforcement action against a bad actor, or another entity involved in an incident). Regardless, clarity will be essential if the proposed “limited use” obligation is to have the desired outcome of business more openly sharing information, real time, with the ASD and NCSC.
It is not currently proposed that the "limited use" restriction will apply to the Cyber Incident Review Board (discussed below). The Review Board will face a similar challenge in providing industry with comfort that cooperation will not expose businesses to greater regulatory action or civil litigation risks.
A new Cyber Incident Review Board investigations will deliver "no fault, lessons learned" reviews of significant cyber incidents, modelled on similar safety-oriented bodies such as the US Cyber Safety Review Board (CSRB) and the Australian Transport Safety Bureau.
Submissions to consultations generally supported either modest or no information gathering powers, and raised concerns about whether information collected will remain confidential. The US CSRB currently relies on voluntary cooperation, but we may see information gathering powers introduced as part of renewed calls to legislate the body following the recent CrowdStrike mass outage. Under the CSRB's charter, its reports and related materials are protected under Presidential Communications Privilege, and an organisation's consent is required to include its non-public information in public reports.
Australian legislation will need to balance these concerns to encourage open engagement with the new Review Board.
Submissions also raised concerns around impartiality and conflicts of interest. Legislation will need to include flexibility to make sure that the Review Board has appropriate expertise available to it (including from industry) while managing the risks of conflicts of interest – particularly amongst competitors. Legislation will need to be flexible enough to deal with any teething problems for significant new investigative body, and to rapidly deal with any unforeseen challenges.
Australia will look to align cyber security standards for consumer-grade connectable devices (Internet of Things or IoT devices) with international regimes, focusing on the first three principles of the European Telecommunications Standards Institute (ETSI) standard ETSI EN 303 645 as a minimum baseline.
Australia’s regime will likely follow the United Kingdom's new Product Security and Telecommunications Infrastructure regime (which came into effect 24 April 2024), which requires the following:
We may see flexibility introduced to allow compliance with equivalent alternative standards, and to accommodate sector-specific requirements, such as standards for consumer energy resources (such as rooftop solar, batteries and electric vehicle chargers) being considered in the recent Consumer Energy Resources (CER) Roadmap.
The ASD has released guidance to help manufacturers comply with all 13 secure-by-design principles covered by the complete ETSI EN 303-645.
Submissions to consultations emphasised that critical infrastructure reforms should be very clear, supported by appropriate guidance, and should not duplicate obligations under other regimes (such as under the Privacy Act or financial services regulation).
Coming reforms will amend the Security of Critical Infrastructure Act.
Entities already covered by critical infrastructure legislation will need to treat internal systems that hold business critical data as critical infrastructure assets in their own right. This will likely mean that protection of large volumes of personal information is captured under both the Privacy Act and Security of Critical Infrastructure Act, although the Security of Critical Infrastructure Act will also capture non-personal information that is still business critical.
The new asset type is focused on internal systems – systems supplied by third parties should already be addressed as "critical data storage or processing assets."
The focus will be on systems that if compromised would have an impact on availability, integrity, reliability or confidentiality of another critical infrastructure asset.
For many organisations, it will be difficult to identify which of its systems fall into this new category, and we expect (at least initially) an education and uplift approach will be adopted with additional guidance on what business critical data might mean for different entities, and what systems have a sufficient connection to the main critical assets.
Understanding which systems are "in scope" will in practice require an understanding of what data is considered "business critical data" under the Security of Critical Infrastructure Act, together with a risk assessment – for example, considering whether compromise of a data storage system may allow lateral movement between IT systems, or between IT systems and Operational Technology systems.
Organisations will need to add systems holding business critical data to the Register of Critical Infrastructure, a process that requires a good understanding of the operational management responsibilities and the ownership, influence and control that entities (including suppliers) may have over systems.
These powers supplement existing cyber incident response powers that allow the Minister to authorise directions in relation to critical infrastructure assets as well as participants in the relevant infrastructure sector.
New laws will expand this regime to apply to:
The expanded powers will be subject to the same safeguards as the existing regime – for example, that no existing regulation can provide a practical response, that the incident has or is likely to have a relevant impact to availability, confidentiality, integrity or reliability of a critical infrastructure asset, and that there is a material risk to Australia’s social or economic stability.
Reforms will allow entities to share protected information about their critical assets for the purpose of the continued operation of, or mitigation of risks to, an asset. You read more in our publication, Clarifying the protected information regime under the SOCI Act.
Proposed amendments will allow written directions where a Critical Infrastructure Risk Management Program (CIRMP) is seriously deficient (such that it carries a material risk to the socioeconomic stability, defence, or national security of Australia, or there is a severe and credible threat to national security).
Before a direction is issued, the regulator will give an entity notice of the deficiency and consider any response and any actions taken or to be taken.
Security requirements currently spread through the Telecommunications Act (including Part 14 of that Act, Carrier Licence Conditions and a Service Provider Determination) and the Security of Critical Infrastructure Act will be consolidated in the Security of Critical Infrastructure Act.
Through ongoing consultation with the Australian Telecommunications Security Reference Group, the new laws are hoped to simplify regulatory arrangements, minimise duplication, create clear demarcation between the role of telecommunications and critical infrastructure regulators, and bring an "all hazards" approach to telecommunications security regulation (consistent with other critical infrastructure sectors).
In addition to the proposed reforms, Cyber and Infrastructure Security Centre (CISC) has indicated that critical infrastructure oversight is shifting from an "education and awareness" posture to a compliance focused posture. We have already seen industry compliance with Security of Critical Infrastructure obligations tested through a series of trial audits in the latter half of 2023-24. This shift will continue to progress in 2024-25.
CISC has also indicated that it will partner with entities responsible for Systems of National Significance (SoNS), to ensure they understand and comply with the additional obligations that apply to them, known as Enhanced Cyber Security Obligations.
These changes have been proposed in the midst of a very ambitious and busy digital, technology and cyber agenda for the Government, not long before the end of its term.
Authors: John Macpherson, Partner, Ashurst Risk Advisory; Geoff McGrath, Partner; John Moore, Director, Ashurst Risk Advisory; Andrew Hilton, Expertise Counsel; Thomas Suters, Graduate.
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com
This material is current as at 6 August 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.
Sign-up to select your areas of interest
Sign-up