Major reforms to Australia's critical infrastructure laws - exposure draft legislation released
Critical Infrastructure regulation reform
What you need to know
- On 9 November 2020, the Australian Government released an exposure draft of the Security Legislation Amendment (Critical Infrastructure) Bill.
- The draft bill proposes to:
  - substantially broaden the application of the Security of Critical Infrastructure Act 2018 (Cth) to new classes of critical infrastructure sectors including the communications, data storage and processing, financial services and food and grocery sectors;
  - impose new positive security obligations on owners and operators of assets within these new classes upon the making of certain rules or determinations by the Minister for Home Affairs;
  - impose additional cyber security obligations on a new class of assets to be declared as "systems of national significance"; and
  - introduce new Government powers to not only direct owners and operators of critical infrastructure to provide information and do specified acts or things in response to a cyber security incident, but to also intervene in certain circumstances.
- The Government is currently accepting public submissions on the draft bill up until 5pm (AEDT) on 27 November 2020.
- Ahead of this date, the Government is hosting virtual town halls regarding the reforms on 16 and 19 November 2020.
What you need to do
In light of these proposed changes, businesses should:
- consider whether these reforms could impact their assets or systems and if so, what obligations the business will need to comply with if the draft bill becomes law;
- consider attending one of the virtual town halls and preparing submissions on the draft bill;
- seek to be involved in the co-design of related sector-specific rules expected to commence in 2021; and
- closely monitor any further Government announcements on these reforms.
What has just happened?
On 9 November 2020, the Australian Government released an exposure draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Draft Bill). This follows the release of the Government's Cyber Security Strategy 2020 and the Protecting Critical Infrastructure and Systems of National Significance Consultation Paper (the Consultation Paper) released in August 2020.
The Draft Bill proposes to amend the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) by:
- significantly broadening the application of the SOCI Act to new classes of critical infrastructure assets used in 11 industry sectors, including the communications, data storage and processing, financial services and food and grocery sectors;
- imposing positive security obligations on owners and operators of the aforementioned new classes of critical infrastructure assets upon the making of certain rules or determinations by the Minister for Home Affairs;
- imposing additional cyber security obligations on owners and operators of declared systems of national significance; and
- introducing new Government powers to direct organisations to provide information or do specified acts or things, and to itself intervene, in response to cyber attacks that prejudice Australia's social or economic stability, defence or national security.
At a high level, these proposed reforms are in line with the three initiatives set out in the Consultation Paper. However, the ability for the Government to intervene appears to operate with wider effect than noted in the Consultation Paper.
We take a further look at the key reforms proposed by the Draft Bill below.
Broadening the application of the SOCI Act
Currently, the obligations under the SOCI Act only apply to specific entities in the electricity, gas, water and maritime port sectors. In response to the evolving security landscape, the Draft Bill proposes to expand the application of the SOCI Act to entities in the following 11 sectors:
- communications (e.g. carriers, carriage service providers, intermediaries like mobile service retailers and commercial broadcasters);
- financial services and markets (e.g. banks and insurance providers);
- data storage and processing (e.g. data centres and IaaS, SaaS and PaaS providers). This includes providers that have been notified by a customer that the customer is a responsible entity for a critical infrastructure asset and that the provider's services handle business critical information (the Draft Bill introduces a new notification obligation requiring a responsible entity to give such notice as soon as practicable after becoming aware of this);
- food and grocery (e.g. supermarkets and food and grocery wholesalers);
- transport (e.g. commercial freight, public transport operators and operators of road and rail networks);
- defence industry;
- higher education and research;
- energy (e.g. organisations involved in the production, distribution and supply of electricity, gas or fuel);
- healthcare and medical;
- space technology; and
- water and sewerage.
While certain thresholds do apply before an asset is considered a critical infrastructure asset, the scope of entities captured by each designated critical infrastructure sector is generally wide and will often include entities that form part of the supply chain supporting a particular sector (for example, the food and grocery sector will in addition to the major supermarkets, include prescribed food and grocery wholesalers).
Consistent with the current SOCI Act, the Draft Bill imposes obligations on the responsible entity for a critical infrastructure asset. Generally, this will be either the owner or controller of the relevant critical infrastructure asset.
New positive security obligations
The Draft Bill introduces new positive security obligations which will only apply where the Minister for Home Affairs (the Minister) has made either a rule or a determination turning the specific obligation "on" for particular critical infrastructure assets. For the communications sector in particular, we note that the rules implementing these positive security obligations will be informed by the outcomes of the current Parliamentary Joint Committee's review of the Telecommunications Sector Security Reform framework.
These positive security obligations may require entities to:
- adopt and maintain, comply with, regularly review and keep up to date an all-hazards critical infrastructure risk management program (the content requirements of which are to be co-designed by government and industry stakeholders);
- report serious cyber security incidents to the Australian Signals Directorate (ASD); and
- provide ownership and operational information to the Register of Critical Infrastructure Assets (the Register).
We consider each of these positive security obligations in further detail below.
Risk management program
The Draft Bill provides that responsible entities of critical infrastructure assets may be required to:
- adopt and maintain, comply with, regularly review and keep up to date a critical infrastructure risk management program; and
- submit an annual report to the Secretary of Home Affairs (the Secretary) on whether this program was up to date and any hazards that had a significant impact on any of the entity's assets during the relevant period. We note that this annual report is to be signed off on by the board, council or other governing body of the relevant entity.
While sector-specific requirements in respect of these programs will be a matter left for the rules to be co-designed by both government and industry stakeholders, a critical infrastructure risk program should generally achieve the following principles:
- take an all-hazards approach to identifying material risks;
- develop methods to minimise and mitigate the impacts of these risks; and
- implement appropriate risk management oversight arrangements, including regular evaluation and testing.
Generally, responsible entities will be given six months to comply once a relevant rule imposing these risk management obligations commences. Failure to comply with these risk management obligations can attract a civil penalty of up to $42,000.
Mandatory reporting
The Draft Bill provides that responsible entities may be required to report the following to the ASD:
- critical cyber security incidents within 12 hours of becoming aware that the incident has or is having a significant impact on the availability of the asset; and
- any other cyber security incidents within 24 hours of becoming aware that such incident has, is having or is likely to have an impact on the availability, integrity, reliability or confidentiality of the asset.
Failure to comply with these reporting obligations can attract a civil penalty of up to $10,500.
The Register of Critical Infrastructure Assets
The Draft Bill extends existing reporting obligations for responsible entities to provide ownership and operation information for inclusion on the Register to the expanded class of designated critical infrastructure sectors.
Responsible entities will continue to have six months to comply once their reporting obligations commence. Failure to comply with these reporting obligations can attract civil penalties of up to $10,500.
Importantly, the Register is not public and there are certain protections under the SOCI Act limiting the use, recording and disclosure of information on the Register.
Enhanced obligations for systems of national significance
The Draft Bill provides that the Minister may declare a critical infrastructure asset as a "system of national significance".
A series of enhanced cyber security obligations can be imposed on the responsible entity of a system of national significance upon written notice given by the Secretary. This may include requirements to:
- adopt and maintain, comply with, regularly review, keep up to date and provide to the Secretary a copy of an incident response plan in respect of cyber security incidents;
- undertake a cyber security exercise to test response preparedness and mitigation, and provide an evaluation report to the Secretary;
- undertake a vulnerability assessment and provide a vulnerability assessment report to the Secretary; and
- provide system information relating to the operation of the computer needed to operate a system of national significance (but excluding any personal information (as defined in the Privacy Act 1988 (Cth))), including by providing periodic reports or event-based reports to the ASD.
Importantly, if the Secretary believes on reasonable grounds that a responsible entity would not be technically capable of preparing such system information reports, then the Secretary may require an entity to install and maintain a specified computer program to collect, record and transmit the required system information.
Failure to comply with these obligations can attract civil penalties of up to $42,000.
Government assistance
The Draft Bill also proposes to introduce a Government assistance regime which allows the Secretary, as authorised by the Minister, to do one or more of the following during and following a cyber attack that significantly prejudices Australia's social or economic stability, defence or national security:
- Information Gathering Direction – direct an entity to provide information to the Secretary;
- Action Direction – direct an entity to do one or more specified acts or things in response to the incident; or
- Intervention Request – request that the ASD do one or more prescribed acts or things (which can include accessing and removing computers, analysing, copying and modifying data, and altering the function of a computer) to respond to the incident.
Importantly, these directions and requests are not limited to the critical infrastructure asset directly affected by the incident but may extend to other entities related to the primary asset affected by the incident.
However, such directions and requests are subject to certain limitations and safeguards including requirements that:
- the direction or request is a proportionate response and reasonably necessary;
- compliance with the direction is technically feasible;
- an entity be unwilling or unable to take all reasonably necessary steps to appropriately resolve the incident before an Action Direction or Intervention Request can be made; and
- consultation with the affected entity occurs prior to making the direction or request unless this would frustrate the effectiveness of the direction or request.
We note that there are penalties of up to 2 years imprisonment and/or $31,500 for a failure to comply with the Secretary's directions or provide assistance in relation to an Intervention Request.
Further, entities have limited rights to appeal such decisions because:
- the Minister and Secretary need not consult the affected entity if it would frustrate the effectiveness of the authorisation, direction or request; and
- judicial review under the Administrative Decisions (Judicial Review) Act 1977 (Cth) is not available for such decisions.
Enforcement
We also note that the Draft Bill expands the enforcement powers under the SOCI Act to include monitoring and investigation powers and the power to provide infringement notices under the Regulatory Powers (Standard Provisions) Act 2014 (Cth).
What is next?
- The Government is hosting two virtual town halls regarding the Draft Bill on 16 and 19 November 2020. Registration to attend these town halls is available online.
- Public submissions on the Draft Bill should use the designated submission form and be returned by 5pm (AEDT) on 27 November 2020.
- The co-design process regarding sector-specific rules is expected to commence in 2021.
Digital Economy key contacts are: Tim Brookes, Partner; Rebecca Cope, Partner; Amanda Ludlow, Global Co-Head of Digital Economy; Emma Butler, Partner; Andrew Craig, Partner; and Angela Summersby, Partner.
Corporate Transaction key contacts are: Nigel Deed, Partner; Anita Choi, Partner; Lynda Tully, Partner; Murray Wheater, Partner; and Bruce Macdonald, Partner.
Authors: Tim Brookes, Partner; Rebecca Cope, Partner; Florence Tan, Lawyer; and Kerry Liang, Graduate.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.