Commonwealth of Australia Explanatory Memoranda



SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE) BILL 2021

                           2019-2020




THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA




               HOUSE OF REPRESENTATIVES




        SECURITY LEGISLATION AMENDMENT
       (CRITICAL INFRASTRUCTURE) BILL 2020




              EXPLANATORY MEMORANDUM




    (Circulated by authority of the Minister for Home Affairs,
                the Honourable Peter Dutton MP)


Security Legislation Amendment (Critical Infrastructure) Bill 2020

OUTLINE

1. The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia's critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver.

2. Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption and result in cascading consequences across our economy, security and sovereignty.

3. Threats ranging from natural hazards (including weather events) to human induced threats (including interference, cyber attacks, espionage, chemical or oil spills, and trusted insiders) all have the potential to significantly disrupt critical infrastructure. Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, and the impacts of COVID-19 illustrate that threats to the operation of Australia's critical infrastructure assets continue to be significant. Further, the interconnected nature of our critical infrastructure means that compromise of one essential function can have a domino effect that degrades or disrupts others.

4. The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty, as well as the Australian way of life, causing:
• shortages or destruction of essential medical supplies;
• instability in the supply of food and groceries;
• impacts to water supply and sanitation;
• impacts to telecommunications networks that are dependent on electricity;
• the inability of Australians to communicate easily with family and loved ones;
• disruptions to transport, traffic management systems and fuel;
• reduced services or shutdown of the banking, finance and retail sectors; and
• the inability for businesses and governments to function.

5. While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune:
• over the last two years, we have seen several cyber attacks in Australia that have targeted the Federal Parliamentary Network;
• malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber attacks on health organisations and medical research facilities; and
• key supply chain businesses transporting groceries and medical supplies have also been targeted.

6. Accordingly, Government will introduce an enhanced regulatory framework, building on existing requirements under the SOCI Act. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 gives effect to this framework by introducing:
• additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;
• enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and
• government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia's critical infrastructure assets.

7. These changes will be underpinned by enhancements to Government's existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy. This will include a range of activities that will improve our collective understanding of risk within and across sectors.

8. The enhanced framework will uplift security and resilience in all critical infrastructure sectors. When combined with better identification and sharing of threats, this framework will ensure that Australia's critical infrastructure assets are more resilient and secure. Government will work in partnership with responsible entities of critical infrastructure assets to ensure the new requirements build on and do not duplicate existing regulatory frameworks.

9. This framework will apply to owners and operators of critical infrastructure regardless of ownership arrangements. This creates an even playing field for owners and operators of critical infrastructure and maintains Australia's existing open investment settings, ensuring that businesses who apply security measures are not at a commercial disadvantage.

10. The Australian Government's Critical Infrastructure Resilience Strategy currently defines critical infrastructure as: 'those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defence and ensure national security.'

11. In the context of this, the SOCI Act currently places regulatory obligations on specific entities in the electricity, gas, water and maritime ports sectors. However, as the security landscape evolves, so must our approach to managing risk across all critical infrastructure sectors.

12. As such, the amendments in this Bill will enhance the obligations in the SOCI Act, and expand its coverage to the following sectors: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage.

The reforms

13. The Commonwealth needs to establish a clear, effective, consistent and proportionate approach to ensuring the resilience of Australia's critical infrastructure. The amendments to the SOCI Act will drive the uplift of the security and resilience of Australia's critical infrastructure.

14. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) will introduce an all-hazards positive security obligation for a range of critical infrastructure assets across critical sectors. This ensures industry is taking the appropriate steps to manage the security and resilience of their assets. The obligations to be included in the Act in relation to a critical infrastructure risk management program will be supported by specific requirements which will be prescribed in rules, which will be co-designed between industry and government.

15. The Bill also recognises those assets that are the most critical to the security, economy and sovereignty of Australia. These 'systems of national significance' will bear additional cyber obligations recognising the cyber threat environment we currently face.

16. Finally, while these measures are designed to ensure we do not suffer a catastrophic cyber attack, the Bill will ensure Government has the necessary powers to provide direct assistance to industry in the event of a serious cyber security incident.

Positive Security Obligations

17. The additional positive security obligations will build on the existing obligations in the SOCI Act to embed preparation, prevention and mitigation activities into the business-as-usual operation of critical infrastructure assets, ensuring that the resilience of essential services is strengthened. It will also provide greater situational awareness of threats to critical infrastructure assets.

18. The positive security obligations involve three aspects:
• adopting and maintaining an all-hazards critical infrastructure risk management program;
• mandatory reporting of serious cyber security incidents to the Australian Signals Directorate (ACSC); and
• where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.

19. Importantly, each aspect of the positive security obligations will only apply once a rule is made in relation to that aspect for a critical infrastructure asset or class of critical infrastructure assets. The rules will prescribe which aspects are 'switched on' for a critical infrastructure asset or class of critical infrastructure assets.

20. The critical infrastructure risk management program will require responsible entities of specified critical infrastructure assets to manage and mitigate risks. Responsible entities of critical infrastructure assets will be required to take an all-hazards approach when identifying and understanding those risks - both natural and human induced hazards.

21. Responsible entities of specified critical infrastructure assets will be required to report cyber security incidents to the relevant Commonwealth body. Collecting this information will support the development of an aggregated threat picture to inform both proactive and reactive cyber response options - from providing immediate assistance to working with industry to uplift broader security standards.

22. Part 2 of the current SOCI Act requires assets covered by the Act to provide ownership and operational information to the Secretary of Home Affairs for the Register of Critical Infrastructure Assets (the Register). The Bill will extend this requirement to the expanded class of critical infrastructure assets where appropriate to develop and maintain a comprehensive picture of national security risks, and apply mitigations where necessary.

Enhanced Cyber Security Obligations for systems of national significance

23. The Enhanced Cyber Security Obligations in the Bill will support a bespoke, outcomes-focused partnership between Government and Australia's 'systems of national significance.' These are a significantly smaller subset of critical infrastructure assets that are crucial to the nation, by virtue of their interdependencies across sectors and consequences of cascading disruption to other critical infrastructure assets and sectors.

24. Under the Enhanced Cyber Security Obligations, the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more prescribed cyber security activities. These include the development of cyber security incident response plans, cyber security exercises to build cyber preparedness, vulnerability assessments to identify vulnerabilities for remediation, and the provision of system information to build Australia's situational awareness.

25. The Enhanced Cyber Security Obligations will support the sharing of near-real time threat information to provide industry with a more mature understanding of emerging cyber security threats, and the capability to reduce the risks of a significant cyber attack against Australia's most critical assets.

Government Assistance


26. This Bill introduces a Government Assistance regime to respond to serious cyber security incidents that applies to all critical infrastructure sector assets. Government recognises that industry should and in most cases, will respond to the vast majority of cyber security incidents, with the support of Government where necessary. However, Government maintains ultimate responsibility for protecting Australia's national interests. As a last resort, the Bill provides for Government assistance to protect assets immediately prior, during or following a significant cyber attack.

27. Detailed notes on the clauses of the Bill are included at Attachment A.

FINANCIAL IMPACT STATEMENT

28. A detailed Regulation Impact Statement to assess the high level regulatory impact to industry of uplifting the security and resilience of Australia's critical infrastructure assets is at Attachment B. Sector specific rules are expected to be developed in early 2021 through a co-design process with industry. These rules will inform a more detailed regulation impact statement which will provide clarity around the costs and benefits for each sector of the specific obligations contained in Part 2A of the Bill (Critical Infrastructure Risk Management Programs).

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

29. A Statement of Compatibility with Human Rights has been completed in relation to the Bill. It has been assessed that the amendments are compatible with Australia's human rights obligations. A copy of the Statement of Compatibility with Human Rights is at Attachment C.

COMMON ABBREVIATIONS AND ACRONYMS

Abbreviation or acronym      Meaning
AAT                          Administrative Appeals Tribunal
Acts Interpretation Act      Acts Interpretation Act 1901
ACMA                         Australian Media and Communications Authority
ADJR Act                     Administrative Decisions (Judicial Review) Act 1977
AEMO                         Australian Energy Market Operator
APRA                         Australian Prudential Regulation Authority
ASA                          Australian Shareholders' Association
ASD                          Australian Signals Directorate
ASIC                         Australian Securities and Investments Commission
ASIO                         Australian Security Intelligence Organisation
ASIO Act                     Australian Security Intelligence Organisation Act 1979
ATSA                         Aviation Transport Security Act 2004
AusCheck Act                 AusCheck Act 2007
Corporations Act             Corporations Act 2001
Courts Act                   Federal Court and Family Court of Australia Act 2020
Criminal Code                Criminal Code Act 1995
DISP                         Defence Industry Security Program
Department                   Department of Home Affairs
FATA                         Foreign Acquisitions and Takeovers Act 1975
FIRB                         Foreign Investment Review Board
IGIS                         Inspector General of Intelligence and Security
Intelligence Services Act    Intelligence Services Act 2001
Legislation Act              Legislation Act 2003
MTOFSA                       Maritime Transport and Offshore Facilities Security Act 2003
MW                           Megawatts
NEM                          National Energy Market
NSI Act                      National Security Information (Criminal and Civil Proceedings) Act 2004
Privacy Act                  Privacy Act 1988
PSPF                         Protective Security Policy Framework
RBA                          Reserve Bank of Australia
Regulatory Powers Act        Regulatory Powers (Standard Provisions) Act 2014
Secretary                    Secretary of the Department of Home Affairs
SOCI Act                     Security of Critical Infrastructure Act 2018
SCADA                        Supervisory Control and Data Acquisition
Telecommunications Act       Telecommunications Act 1997
TEQSA                        Tertiary Education Quality and Standards Agency
TIA Act                      Telecommunications (Interception and Access) Act 1979
TSSR                         Telecommunications sector security reforms contained in the Telecommunications and Other Legislation Amendment Act 2017


Attachment A

Security Legislation Amendment (Critical Infrastructure) Bill 2020

NOTES ON CLAUSES

Section 1 Short title

1. Section 1 of the Bill provides that the short title of the Act is the Security Legislation Amendment (Critical Infrastructure) Act 2020.

Section 2 Commencement

2. Section 2 of the Bill sets out the times at which the Act commences once passed by the Parliament.

3. Subsection (1) provides that each provision of the Bill specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. The table provides that:
• sections 1 to 3 of the Bill and anything not otherwise covered by the table commence the day the Act receives the Royal Assent (item 1)
• Parts 1 and 2 of Schedule 1 to the Bill commence on a single day to be fixed by Proclamation. If a Proclamation is not made within 6 months beginning on the day that the Bill receives the Royal Assent, these provisions will commence the next day (item 2)
• Part 3 of Schedule 1 to the Bill commences the later of immediately after table item 2, and the commencement of the Federal Court and Family Court of Australia Act 2020 (the Courts Act) (item 3). This item also provides that, if the Courts Act never commences, then the amendments in Part 3 of Schedule 1 never occur
• Part 4 of Schedule 1 to the Bill commences the later of immediately after table item 2 and the commencement of the National Emergency Declaration Act 2020 (the NED Act) (item 4). This item also provides that, if the NED Act never commences, then the amendments in Part 4 of Schedule 1 never occur, and
• Schedule 2 to the Bill commences the day after the Bill receives the Royal Assent (item 5).

4. A note explains that this table relates only to the provisions of this Bill as originally enacted. It will not be amended to deal with any later amendments.

5. A fixed commencement date, whether set by Proclamation or falling 6 months after Royal Assent, will allow Government to provide certainty to industry and investors on the scope and application of the obligations under the Act. It will also allow industry and investors to become familiar with the obligations in the Act, and understand how these obligations may apply to their assets prior to commencement.

6. Subsection (2) provides that any information in column 3 of the table is not part of the Bill. Information may be inserted in this column, or information in it may be edited, in any published version of this Bill.

Section 3 Schedules

7. Section 3 of the Bill provides that legislation that is specified in a Schedule to the Bill is amended or repealed as set out in the applicable items in the Schedule concerned. In addition, this clause provides that any other item in a Schedule to this Act has effect according to its terms.

8. There are two Schedules to the Bill. Part 1 of Schedule 1 to the Bill will make amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) to:
• insert new Part 2A, which provides that specified critical infrastructure assets must adopt and maintain a critical infrastructure risk management program
• insert new Part 2B, which will require specified critical infrastructure assets to report cyber security incidents
• insert new Part 2C, to provide for a number of enhanced cyber security obligations that may be applied in relation to systems of national significance
• insert new Part 3A, which outlines a number of government assistance measures that may be exercised in the most serious and significant of cyber security incidents
• insert new Part 6A, to confer a power on the Minister to make a private declaration that an asset is a system of national significance
• include additional measures concerning annual reporting, disclosure and use of protected information etc., and
• outline relevant definitions that are required to support these amendments.

9. Part 1 of Schedule 1 also makes amendments to the Administrative Decisions (Judicial Review) Act 1977 (the ADJR Act) to exclude certain decisions made under the SOCI Act from judicial review under that Act, and to the AusCheck Act 2007 (the AusCheck Act) to provide that the AusCheck scheme established under section 8 of that Act can apply if triggered by a legislative instrument made by the Minister under new subsection 30AH(2) of the SOCI Act.


10. Parts 2 and 3 of Schedule 1 to the Bill provide for the application of amendments in Part 1 of Schedule 1, and for the making of contingent amendments related to the proposed amalgamation of the Federal Circuit Court and Family Court of Australia.

11. Schedule 2 to the Bill will amend the Criminal Code to provide for an immunity to apply in relation to the Australian Signals Directorate (ASD) for conduct occurring, or reasonably believed to occur, outside of Australia.

Schedule 1--Security of critical infrastructure

Part 1--General amendments

Administrative Decisions (Judicial Review) Act 1977

Item 1 Before paragraph (da) of Schedule 1

12. Item 1 of Schedule 1 to the Bill inserts new paragraph (dae) into Schedule 1 to the ADJR Act, to provide that any decision made under new Part 3A of the SOCI Act is not a 'decision to which this Act applies'. This means that a decision made under new Part 3A in response to a 'serious cyber security incident' is not subject to judicial review under the ADJR Act (see further explanation regarding new Part 3A below).

13. The Administrative Review Council (ARC), in their 2012 report Federal Judicial Review in Australia, identified a number of reasons that may justify an exemption from review under the ADJR Act. National security considerations were one such reason identified by the ARC as justifying excluding ADJR Act review, particularly where sensitive information is involved which may be publicly disseminated through judicial proceedings.

14. When making a decision under new Part 3A of the SOCI Act, the Minister must be satisfied that there is a material risk that a 'cyber security incident' (as defined by new section 12M, see item 7 of Schedule 1 below) has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice, the social or economic stability of Australia or its people, the defence of Australia or national security. Decisions of this nature are likely to be based on sensitive and classified information and deal with the capabilities of intelligence agencies as well as security vulnerabilities. This could include intelligence information and covert investigation methods and procedures, the disclosure of which may impact ongoing investigations, compromise intelligence methodologies or otherwise damage Australia's national security and defence. The same applies equally to decisions of the Secretary and the authorised agency under new Part 3A who operationalise the Ministerial authorisations.

15. For this reason, it is reasonable to exempt decisions made under new Part 3A of the SOCI Act from review under the ADJR Act, as the public dissemination of the sensitive information and capabilities that may be used to make decisions under new Part 3A would pose a risk to national security and the defence of Australia.

16. Similar to decisions made under the Foreign Acquisitions and Takeovers Act 1975, which are exempt from review under the ADJR Act (see paragraph (h) of Schedule 1 to that Act), decisions made under Part 3A are also likely to deal with classified and commercially confidential material that is relevant to the operation of assets critical to Australia's economy. This further supports the need for the exemption, noting the potential impact to the economy if the confidentiality of this information was compromised.

17. Owners and operators of critical infrastructure assets may be reluctant or unwilling to disclose such information to government for the purpose of Part 3A, despite the penalties that such non-compliance could attract, if there is potential for this information to be disclosed publicly in court proceedings under the ADJR Act. This could delay or seriously inhibit the Minister, Secretary or authorised agency from making decisions under new Part 3A to protect assets critical to the Australian economy from imminent or released threats.

18. Furthermore, Part 3A is designed to be used in emergency circumstances where it is necessary for the Government to respond rapidly to the most serious cyber security incidents that are affecting critical infrastructure assets. Any unnecessary delays in the use of these mechanisms may prejudice the national interest, noting the complex nature of such serious cyber security incidents, and the importance of critical infrastructure assets to Australia's social and economic stability, defence and national security. An exemption from review under the ADJR Act ensures the mechanisms in new Part 3A can be deployed as required and without delay.

19. Whilst decisions under new Part 3A will be exempt from review under the ADJR Act, there are certain safeguards and limitations included in the Bill to ensure that any decisions made under the Part are appropriate. In particular, the Minister can only make an authorisation for the exercise of powers where the Minister is satisfied that:
• a cyber security incident has occurred, is occurring or is imminent (paragraph 35AB(1)(a))
• the incident has had, is having, or is likely to have, a 'relevant impact' (as defined in new section 8G) on a critical infrastructure asset (paragraph 35AB(1)(b))
• there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice the social or economic stability of Australia or its people, defence or national security (paragraph 35AB(1)(c)), and
• no other regulatory system could be used to provide a practical and effective response to the incident (paragraph 35AB(1)(d)).


20. Further, consultation requirements are built into each stage of the regime to ensure any concerns of the entity are considered, and that any decisions are informed.

21. Importantly, the Inspector-General of Intelligence and Security will oversee the activities of the authorised agency under the Part. The Commonwealth Ombudsman also maintains jurisdiction in relation to any of the Secretary's activities under new Part 3A.

22. It is noted that the amendment does not have the effect of entirely excluding judicial review of decisions under Part 3A of the SOCI Act. A person who is the subject of a decision under Part 3A is still entitled to seek judicial review under section 39B of the Judiciary Act 1903 or subsection 75(v) of the Constitution.

AusCheck Act 2007

Item 2 Subsection 4(1)

23. Item 2 of Schedule 1 to the Bill inserts a definition of 'critical infrastructure risk management program' into subsection 4(1) of the AusCheck Act, which refers to the meaning given by the SOCI Act (in new section 30AH, see further at item 39 of Schedule 1 to the Bill).

Item 3 After paragraph 8(1)(b)

24. Section 8 of the AusCheck Act provides that regulations may provide for the establishment of the AusCheck scheme, which relates to the conduct and coordination of background checks if conditions outlined in paragraphs 8(1)(a), (b), (c) or (d) are met. Item 3 of Schedule 1 to the Bill inserts new paragraph 8(1)(ba) into the AusCheck Act, to provide that the AusCheck scheme may also be established if critical infrastructure risk management programs are required, by rules made under the SOCI Act, to include provisions that require background checks of individuals to be conducted under the AusCheck scheme.

25. The AusCheck scheme is currently established in relation to Aviation and Maritime Security Identification Cards, security sensitive biological agents and major national events. The elements of a background check that may be enabled under the AusCheck scheme include an identity check, a criminal history check, an immigration status check, and a security assessment conducted by the Australian Security Intelligence Organisation (ASIO) under Part IV of the Australian Security Intelligence Organisation Act 1979.

26. This amendment to the AusCheck Act will enable background checks, should they be required as part of a critical infrastructure risk management program under new Part 2A of the SOCI Act, to be used as a measure to mitigate against the threat that trusted insiders may pose to critical infrastructure assets. New section 30AL provides the consultation requirements for the making of rules in relation to requirements for a critical infrastructure risk management program.


Security of Critical Infrastructure Act 2018

Item 4 Section 3

27. Item 4 of Schedule 1 to the Bill amends the objects provision of the SOCI Act (section 3), to omit the words 'to national security'.

28. This amendment reflects the additional and broader purpose of the SOCI Act (as a result of amendments in this Bill) which is to manage the threats posed by, and the impacts of, a variety of hazards including those that are human induced and naturally occurring in relation to critical infrastructure assets and systems of national significance.

Item 5 At the end of section 3

29. Section 3 of the SOCI Act currently outlines the original intent of the SOCI Act which was to provide a regulatory framework to manage risks to national security relating to Australia's critical infrastructure. The national security risks of particular focus were sabotage, espionage and coercion.

30. As a result of the evolved security environment, amendments are required to the SOCI Act, and in turn, the intent and purpose of the SOCI Act has been augmented to reflect these amendments.

31. Item 5 of Schedule 1 to the Bill inserts paragraphs (c), (d) and (e) into section 3 of the SOCI Act, which describe how the purpose of the SOCI Act is carried out. Paragraph (c) provides that the object of the SOCI Act is carried out by requiring responsible entities for critical infrastructure assets to identify and manage risks relating to those entities. These 'positive security obligations' will involve adopting and maintaining a 'critical infrastructure risk management program' under new Part 2A of the SOCI Act, reporting cyber security incidents under new Part 2B and the existing register obligations under Part 2 of the Act.

32. Paragraph (d) provides that the object of the SOCI Act is carried out by imposing enhanced cyber security obligations on relevant entities for systems of national significance in order to improve their preparedness for, and ability to respond to, cyber security incidents, which is a reference to new Part 2C of the SOCI Act.

33. Finally, paragraph (e) provides that the object of the SOCI Act is carried out by providing a regime for the Commonwealth to respond to serious cyber security incidents, which is a reference to new Part 3A of the SOCI Act.

Item 6 Section 4

34. Item 6 repeals and substitutes section 4 of the SOCI Act, which contains the simplified outline of the Act. The simplified outline is designed to assist the reader of the legislation in understanding the structure and content of the SOCI Act.


Section 4 Simplified outline of this Act

35. New section 4 of the SOCI Act outlines that the Act, as amended by the Bill, creates a framework for managing risks relating to critical infrastructure, based on elements including:
• a private register of information in relation to assets that are critical infrastructure assets
• requiring a responsible entity for an asset to have and comply with a critical infrastructure risk management program, and to notify Government about cyber security incidents
• imposing enhanced cyber security obligations that relate to systems of national significance
• requiring certain entities relating to a critical infrastructure asset to provide information in relation to an asset and to notify of certain events
• allowing the Minister to require an entity to do or refrain from doing certain things if the Minister is satisfied that there is a risk that the act or omission would be prejudicial to security
• allowing the Secretary to require certain entities to provide certain information or documents
• setting up a regime for the Commonwealth to respond to serious cyber security incidents, and
• allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.

36. The third paragraph notes that certain information in relation to this Act is protected information and that the use and disclosure of this information is restricted.

37. The fourth paragraph notes that the civil penalty provisions in this Act may be enforced using civil penalty orders, injunctions or infringement notices, and enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. It also notes that the Regulatory Powers Act is applied for these purposes. The paragraph also notes that some provisions of the Act are subject to monitoring and investigation under the Regulatory Powers Act and that certain provisions of the Act can be enforced by criminal proceedings.

38. The fifth paragraph notes that the Minister may privately declare an asset to be a critical infrastructure asset. The sixth paragraph notes that the Minister may also privately declare an asset to be a system of national significance. The final paragraph notes that the Secretary must give the Minister reports on the operation of the Act that are to be presented to Parliament.

Item 7 Section 5

39. Item 7 of Schedule 1 to the Bill provides a number of definitions for terms that facilitate the amendments to the SOCI Act being made by the Bill. A number of terms are defined by reference to other acts, for example the term aircraft operator has the same meaning as it does in the Aviation Transport Security Act 2004 (ATSA). For terms defined in this manner it is intended that the term in the SOCI Act has the meaning as it appears in the Acts referred to from time to time.

40. In this explanatory memorandum those terms have been described according to how they are defined in the respective acts at the time of the introduction of the Bill.

access

41. In relation to a computer program, 'access' means the execution of the computer program. The purpose of this definition is to differentiate between instances in the Bill where access has its ordinary meaning, and instances where its use relates to accessing a computer program that is installed on a computer.

access to computer data

42. This definition has been separated into three paragraphs reflecting the different methods by which data may be regarded as being accessed, depending on how it is held. Paragraph (a) provides that access to computer data means, in a case where the computer data is held in a computer, the display of the data by the computer or any other output of the data from the computer.

43. Paragraph (b) defines access to computer data to also mean, in the case where the computer data is held in a computer, the copying or moving of the data to any other location in the computer, another computer or a data storage device. Paragraph (c) also defines access to computer data as meaning, in the case where the computer data is held in a storage device, the copying or moving of the data to a computer or to another data storage device.

aircraft operator

44. This term has the same meaning as in the ATSA. At the time of the introduction of the Bill, section 9 of the ATSA provides that aircraft operator means a person who conducts, or offers to conduct, an air service. This term is used in the definition of 'critical aviation asset'. At the time of the introduction of the Bill, in the ATSA, air service means a service of providing air transportation of people or goods, or both people and goods.
airport

45. Has the same meaning as in the ATSA. At the time of the introduction of the Bill subsection 28(1) of the ATSA provides that an 'airport' is an area of land or water (including any buildings, installations or equipment situated in the area) intended for use either wholly or partly in connection with the arrival, departure or movement of aircraft. It also includes any area that is controlled by the airport operator that is contiguous with such an area of land or water. This term is used in the definition of 'critical aviation asset'.

airport operator

46. Has the same meaning as in the ATSA. At the time of the introduction of the Bill section 9 of the ATSA provides that 'airport operator' means the operator of an airport. This term is used in the definition of 'critical aviation asset'.

air service

47. Has the same meaning as in the ATSA. At the time of the introduction of the Bill section 9 of the ATSA provides that 'air service' means a service of providing air transportation of people or goods, or both people and goods. This term is used in the definition of 'critical aviation asset'.

approved staff member of the authorised agency

48. This term has the meaning given in new section 35BJ of the SOCI Act.

ASD

49. Means the Australian Signals Directorate.

asset

50. The definition of 'asset' is non-exhaustive and is intended to clarify the types of physical and electronic things that can be considered to be an 'asset'. This is particularly relevant for the definition of 'critical infrastructure asset' at section 9 of the SOCI Act (see items 22-29 of Schedule 1 to the Bill, below). The term 'asset' is also used in the definition of 'critical infrastructure sector asset' at new section 8E of the Bill.

51. The use of 'asset', including in the definition of 'critical infrastructure asset' and 'critical infrastructure sector asset', may refer to individual components of infrastructure or a collection of components of infrastructure, which while individually could be regarded as assets, as a collection interact to provide, or support the provision of, a service or thing.
associated entity

52. This term has the same meaning as in the Corporations Act. At the time of introduction of the Bill, section 50AAA of that Act provides that an entity is an 'associated entity' of another entity (the principal) if any of the criteria listed in subsections 50AAA(2)-(7) are satisfied. Some examples of the criteria are that:

- the associate and the principal are related bodies corporate
- the principal controls the associate, or
- the associate controls the principal and the operations, resources and affairs of the principal are material to the associate.

associated transmission facility

53. The definition captures those pieces of equipment or other things that are required to operate a radio communications transmitter. 'Associated transmission facilities' form part of a 'broadcasting transmission asset' which is used in the definition of 'critical broadcasting asset' at new section 12E of the Bill.

AusCheck scheme

54. Has the same meaning as in the AusCheck Act. At the time of the introduction of the Bill, section 8 of the AusCheck Act states that regulations may provide for the establishment of an AusCheck scheme which relates to the conduct and coordination of background checks.

Australia

55. When used in a geographical sense, includes the external Territories.

Australian CS facility licence

56. Has the same meaning as in Chapter 7 of the Corporations Act 2001 (the Corporations Act), which at the time of the introduction of the Bill means a licence under section 824B of that Act which authorises a person to operate a clearing and settlement facility. This term is used in the definition of 'critical financial market infrastructure asset' at section 12 of the Bill.

Australian derivative trade repository licence

57. Has the same meaning as in Chapter 7 of the Corporations Act. This term is relied upon for the meaning of 'critical financial market infrastructure asset' at section 12D of the Bill.
Australian market licence

58. Has the same meaning as in Chapter 7 of the Corporations Act, which at the time of the introduction of the Bill is defined as being a licence applied for under section 795B of that Act. This term is relied upon in the definition of 'critical financial market infrastructure asset' at section 12D of the Bill.

authorised agency

59. Authorised agency means ASD. This term is particularly relevant to new Division 5 of Part 3A of the Bill (the serious cyber incident response powers, which are part of the government assistance measures).

authorised deposit-taking institution

60. Has the same meaning as in the Banking Act 1959 (the Banking Act), which at the time of introduction of the Bill means a body corporate in relation to which an authority under subsection 9(3) of that Act is in force. This term is relied upon in the definition of 'critical banking asset' at section 12G of the Bill.

background check

61. Has the same meaning as in the AusCheck Act. Section 5 of the AusCheck Act, at the time of introduction of the Bill, provides that a background check in relation to an individual is an assessment of information relating to one or more of the following:

- the individual's criminal history
- in certain circumstances, whether the individual has been charged with a serious offence or whether a charge for a serious offence has been resolved in relation to the individual
- matters relevant to a security assessment of the individual as defined in the ASIO Act
- the individual's citizenship status, residency status or the individual's right to work in Australia, including whether the person is an Australian citizen, a permanent resident or an unlawful non-citizen, and
- the identity of the individual.
banking business

62. Has the same meaning as in the Banking Act. At the time of introduction of the Bill the term is defined as:

- a business that consists of banking within the meaning of paragraph 51(xiii) of the Constitution, or
- a business that is carried on by a corporation to which paragraph 51(xx) of the Constitution applies and that consists of both taking money on deposit (otherwise than as a part payment for goods or services) and making advances of money, or other financial activities prescribed by regulations made under the Banking Act for the purposes of the definition.

63. This term is relied upon in the definition of 'critical banking asset' in section 12G of the Bill.

benchmark administrator licence

64. Has the same meaning as in the Corporations Act. At the time of introduction of the Bill a 'benchmark administrator licence' is defined as a licence granted under section 908BC of the Corporations Act. This term is relied upon in the definition of 'critical financial market infrastructure asset' in section 12D of the Bill.

broadcasting re-transmission asset

65. This term means a radiocommunications transmitter, a broadcasting transmission tower, or an associated transmission facility (as these terms are defined respectively in the SOCI Act), that is used in connection with the transmission of a service to which, as a result of section 212 of the Broadcasting Services Act 1992 (the Broadcasting Services Act), the regulatory regime established by that Act does not apply.

broadcasting service

66. Has the same meaning as in the Broadcasting Services Act, which at the time of introduction of the Bill means a service that delivers television programs or radio programs to persons having equipment appropriate for receiving that service, whether the delivery uses the radiofrequency spectrum, cable, optical fibre, satellite or any other means or a combination of those means, but does not include:

- a service (including a teletext service) that provides no more than data, or no more than text (with or without associated still images); or
- a service that makes programs available on demand on a point-to-point basis, including a dial-up service; or
- a service, or a class of services, that the Minister determines, under subsection (2) of that Act, not to fall within this definition.

67. 'Broadcasting service' is used in the context of defining the 'communications sector'.

broadcasting transmission asset

68. The definition identifies the individual assets or components (paragraphs (a)-(c)) that are used, or capable of being used, for the transmission of a national broadcasting service, a commercial radio broadcasting service or a commercial television broadcasting service.

broadcasting transmission tower

69. The term has the same meaning as in the Broadcasting Services Act. At the time of the introduction of the Bill item 2 of Schedule 4 to that Act defines a 'broadcasting transmission tower' as being a tower, pole, mast or a similar structure that is used to supply:

- a broadcasting service by means of radiocommunications using the broadcasting services bands, or
- a datacasting service provided under, and in accordance with the conditions of, a datacasting licence.

business critical data

70. The definition of 'business critical data' outlines the categories of data that are of most significance to the operation and security of 'critical infrastructure assets', or otherwise represent a potential security vulnerability. This includes bulk holdings of personal information, within the meaning of the Privacy Act 1988 (the Privacy Act) (paragraph (a)), including sensitive data. This definition largely aligns with the existing reporting requirements for data arrangements under section 5 of the current Security of Critical Infrastructure Rules 2018 (the SOCI Rules) and paragraph 7(1)(f) of the SOCI Act.

71. The purpose of this term is to limit the application of new subsection 12F(2) of the SOCI Act so that 'critical data storage or processing assets' are those assets owned or operated by a 'data storage or processing provider', and used to store or process 'business critical data' that relates to another asset captured as a 'critical infrastructure asset'.

carriage service

72. Has the same meaning as in the Telecommunications Act 1997 (the Telecommunications Act), which at the time of introduction of the Bill means a service for carrying communications by means of guided and/or unguided electromagnetic energy. This term is used in the definition of 'critical telecommunications asset', and in the definition of the 'communications sector'.
carriage service provider

73. Has the same meaning as in section 87 of the Telecommunications Act. The term is used in the definition of 'critical telecommunications asset'.

carrier

74. Has the same meaning as in the Telecommunications Act, which at the time of introduction of the Bill means the holder of a carrier licence. Carrier licence is defined at section 56 of the Telecommunications Act. This term is used in the definition of 'critical telecommunications asset'.

chief executive of the authorised agency

75. Means the Director-General of the Australian Signals Directorate.

clearing and settlement facility

76. Has the same meaning as in Chapter 7 of the Corporations Act. At the time of introduction of the Bill section 768A of the Corporations Act defined the term as meaning a facility that provides a regular mechanism for the parties to transactions relating to financial products to meet obligations to each other that arise from entering into the transactions and are of a kind prescribed by regulations made under the Corporations Act for the purposes of that paragraph (paragraph 768A(1)(b) of the Corporations Act).

77. This term is relied upon for the meaning of 'critical financial market infrastructure asset' at new section 12D of the SOCI Act, and is used in the definition of 'financial services and markets sector'.

commercial radio broadcasting service

78. Has the same meaning as in the Broadcasting Services Act. At the time of introduction of the Bill the term was defined as meaning a commercial broadcasting service that provides radio programs.

commercial television broadcasting service

79. Has the same meaning as in the Broadcasting Services Act, which at the time of introduction of the Bill means a commercial broadcasting service that provides television programs.

communications sector

80. Means the sector of the Australian economy that involves supplying a carriage service, providing a broadcasting service, owning or operating assets that are used in connection with the supply of a carriage service, owning or operating assets that are used in connection with the transmission of a broadcasting service, or administering an Australian domain name system.

81. The communications sector is a critical enabler of economic and social activity. Communications have always been necessary to 'doing business' and the functioning of society. Many industries rely heavily on the sector and would see the ongoing and safe operation of their industry significantly compromised without it. The Internet enables Australians to communicate (for example, via over-the-top communications providers) and access essential services (for example, Telehealth services which proved critical during the COVID-19 pandemic), and has helped industry to access and compete in overseas markets.

82. As noted by the Australian Competition & Consumer Commission in a Final report on Communications Sector Market Study released in April 2018, the communications sector is subject to rapid changes in technology, product innovation and consumer preferences as well as major structural changes. For example, the greater availability of high-speed broadband and changing business models within the communications sector have resulted in broadcasters and carriers alike looking to cross-platform delivery as a business necessity. As such, the definition is intended to be flexible so that it continues to be relevant as the sector evolves.

83. An 'Australian domain name system' means any country code Top Level Domain managed within Australia and its external territories (such as Norfolk Island) and generic Top Level Domains.

computer

84. The meaning of 'computer' is intended to capture all or parts of an individual computer, a collection of computers that form a network or system, or any combination of these. A 'computer' has the capability to store or process data, or be used to monitor, control or do anything else that is connected to the functioning of an asset. For example, a Supervisory Control and Data Acquisition (SCADA) system is considered to be a 'computer'.

computer data

85. Means any data held in a computer or a data storage device, irrespective of the form in which that data exists.

computer device

86. Means a device connected to a computer. 'Computer devices' include any hardware that is designed, or has the capability, to be connected to and enable the use or functioning of a computer. Examples of things that are a 'computer device' are monitors, keyboards, computer storage devices and other devices that receive communications from the computer.
connected

87. Means connection otherwise than by means of physical contact, for example, a connection by means of radiocommunication.

constable

88. Has the same meaning as in the Crimes Act 1914 (the Crimes Act), which at the time of introduction of the Bill means a member or special member of the Australian Federal Police or a member of the police force or police service of a State or Territory.

credit facility

89. Has the meaning given by regulations made for the purposes of paragraph 12BAA(7)(k) of the Australian Securities and Investments Commission Act 2001.

credit facility business

90. Means a business that offers, or provides services in relation to, a credit facility.

critical aviation asset

91. A 'critical aviation asset' is defined as:

- an asset that is used in connection with the provision of an air service and is owned or operated by an aircraft operator
- an asset that is used in connection with the provision of an air service and is owned or operated by a regulated air cargo agent, or
- an asset that is used by an airport operator in connection with the operation of an airport.

92. The aviation industry provides the only rapid global network for the transportation of goods and people, making it essential for global business. The industry generates economic growth through the creation of jobs locally as well as the facilitation of international trade and tourism. The geographic expansiveness of Australia also makes it crucial to the domestic economy as well as supporting dispersed populations. The aviation industry is dependent on distributed architectures for delivery of efficient services, including distributed networks and interdependent physical and cyberspace functions, which presents complex security challenges. Breaches can have dire consequences, ranging from privacy breaches and the theft of trade secrets to risk to life.

93. The aviation industry already has robust security frameworks in place, in the ATSA. Comprehensive reforms to this regime are anticipated to be progressed in 2021. This will ensure that key assets regulated by this regime would similarly implement the positive security obligations, including in relation to the significant threat posed by cyber and systems attacks. The Department will work closely with industry to coordinate the implementation of these reforms across the aviation industry. It is however crucial to ensure the sector is captured by the framework in the amended SOCI Act to ensure that further enhancements and protective measures are available.

94. The note to the definition explains that under section 9 of the SOCI Act the rules may prescribe that a specified 'critical aviation asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical banking asset

95. This term is defined in new section 12G of the SOCI Act. The note to the definition explains that under section 9 of the SOCI Act the rules may prescribe that a specified 'critical banking asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical broadcasting asset

96. This term is defined in new section 12E of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical broadcasting asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical data storage or processing asset

97. This term will be defined in new section 12F of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical data storage or processing asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical defence capability

98. A critical defence capability is one which provides for the ability to shape Australia's strategic environment, deter actions against Australia's interests, and respond with credible military force when required to protect Australia's national security and national interests. This is a non-exhaustive definition as what is a critical defence capability will shift in reflection of the changing risks to Australia's national security and defence environment.

99. The term 'critical defence capability' includes materiel, technology, a platform, a network, a system and a service, that is required in connection with either the defence of Australia or with national security. Broadly, this may include things that:

- support operational requirements to respond to an existing and imminent threat;
- provide support to, prepare for, and sustain additional government-directed operations;
- maintain high-readiness contingency forces;
- conduct government directed regional engagement;
- maintain and sustain Defence capability for force generation, including training, medical, health and welfare; and
- deliver business continuity for Defence and defence industry.

critical defence industry asset

100. A 'critical defence industry asset' is an asset that is being, or will be, supplied by an entity to the Defence Department, or the Australian Defence Force, under a contract and consists of, or enables, a critical defence capability.

101. The reference to 'will be' in the definition is intended to capture assets for which there is a contract in place, but the supply has not yet commenced.

102. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical defence industry asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

103. These assets are key enablers of Defence capability. They provide the ability to shape Australia's strategic environment, deter actions against Australia's interests, and respond with credible military force when required to protect Australia's national security and national interests. This definition includes only those goods and services that are provided directly to Defence to meet a critical capability need, as well as critical components to those goods, technologies and services. This definition is intended to exclude those industry entities that could be considered key enablers of Defence capability but would be captured under other sectors in the Bill (e.g. electricity or water).

104. The definition of critical defence industry asset is intended to be a sub-set of the 'critical military-related goods, services and technologies' identified in the context of the proposed reforms to the Foreign Acquisitions and Takeovers Regulations 2015; noting reforms to Australia's foreign investment review framework are still subject to Parliamentary consideration.

105. While assets that fall within this definition may be subject to each of the positive security obligations, it is proposed that the Department of Defence will continue to manage security practices through its pre-existing DISP framework.
critical domain name system

106. This term is defined in new section 12KA of the SOCI Act.

critical education asset

107. This term is defined as meaning a university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers. The National Register of Higher Education Providers is administered by the Tertiary Education Quality and Standards Agency (TEQSA) and is accessible on their website.

108. Australian universities contribute strongly to Australia's economy. For example, a 2018 report by London Economics found that Group of Eight universities, which comprise Australia's leading research-intensive universities, had an annual economic impact to the Australian economy of some $66.4 billion each year. Universities are also responsible for a significant portion of critical research and innovation activities in Australia. Universities Australia estimates that Australian universities undertook 34 per cent of Australia's total research and development, and more than 70 per cent of public sector research in 2017-18. This research and innovation underpins a wide range of aspects of Australia's society, economy and defence.

109. Australian universities are likely to continue to be a key contributor to research and innovation activities as they are required to undertake research, and offer Masters and Doctoral research degrees, in at least three broad fields, as a condition of registration with the Tertiary Education Quality and Standards Agency. Accordingly, maintaining the security and stability of critical education assets is key to continued prosperity in Australia.

110. The definition for critical education asset refers to an institution that is owned or operated by an Australian university rather than particular aspects of the institution that are owned or operated. This reflects the complex, interconnected and multi-functional nature of universities. However, should obligations under Part 2A of the Bill be applied to critical education assets, the Department will work closely with responsible entities to ensure that any requirements are reasonable and proportionate in relation to the various components of the institution, such as physical and electronic assets (campuses, research labs and computing infrastructure and networks), while not unduly impacting non-critical aspects of a university such as recreational facilities.

111. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical education asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.
critical energy market operator asset

112. This term is defined as an asset that is owned or operated by Australian Energy Market Operator Limited (ACN 072010327), or Power and Water Corporation, or Regional Power Corporation, or Electricity Networks Corporation, that is:

- used in connection with the operation of an energy market or system (paragraph (b)), and
- critical to ensuring the security and reliability of an energy market (paragraph (c)).

113. However, a 'critical energy market operator asset' does not include a 'critical electricity asset', a 'critical gas asset' or a 'critical liquid fuel asset' (see paragraphs (d), (e) and (f)).

114. Energy market operators play a crucial role in ensuring the safe and reliable provision of energy which supports the broader functioning of society, the economy, national security and defence of Australia. A disruption to these critical assets could have significant and widespread impacts on communities, businesses and national security capabilities. Specifically, electricity and gas market operators play an essential role in ensuring electricity and gas systems operate safely and reliably, and allow for the trading of energy commodities that are ultimately sold to customers.

115. In this context, an asset that is owned or operated by an energy market operator will be critical to ensuring the security and reliability of an energy market if the asset is essential to the market operator undertaking its statutory functions, for example managing market trading and ensuring the security and reliability of the physical infrastructure. Although Western Power's primary function is as a transmission and distribution network operator, it has been included within the definition of a critical energy market operator as it undertakes market operator functions.

116. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical energy market operator asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.
critical financial market infrastructure asset

117. This term is defined in new section 12D of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical financial market infrastructure asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical food and grocery asset

118. This term is defined in new section 12K of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical food and grocery asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical freight infrastructure asset

119. This term is defined in new section 12B of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical freight infrastructure asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical freight services asset

120. This term is defined in new section 12C of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical freight asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical hospital

121. A 'critical hospital' means a hospital that has a general intensive care unit. These assets are critical as they have the ability to provide specialised treatment to patients who are acutely unwell and require critical care, have multi-disciplinary medical professionals and the necessary equipment to provide critical care for patients with a variety of medical, surgical and trauma conditions. These hospitals are therefore integral to the sustainment of life in Australia.

122. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical hospital' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.


critical infrastructure risk management program

123. This term is defined in new section 30AH of the SOCI Act.

critical infrastructure sector

124. This term is defined in new section 8D of the SOCI Act.

critical infrastructure sector asset

125. This term is defined in new subsection 8E(1) of the SOCI Act.

critical insurance asset

126. This term is defined in new section 12H of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical insurance asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical liquid fuel asset

127. This term is defined in new section 12A of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical liquid fuel asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical public transport asset

128. The term is defined as a public transport network or system that is both managed by a single entity and capable of handling at least five million passenger journeys per month. However, the definition provides that it does not include a critical aviation asset.

129. Such assets play a vital role in enhancing economic productivity and the national economy by facilitating the efficient movement of people around Australia's cities. Australia's cities are growing rapidly and the movement of people is increasingly important to facilitating our prosperity. In our five largest cities (Adelaide, Brisbane, Melbourne, Perth and Sydney), close to half of the population live in the outer suburbs and have a high reliance on functioning and regular public transport networks.[1] Further, these assets are critical to supporting the functioning of Australian society and culture by facilitating efficient freedom of movement.

[1] Infrastructure Australia, Outer Urban Public Transport 2018, page 4.

130. Unfortunately, international events have shown that this criticality can also make these large and connected public transport networks prime targets for terrorist activities or other unlawful acts. This is particularly due to their accessibility and the large numbers of people being concentrated together at peak and predictable times. Some public transport providers also hold large data sets relating to their customers, including billing information and their public transport usage, which also need to be appropriately protected.

131. A public transport network or system may be comprised of multiple modes of transport, such as buses, trams and trains, which are managed by a single entity. The requirement for the critical public transport asset to be capable of handling at least five million passenger journeys a month focuses the definition on those networks and systems that service major population hubs and whose disruption would cause significant economic impact and social disconnection.

132. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical public transport asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical superannuation asset

133. This term is defined in new section 12J of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical superannuation asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical telecommunications asset

134. A 'critical telecommunications asset' means:
• a telecommunications network that is owned or operated by a carrier and used to supply a carriage service, or
• a telecommunications network or any other asset that is owned or operated by a carriage service provider and used in connection with the supply of a carriage service.

135. The definition mirrors the assets currently regulated under the Telecommunications and Other Legislation Amendment Act 2017, also known as the Telecommunications Sector Security Reforms. The definition covers the networks that carry voice and data between users across Australia and overseas and includes wires, fibre, towers, sensors, satellites, radio spectrum and physical infrastructure such as cable landing stations.

136. The security and resilience of telecommunications infrastructure significantly affects the social and economic well-being of the nation. Government and business are increasingly storing and communicating large amounts of information on and across telecommunications networks and facilities. They are crucial to a functioning society and economy and, by their nature, telecommunications networks and facilities hold sensitive information. For example, lawful interception systems and customer billing and management systems can, if unlawfully accessed, reveal sensitive law enforcement operations or the location of persons. Therefore, in addition to being a critical facilitator of so many aspects of society, these assets also present a rich intelligence target for those who wish to harm Australian interests. Telecommunications networks are also vital to the delivery and support of other critical infrastructure and services such as power, water and health. For these reasons, the telecommunications networks of carriers and carriage service providers are attractive targets for espionage, sabotage and foreign interference activity by state and non-state actors.

137. The definition does not include 'Over-the-Top' applications or services which operate over the top of this infrastructure. Over-the-Top refers to applications and services which are accessible over the internet, without any direct influence or control from network operators or internet service providers. These may include communications services such as voice and messaging (e.g. Skype), content streaming (e.g. Netflix) or cloud-based storage (e.g. Dropbox).

138. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical telecommunications asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

139. For the positive security obligations to apply to a 'critical telecommunications asset', a rule must be made by the Minister to turn the obligations on. The telecommunications sector already has robust security frameworks in place in the Telecommunications Act 1997, including obligations under TSSR in Part 14 of that Act. Reforms to the TSSR regime will be considered in 2021, to be informed by the Parliamentary Joint Committee on Intelligence and Security's 'Review of Part 14 of the Telecommunications Act 1997', and through consultation with industry.

140. Government will consider the outcome of this Review before considering applying the SOCI Act's positive security obligations to the telecommunications sector. This will allow sufficient time to amend the Telecommunications Act 1997, if needed, and will avoid duplication of regulatory requirements on industry. However, retaining the definition of 'critical telecommunications asset' at this stage will clarify, for example, the telecommunications assets on which there must be a relevant impact to trigger the powers in Part 3A--Responding to serious cyber security incidents.

cyber security exercise

141. This term is defined in new section 30CN of the SOCI Act.
cyber security incident

142. This term is defined in new section 12M of the SOCI Act.

data

143. 'Data' is defined in a non-exhaustive manner to include information in any form.

data storage

144. 'Data storage' is defined as data storage that involves information technology, and includes data held in all forms on computer hardware and software systems. For the avoidance of doubt, the definition expressly provides that data back-up is included within the definition.

data storage device

145. Means a thing (for example, a disk or file server) containing (whether temporarily or permanently), or designed to contain (whether temporarily or permanently), data for use by a computer.

data storage or processing provider

146. Means an entity that provides a data storage or processing service.

data storage or processing sector

147. This term is defined to mean the sector of the Australian economy that involves providing data storage or processing services. These services are critical to maintaining the supply and availability of data and cloud services in Australia, which are increasingly relied upon by, and facilitate the effective functioning of, government and industry.

148. New high-speed networks are enabling an exponential growth in services including the Internet of Things and cloud technology. In 2019, Deloitte reported that the adoption of cloud services by businesses in Australia has resulted in a cumulative productivity benefit to the economy of $9.4 billion over the previous 5 years, with 42% of businesses in Australia using a paid cloud.

149. Industries that have the highest adoption rates of cloud services include information, media and telecommunications (64% of businesses in the industry), mining (53%), healthcare and social assistance (45%) and retail trade (42%).

150. While the adoption of data storage and cloud services offers numerous economic and social benefits, it also introduces new risks for data security as businesses and governments aim to address challenges such as skill shortages in IT and cybersecurity, compatibility of new technologies with legacy systems and the cost associated with maintaining IT infrastructure. More than ever, commercially sensitive and personal data is being uploaded and processed online. This presents an attractive target for malicious actors.

151. As companies rely on third party providers for data storage and processing services for operational needs, these services have become vital for business continuity. The demand for data storage services, including Disaster Recovery as a Service, is expected to increase to address the risk of data centre outages.

data storage or processing service

152. Means either a service that enables end-users to store or back-up data, or a data processing service.

Defence Department

153. Means the Department of State that deals with defence and that is administered by the Defence Minister.

defence industry sector

154. The 'defence industry sector' means the sector of the Australian economy that involves the provision of critical defence capabilities. The definition is intended to cover entities that provide or support, whether directly or indirectly through supply chain arrangements, a critical capability which enables the Defence Department's or the Australian Defence Force's (collectively referred to as Defence) ability to shape Australia's strategic environment, deter actions against Australia's interests, and respond with credible military force when required to protect Australia's national security and national interests. This includes entities that supply essential goods, technologies and services to Defence to meet a critical defence capability need, and entities that provide critical components to such a critical capability. Many different entities may play a role in the creation and supply of a critical defence capability.

155. Further, the defence industry sector includes those suppliers or producers of goods, technology and services that:
• Defence needs to ensure ongoing access to, due to the highly essential nature of the goods, technology or services to Defence's capability advantage; or
• Defence needs to limit others' access to, due to the highly sensitive nature of the goods, technology or services and their potential impact on their interests.

156. A strong defence industry sector is essential to delivering Australia's modernised defence capabilities. The demand will increase for this sector to build and maintain fleets of new ships, submarines, armoured vehicles, infrastructure and facilities, and contribute to intelligence, surveillance and reconnaissance, cyber and other electronic and information based capabilities. Australian design, construction, integration, sustainment, services and support capabilities will be critical to meeting that demand.

Defence Minister

157. The 'Defence Minister' is the Minister administering section 1 of the Defence Act 1903.

derivative trade repository

158. This term is defined by reference to Chapter 7 of the Corporations Act. That Act defines a 'derivative trade repository' as a facility to which information about derivative transactions, or about positions relating to derivative transactions, can be reported (whether or not other information or data can also be reported to the facility).

designated officer

159. This term is defined in new section 30DQ of the SOCI Act.

Electricity Networks Corporation

160. Means the Electricity Networks Corporation established under section 4 of the Electricity Corporations Act 2005 (WA).

electronic communication

161. Means a communication of information in any form by means of guided or unguided electromagnetic energy.

energy sector

162. The 'energy sector' is the sector of the Australian economy that involves one of the following:
• the production, transmission, distribution or supply of electricity
• the production, processing, transmission, distribution or supply of gas, or
• the production, processing, transmission, distribution or supply of liquid fuel.
163. This sector is crucial to ensuring the ongoing and reliable supply of energy in Australia and, in turn, facilitates the operation of society, the economy and the defence of Australia. If the energy sector were impacted by a significant disruption it would lead to cascading consequences across all sectors, significantly impacting Australia's security and economy. The energy sector provides essential services to almost all people and businesses across the Australian economy.

164. The consequences of a prolonged and widespread failure in the energy sector could have significant implications across the economy, such as shortages of, or destruction of, essential medical supplies or the inability of businesses and governments to function. Any number of these situations would be catastrophic to Australia's economy, security and sovereignty, as well as the Australian way of life.

165. The definition is intended to be flexible so that it continues to be relevant as business models and technologies for the supply of electricity, gas and liquid fuels change over time. For example, technological advances, including advanced metering technologies, battery storage and virtual power plants, are transforming the Australian electricity industry.

166. For example, the sector might encompass electricity generators, gas and electricity transmission and distribution networks, gas processing and storage assets, liquid fuel refineries, transmission and storage assets and energy market operators. However, it does not capture energy consumers.

engage in conduct

167. 'Engage in conduct' means to do an act or thing or omit to perform an act or thing.

evaluation report

168. This term is defined in new section 30CS of the SOCI Act.

external auditor

169. Means a person authorised under section 30CT of the SOCI Act to be an external auditor for the purposes of this Act.

financial benchmark

170. 'Financial benchmark' is defined by reference to Part 7.5B of the Corporations Act. At the time of the introduction of the Bill, the Corporations Act definition of 'financial benchmark' in section 908AB provides that it is a price, estimate, rate, index or value that:
• is made available to users
• is calculated periodically from one or more transactions, instruments, currencies, prices, estimates, rates, indices, values, financial products, bank accepted bills or negotiable certificates of deposit, or other interests or goods (whether tangible or intangible), and
• is referenced or otherwise used for purposes that include one or more of the following: calculating the interest, or other amounts, payable under financial products, bank accepted bills or negotiable certificates of deposit; calculating the price at which a financial product, bank accepted bill or negotiable certificate of deposit may be traded, redeemed or dealt in; calculating the value of a financial product, bank accepted bill or negotiable certificate of deposit; or measuring the performance of a financial product, bank accepted bill or negotiable certificate of deposit.

financial market

171. This term is defined by reference to Chapter 7 of the Corporations Act. At the time of the introduction of the Bill, section 767A of the Corporations Act defines a 'financial market' as a facility through which:
• offers to acquire or dispose of financial products are regularly made or accepted, or
• offers or invitations are regularly made to acquire or dispose of financial products that are intended to result, or may reasonably be expected to result, in the making of offers to acquire or dispose of financial products or the acceptance of such offers.

172. Subsection 767A(2) of the Corporations Act also provides circumstances that are not financial markets.

financial services and markets sector

173. Means a sector of the Australian economy that involves:
• carrying on a banking business; or
• operating a superannuation fund; or
• carrying on an insurance business; or
• carrying on a life insurance business; or
• carrying on a health insurance business; or
• operating a financial market; or
• operating a clearing and settlement facility; or
• operating a derivative trade repository; or
• administering a financial benchmark; or
• operating a payment system; or
• carrying on a financial services business; or
• carrying on a credit facility business.

174. This is intended to be an expansive and broad definition that includes not only each of the above types of businesses, but other entities that support each of the above outcomes.

175. The financial services and markets sector is a key driver of Australia's economy and is important to the prosperity of the Australian population. In 2019-20, Financial and Insurance Services was the industry that contributed the second largest share to current price gross value add (8.9 per cent).[2]

176. The sector also plays a critical role in the accumulation of capital, investment and commerce, and the production of goods and services. The existence of robust financial markets and services facilitates the international flow of funds between countries and tends to lower search and transaction costs in the economy. Highly developed financial markets make Australia one of the major centres of capital markets activity in Asia.

177. The accelerating rate of technological change and increasing penetration of mobile devices, combined with shifting customer preferences, will have dramatic implications for the ways in which financial services are structured, delivered and consumed. This trend is evident in Australia and is perhaps even more apparent in other countries in the Asia-Pacific region.

178. The prevalence of, and dependence on, advanced technologies, and the importance of financial services and markets to the Australian economy, means that this sector will continue to be a target for malicious actors. That is why the Boston Consulting Group concluded in their report 'Global Wealth 2019: Reigniting Radical Growth'[3] that financial firms are 300 times more likely than other institutions to experience cyber attacks.

financial services business

179. This term is defined by reference to Chapter 7 of the Corporations Act, where the term 'financial services business', at the time of introduction of the Bill, is defined as meaning a business of providing financial services.

[2] Australian Bureau of Statistics, Australian National Accounts, catalogue number 5217.0. Accessed on 1 December 2020 at https://www.abs.gov.au/statistics/economy/national-accounts/australian-system-national-accounts/latest-release.

[3] Boston Consulting Group, Global Wealth 2019: Reigniting Radical Growth, 2019, page 22.
food

180. Means food that is fit for human consumption.

food and grocery sector

181. The 'food and grocery sector' means the sector of the Australian economy that involves manufacturing, processing, packaging, distributing or supplying food or groceries on a commercial basis. Primary production and agriculture are not intended to be captured within the food and grocery sector definition.

182. The definition recognises that reliable and secure access to food and groceries are key components for the sustainment of life for all Australians. As such, the definition captures those entities that are integral to the supply chain of food and groceries in Australia. While supermarkets are often the most visible point in the supply chain for consumers purchasing food and groceries, numerous suppliers and components throughout each part of the large and diverse supply chain are required in order for food and groceries to make it onto supermarket shelves.

gas

183. Means a substance that:
• is in a gaseous state at standard temperature and pressure, and
• consists of naturally occurring hydrocarbons and non-hydrocarbons, the principal constituent of which is methane, and
• is suitable for consumption.

general intensive care unit

184. Means an area within a hospital that is equipped and staffed so that it is capable of providing to a patient mechanical ventilation for a period of several days, and invasive cardiovascular monitoring, has admission and discharge policies in operation, and is supported by:
• during normal working hours--at least one specialist, or consultant physician, in the specialty of intensive care, who is immediately available, and exclusively rostered, to that area; and
• at all times--at least one medical practitioner who is present in the hospital and immediately available to that area; and
• at least 18 hours each day--at least one nurse.
government business enterprise

185. This term is defined by reference to the Public Governance, Performance and Accountability Act 2013 (the PGPA Act). Section 8 of the PGPA Act, at the time of introduction of the Bill, defines 'government business enterprise' as meaning a Commonwealth entity or Commonwealth company that is prescribed by rules made under that Act.

health care

186. A non-exhaustive definition of 'health care' is provided which includes a range of medical and allied health care services, such as services provided by individuals who practise in any of the following professions and occupations: dental (including the professions of dentist, dental therapist, dental hygienist, dental prosthetist and oral health therapist), medical, medical radiation practice, nursing, midwifery, occupational therapy, optometry, pharmacy, physiotherapy, podiatry, psychology, or a profession or occupation specified in Ministerial rules made under section 61 of the SOCI Act. The definition also includes treatment and maintenance as a patient in a hospital.

health care and medical sector

187. The 'health care and medical sector' is the sector of the Australian economy that is involved in the provision of health care such as public health and preventive services, primary health care, emergency health services, hospital-based treatment, e-health services, pharmaceutical services, rehabilitation and palliative care, and diagnostic and imaging services. The definition also captures the production, distribution and supply of medical supplies, which includes products that support the provision of health care services (for example, personal protective equipment and diagnostic equipment), pharmaceutical products and medicines, pacemakers and prosthetics.

188. The Australian health care and medical system is one of the best in the world and provides quality, safe and affordable health care for all Australians. It is a key reason why Australians enjoy one of the longest life expectancies in the world. Its criticality was also apparent and tested during COVID-19, where it played a central role in saving a number of lives and providing continued care to the most vulnerable members of the public.

189. Malicious actors have been known to exploit these dependencies, and the mass of sensitive information held, for profit. Evidence suggests that cyber security incidents are a significant area of concern for the health care and medical sector. According to the Office of the Australian Information Commissioner, the health sector has remained among the top reporting sectors for data breaches since January 2018. In 2019, the Victorian health sector was subject to a ransomware attack, and advanced persistent threats have been witnessed targeting Australian health sector organisations and medical research facilities.
190. International experience also highlights the dire consequences that could occur as a result of a cyber security incident impacting the health care and medical sector. In 2017, WannaCry ransomware infected over 300,000 computers and impacted organisations in 150 countries. Among them, several health organisations were affected, such as the United Kingdom National Health Service, which had to cancel surgeries and divert ambulances. More recently, in September 2020, hackers disabled computer systems at Düsseldorf University Hospital in Germany, which led to the death of a patient after an ambulance had to be diverted.

191. Importantly, the definition of the sector has been developed to be intentionally broad in order to capture advances in health care and medicine in the future. However, the definition is not intended to capture the provision of services that are cosmetic rather than, for example, therapeutic or diagnostic.

health insurance business

192. This term is defined by reference to the Private Health Insurance Act 2007 (the Private Health Insurance Act), which, at the time of introduction of the Bill, defines 'health insurance business' as the business of undertaking liability by way of insurance or an employee health benefits scheme that relates in a particular way to hospital treatment or general treatment.

higher education and research sector

193. The 'higher education and research sector' means the sector of the Australian economy that involves being a higher education provider, or undertaking a program of research that is supported financially (wholly or in part) by the Commonwealth, or is relevant to a critical infrastructure sector other than the higher education and research sector itself.

194. This definition captures institutions that contribute significantly to the Australian economy, competitiveness, skilled workforce, and Australia's global standing both as quality providers of education and as cutting-edge research institutions. For example, this could include institutions that carry out medical research or institutions that own large-scale infrastructure that is essential to Australia's national interest. This definition does not capture the services provided by early learning centres, primary and secondary schools.

195. While higher education providers account for a large portion of research activities in Australia, private institutions may also conduct nationally significant research and development. These institutions are only caught within the definition of the sector to the extent that they receive financial assistance from the Australian Government, or relate to another critical infrastructure sector. For example, entities that have received financial assistance from the Australian Research Council or the National Health and Medical Research Council, and research activities that are relevant to the space or health sector, fall within the higher education and research sector.
higher education provider

196. This term is defined by reference to the Tertiary Education Quality and Standards Agency Act 2011. At the time of introduction of the Bill, section 5 of that Act defines 'higher education provider' to mean:
• a constitutional corporation that offers or confers a regulated higher education award
• a corporation that offers or confers a regulated higher education award and is established by or under a law of the Commonwealth or a Territory, or
• a person who offers or confers a regulated higher education award for the completion of a course of study provided wholly or partly in a Territory.

hospital

197. This term is defined by reference to the Private Health Insurance Act. At the time of introduction of the Bill, subsection 121-5(5) of that Act provides that a 'hospital' is a facility for which a declaration under subsection 121-5(6) of the Private Health Insurance Act is in force. Subsection 121-1(6) of the Private Health Insurance Act provides that the Minister may declare a facility is a 'hospital'.

IGIS official

198. 'IGIS official' means the Inspector-General of Intelligence and Security, or any other person covered by subsection 32(1) of the Inspector-General of Intelligence and Security Act 1986 (the IGIS Act).

impairment of electronic communication to or from a computer

199. This term is defined non-exhaustively to include the prevention of any such communication, and the impairment of any such communication on an electronic link or network used by the computer, but does not include a mere interception of any such communication. For example, this would include an action that disabled the ability for a computer to connect with the internet, irrespective of whether that action involved accessing the computer itself.

incident response plan

200. This term is defined in new section 30CJ of the SOCI Act.

inland waters

201. This term means waters within Australia other than waters of the sea.
insurance business

202. This term is defined by reference to the Insurance Act 1973 (the Insurance Act). At the time of introduction of the Bill, section 3 of the Insurance Act defines the term 'insurance business' as meaning the business of undertaking liability, by way of insurance (including reinsurance), in respect of any loss or damage, including liability to pay damages or compensation, contingent upon the happening of a specified event, and includes any business incidental to insurance business as so defined. The definition then lists a number of things that are not an 'insurance business'.

internet carriage service

203. This term means a listed carriage service that enables end-users to access the internet.

life insurance business

204. This term is defined by reference to the Life Insurance Act 1995. At the time of introduction of the Bill, the term was defined as meaning a business that consists of any or all of the following:

• the issuing of life policies
• the issuing of sinking fund policies
• the undertaking of liability under life policies
• the undertaking of liability under sinking fund policies.

205. The definition also includes any business related to the above businesses and provides for what is not a 'life insurance business'.

liquid fuel

206. This term has the same meaning as in the Liquid Fuel Emergency Act 1984. At the time of introduction of the Bill, section 3 of that Act defined the term as meaning liquid petroleum, a liquid petroleum product, a liquid petrochemical, methanol or ethanol. This includes crude oil and condensate, as well as refined products such as petrol, diesel and jet fuels, and biodiesel.

listed carriage service

207. This term has the same meaning as in the Telecommunications Act. At the time of introduction of the Bill, 'listed carriage service' is defined in that Act to be:

• a carriage service between a point in Australia and one or more other points in Australia,
• a carriage service between a point and one or more other points, where the first-mentioned point is in Australia and at least one of the other points is outside Australia,
• a carriage service between a point and one or more other points, where the first-mentioned point is outside Australia and at least one of the other points is in Australia.

208. The definition in section 16 of the Telecommunications Act also clarifies what a 'point' is for the purposes of that definition.

local hospital network

209. This term has the same meaning as in the National Health Reform Act 2011. At the time of the introduction of the Bill, section 5 of that Act defined 'local hospital network' as meaning an organisation that is a local hospital network (however described) for the purposes of the National Health Reform Agreement.

managed service provider

210. This term, when used in relation to an asset, means an entity that:

• manages the asset or part of the asset,
• manages an aspect of the asset or a part of the asset, or
• manages an aspect of the operation of the asset or part of the asset.

211. For example, an operator of a critical infrastructure asset may outsource responsibility for maintaining its information technology infrastructure to a separate legal entity through a contractual service-level agreement. As a result, the managed service provider has effective control of, and responsibility for, the information technology of the critical infrastructure asset.

medical supplies

212. This term is defined non-exhaustively and includes goods for therapeutic use and other things that are specified in the rules made under this Act.

Ministerial authorisation

213. This term means an authorisation under new section 35AB of the SOCI Act.

modification

214. 'Modification' is defined by reference to two scenarios. In respect of computer data, it means the alteration or removal of the data or an addition to the data. In respect of a computer program, it means the alteration or removal of the program or an addition to the program.

national broadcasting service

215. This term has the same meaning as in the Broadcasting Services Act. At the time of introduction of the Bill, the definition in section 13 of that Act provided that national broadcasting services are:

• broadcasting services provided by the Australian Broadcasting Corporation in accordance with section 6 of the Australian Broadcasting Corporation Act 1983, or
• broadcasting services provided by the Special Broadcasting Service Corporation in accordance with section 6 of the Special Broadcasting Service Act 1991, or
• broadcasting services provided under the Parliamentary Proceedings Broadcasting Act 1946.

216. Section 13 of the Broadcasting Services Act further provides what is not included in the definition.

National Register of Higher Education Providers

217. This term means the register that is established and maintained under section 198 of the Tertiary Education Quality and Standards Agency Act 2011.

notification provision

218. 'Notification provisions' are those provisions listed in paragraphs (a) to (s) of this definition.

Ombudsman official

219. This term means the Ombudsman, a Deputy Commonwealth Ombudsman or a person who is a member of the staff referred to in subsection 31(1) of the Ombudsman Act 1976.

Item 8 Section 5 (paragraph (b) of the definition of operator)

220. Item 8 of Schedule 1 to the Bill repeals and replaces paragraph (b) of the definition of 'operator' in section 5 of the SOCI Act. New paragraph (b) defines 'operator' to mean, for a critical infrastructure asset other than a critical port, an entity that operates the asset or part of the asset.

Item 9 Section 5

221. Item 9 of Schedule 1 to the Bill inserts a definition of 'payment system' into section 5 of the SOCI Act.

payment system

222. 'Payment system' has the same meaning as in the Payment Systems (Regulation) Act. At the time of the introduction of the Bill, section 7 of that Act defined 'payment system' as a funds transfer system that facilitates the circulation of money, and includes any instruments and procedures that relate to that system.

Item 10 Section 5

223. Item 10 of Schedule 1 to the Bill inserts a definition of 'Power and Water Corporation' into section 5 of the SOCI Act.

Power and Water Corporation

224. This term means the Power and Water Corporation that is established under section 4 of the Power and Water Corporation Act 1987 (NT).

Item 11 Section 5 (after paragraph (b) of the definition of protected information)

225. Item 11 of Schedule 1 to the Bill expands the definition of 'protected information' in section 5 of the SOCI Act to include information that relates to the new provisions being inserted into the SOCI Act by the Bill, where that information may contain commercially sensitive information, may reveal security vulnerabilities, or is otherwise sensitive such that its disclosure needs to be managed.

226. The additional types of documents or information that will be 'protected information' under the Bill include information that:

• records, or is, the fact that an asset is declared under section 52B to be a system of national significance (paragraph (ba))
• records, or is, the fact that the Minister has given a Ministerial authorisation or revoked a Ministerial authorisation (paragraph (bb))
• is, or is included in, a critical infrastructure risk management program that is adopted by an entity in compliance with section 30AC (paragraph (bc))
• is, or is included in, a report that is given under section 30AG (paragraph (bd))
• is, or is included in, a report under section 30BC or 30BD (paragraph (be))
• is, or is included in, an incident response plan adopted by an entity in compliance with section 30CD (paragraph (bf))
• is, or is included in, an evaluation report prepared under section 30CQ or 30CR (paragraph (bg))
• is, or is included in, a vulnerability assessment report prepared under section 30CZ (paragraph (bh))
• is, or is included in, a report given in compliance with a system information periodic or event-based reporting notice (paragraph (bi))
• records, or is, the fact that the Secretary has given a direction under section 35AK or revoked such a direction (paragraph (bj))
• records, or is, the fact that the Secretary has given a direction under section 35AQ or revoked such a direction (paragraph (bk)), or
• records, or is, the fact that the Secretary has given a request under section 35AX or revoked such a request (paragraph (bl)).

227. Importantly, there are a number of circumstances where the use and disclosure of protected information is authorised, or where exceptions to the prohibition apply (see Division 3 of Part 4 of the SOCI Act). Notably, the offence in section 45, which prohibits an entity from using or disclosing protected information, does not apply if the entity is the entity to which the protected information relates, or if that entity consents to such disclosure or use (see subsection 46(4) of the SOCI Act). This recognises that the entity is well placed to manage the sensitivities associated with the information so far as it relates to its asset, and may need to disclose the information to meet its obligations under the Act or otherwise to operate the asset effectively.

Item 12 Section 5 (paragraph (c) of the definition of protected information)

228. Paragraph (c) of the definition of 'protected information' in section 5 of the SOCI Act currently provides that information is 'protected information' if it is a document or information to which paragraph (a) or (b) applies. Item 12 of Schedule 1 to the Bill amends paragraph (c) to refer to the different types of information that are 'protected information' under new paragraphs (ba) to (bh) of the definition, as outlined at Item 11 above.

Item 13 Section 5

229. Item 13 of Schedule 1 to the Bill inserts further definitions into the SOCI Act that are required as a result of the amendments being made by the Bill.

radiocommunications transmitter

230. This term has the same meaning as in the Radiocommunications Act 1992 (the Radiocommunications Act). At the time of the introduction of the Bill, subsection 7(2) of that Act defines 'radiocommunications transmitter' as:

• a transmitter designed or intended for use for the purpose of radiocommunications
• anything (other than a line within the meaning of the Telecommunications Act) designed or intended to be ancillary to, or associated with, such a transmitter for the purposes of that use, or
• anything (whether artificial or natural) that is designed or intended for use for the purpose of radiocommunication by means of the reflection of radio emissions and that the Australian Communications and Media Authority determines in writing to be a radiocommunications transmitter for the purposes of the Radiocommunications Act.

regional centre

231. This term means a city, or a town, that has a population of 10,000 or more people.

Regional Power Corporation

232. This term means the Regional Power Corporation established by section 4 of the Electricity Corporations Act 2005 (WA).

registrable superannuation entity

233. This term has the same meaning as in the Superannuation Industry (Supervision) Act 1993. At the time of introduction of the Bill, section 10 of that Act defined 'registrable superannuation entity' as meaning a regulated superannuation fund, an approved deposit fund or a pooled superannuation trust, but does not include a self-managed superannuation fund.

regulated air cargo agent

234. This term has the same meaning as in the ATSA. At the time of the introduction of the Bill, the ATSA defined the term to mean a person designated as a regulated air cargo agent in accordance with regulations made under section 44C of the ATSA.

related body corporate

235. This term has the same meaning as in the Corporations Act. At the time of introduction of the Bill, a 'related body corporate' was defined in that Act to mean, in relation to a body corporate, a body corporate that is related to the first-mentioned body by virtue of section 50 of the Corporations Act.

relevant Commonwealth regulator

236. This term means either a Department that is specified in the rules made by the Minister under section 61 of the SOCI Act, or a body that is established by a law of the Commonwealth and specified in the rules.

relevant entity

237. A 'relevant entity', in relation to an asset, means an entity that is the responsible entity for the asset, is a direct interest holder in relation to the asset, is an operator of the asset, or is a managed service provider for the asset. 'Operator' is used in this context consistently with the definition in section 5, to include an entity that operates the asset or part of the asset.

relevant impact

238. This term is defined in new section 8G of the SOCI Act.

Item 14 Section 5 (definition of relevant industry)

239. Item 14 of Schedule 1 to the Bill repeals the definition of 'relevant industry', as this has been replaced in the Bill by the concept of 'critical infrastructure sector' as defined in new section 8D of the SOCI Act (see Item 21 of Schedule 1 to the Bill, below).

Item 15 Section 5 (definition of responsible entity)

240. Item 15 of Schedule 1 to the Bill repeals the definition of 'responsible entity' in section 5 of the SOCI Act and replaces it with a definition which refers to new section 12L, where the term will now be defined (see further at Item 32 of Schedule 1 to the Bill, below).

Item 16 Section 5 (paragraph (a) of the definition of security)

241. Item 16 of Schedule 1 to the Bill amends paragraph (a) of the definition of 'security' to provide that 'security' has the meaning given by the ASIO Act except in the definition of critical energy market operator asset and sections 10, 12, 12A, 12D, 12G, 12H, 12J, 12M, 12N, 30AG, 30CB, 30CM, 30CR, 30CU and 30CW, where 'security' has its ordinary meaning and is not necessarily limited to national security.

Item 17 Section 5 (paragraph (b) of the definition of security)

242. Item 17 of Schedule 1 to the Bill amends paragraph (b) of the definition of 'security' to provide that 'security' has the meaning given by the ASIO Act except in the definition of critical energy market operator asset and sections 10, 12, 12A, 12D, 12G, 12H, 12J, 12M, 12N, 30AG, 30CB, 30CM, 30CR, 30CU and 30CW, where 'security' has its ordinary meaning and is not necessarily limited to national security.

Item 18 Section 5

243. Item 18 of Schedule 1 to the Bill inserts further definitions into the SOCI Act that are required as a result of the amendments being made by the Bill.

significant financial benchmark

244. This term has the same meaning as in the Corporations Act. At the time of introduction of the Bill, section 908AC of the Corporations Act provides that a 'significant financial benchmark' is a financial benchmark declared under subsection 908AC(2) of that Act. That subsection provides that ASIC may, by legislative instrument, declare a financial benchmark to be a 'significant financial benchmark' if satisfied of the criteria in paragraphs 908(2)(a)-(2)(c).

space technology sector

245. The 'space technology sector' is the sector of the Australian economy that involves the commercial provision of space-related services. The space technology sector touches every aspect of the Australian economy and is heavily relied on by other critical infrastructure for its daily functioning. For example, space-based technology provides essential data in support of other services such as weather forecasting, emergency management, communications and online banking. This dependence poses a serious security dilemma, as incidents can have far-reaching and potentially catastrophic consequences for other critical infrastructure sectors such as communications, banking and transport.

246. The definition is intended to capture the assets that provide the services, as well as those that support them. The note to the definition provides the following non-exhaustive examples of what may be regarded as space-related services, noting that it is a dynamic and evolving sector of the economy:

• position, navigation and timing services in relation to space objects,
• space situation awareness services,
• space weather monitoring and forecasting,
• communications, tracking, telemetry and control in relation to space objects,
• remote sensing earth observations from space, or
• facilitating access to space.

247. These examples align with the National Civil Space Priority Areas outlined in the Department of Industry, Science, Energy and Resources' Australian Civil Space Strategy 2019-2028. The space technology sector is a rapidly evolving sector, with new space-related services and new methods of utilising space technology constantly being developed. In Australia, the space technology sector is growing strongly and is expected to grow at an annualised 7.1 per cent over the five years through 2023-24.

staff member

248. In relation to the authorised agency, this term means a staff member of the Australian Signals Directorate (within the meaning of the Intelligence Services Act).

system information event-based reporting notice

249. This means a notice under new subsection 30DC(2) of the SOCI Act.

system information periodic reporting notice

250. This means a notice under new subsection 30DB(2) of the SOCI Act.

system information software notice

251. This means a notice under new subsection 30DJ(2) of the SOCI Act.

system of national significance

252. This term has the meaning given in new section 52B of the SOCI Act.

technical assistance notice

253. This term has the same meaning as in Part 15 of the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a notice that has been issued under section 317L of the Telecommunications Act.

technical assistance request

254. This term has the same meaning as in Part 15 of the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a request made under paragraph 317G(1)(a) of the Telecommunications Act.

technical capability notice

255. This term has the same meaning as in Part 15 of the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a notice given under section 317T of the Telecommunications Act.

telecommunications network

256. This term has the same meaning as in the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a system, or series of systems, that carries, or is capable of carrying, communications by means of guided and/or unguided electromagnetic energy.

therapeutic use

257. This term has the same meaning as in the Therapeutic Goods Act 1989. At the time of the introduction of the Bill, the term was defined in that Act as meaning use in, or in connection with:

• preventing, diagnosing, curing or alleviating a disease, ailment, defect or injury in persons,
• influencing, inhibiting or modifying a physiological process in persons,
• testing the susceptibility of persons to a disease or ailment,
• influencing, controlling or preventing conception in persons,
• testing for pregnancy in persons, or
• the replacement or modification of parts of the anatomy in persons.

transport sector

258. The 'transport sector' means the sector of the Australian economy that involves:

• owning or operating assets that are used in connection with the transport of goods or passengers on a commercial basis, or
• the transport of goods or passengers on a commercial basis.

259. The definition recognises the important role that the sector plays in the economy by facilitating the movement of goods and people across Australia, as well as the assets that support that movement. The geographic spread of Australia's population, coupled with economic reliance on goods that are produced in remote areas, means that the reliable and efficient transport of goods, such as food, and of passengers is essential to the functioning of the economy and to social cohesion. For instance, the transport of essential food and groceries into remote areas of the Northern Territory relies on the availability of long combination vehicles, commonly referred to as 'road trains'.

260. The intent of extending the definition to capture entities that own or operate assets used in connection with the transport of goods and passengers on a commercial basis is to capture those enabling assets that, if disrupted, would undermine the operation of Australia's transport capability. For example, the definition is intended to capture logistics services without which freight operations could not function. In another example, transport is often reliant on intermodal facilities that provide for the efficient transfer of goods and people from one mode of transport to another.

unauthorised access, modification or impairment

261. This term has the meaning given by new section 12N of the SOCI Act.

vulnerability assessment

262. This term has the meaning given by new section 30CY of the SOCI Act.

vulnerability assessment report

263. This term has the meaning given by new section 30DA of the SOCI Act.

water and sewerage sector

264. The 'water and sewerage sector' means the sector of the Australian economy that involves either operating water or sewerage systems or networks, or manufacturing or supplying goods, or providing services, for use in connection with the operation of water or sewerage systems or networks.

265. This definition is intended to capture wastewater, potable water, raw water and recycled water, and encompasses desalination plants, water utilities and bulk water providers. The definition also captures the supply chains that support these services, such as the manufacturers and suppliers of chemicals used in the treatment of water.

266. This sector is critical to the continued supply of clean and safe water for all Australians and to the functioning of other critical infrastructure. Water and sewerage are essential to socio-economic development, healthy ecosystems and to human survival itself. Combined, they are vital to reducing the burden of disease and improving the health, welfare and productivity of the Australian population. Water is a finite and irreplaceable resource that must be protected.

267. International examples have shown that these services can be the target of malicious actors who intend to cause serious harm to populations. For example, Israel's National Cyber Directorate received reports about attempted cyber attacks in April 2020 and June 2020 on its water infrastructure. If successful, the attacks would have led to the increased chlorination of treated water, causing the poisoning of the local population served by the affected treatment facility.

Item 19 Section 5 (definition of water utility)

268. Item 19 of Schedule 1 to the Bill will insert the words 'or sewerage services, or both.' at the end of the definition of 'water utility'. This is intended to provide consistency with the breadth of the water and sewerage sector as well as with the existing definition of critical water asset in section 5 of the SOCI Act.

Item 20 At the end of section 6

269. Item 20 of Schedule 1 to the Bill inserts new subsections (5) and (6) into section 6 of the SOCI Act, which outlines the meaning of 'interest and control information'.

270. Subsection 6(5) provides that, if the 'first entity' (i.e. the entity operating an asset) is the Governor-General, the Prime Minister or a Minister, and is a direct interest holder in relation to an asset because of paragraph 8(1)(b) of the SOCI Act, the first entity is not required to provide any interest or control information.

271. The note to subsection 6(5) reminds the reader that the term 'Minister' is defined in section 2B of the Acts Interpretation Act 1901 (Acts Interpretation Act).

272. As provided at item 26, the broader range of assets that are intended to be captured as critical infrastructure assets may include Commonwealth government business enterprises. In light of this, subsection 6(5) ensures that these individuals, who would otherwise be required to provide interest or control information as a result of the office they hold, are not required to report information for the register.

273. However, subsection 6(6) clarifies that subsection 6(5) does not affect the obligation of the Commonwealth to provide interest and control information in relation to the asset if the Commonwealth is also a direct interest holder in relation to the asset because of paragraph 8(1)(a) or (b) of the SOCI Act.

274. This means that if the Commonwealth is identified as a direct interest holder for an asset, then the Commonwealth is required to provide interest and control information. The practical effect of this provision is that the Commonwealth department or agency responsible for the asset will provide interest and control information in relation to that asset for the register of critical infrastructure assets.

Item 21 After section 8C

275. Item 21 of Schedule 1 to the Bill inserts new sections 8D, 8E, 8F and 8G into the SOCI Act.

Section 8D Meaning of critical infrastructure sector

276. New section 8D of the SOCI Act lists each of the following sectors of the Australian economy as a 'critical infrastructure sector':

• the communications sector (paragraph (a))
• the data storage or processing sector (paragraph (b))
• the financial services and markets sector (paragraph (c))
• the water and sewerage sector (paragraph (d))
• the energy sector (paragraph (e))
• the health care and medical sector (paragraph (f))
• the higher education and research sector (paragraph (g))
• the food and grocery sector (paragraph (h))
• the transport sector (paragraph (i))
• the space technology sector (paragraph (j)), and
• the defence industry sector (paragraph (k)).

277. The definitions for each separate sector are included in section 5, by operation of the Bill.

278. This definition, in combination with the amendments to sections 9 and 51 of the SOCI Act, serves to limit the sectors from which the Minister may prescribe or declare additional critical infrastructure assets. The definition is also used in the definition of 'critical infrastructure sector asset' (defined in new section 8E of the SOCI Act).

Section 8E Meaning of critical infrastructure sector asset

279. New section 8E of the SOCI Act provides that an asset is a 'critical infrastructure sector asset' if it relates to a 'critical infrastructure sector' as defined in new section 8D, above. In addition, certain assets are deemed to be critical infrastructure sector assets as outlined in subsections (2)-(11). These deeming provisions are not intended to limit the interpretation of 'critical infrastructure sector asset', but rather clarify that particular critical infrastructure assets relate to certain critical infrastructure sectors.

280. Section 8E is used to limit the assets to which the serious cyber incident response powers in new Part 3A may apply.

281. While the serious cyber incident response powers are focused on protecting critical infrastructure assets, the high level of interdependencies across the Australian economy and through supply chains means that actions in relation to an asset in a sector identified in new section 8D may be required to respond to a serious cyber security incident.

Subsections 8E(2)-(11)--Deeming--when asset relates to a sector

282. Subsection (2) provides that, for the purposes of the SOCI Act, each of the following assets (each of which is defined) is taken to relate to the communications sector:

• a critical telecommunications asset (paragraph (a))
• a critical broadcasting asset (paragraph (b)), and
• a critical domain name system (paragraph (c)).

283. Subsection (3) provides that, for the purposes of the SOCI Act, a critical data storage or processing asset is taken to relate to the data storage or processing sector.

284. Subsection (4) provides that each of the following assets (each of which is separately defined) is taken to relate to the financial services and markets sector:

• a critical banking asset (paragraph (a))
• a critical superannuation asset (paragraph (b))
• a critical insurance asset (paragraph (c)), and
• a critical financial market infrastructure asset (paragraph (d)).

285. Subsection (5) provides that, for the purposes of the SOCI Act, a critical water asset is taken to relate to the water and sewerage sector.

286. Subsection (6) provides that each of the following assets (each of which is separately defined) is taken to relate to the energy sector:

• a critical electricity asset (paragraph (a))
• a critical gas asset (paragraph (b))
• a critical energy market operator asset (paragraph (c)), and
• a critical liquid fuel asset (paragraph (d)).

287. Subsection (7) provides that, for the purposes of the SOCI Act, a critical hospital is taken to relate to the health care and medical sector. Subsection (8) provides that a critical education asset is taken to relate to the higher education and research sector. Subsection (9) provides that a critical food and grocery asset is taken to relate to the food and grocery sector.

288. Subsection (10) provides that the following assets (each of which is a separately defined term) relate to the transport sector:

• a critical port (paragraph (a))
• a critical freight infrastructure asset (paragraph (b))
• a critical freight services asset (paragraph (c))
• a critical public transport asset (paragraph (d)), and
• a critical aviation (paragraph (e)).

289. Subsection (11) provides that a critical defence industry asset is taken to relate to the defence industry sector.

Section 8F Critical infrastructure sector for a critical infrastructure asset

290. New section 8F of the SOCI Act clarifies that, for the purposes of the SOCI Act, the critical infrastructure sector for a critical infrastructure asset is the critical infrastructure sector to which the asset relates.

Section 8G Meaning of relevant impact

291. New section 8G of the SOCI Act defines the term 'relevant impact' in relation to a hazard on a critical infrastructure asset, a cyber security incident on a critical infrastructure asset, and a cyber security incident on a system of national significance.

292. This term is used in several places in the SOCI Act to refer to the types of impacts on an asset that are the focus of the obligations. For example, an impact on customer service or on the quality of the service being provided will not necessarily be regarded as a relevant impact unless it also impacts the availability, integrity or reliability of the asset, or the confidentiality of information about the asset. This term is intended to focus the obligations under the SOCI Act on only those impacts on the security of critical infrastructure assets and systems of national significance that, in turn, impact Australia's social and economic stability, national security and defence.

293. The relevant impact may be direct or indirect. This is intended to focus the definition on the result of the hazard or cyber security incident rather than its source, emphasising the all-hazards approach being taken under the Bill.

294. Subsection (1) provides that the relevant impact of a hazard on a critical infrastructure asset is the impact (whether direct or indirect) of the hazard on:

• the availability of the asset (paragraph (a))
• the integrity of the asset (paragraph (b))
• the reliability of the asset (paragraph (c)), or
• the confidentiality of information about the asset, information stored in the asset and computer data (paragraph (d)).

295. For instance, the relevant impact of a hazard on a critical infrastructure asset in the energy sector could be an extreme weather event (e.g. heatwave, severe storm) creating a blackout across a metropolitan area. This amounts to a 'relevant impact' because the availability of the critical electricity asset has been compromised, such that a significant population does not have access to power, or the supply is unreliable. This would lead to considerable disruption to interconnected networks that rely on electricity, impacting their integrity, reliability and availability, potentially resulting in:

• reduced services or shutdown of the banking, finance and retail sectors,
• impacts to clean water supply, and
• disruptions to the transport sector, traffic management systems and availability of fuel.

296. The relevant impact of unauthorised access to the systems of a data centre could directly result in a compromise of the confidentiality of the information held in that data centre, resulting in an impact on businesses' ability to trust the integrity of the data held in that facility.

297. It is important to note that a relevant impact must be more serious than a reduction in the quality of the service being provided.

298. Subsection (2) provides that the relevant impact of a cyber security incident on a critical infrastructure asset is the impact (whether direct or indirect) of the cyber security incident on:

• the availability of the asset (paragraph (a))
• the integrity of the asset (paragraph (b))
• the reliability of the asset (paragraph (c)), or
• the confidentiality of information about the asset, information stored in the asset and computer data (paragraph (d)).

299. Subsection (3) provides that the relevant impact of a cyber security incident on a system of national significance is the impact (whether direct or indirect) of the cyber security incident on:

• the availability of the system (paragraph (a))
• the integrity of the system (paragraph (b))
• the reliability of the system (paragraph (c)), or
• the confidentiality of information about the system, information stored in the asset and computer data (paragraph (d)).

Item 22 Paragraphs 9(1)(a), (b), (c) and (d) 300. Section 9(1) of the SOCI Act defines the term 'critical infrastructure asset' through the list in paragraphs (1)(a) to (f). Item 22 of Schedule 1 to the Bill repeals paragraphs (1)(a) to (d), and inserts paragraphs (1)(a) to (dr), which provides for the inclusion of the additional 18 classes of critical infrastructure assets introduced through the Bill. 301. Building on the existing definition in the SOCI Act, definitions of additional critical infrastructure assets within the eleven critical infrastructure sectors will be introduced while retaining the Minister for Home Affairs' existing ability to prescribe or declare additional assets, noting the amendments to paragraph 9(3)(b). 302. Critical infrastructure assets across each sector have been identified through an assessment of criticality to the social or economic stability of Australia or its people, the defence of Australia, or national security. In particular, considerations include, but are not limited to, whether, if destroyed, degraded, or rendered unavailable, there would be a significant detrimental impact on:  maintaining basic living standards for the Australian population - this includes those essential services and other services without which the safety, health or welfare of the Australian community or a large section of the community would be endangered or seriously prejudiced;  industries, commercial entities and financial institutions that underpin Australia's wealth and prosperity;  the security of large or sensitive data holdings which, if undermined, could lead to the theft of personal or commercially sensitive information, intellectual property or trade secrets, and national security and defence capabilities. Item 23 At the end of subsection 9(1) 303. 
Item 23 of Schedule 1 to the Bill will insert a note at the end of subsection 9(1) directing the reader to subsection 13(3) of the Legislation Act 2003 (Legislation Act) with regard to prescription by class. Subsection 13(3) of the Legislation Act provides that if enabling legislation, such as this Act, confers on a person the power to make a legislative instrument that specifies, declares or prescribes a matter, or does anything in relation to a matter, then in exercising the power the person may identify the matter by referring to a class or classes of matters.
Item 24 Paragraphs 9(2)(a), (b), (c) and (d)
304. Under subsection 9(2) of the SOCI Act, the rules made by the Minister under section 61 may prescribe that a specific asset is not a critical infrastructure asset. Item 24 of Schedule 1 to the Bill reflects the same changes made under item 22, in that it repeals paragraphs (a) to (d) and replaces them with new paragraphs (a) to (v), creating a list of twenty-two classes of critical infrastructure assets from which the rules may prescribe a specific asset as not being a critical infrastructure asset.
Item 25 At the end of subsection 9(2)
305. Item 25 of Schedule 1 to the Bill will insert a note at the end of subsection 9(2) directing the reader to subsection 13(3) of the Legislation Act with regard to prescription by class. Subsection 13(3) of the Legislation Act provides that if enabling legislation, such as this Act, confers on a person the power to make a legislative instrument that specifies, declares or prescribes a matter, or does anything in relation to a matter, then in exercising the power the person may identify the matter by referring to a class or classes of matters.
Item 26 After subsection 9(2)
306. Item 26 of Schedule 1 to the Bill inserts new subsections 9(2A) and (2B) after the existing subsection 9(2).
307. New subsection (2A) applies where an asset is owned by the Commonwealth or a body corporate established by a law of the Commonwealth. When this subsection applies, the asset concerned will not be a critical infrastructure asset unless:
• the asset is declared under section 51 of the SOCI Act to be a critical infrastructure asset (paragraph (c)), or
• the asset is prescribed by the rules for the purposes of paragraph 9(1)(f) (paragraph (d)).
308. The Government acknowledges the criticality of, and the need to safeguard and protect, assets, networks and infrastructure that are necessary for the effective operation of government and democratic institutions. This is critical to maintaining trust and confidence in government and democratic institutions, and to the effective functioning of government services.
309.
However, the measures and powers in this Bill will not apply to all Commonwealth assets, because these assets are already subject to existing frameworks that are designed to maintain security and resilience. The Commonwealth is also in a position to provide active assistance should these assets be subject to a serious cyber incident.
310. Commonwealth assets are subject to the Protective Security Policy Framework (PSPF), which requires government departments and agencies to implement certain security measures in relation to four key areas:
• Governance: to manage security risks and support a positive security culture
• Personnel: to ensure employees and contractors are suitable to access Government resources, and meet appropriate standards of integrity and honesty
• Information: to maintain the confidentiality, integrity and availability of official information
• Physical: to provide a safe and secure physical environment for people, information and assets.
311. The PSPF is supported by other government initiatives that are designed to maintain information security standards, including:
• the Information Security Registered Assessors Program (IRAP), an Australian Signals Directorate initiative that provides high-quality information and communications technology security assessment services to government
• the Australasian Information Security Evaluation Program (AISEP), which evaluates and certifies products to provide a level of assurance in their security functionality in order to protect systems and information against cyber threats; these evaluation activities are certified by the Australasian Certification Authority (ACA)
• the Australian Government Information Security Manual, which outlines a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and information from cyber threats
• the Strategies to Mitigate Cyber Security Incidents, a prioritised list of mitigation strategies to assist organisations in protecting their systems against a range of adversaries.
312. Furthermore, the Government has announced a package of work to strengthen the defences of Commonwealth public sector networks as part of Australia's Cyber Security Strategy 2020. The first priority of this work is to centralise the management and operation of the large number of networks run by Australian Government agencies, including considering secure hubs.
Centralisation reduces the number of targets available to hostile actors such as nation states or state-sponsored adversaries, allowing the Australian Government to focus its cyber security investment on a smaller number of more secure networks. A centralised model will be designed to promote innovation and agility while still achieving economies of scale.
313. The centralisation of cyber security systems across government will be complemented by the work of government agencies to strengthen cyber security and implement the ACSC's Essential Eight strategies to mitigate cyber security incidents. This work will be informed and supported by the ACSC's ongoing cyber security advice and assistance. This approach to the uplift of government systems will be designed to reduce the risk of compromise, and to prevent the common techniques used by malicious cyber actors to compromise systems. Australian Government agencies will also put a renewed focus on policies and procedures to manage cyber security risks. Standard cyber security clauses will be included in Australian Government IT contracts.
314. However, as provided by new paragraph 9(2A)(b), this exemption for Commonwealth assets does not extend to assets owned by a Commonwealth body corporate that is a government business enterprise. This is because government business enterprises are in essence commercial entities. Accordingly, and generally speaking, the Government has limited control over the daily operations of these entities, and the manner in which they provide services may be regarded as more closely resembling that of private sector entities. NBN Co Limited and the Australian Postal Corporation are examples of government business enterprises.
315. However, new paragraphs 9(2A)(c)-(d) provide a mechanism by which Commonwealth assets may be prescribed or declared to be critical infrastructure assets in the future should there be a change in circumstances and the existing security treatments no longer be regarded as appropriate.
316. New subsection (2B) provides that an asset is not a critical infrastructure asset if, or to the extent to which, that asset is located outside Australia. In effect, the various definitions of critical infrastructure assets will be limited to the aspects of the assets that are located in Australia permanently or from time to time (for example, in the case of an aircraft). It is notable that 'Australia', as defined under section 5 of this Act, includes the external territories.
Item 27 Paragraph 9(3)(b)
317. Under paragraph 9(1)(f) of the SOCI Act, an asset prescribed in the rules for the purposes of that paragraph will be a critical infrastructure asset.
Paragraph 9(3)(b) currently provides that the Minister, amongst other things, must not prescribe an asset for the purposes of paragraph 9(1)(f) unless the Minister is satisfied that there is a risk, in relation to the asset, that may be prejudicial to security.
318. Item 27 of Schedule 1 to the Bill repeals and replaces paragraph 9(3)(b) of the SOCI Act to provide that the Minister must be satisfied that the asset relates to a critical infrastructure sector before prescribing the asset as a critical infrastructure asset under paragraph 9(1)(f).
319. The repealed provision is no longer appropriate in light of the new obligations introduced by the Bill, which focus on identifying critical infrastructure assets and ensuring they are resilient. The criticality of the assets, and the essential role they play in Australia, must be the exclusive focus when identifying the assets to which the SOCI Act applies. Further, the amendment reflects the reality that there is some security risk associated with all critical infrastructure assets, limiting the utility of this criterion.


320. In its place, new paragraph 9(3)(b) limits the scope of assets that the Minister may prescribe as critical to those that relate to a critical infrastructure sector. This will ensure that assets cannot be prescribed economy-wide, but rather must be from a sector of the economy that is regarded as critical.
Item 28 Subparagraph 9(4)(a)(i)
321. Subparagraph 9(4)(a)(i) of the SOCI Act provides that the Minister must not prescribe an asset under paragraph 9(1)(f) unless the Minister has first consulted the First Minister of the State or Territory in which the asset is located. Item 28 of Schedule 1 to the Bill amends the subparagraph to refer to the State or Territory in which the asset is wholly or partly located. This is intended to reflect the national, or cross-jurisdictional, footprint of some critical infrastructure assets.
Item 29 Subparagraph 9(4)(a)(ii)
322. Item 29 of Schedule 1 to the Bill omits the words 'industry for the asset' and substitutes the words 'critical infrastructure sector' in subparagraph 9(4)(a)(ii) of the SOCI Act. This reflects the introduction of the concept of a 'critical infrastructure sector' in new section 8D, as outlined above.
Item 30 Paragraph 10(1)(a)
323. Section 10 of the SOCI Act defines the term 'critical electricity asset'. One of the current criteria for being a 'critical electricity asset' is that the asset is a network, system or interconnector for the transmission or distribution of electricity to ultimately service at least 100,000 customers.
324. Item 30 of Schedule 1 to the Bill inserts the words 'or any other number of customers prescribed by the rules' at the end of paragraph 10(1)(a), which will allow the Minister, through rules made under section 61 of the SOCI Act, to change the number of customers that qualifies an asset as a 'critical electricity asset'.
325. Electricity is fundamental to every facet of Australian society, underpinning just about everything in the digital age.
The Bill draws on the existing definition in the SOCI Act and provides for the option to extend its application to a broader set of assets, in recognition that a prolonged disruption to Australia's electricity networks would have a significant impact on communities, businesses and national security capabilities. This change is intended to future-proof the framework.
Item 31 Paragraph 12(1)(b)
326. Section 12 of the SOCI Act defines the term 'critical gas asset'. Paragraph 12(1)(b) currently provides that a 'critical gas asset' includes a gas storage facility that has a maximum daily quantity of at least 75 terajoules per day, or any other quantity prescribed by the rules.


327. Item 31 of Schedule 1 to the Bill repeals paragraph 12(1)(b) of the SOCI Act and substitutes a provision that a 'critical gas asset' includes a gas storage facility that has a maximum daily withdrawal capacity of at least 75 terajoules per day, or any other maximum daily withdrawal capacity prescribed by the rules.
328. This is not intended to be a change in policy, but rather to clarify the application of the paragraph so that it more accurately reflects the terminology used in the sector.
Item 32 After section 12
329. This item inserts new sections 12A, 12B, 12C, 12D, 12E, 12F, 12G, 12H, 12J, 12K, 12L, 12M, 12N and 12P into the SOCI Act, which outline further definitions required in relation to the amendments being made by the Bill.
Section 12A Meaning of critical liquid fuel asset
330. New section 12A of the SOCI Act outlines a definition of 'critical liquid fuel asset'. Subsection (1) provides that a critical liquid fuel asset is any of the following:
• a liquid fuel refinery that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (2) (paragraph (a))
• a liquid fuel pipeline that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (3) (paragraph (b)), or
• a liquid fuel storage facility that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (4) (paragraph (c)).
331. The definition recognises the role that these assets play in delivering critical services that are essential to energy security and relied on to support the economy. A prolonged disruption to Australia's liquid fuel supply would have a significant impact on communities, businesses and national security capabilities. Liquid fuel underpins every aspect of our daily life, from our groceries to our commute to work and our emergency services.
The then Commonwealth Department of the Environment and Energy, in an interim report released in April 2019, reported that on average each Australian uses nearly three times more energy from liquid fuel than from electricity. The liquid fuel market also powers machinery on which other sectors rely, such as transport or space technology. This definition captures the assets needed to refine liquid fuel so that it is suitable for consumption, the pipelines required to distribute the fuel, and the facilities used to store it so that it is accessible at key locations.
332. A note to subsection (1) reminds the reader that under section 9 the rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset.


333. Subsection (2) provides that rules made under paragraph (1)(a) may prescribe specified liquid fuel refineries that are critical to ensuring the security and reliability of a liquid fuel market (paragraph (a)), or requirements for a liquid fuel refinery to be critical to ensuring the security and reliability of a liquid fuel market (paragraph (b)). The rules are expected to prescribe, initially, the three major Australian crude oil refineries (Geelong, Altona and Lytton). These refineries play a major part in Australia's fuel supply chain, with Australian refineries providing approximately 50 per cent of Australia's transport fuel needs.
334. Subsection (3) provides that rules made under paragraph (1)(b) may prescribe specified liquid fuel pipelines that are critical to ensuring the security and reliability of a liquid fuel market (paragraph (a)), or requirements for a liquid fuel pipeline to be critical to ensuring the security and reliability of a liquid fuel market (paragraph (b)). The rules are expected initially to prescribe the distribution pipelines that are critical for inter-city distribution and for movement from refineries and ports to terminals.
335. Subsection (4) provides that rules made under paragraph (1)(c) may prescribe specified liquid fuel storage facilities that are critical to ensuring the security and reliability of a liquid fuel market (paragraph (a)), or requirements for a liquid fuel storage facility to be critical to ensuring the security and reliability of a liquid fuel market (paragraph (b)). The rules are expected initially to prescribe a 100 megalitre storage threshold, capturing approximately 14 assets owned by seven organisations across all States and Territories except Tasmania and the Australian Capital Territory. These storage facilities are critical to building resilience to supply disruptions, thereby protecting consumers and the economy from fuel shortages.
336.
Rules made under these subsections will ensure that only those liquid fuel assets that are critical to Australia at any point in time fall within the definition of critical liquid fuel asset. This flexibility is necessary to ensure the definition can be reasonably adapted to changes in the liquid fuel market and interdependencies with that market.
Section 12B Meaning of critical freight infrastructure asset
337. New section 12B of the SOCI Act provides the definition of 'critical freight infrastructure asset'. Subsection (1) provides that an asset is a critical freight infrastructure asset if it is any of the following:
• a road network that, in accordance with subsection (2), functions as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a))
• a rail network that, in accordance with subsection (3), functions as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)), or
• an intermodal transfer facility that, in accordance with subsection (4), is critical to the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (c)).
338. The freight industry is an essential component of the national economy. These assets play an important role in ensuring capital cities and population centres can access critical products (such as medical supplies, food and groceries), as well as supporting businesses that rely on land-based supply chains. An efficient intermodal facility is an important component of the overall effectiveness of regional transport services and plays a crucial role in road-to-road and road-to-rail interchange activities. Facilities improve the predictability of pick-up and delivery times and address congestion on city roads. For example, large vehicles will service manufacturing through to distribution between urban centres, whilst smaller distribution trucks will operate in and out of the cities. The criticality of these networks and facilities became all the more apparent during the COVID-19 outbreaks, when demand increased for critical supplies across States, Territories and regional centres.
339. A note to subsection (1) reminds the reader that under section 9 the rules may prescribe that a specified critical freight infrastructure asset is not a critical infrastructure asset.
340. Subsection (2) provides that the rules may prescribe, for the purpose of paragraph (1)(a), specified road networks that function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a)), or requirements for a road network to function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)).
341.
Subsection (3) provides that the rules may prescribe, for the purpose of paragraph (1)(b), specified rail networks that function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a)), or requirements for a rail network to function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)).
342. Subsection (4) provides that the rules may prescribe, for the purpose of paragraph (1)(c), specified intermodal transfer facilities that are critical to the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a)), or requirements for an intermodal transfer facility to be critical to the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)).
343. Considerations when determining criticality under subsections 12B(2), (3) and (4) may include:
• the volume of freight the network or facility enables to be transported;
• the value of the commodities the network or facility enables to be transported;
• the frequency of heavy vehicles utilising the network or facility;
• whether the network or facility enables the transport of specific commodities of high economic significance for the region; or
• whether any alternative transport routes are available should the network or facility become unavailable.
344. Major road and rail assets are vital in responding to and mitigating the impacts of natural disasters. The criticality of these assets is amplified if there is a lack of redundancy, as inconvenience gives way to a threat to national interests. For example, the 2009 floods in Queensland's north and north-west temporarily closed the Bruce Highway and limited the availability of food and supplies to the region.
345. Similarly, intermodal terminals play a significant role in facilitating the consolidation, storage and transfer of freight between rail and road at the beginning and end of each rail journey. Intermodal terminals provide connectivity to ports, regional networks and other capital cities and regional centres, and are central to the stability and security of road and rail infrastructure. These facilities are also useful in enabling redundancy by allowing goods to be transferred between modes of transport should one be compromised.
346. The Department will work closely with the freight industry and State and Territory Governments to identify which road networks, rail networks or intermodal transfer facilities function as critical corridors.
Section 12C Meaning of critical freight services asset
347. New section 12C of the SOCI Act provides the definition of 'critical freight services asset'. Subsection (1) provides that an asset is a critical freight services asset if it is a network that is used by an entity carrying on a business that, in accordance with subsection (2), is critical to the transportation of goods by road, rail, inland waters or sea.
348.
The note to subsection (1) reminds the reader that under section 9 the rules may prescribe that a specified critical freight services asset is not a critical infrastructure asset.
349. Subsection (2) provides that the rules may prescribe, for the purpose of subsection (1), specified businesses that are critical to the transportation of goods by road, rail, inland waters or sea (paragraph (a)), or requirements for a business to be critical to the transportation of goods by road, rail, inland waters or sea (paragraph (b)).
350. Critical freight services assets are critical to Australia's trade and commerce, and to social stability, as they are responsible for the logistics and movement of valuable goods and products across the country. These assets assist businesses to transport products to consumers, and ensure communities can access critical supplies, including food and groceries. The COVID-19 pandemic and recent natural disasters have highlighted the importance of freight services, and the assets they rely on, in transporting personal protective equipment, medical supplies, food and groceries, and other critical supplies across Australia.
351. The Department will work closely with the freight industry and State and Territory Governments to identify critical freight services. The factors the Minister may consider when making rules may include:
• the relevant business' market share;
• the volume, value and criticality of goods transported (for example, whether the business is responsible for the transport of niche goods that enable the delivery of critical services, such as medical supplies that enable intensive care units to remain operational, or vaccines); and
• whether any redundancies exist if that freight service is rendered unavailable.
Section 12D Meaning of critical financial market infrastructure asset
352. New section 12D of the SOCI Act provides the definition of 'critical financial market infrastructure asset'. These assets are critical to the functioning, security and stability of financial services and markets.
353. A significant disruption to financial market infrastructure assets would have a detrimental impact on public trust, financial stability, and market integrity and efficiency. The reasons for this include their central and enabling position within the financial system, and the inability of participating financial institutions and, in most cases, ultimately also consumers and businesses, to leverage substitute services.
354. Financial market infrastructures licensed in Australia support transactions in securities with a total annual value of $16 trillion and derivatives with a total annual value of $150 trillion. These markets turn over value equivalent to Australia's annual GDP every three business days.4
355.
Subsection (1) provides that a critical financial market infrastructure asset is any of the following assets:
• an asset that is owned or operated by an Australian body corporate that holds an Australian market licence and is used in connection with the operation of a financial market that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (2) (paragraph (a))
• an asset that is owned or operated by an associated entity of an Australian body corporate that holds an Australian market licence and is used in connection with the operation of a financial market that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (2) (paragraph (b))
• an asset that is owned or operated by an Australian body corporate that holds an Australian CS facility licence and is used in connection with the operation of a clearing and settlement facility that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (3) (paragraph (c))
• an asset that is owned or operated by an associated entity of an Australian body corporate that holds an Australian CS facility licence and is used in connection with the operation of a clearing and settlement facility that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (3) (paragraph (d))
• an asset that is owned or operated by an Australian body corporate that holds a benchmark administrator licence and is used in connection with the administration of a significant financial benchmark that is critical to the security and reliability of the financial services and markets sector, in accordance with subsection (4) (paragraph (e))
• an asset that is owned or operated by an associated entity of an Australian body corporate that holds a benchmark administrator licence and is used in connection with the administration of a significant financial benchmark that is critical to the security and reliability of the financial services and markets sector, in accordance with subsection (4) (paragraph (f))
• an asset that is owned or operated by an Australian body corporate that holds an Australian derivative trade repository licence and is used in connection with the operation of a derivative trade repository that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector (paragraph (g))
• an asset that is owned or operated by an associated entity of an Australian body corporate that holds an Australian derivative trade repository licence and is critical to the operation of a derivative trade repository in accordance with subsection (5) (paragraph (h)), or
• an asset that is used in connection with the operation of a payment system that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector (paragraph (i)).
4 Council of Financial Regulators, 'Financial Market Infrastructure Regulatory Reforms', November 2019, accessed on 2 December 2020 at <https://www.cfr.gov.au/publications/consultations/2019/consultation-on-financial-market-infrastructure-regulatory-reforms/pdf/fmi-consultation-nov-2019.pdf>
356. Subsection (2) provides that for the purpose of paragraphs (1)(a) and (1)(b) the rules may prescribe specified financial markets that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a financial


market to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).
357. Consistent with advice from existing financial regulators, the rules may prescribe, for example, a threshold that captures a narrower cohort of the Domestic (s795B(1)) Tier 1 market licensees, and may be determined by a turnover metric.
358. Financial markets are used by participants either to raise funds (for example, by issuing securities) or to invest savings (by buying securities and other financial assets). The stability and operational efficiency of Australia's financial markets is of critical importance to business confidence and the Australian economy. The importance of financial markets is evident from the value of financial transactions. For example, the Australian equity market daily average turnover for the June 2020 quarter was $9 billion, up from a daily average of $6.82 billion in the June 2019 quarter.5
359. Subsection (3) provides that for the purpose of paragraphs (1)(c) and (1)(d) the rules may prescribe specified clearing and settlement facilities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a clearing and settlement facility to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).
360. Requirements for a clearing and settlement facility to be critical to the security and reliability of the financial services and markets sector may include, but are not limited to, the following criteria:
• the size of the facility in Australia;
• the availability of substitutes for the facility's services in Australia;
• the nature and complexity of the products cleared or settled by the facility; or
• the degree of interconnectedness with other parts of the Australian financial system.
361. Reliable and timely clearing, transfer of ownership and settlement arrangements are essential to the efficient and effective operation of financial markets. A rigorous and reliable clearing and settlement infrastructure allows market participants to undertake bond market transactions without undue exposure to default, market, systemic or other broader risks. Accordingly, the effectiveness of such systems significantly affects the development of secondary market activity.
362. Subsection (4) provides that for the purpose of paragraphs (1)(e) and (1)(f) the rules may prescribe specified significant financial benchmarks that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a significant financial benchmark to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).
5 Australian Securities & Investments Commission, Equity market data for quarter ending June 2020, accessed on 1 December 2020 at: https://www.rba.gov.au/payments-and-infrastructure/payments-system.html


363. Significant financial benchmarks are of critical importance to a wide range of users in financial markets and throughout the broader economy. Benchmarks affect the pricing of key financial products such as credit facilities offered by financial institutions, corporate debt securities, exchange-traded funds, foreign exchange and interest rate derivatives, commodity derivatives, equity and bond index futures and other investments and risk management products. They also drive or influence asset allocation decisions within investment portfolios.

364. If the availability or integrity of a significant financial benchmark is disrupted, this could lead to financial contagion or systemic instability, and impact on both retail and wholesale investors.

365. Subsection (5) provides that for the purpose of paragraphs (1)(g) and (1)(h) the rules may prescribe specified derivative trade repositories that are critical to the security or reliability of the financial services and markets sector (paragraph (a)), or requirements for a derivative trade repository to be critical to the operation of the financial services and markets sector (paragraph (b)).

366. A derivative trade repository is a facility to which information about derivative transactions, or about positions relating to derivative transactions, can be reported. They act as a centralised registry that maintains an electronic database of records of transactions. Derivative trade repositories are a core component of the infrastructure supporting derivatives markets. A derivative trade repository may be part of a network linking various entities (e.g. clearing and settlement facilities, dealers or financial custodians) and therefore a disruption in a derivative trade repository could risk spreading to linked entities and having cascading impacts across the economy.

367. Derivative trade repositories have emerged as a relatively new type of financial market infrastructure and have recently grown in importance, particularly in light of the Group of Twenty commitments reached at the summit in Pittsburgh in 2009 in relation to the necessity of substantial reforms to practices in over-the-counter derivatives markets.

368. Whilst there is currently no domestically incorporated derivative trade repository that is licensed in Australia, the intention of including derivative trade repositories is to future-proof the regime should a domestic derivative trade repository emerge, noting that it would potentially play a critical role in the financial system.

369. Subsection (6) provides that for the purpose of paragraph (1)(i) the rules may prescribe specified payment systems that are critical to the operation of the financial services and markets sector (paragraph (a)), or requirements for a payment system to be critical to the operation of the financial services and markets sector (paragraph (b)).

370. Requirements which, if present in a payment system, mean that such a payment system is critical to ensuring the security and reliability of the financial services and markets sector may include, but are not limited to:


• a minimum aggregate value and/or volume of Australian dollar payments processed through the system over a specified period;
• the time-criticality of the payments processed;
• a minimum average value of the payments processed through the system over a specified period;
• the provision of important payment services for which there are few or no close substitutes;
• the system being used to settle payments that effect settlement in one or more financial market infrastructures; or
• other factors indicating that the system has the potential to trigger or transmit systemic disruption, or, if unavailable, result in significant disruption to economic activity.

371. Payment systems refer to arrangements which allow consumers, businesses and other organisations to transfer funds usually held in an account at a financial institution to one another. Australian payment systems contribute to the smooth functioning of the economy. Financial transactions are now more than ever before facilitated by the internet and mobile-based technologies. Non-cash payments account for most of the value of payments in the Australian economy. On average, in 2019 non-cash payments worth around $255 billion were made each business day, equivalent to around 13 per cent of annual GDP.6

372. Consumers and businesses are heavily dependent on the continued functioning and security of the infrastructure and assets that are used to operate these payment systems.

373. The development of any rules under this section will involve close consultation with industry and existing Commonwealth financial regulators.

374. Subsection (7) provides that, for the purposes of section 12D, 'Australian body corporate' means a body corporate that is incorporated in Australia.

Section 12E Meaning of critical broadcasting asset

375. New section 12E of the SOCI Act provides the definition of 'critical broadcasting asset'. Subsection (1) provides that one or more broadcasting transmission assets are a 'critical broadcasting asset' if:
• the broadcasting transmission assets are owned or operated by the same entity and located on a site that, in accordance with subsection (2), is a critical transmission site (paragraph (a)), or
• the broadcasting transmission assets are owned or operated by the same entity, located on at least 50 different sites and are not broadcasting re-transmission assets (paragraph (b)), or
• the broadcasting transmission assets are owned or operated by an entity that, in accordance with subsection (3), is critical to the transmission of a broadcasting service (paragraph (c)).

6 Reserve Bank of Australia, Payments System, accessed on 1 December at https://www.rba.gov.au/payments-and-infrastructure/payments-system.html

376. Broadcast media play an important role in emergencies, both in disseminating and collecting information about an incident. While there is no legislative requirement for broadcasters to undertake the role of disseminating emergency warnings to communities, the Commonwealth, States and Territories have established working relationships with broadcasters to ensure emergency information is disseminated effectively in a crisis. However, the ability of national and commercial broadcasters to deliver emergency messages is dependent on the resilience and security of transmission and distribution infrastructure.

377. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical broadcasting asset is not a critical infrastructure asset.

378. Subsection (2) provides that, for the purposes of paragraph (1)(a), the rules may prescribe specified sites as being critical transmission sites (paragraph (a)), or requirements for sites to be critical transmission sites (paragraph (b)). For example, the rules may prescribe a particular transmission site that services a key population centre with no alternative sites, meaning that any disruption to that site could cause significant difficulties in an emergency.

379. The Department will work closely with industry and State and Territory Governments to determine whether rules will need to be made to capture particular critical transmission sites that do not meet the 50-site threshold.

380. Paragraph (1)(b) provides that a network of broadcasting transmission assets across 50 different sites is critical, as this represents an extensive network of transmission infrastructure that is relied upon by key broadcasters to service significant population areas in Australia. The services that are provided by networks captured by this limb of the definition are crucial to ensuring key broadcasters are able to service the community during emergency circumstances.

381. However, assets that are used exclusively for retransmission purposes are not within the scope of the test at paragraph (1)(b). Re-transmission sites include broadcasting transmission assets that are used in connection with the re-transmission of a service to which, as a result of section 212 of the Broadcasting Services Act, the regulatory regime under that Act does not apply.


382. This reflects that retransmission sites do not themselves form a critical network for the transmission of radio and television. Instead, re-transmission sites play a support role and are designed to address gaps in a transmission network. As a result, only certain re-transmission sites are critical to facilitating the services offered by broadcasters.

383. That is why paragraph (2)(a) provides scope for the Minister to prescribe broadcasting transmission assets (including re-transmission sites) located on a critical transmission site to be critical broadcasting assets. In determining whether a certain transmission site is a critical broadcasting asset, the Minister will consider factors such as its geographic location, redundancies in relation to alternative transmission sites, and the size of the population serviced by the asset.

384. Paragraph (c) provides that a critical broadcasting asset may also be one or more broadcasting transmission assets if those assets are owned or operated by an entity that, in accordance with subsection (3), is critical to the transmission of a broadcasting service. For the purposes of this paragraph, the rules may prescribe specified entities that are critical to the transmission of a broadcasting service, or requirements for an entity to be critical to the transmission of a broadcasting service.

Section 12F Meaning of critical data storage or processing asset

385. New section 12F of the SOCI Act provides the definition of 'critical data storage or processing asset'. Demand for data and cloud services has significantly increased as more business is conducted online. This means that data and cloud services have become an important component of day-to-day business operations.

386. The definition encompasses those assets that are critical to maintaining the commercial supply and availability of data and cloud services located in Australia. The definition is intended to capture the physical infrastructure or computing platforms used primarily to provide data storage or processing services on a commercial basis. This includes enterprise data centres, managed services data centres, colocation data centres and cloud data centres. The definition is aimed at data storage companies or cloud computing companies that provide data storage or processing as their primary business offering to the critical infrastructure asset, whether that be through infrastructure as a service (IaaS) or platform as a service (PaaS). Software as a service (SaaS) providers may also be captured by the critical data storage or processing asset definition, where the software is relied on to store or process a Government agency's data or a critical infrastructure asset's business critical data as the primary function of the service.

387. The definition does not cover instances where data storage or processing is secondary to, an enabler for, or simply a by-product of, the primary service being offered - for example, accounting services. In a scenario where a business has shared business critical data with a SaaS provider, but only for the purposes of the SaaS provider providing its primary service (such as running the business' payroll), the SaaS provider is not to be considered a critical infrastructure asset.


388. Subsection (1) provides that an asset is a critical data storage or processing asset if all of the following apply:
• the asset is owned or operated by an entity that is a data storage or processing provider (paragraph (a))
• the asset is used wholly or primarily to provide a data storage or processing service that is provided by the entity on a commercial basis to one of the government bodies listed in subparagraphs (i)-(vi) (paragraph (b)), and
• the entity knows that the asset is used as described in paragraph (b).

389. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset.

390. Data centres and cloud providers that are custodians of Government data are critical due to the sensitive nature of the Government information that they store or process. Under the Protective Security Policy Framework, the Australian Government is required to safeguard official information and mitigate the risks of cyber attacks. This is because it is likely that a compromise of Government data may lead to the disclosure of highly sensitive information relevant to the operation of the nation, risk foreign relations with key international partners and undermine economic prosperity and social stability. State and Territory Governments also hold sensitive data that is critical to the operation of services and other aspects in their jurisdiction.

391. Subsection (2) also provides that an asset is a critical data storage or processing asset if all of the following apply:
• the asset is owned or operated by an entity that is a data storage or processing provider (paragraph (a))
• the asset is used wholly or primarily to provide a data storage or processing service that is provided by the entity on a commercial basis to another critical infrastructure asset and relates to business critical data (paragraph (b)), and
• the entity knows that the asset is used as described in paragraph (b) (paragraph (c)).

392. A note to subsection (2) reminds the reader that the rules, made under section 9, may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset.

393. Data centres and cloud providers captured by this limb of the definition are critical by virtue of the fact that they handle business critical data for other critical infrastructure assets. Business critical data includes bulk holdings of personal information, and information that is crucial to the continued operation and functioning of assets that directly contribute to maintaining Australia's economic and social stability. Should this data, or the provision of services in relation to it, be impacted, the confidentiality and reliability of the critical infrastructure asset is likely to be affected, including, potentially, the provision of essential services.

394. A data storage or processing provider may not always know if they are providing services relating to the business critical data of a critical infrastructure asset. For example, data privacy practices typically mean that third party providers do not have visibility over what type of data is being stored or processed through their facilities. In response to these circumstances, the asset will only become a critical data storage or processing asset where the responsible entity knows that it is storing or processing business critical data of a critical infrastructure asset.

395. In support of this requirement, subsection (3) applies if an entity (the first entity) is the responsible entity for a critical infrastructure asset (paragraph (a)), and the first entity becomes aware that a data storage or processing service is provided by another entity on a commercial basis to the first entity and relates to business critical data (paragraph (b)).

396. For example, this obligation applies when the responsible entity of a critical banking asset becomes aware that a data storage or processing service is managing its business critical data on a commercial basis. This is likely to be at the point of services commencing following the entering of a contractual arrangement. The responsible entity must then take all reasonable steps to inform the relevant data storage or processing service of these circumstances as soon as practicable after becoming so aware.

397. If subsection (3) applies, the first entity must:
• take reasonable steps to inform the other entity that the first entity has become aware that the data storage or processing service is provided by the other entity on a commercial basis, and relates to business critical data (paragraph (c)), and
• do so as soon as practicable after becoming aware (paragraph (d)).

398. Commonwealth, State and Territory Governments will not be required to notify data and cloud service providers that they are critical data storage and processing assets. In these circumstances, it is expected that the relevant data or cloud service provider will be aware that they provide services to a Government client.

399. Breach of subsection (3) is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure that owners or operators of data storage or processing providers can be notified as soon as practicable that their asset is a critical data storage or processing asset, noting the importance of the service they are providing. The penalty for this notification requirement is commensurate with the penalty for failing to notify of events in relation to the Register of Critical Infrastructure Assets.

Section 12G Meaning of critical banking asset

400. New section 12G of the SOCI Act provides the definition of 'critical banking asset'. This definition recognises the role banking businesses play in the financial system, holding the majority of financial system assets. In addition to retail deposit-taking and lending activities, banks are involved in financial intermediation, including business banking, trading in financial markets, stockbroking and insurance and funds management. A severe compromise of any of Australia's major banks has the potential for significant and lasting economic and security impacts given their high volume of retail customers as well as important government and business customers.

401. Subsection (1) provides that an asset is a critical banking asset if it is any of the assets described in paragraphs (a) or (b). Paragraph (a) describes an asset where the following conditions are satisfied:
• the asset is owned or operated by an authorised deposit-taking institution (subparagraph (i))
• the authorised deposit-taking institution is an authorised deposit-taking institution that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector (subparagraph (ii)), and
• the asset is used in connection with the carrying on of banking business (subparagraph (iii)).

402. Paragraph (b) describes an asset that meets the following conditions:
• the asset is owned or operated by a body corporate that is a related body corporate of an authorised deposit-taking institution (subparagraph (i))
• the body corporate is a body corporate that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector (subparagraph (ii)), and
• the asset is used in connection with the carrying on of banking business (subparagraph (iii)).

403. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical banking asset is not a critical infrastructure asset.

404. Subsection (2) provides that for the purposes of subparagraph (1)(a)(ii), the rules may prescribe specified authorised deposit-taking institutions that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an authorised deposit-taking institution to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

405. For example, following consultation with industry, the Minister may make rules prescribing particular banks as critical to the financial services and markets sector, or establish threshold attributes in the rules for determining criticality, such as a minimum quantity of assets held for the bank to be regarded as a critical banking asset.

406. Subsection (3) provides that, for the purposes of subparagraph (1)(b)(ii), the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).


Section 12H Meaning of critical insurance asset

407. New section 12H of the SOCI Act provides the definition of 'critical insurance asset'. Insurers play a critical role in the financial system and can act as an important buffer in the Australian economy by softening the potential financial impacts to businesses and individuals as a result of sudden and often uncontrollable shocks. Insurers also play a significant role in assisting communities, industry and the Australian economy to recover from natural disasters and other hazards.

408. Life insurance plays a vital role in Australia's social construct, and will continue to provide necessary financial protection noting Australia's aging population. Life insurers are also significant contributors to Australia's wealth and prosperity. Life insurance acts as a saving mechanism for Australians and allows for significant volumes of long-term funding for financial markets and other sectors in need of investment, contributing to Australia's overall economic growth and stability.

409. Health insurers are not only critical to ensuring Australians can access health services, but they also are important contributors to the country's wealth and prosperity. Private health insurance provides cover for private hospital services and many out-of-hospital health services not covered by Medicare, such as dentistry. According to the Australian Prudential Regulation Authority (APRA), 43.8 per cent of the Australian population had private hospital cover at 30 September 2020, and 53.2 per cent had cover for ancillary services ('extras'), such as dentistry and optometry, as at 30 September 2020.7

7 APRA, Quarterly private health insurance statistics, September 2020. Accessed on 1 December 2020 at https://www.apra.gov.au/sites/default/files/2020-11/Quarterly%20private%20health%20insurance%20statistics%20highlights%20September%202020_0.pdf

410. The critical insurance asset definition recognises the key role that insurers play in the financial system. They act as an important buffer for the Australian economy, softening the financial impact of events on public funds by drawing on private sector funding. For example, failure in a reinsurer could affect operations across a significant number of Australian insurers.

411. Subsection (1) provides that an asset that meets the criteria outlined in paragraphs (a) to (f) is a 'critical insurance asset'. Paragraph (a) outlines the following criteria:
• the asset is owned or operated by an entity that carries on insurance business
• the entity is an entity that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

412. Paragraph (b) outlines the following criteria:
• the asset is owned or operated by a body corporate that is a related body corporate of an entity that is carrying on insurance business
• the body corporate is a body corporate that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

413. Paragraph (c) outlines the following criteria:
• the asset is owned or operated by an entity that carries on life insurance business
• the entity is an entity that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

414. Paragraph (d) outlines the following criteria:
• the asset is owned or operated by a body corporate that is a related body corporate of an entity that is carrying on life insurance business, and is critical to the carrying on of life insurance business
• the body corporate is a body corporate that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

415. Paragraph (e) outlines the following criteria:
• the asset is owned or operated by an entity that carries on health insurance business
• the entity is an entity that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

416. Paragraph (f) outlines the following criteria:
• the asset is owned or operated by a body corporate that is a related body corporate of an entity that is carrying on health insurance business
• the entity is an entity that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

417. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical insurance asset is not a critical infrastructure asset.

418. Subsection (2) provides that for the purposes of subparagraph (1)(a)(i) the rules may prescribe specified entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

419. Subsection (3) provides that for the purposes of subparagraph (1)(b)(ii) the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

420. Subsection (4) provides that for the purposes of subparagraph (1)(c)(ii) the rules may prescribe specified entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

421. Subsection (5) provides that for the purposes of subparagraph (1)(d)(ii) the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

422. Subsection (6) provides that for the purposes of subparagraph (1)(e)(ii) the rules may prescribe specified entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

423. Subsection (7) provides that for the purposes of subparagraph (1)(f)(ii) the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).


424. The rules will be used to identify those insurance assets that are critical. This may include prescribing that an insurer with assets over a certain monetary threshold would be regarded as critical, as its market share would mean that events impacting the assets would have cascading effects across the economy.

Section 12J Meaning of critical superannuation asset

425. New section 12J of the SOCI Act provides the definition of 'critical superannuation asset'. Superannuation represents the largest financial asset for the majority of Australian households. Superannuation savings are the basis for the retirement incomes of millions of Australians. More than 60 per cent of Australians directly contribute to superannuation, with a substantial proportion of that investment used to finance the development of Australian industry.8 The long-term financial prosperity of Australian retirees is intricately linked to the financial health of the Australian economy.

426. Subsection (1) provides that an asset is a 'critical superannuation asset' if it is owned or operated by a registrable superannuation entity that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector (paragraph (a)) and is used in connection with the operation of a superannuation fund (paragraph (b)). This is not intended to cover self-managed superannuation funds.

427. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical superannuation asset is not a critical infrastructure asset.

428. Subsection (2) provides that for the purpose of paragraph (1)(a) the rules may prescribe registrable superannuation entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a registrable superannuation entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

429. The rules will be used to identify those superannuation assets that are critical. This may include prescribing as critical those registrable superannuation entities with assets over a certain monetary threshold, as their market share would mean that events impacting the assets would have cascading effects across the population and economy.

Section 12K Meaning of critical food and grocery asset

430. New section 12K of the SOCI Act provides the definition of 'critical food and grocery asset'. The COVID-19 pandemic has placed food and grocery distribution and supply under significant pressure, revealing both the criticality and vulnerability of these networks. The last six months in particular have highlighted how disruptions to distribution networks and other key operations of Australia's major supermarkets can seriously impact the availability of food and groceries to the community.

8 Infrastructure Partnerships Australia, 'The Role of Superannuation in Building Australia's Future' (2017).


431. Other parts of the sector (for example food manufacturing or packaging) are not considered critical food and grocery assets as they are often disaggregated and, if disrupted, are less likely to have a severe and widespread impact on the availability of food and groceries.

432. Subsection (1) provides that an asset is a critical food and grocery asset if it is a network that is used for the distribution or supply of food or groceries (paragraph (a)), and is owned or operated by an entity that is declared by the rules to be a critical supermarket retailer, critical food wholesaler or critical grocery wholesaler (paragraph (b)).

433. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset.

434. Subsections (2)-(4) provide that the rules may prescribe specified entities that are critical supermarket retailers, critical food wholesalers, or critical grocery wholesalers, or alternatively requirements for an entity to be a critical supermarket retailer, critical food wholesaler, or critical grocery wholesaler.

435. Following further consultation with industry, the Minister may declare a supermarket retailer, food wholesaler or grocery wholesaler to be critical in the rules through prescribing a specific entity or identifying a qualitative or quantitative threshold for criticality. This is likely to cover the existing significant supermarket retailers.

Section 12KA Meaning of critical domain name system

436. New section 12KA of the SOCI Act will provide the definition of 'critical domain name system'. The domain name system underpins the operation of the internet. The domain name system is the global database that translates website names into computer-readable internet protocol (IP) addresses. For example, '.au' is Australia's country code domain. The .au namespace plays an important role in supporting the digital economy with over 3.2 million domain names registered as at August 2020. With the online environment becoming increasingly enmeshed with everyday life, a disruption to a critical domain name system could have significant cascading implications for Australian businesses, government and the community. Malicious or criminal exploitation of the domain name system can compromise users' ability to conduct business, navigate the internet or their data.

437. This term means a system that is managed by an entity that, in accordance with subsection (2), is critical to the administration of an Australian domain name system and is used in connection with the administration of an Australian domain name system. An 'Australian domain name system' means a country code Top Level Domain or a generic Top Level Domain where the administrator of that domain name system is resident in Australia.


438. The note below subsection (1) explains that under section 9 of this Act the rules may prescribe that a specified 'critical domain name system' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

439. Subsection (2) provides that the rules may prescribe, for the purposes of subsection (1), specified entities that are critical to the administration of an Australian domain name system, or requirements for an entity to be critical to the administration of an Australian domain name system.

Section 12KA Meaning of critical domain name system

440. New section 12KA of the SOCI Act will provide the definition of 'critical domain name system'. The domain name system underpins the operation of the internet. It is the global database that translates website names into computer-readable internet protocol (IP) addresses. For example, '.au' is Australia's country code domain. The .au namespace plays an important role in supporting the digital economy, with over 3.2 million domain names registered as at August 2020. With the online environment becoming increasingly enmeshed with everyday life, a disruption to a critical domain name system could have significant cascading implications for Australian businesses, government and the community. Malicious or criminal exploitation of the domain name system can compromise users' ability to conduct business or navigate the internet, or compromise their data.

441. This term means a system that is managed by an entity that, in accordance with subsection (2), is critical to the administration of an Australian domain name system, and that is used in connection with the administration of an Australian domain name system. An 'Australian domain name system' means a country code Top Level Domain or a generic Top Level Domain where the administrator of that domain name system is resident in Australia.

442. The note below subsection (1) explains that under section 9 of this Act the rules may prescribe that a specified 'critical domain name system' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

443. Subsection (2) provides that the rules may prescribe, for the purposes of subsection (1), specified entities that are critical to the administration of an Australian domain name system, or requirements for an entity to be critical to the administration of an Australian domain name system. It is likely that auDA will be specified under subsection (2) as the entity responsible for the .au domain name.

Section 12L Meaning of responsible entity

444. New section 12L of the SOCI Act will provide the definition for 'responsible entity'. The definition has been separated into twenty-five subsections representing the twenty-two classes of assets listed in the definition of critical infrastructure asset (see subsection 9(1)), as well as assets that are prescribed under paragraph 9(1)(f), assets that are declared under section 51 by the Minister and assets that are systems of national significance.

445. Responsible entities are those entities with ultimate operational responsibility for the asset. These entities have effective control or authority over the operations and functioning of the asset as a whole (even if they do not have direct control over a particular part of the asset), and are in a position to engage the services of contractors and other operators. Given this, these entities are best placed to fulfil the obligations (should they be activated and apply) under existing Part 2 of the SOCI Act, and new Parts 2A and 2B of this Bill. Further, due to their ultimate responsibility for the asset, the responsible entity will also serve as the key contact point for consultation in relation to rules that may impact the asset.

446. Importantly, section 12L provides the Minister with the ability to make rules to override the responsible entity for a specific category of critical infrastructure asset identified in this section, and prescribe another entity to be the responsible entity. The purpose of this rule making power is to provide adequate flexibility to ensure the obligations and measures under this Bill continue to apply to the most appropriate entity.

Subsection 12L(1)--Critical telecommunications asset

447. Subsection (1) provides that the responsible entity for a critical telecommunications asset is:
• if the critical telecommunications asset is owned or operated by a carrier--the carrier (subparagraph (a)(i))
• if the critical telecommunications asset is owned or operated by a carriage service provider--the carriage service provider (subparagraph (a)(ii)), or
• another entity if prescribed by the rules (paragraph (b)).

448. These entities have been identified as responsible entities for critical telecommunications assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(2)--Critical broadcasting asset

449. Subsection (2) provides that the responsible entity for a critical broadcasting asset is:
• the entity referred to in subparagraph 12E(1)(a)(i) or 12E(1)(b)(i), or paragraph 12E(1)(c), whichever is applicable (paragraph (a)), or
• another entity if prescribed by the rules (paragraph (b)).
450. This means that the responsible entity for a critical broadcasting asset is the entity that:
• owns or operates broadcasting transmission assets that are located on a site that is a critical transmission site (subparagraph 12E(1)(a)(i)). The rules will prescribe either specified sites or requirements for sites to be critical
• owns or operates broadcasting transmission assets located on at least 50 different sites (subparagraph 12E(1)(b)(i)), or
• has been prescribed in the rules as critical to the transmission of a broadcasting service (paragraph 12E(1)(c)).

451. These entities have been identified as responsible entities for critical broadcasting assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(3)--Critical domain name system

452. Subsection (3) provides that the responsible entity for a critical domain name system is:
• an entity referred to in paragraph 12KA(1)(a) (paragraph (a)), or
• another entity if prescribed by the rules (paragraph (b)).

453. This means that the responsible entity for a critical domain name system is an entity that has been specified under subsection 12KA(2). As outlined above for section 12KA, auDA will likely be the entity referred to in paragraph 12KA(1)(a) and therefore would be the responsible entity. As such, it is best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(4)--Critical data storage or processing asset

454. Subsection (4) provides that the responsible entity for a critical data storage or processing asset is the entity referred to in paragraph 12F(1)(a) (paragraph (a)), the entity referred to in paragraph 12F(2)(a) (paragraph (b)), or another entity that has been prescribed by the rules to be the responsible entity (paragraph (c)).

455. These entities (essentially the owner or operator of the asset) have been identified as responsible entities for critical data storage or processing assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.
Subsection 12L(5)--Critical banking asset

456. Subsection (5) provides that the responsible entity for a critical banking asset is the authorised deposit-taking institution referred to in paragraph 12G(1)(a) or the body corporate referred to in paragraph 12G(1)(b) (paragraphs (a) and (b)), or an entity that has been prescribed by the rules to be the responsible entity (paragraph (c)). These entities have been identified as responsible entities for critical banking assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(6)--Critical superannuation asset

457. Subsection (6) provides that the responsible entity for a critical superannuation asset is the registrable superannuation entity referred to in subsection 12J(1) (paragraph (a)), or an entity that has been prescribed by the rules to be the responsible entity (paragraph (b)).

458. These entities have been identified as responsible entities for critical superannuation assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(7)--Critical insurance asset

459. Subsection (7) provides that the responsible entity for a critical insurance asset is:
• if the asset is covered by paragraph 12H(1)(a)--the entity that carries on insurance business referred to in subparagraph 12H(1)(a)(i) (paragraph (a))
• if the asset is covered by paragraph 12H(1)(b)--the body corporate that is a related body corporate of an entity that carries on insurance business referred to in subparagraph 12H(1)(b)(i) (paragraph (b))
• if the asset is covered by paragraph 12H(1)(c)--the entity that carries on life insurance business referred to in subparagraph 12H(1)(c)(i) (paragraph (c))
• if the asset is covered by paragraph 12H(1)(d)--the body corporate that is a related body corporate of an entity that carries on life insurance business referred to in subparagraph 12H(1)(d)(i) (paragraph (d))
• if the asset is covered by paragraph 12H(1)(e)--the entity that carries on health insurance business referred to in subparagraph 12H(1)(e)(i) (paragraph (e))
• if the asset is covered by paragraph 12H(1)(f)--the body corporate that is a related body corporate of an entity that carries on health insurance business referred to in subparagraph 12H(1)(f)(i) (paragraph (f)), or
• any other entity prescribed by the rules (paragraph (g)).

460. These entities have been identified as responsible entities for each category of critical insurance assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(8)--Critical financial market infrastructure asset

461. Subsection (8) provides that the responsible entity for a critical financial market infrastructure asset is:
• if the asset is covered by paragraph 12D(1)(a)--the body corporate that holds an Australian market licence referred to in subparagraph 12D(1)(a)(i) (paragraph (a))
• if the asset is covered by paragraph 12D(1)(b)--the associated entity of an Australian body corporate that holds an Australian market licence as mentioned in subparagraph 12D(1)(b)(i) (paragraph (b))
• if the asset is covered by paragraph 12D(1)(c)--the body corporate that holds an Australian CS facility licence referred to in subparagraph 12D(1)(c)(i) (paragraph (c))
• if the asset is covered by paragraph 12D(1)(d)--the associated entity of an Australian body corporate that holds an Australian CS facility licence as mentioned in subparagraph 12D(1)(d)(i) (paragraph (d))
• if the asset is covered by paragraph 12D(1)(e)--the body corporate that holds a benchmark administrator licence referred to in subparagraph 12D(1)(e)(i) (paragraph (e))
• if the asset is covered by paragraph 12D(1)(f)--the associated entity of a body corporate that holds a benchmark administrator licence as mentioned in subparagraph 12D(1)(f)(i) (paragraph (f))
• if the asset is covered by paragraph 12D(1)(g)--the body corporate that holds an Australian derivative trade repository licence referred to in subparagraph 12D(1)(g)(i) (paragraph (g))
• if the asset is covered by paragraph 12D(1)(h)--the associated entity of a body corporate that holds an Australian derivative trade repository licence as mentioned in subparagraph 12D(1)(h)(i) (paragraph (h))
• if the asset is covered by paragraph 12D(1)(i)--the entity that is used in connection with the operation of a payment system prescribed by the rules (paragraph (i)), or
• another entity if prescribed by the rules (paragraph (j)).

462. These entities have been identified as responsible entities for each category of critical financial market infrastructure assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(9)--Critical water asset

463. Subsection (9) provides that the responsible entity for a critical water asset is the water utility that holds the licence, approval or authorisation to provide the service to be delivered by the asset (paragraph (a)), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

464. This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical water assets.

Subsection 12L(10)--Critical electricity asset

465. Subsection (10) provides that the responsible entity for a critical electricity asset is the entity that holds the licence, approval or authorisation to operate the asset to provide the service to be delivered by the asset (paragraph (a)), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

466. This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical electricity assets.

Subsection 12L(11)--Critical gas asset

467. Subsection (11) provides that the responsible entity for a critical gas asset is the entity that holds the licence, approval or authorisation to operate the asset to provide the service to be delivered by the asset (paragraph (a)), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

468. This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical gas assets.
Subsection 12L(12)--Critical energy market operator asset

469. Subsection (12) provides that the responsible entity for a critical energy market operator asset is:
• if the asset is used by Australian Energy Market Operator Limited (ACN 072 010 327)--that company (paragraph (a))
• if the asset is used by Power and Water Corporation--that corporation (paragraph (b))
• if the asset is used by Regional Power Corporation--that corporation (paragraph (c))
• if the asset is used by Electricity Networks Corporation--that corporation (paragraph (d)), or
• if another entity is prescribed by the rules, that entity (paragraph (e)).

470. These entities have been identified as responsible entities for each critical energy market operator asset as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(13)--Critical liquid fuel asset

471. Subsection (13) provides that the responsible entity for a critical liquid fuel asset is:
• for a liquid fuel refinery, the entity that operates that refinery (paragraph (a))
• for a liquid fuel pipeline, the entity that operates that pipeline (paragraph (b))
• for a liquid fuel storage facility, the entity that operates that facility (paragraph (c)), or
• if another entity is prescribed in the rules, that entity (paragraph (d)).

472. These entities have been identified as responsible entities for each category of critical liquid fuel assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(14)--Critical hospital asset

473. Subsection (14) provides that the responsible entity for a critical hospital is:
• if it is a public hospital, the local hospital network that operates the hospital (paragraph (a))
• if it is a private hospital, the entity that holds the licence, authorisation or approval to operate the hospital (paragraph (b)), or
• if another entity is prescribed by the rules, that entity (paragraph (c)).

474. These entities have been identified as responsible entities for critical hospital assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(15)--Critical education asset

475. Subsection (15) provides that the responsible entity for a critical education asset is the university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers (paragraph (a)), or another entity that has been prescribed by the rules to be the responsible entity (paragraph (b)).

476. These entities have been identified as responsible entities for critical education assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(16)--Critical food and grocery asset

477. Subsection (16) provides that the responsible entity for a critical food and grocery asset is the entity referred to in paragraph 12K(1)(b) (paragraph (a)), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

478. This means that the responsible entity for a critical food and grocery asset is the critical supermarket retailer, critical food wholesaler or critical grocery wholesaler that has been specified in the rules.

479. These entities have been identified as responsible entities for each category of critical food and grocery assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(17)--Critical port

480. Subsection (17) provides that the responsible entity for a critical port is the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003 (MTOFSA)) (paragraph (a)), unless another entity has been prescribed by the rules to be the responsible entity for the port (paragraph (b)).
481. This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical ports.

Subsection 12L(18)--Critical freight infrastructure asset

482. Subsection (18) provides that the responsible entity for a critical freight infrastructure asset is:
• if the Commonwealth is responsible for the management of the asset, the Commonwealth (paragraph (a))
• if a State is responsible for the management of the asset, that State (paragraph (b))
• if a Territory is responsible for the management of the asset, that Territory (paragraph (c))
• if a body is established by a law (Commonwealth, State or Territory) and that body is responsible for the management of the asset, then that body (paragraph (d))
• if none of paragraphs (a)-(d) apply, then the entity prescribed by the rules (paragraph (e)), or
• if another entity is prescribed by the rules in relation to the asset, then that entity (paragraph (f)).

483. These entities have been identified as responsible entities for each category of critical freight infrastructure assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(19)--Critical freight services asset

484. Subsection (19) provides that the responsible entity for a critical freight services asset is the entity referred to in subsection 12C(1) (paragraph (a)), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

485. This means the responsible entity for a critical freight services asset is the entity that uses a network that is critical to the transportation of goods.

486. These entities have been identified as responsible entities for critical freight services assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.
Subsection 12L(20)--Critical public transport asset

487. Subsection (20) provides that the responsible entity for a critical public transport asset is the entity managing a public transport network or system referred to in paragraph (a) of the definition (in section 5 of the SOCI Act) of critical public transport asset (paragraph (a)), or another entity prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

488. These entities have been identified as responsible entities for critical public transport assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(21)--Critical aviation asset

489. Subsection (21) provides that the responsible entity for a critical aviation asset is:
• if the asset is used in connection with the provision of an air service, and is owned or operated by an aircraft operator, the aircraft operator (paragraph (a))
• if the asset is used in connection with the provision of an air service, and is owned or operated by a regulated air cargo agent, the regulated air cargo agent (paragraph (b))
• if the asset is used by an airport operator in connection with the operation of an airport, the airport operator (paragraph (c)), or
• if another entity is prescribed by the rules in relation to the asset, that entity (paragraph (d)).

490. These entities have been identified as responsible entities for each category of critical aviation assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(22)--Critical defence industry asset

491. Subsection (22) provides that the responsible entity for a critical defence industry asset is the entity that is supplying or will supply that asset to the Defence Department or the Australian Defence Force under a contract, as referred to in paragraph (a) of the definition of critical defence industry asset (see section 5) (paragraph (a)), or another entity that is prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

492. These entities have been identified as responsible entities for critical defence industry assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.
Subsection 12L(23)--Assets prescribed by the rules

493. Subsection (23) provides that the responsible entity for an asset that has been prescribed as a critical infrastructure asset under paragraph 9(1)(f) is the entity that is listed in the rules.

Subsection 12L(24)--Assets declared to be a critical infrastructure asset

494. Subsection (24) provides that the responsible entity for an asset that has been declared as a critical infrastructure asset by the Minister under section 51 is the entity listed in the declaration. It is noted that subsection 51(2) requires that a declaration under section 51 specifies who the responsible entity for the asset is.

Subsection 12L(25)--System of national significance

495. Subsection (25) provides that if the critical infrastructure asset is a system of national significance then the responsible entity for the system of national significance is the same as for that critical infrastructure asset. Prior to being declared a system of national significance under section 52B the asset must already be defined as a critical infrastructure asset, and the responsible entity for the asset will have already been determined under subsections 12L(1)-(24).

Section 12M Meaning of cyber security incident

496. New section 12M of the SOCI Act defines the term 'cyber security incident'. Under the amendments made by the Bill, there will be obligations for certain critical infrastructure assets and systems of national significance in relation to such incidents. Cyber security incidents will also be central to the operation of the powers outlined in new Part 3A.

497. This section provides that a cyber security incident is one or more acts, events or circumstances involving any of the following:
• unauthorised access to computer data or a computer program (paragraph (a))
• unauthorised modification of computer data or a computer program (paragraph (b))
• unauthorised impairment of electronic communication to or from a computer (paragraph (c)), or
• unauthorised impairment of the availability, reliability, security or operation of a computer, computer data or a computer program (paragraph (d)).
498. Some common examples of a cyber security incident include:
• Malware - Any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including computer viruses, worms, trojan horses, ransomware, spyware, adware, and others.
• Phishing - Fraudulent attempts to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising communications (through emails and other formats) as trustworthy.
• Denial of service - This form of attack is where a perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
• Cross-site scripting - This is where an attacker injects malicious scripts into otherwise benign and trusted websites. The victim's web browser executes those scripts as if they were part of the trusted site, allowing the attacker to bypass access controls such as the browser's same-origin policy and act with the victim's privileges on that site.

Section 12N Meaning of unauthorised access, modification or impairment

499. New section 12N of the SOCI Act will provide the definition for 'unauthorised access, modification or impairment'. Under subsection (1) of this definition, the following conduct is unauthorised if the person is not entitled to cause that access, modification or impairment:
• access to computer data or a computer program (paragraph (a))
• modification of computer data or a computer program (paragraph (b))
• impairment of electronic communications to or from a computer (paragraph (c)), or
• the impairment of the availability, reliability, security or operation of a computer, computer data or a computer program (paragraph (d)).
500. For the conduct to be unauthorised, it must have occurred without authority, irrespective of whether that authority would be drawn from, for example, legislation or contractual arrangements.

501. Subsection (2) provides that it is immaterial whether or not the person can be identified. Subsection (3) provides circumstances in which a person is entitled to cause the access, modification or impairment. Paragraph (3)(b) provides that if the person does so in the following circumstances, they were entitled to do so:
• under a warrant issued under a law of the Commonwealth, a State or a Territory (subparagraph (i))
• under an emergency authorisation given to the person under Part 3 of the Surveillance Devices Act 2004 or under a law of a State or Territory that makes provision to similar effect (subparagraph (ii))
• under a tracking device authorisation given to the person under section 39 of the Surveillance Devices Act 2004 (subparagraph (iii))
• in accordance with a technical assistance request (subparagraph (iv))
• in compliance with a technical assistance notice (subparagraph (v)), or
• in compliance with a technical capability notice (subparagraph (vi)).

Section 12P Examples of responding to a cyber security incident

502. New section 12P of the SOCI Act illustrates types of actions that may be regarded as responses to a cyber security incident. This is particularly relevant for new Part 3A, as the Minister in certain circumstances must be satisfied that the responsible entity is unwilling or unable to take all reasonable steps to respond to the incident.

503. This section of the SOCI Act provides the following as examples of responding to a cyber security incident:
• if the incident is imminent--preventing the incident (paragraph (a))
• mitigating a relevant impact of the incident on a critical infrastructure asset or a critical infrastructure sector asset (paragraph (b)), or
• if a critical infrastructure asset or a critical infrastructure sector asset has been, or is being, affected by the incident--restoring the functionality of the asset (paragraph (c)).

504. Due to rapid technological change, it is not possible to foresee all possible ways that a system may be compromised or exploited, or the actions that would be required to respond to the incident. In particular, the methods of compromise and the required responses will change over time alongside technology. Therefore, a non-prescriptive approach has been taken in relation to defining what a response to a cyber security incident would involve. Further, it is important to recognise that a response will be proportionate to the nature of the incident and the system that will be, is being, or has been impacted, as well as to the capabilities of the entity responsible for protecting the system.

Item 33 Paragraph 13(1)(b)

505. Subsection 13(1) provides that the SOCI Act applies to the types of entities listed in the paragraphs to the subsection. Paragraph 13(1)(b) currently provides that the SOCI Act applies to an entity 'that is a reporting entity for' or an operator of one of the assets listed in the subparagraphs.

506. Item 33 of Schedule 1 to the Bill will repeal 'that is a reporting entity for' and replace it with 'so far as the entity is the responsible entity for, a reporting entity for, a relevant entity for'. This is to reflect the various classes of entities identified in the Act.

Item 34 At the end of paragraph 13(1)(b)

507. Item 34 of Schedule 1 to the Bill adds subparagraphs (iv), (v), (vi), (vii) and (viii) to the end of paragraph 13(1)(b). Those subparagraphs provide the following further characteristics of assets to which the SOCI Act applies:
• used in the course of, or in relation to, banking to which paragraph 51(xiii) of the Constitution applies (subparagraph (iv))
• used in the course of, or in relation to, insurance to which paragraph 51(xiv) of the Constitution applies (subparagraph (v))
• used to supply a carriage service (subparagraph (vi))
• used in connection with the provision of a broadcasting service (subparagraph (vii)), or
• used to administer a domain name system (subparagraph (viii)).

508. These amendments reflect the additional classes of critical infrastructure assets that have been added to the Act.

Item 35 Subsection 13(2)

509. Subsection 13(2) of the SOCI Act currently provides that Division 3 of Part 4 of the SOCI Act, relating to the use and disclosure of protected information, also applies to any other entity. Item 35 of Schedule 1 to the Bill amends subsection 13(2) of the SOCI Act to provide that section 60AA of this Act also applies to any other entity.
Item 36 Division 1 of Part 2 (heading)

510. Item 36 of Schedule 1 to the Bill will change the heading of Division 1 of Part 2 from 'Simplified outline of this Part' to 'Introduction'.

Item 37 At the end of section 18

511. Item 37 of Schedule 1 to the Bill inserts a note to section 18 that indicates that the reader should also consider section 18A when considering the simplified outline in that section.

Item 38 At the end of Division 1 of Part 2

512. Item 38 of Schedule 1 to the Bill inserts new section 18A of the SOCI Act, to provide for the application of Part 2.

Section 18A Application of this Part

513. New section 18A of the SOCI Act provides for the application of Part 2. Subsection (1) outlines that, subject to subsection (3) (as outlined in subsection (2)), Part 2 applies to a critical infrastructure asset if any of the following apply:
• the asset is specified in the rules (paragraph (1)(a))
• the asset is the subject of a declaration under section 51, and the declaration determines that this Part applies to the asset (paragraph (1)(b)), or
• immediately before the commencement of section 18A, in accordance with item 2 of the Bill, the asset was a critical infrastructure asset (within the meaning of the Act prior to these amendments commencing) (paragraph (1)(c)).

514. Paragraph (1)(a) effectively works as an 'on switch' through which the Minister can ensure that this particular aspect of the positive security obligations only applies in appropriate situations. For example, the Minister may choose not to apply Part 2 to a class of critical infrastructure assets if the information that would be provided under the obligations is already available to government through other means and therefore the desired security objectives are being achieved. Importantly, this will be used to avoid duplicate reporting to Government and thus reduce regulatory burden.

515. Paragraph (1)(b) replicates the intent of paragraph (1)(a) for assets declared to be critical infrastructure assets under existing section 51 of the SOCI Act, noting the private nature of those declarations due to the associated security vulnerabilities. Paragraph 18A(1)(b) requires that a declaration made under existing section 51 must specify if the obligations under Part 2 are 'activated' and apply to the declared asset. This ensures responsible entities of assets declared under section 51 are aware of their obligations under Part 2 (should they be activated) without disclosing the identity of these sensitive assets.

516. Paragraph (1)(c) also provides a transitional provision to ensure the obligations in Part 2 will continue to apply, uninterrupted, in relation to those critical infrastructure assets that had existing obligations under the Part immediately prior to the commencement of section 18A.

517. In addition to the power to make rules for the purposes of section 18A, subsection 33(3) of the Acts Interpretation Act provides that where an Act confers a power to make, grant or issue any instrument of a legislative or administrative character (including rules, regulations or by-laws), the power shall be construed as including a power exercisable in the like manner and subject to the like conditions (if any) to repeal, rescind, revoke, amend, or vary any such instrument.

518. A note to subsection (1) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

519. This note has been included to clarify that the Minister has the discretion to specify in rules that Part 2 applies to:
• all critical infrastructure assets,
• a category of critical infrastructure assets, such as critical broadcasting assets,
• a subset of assets within a category of critical infrastructure assets, such as liquid fuel pipelines that are critical liquid fuel assets, or
• a specific asset that is a critical infrastructure asset.

520. Subsection (3) outlines that the rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period beginning when the asset became a critical infrastructure asset (paragraph (a)) and ending at a time ascertained in accordance with the rules (paragraph (b)). This is intended to provide the ability to offer a delayed commencement or 'grace period' in the future when an asset becomes a critical infrastructure asset to which the Part applies, allowing the responsible entity a reasonable period to adjust its business.

Section 18AA Consultation--rules

521. New section 18AA of the SOCI Act sets out consultation requirements in relation to rules made for the purposes of section 18A, providing that a responsible entity for a critical infrastructure asset must comply with the requirement to adopt and maintain a critical infrastructure risk management program.


Subsection 18AA(1)--Scope

522. Subsection (1) provides that section 18AA applies to rules made for the purposes of section 18A of the SOCI Act.

Subsection 18AA(2)--Consultation

523. Subsection (2) provides that, before making or amending rules for the purposes of section 18A, the Minister must do all of the following:
• cause to be published on the Department's website a notice setting out the draft rules or amendments and inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days of publication of the notice (paragraph (a))
• give a copy of the notice to each First Minister (paragraph (b)), and
• consider any submissions received under paragraph (a) (paragraph (c)).

524. This consultation requirement will ensure that the Part is only activated in appropriate circumstances and allow entities an opportunity to provide the Government with submissions on any delay in the commencement of the Part necessary to allow them to adjust their businesses without undue burden.

Item 39 After Part 2

525. Item 39 inserts new Parts 2A (critical infrastructure risk management programs), 2B (notification of cyber security incidents) and 2C (enhanced cyber security obligations) into the SOCI Act.

Part 2A--Critical infrastructure risk management programs

526. Part 2A will require critical infrastructure assets to develop and comply with a critical infrastructure risk management program - the second limb of the positive security obligation.

527. These amendments are intended to uplift core security practices of critical infrastructure assets by ensuring responsible entities take a holistic and proactive approach toward identifying, preventing and mitigating risks from all hazards.

528. The Bill sets out the overarching obligations for the risk management programs, with the more detailed, sector-specific requirements to be contained in rules. Noting that the responsible entity is best placed to understand the risks to an asset and develop appropriate risk practices, this obligation has been designed to be principles-based. Combined, the SOCI Act and the proposed rules will ultimately require responsible entities of critical infrastructure assets to manage security risks by meeting the following principles-based outcomes:
• Identify material risks - Entities will have a responsibility to take an all-hazards approach when identifying risks that may affect the availability, integrity, reliability and confidentiality of their asset.
• Mitigate risks to prevent incidents - Entities will be required to understand the identified risks and have appropriate risk mitigations in place to manage those risks.
• Minimise the impact of realised incidents - Entities will be required to have robust procedures in place to mitigate the impacts in the event a threat has been realised and to recover as quickly as possible.
• Effective governance - Annual reporting requirements will ensure that risk management is considered at an appropriately senior level within the entity.

Section 30AA Simplified outline of this Part

529. New section 30AA of the SOCI Act sets out a simplified outline of Part 2A. The obligations in this Part are the second element of the positive security obligations for critical infrastructure assets--the others being notification of cyber security incidents (new Part 2B of the SOCI Act) and maintaining the register of critical infrastructure assets (existing Part 2).

Section 30AB Application of this Part

530. New section 30AB of the SOCI Act provides that Part 2A applies to a critical infrastructure asset if either of the following apply:
• the asset is specified in the rules (made by the Minister under section 61 of the SOCI Act, see paragraph (a)), or
• the asset is subject to a declaration under section 51 of the SOCI Act (being a private declaration that an asset is a critical infrastructure asset) and the declaration made under section 51 determines that Part 2A applies to the asset (paragraph (b)).

531. This effectively works as an 'on switch' through which the Minister can ensure that this particular aspect of the positive security obligations only applies in appropriate situations.

532. Similar to new section 18A and new section 30BB, section 30AB allows for a nuanced, sector-specific or asset-specific approach to be taken to the application of the obligations contained in new Part 2A. In determining whether to make rules to apply the obligations to certain critical infrastructure assets, the Minister is likely to consider whether any existing requirements or arrangements appropriately deliver the same outcomes as intended by the critical infrastructure risk management program. This reflects the range of regulatory obligations that exist in relation to the various critical infrastructure assets, as well as the obligations that may exist in relation to future critical infrastructure assets that are identified, and the Government's commitment to avoid duplicating regulation. Should these alternative regimes be found wanting, this mechanism provides a default option to ensure the security objectives can be achieved.

533. A note to this section indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

534. This note has been included to clarify that the Minister has the discretion to specify in rules that Part 2A applies to:
• all critical infrastructure assets,
• a category of critical infrastructure assets, such as critical broadcasting assets,
• a subset of assets within a category of critical infrastructure assets, such as liquid fuel pipelines that are critical liquid fuel assets, or
• a specific asset that is a critical infrastructure asset.

535. In addition to the power to make this instrument under section 30AB, subsection 33(3) of the Acts Interpretation Act provides that where an Act confers a power to make, grant or issue any instrument of a legislative or administrative character (including rules, regulations or by-laws), the power shall be construed as including a power exercisable in the like manner and subject to the like conditions (if any) to repeal, rescind, revoke, amend, or vary any such instrument.

536. Subsection (3) outlines that the rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period beginning when the asset became a critical infrastructure asset (paragraph (a)) and ending at a time ascertained in accordance with the rules (paragraph (b)). This is intended to provide the ability to offer a delayed commencement or 'grace period' in the future when an entity becomes a critical infrastructure asset to which the Part applies, allowing them a reasonable period to adjust their business.

Section 30ABA Consultation--rules

537. New section 30ABA of the SOCI Act sets out consultation requirements in relation to rules made for the purposes of section 30AB, providing that a responsible entity for a critical infrastructure asset must comply with the requirement to adopt and maintain a critical infrastructure risk management program.

Subsection 30ABA(1)--Scope

538. Subsection (1) provides that section 30ABA applies to rules made for the purposes of section 30AB of the SOCI Act.

Subsection 30ABA(2)--Consultation

539. Subsection (2) provides that, before making or amending rules for the purposes of section 30AB, the Minister must do all of the following:
• cause to be published on the Department's website a notice setting out the draft rules or amendments and inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days of publication of the notice (paragraph (a))
• give a copy of the notice to each First Minister (paragraph (b)), and
• consider any submissions received under paragraph (a) (paragraph (c)).

540. This consultation requirement will ensure that the Part is only activated in appropriate circumstances and allow entities an opportunity to provide the Government with submissions on any delay in the commencement of the Part necessary to allow them to adjust their businesses without undue burden.

Section 30AC Responsible entity must have a critical infrastructure risk management program

541. New section 30AC of the SOCI Act provides that an entity that is the responsible entity for one or more critical infrastructure assets to which this Part applies must adopt and maintain a critical infrastructure risk management program that applies to the entity. This requirement will ensure responsible entities develop a nuanced, comprehensive understanding of the threat picture that can affect the availability, confidentiality, reliability and integrity of the relevant critical infrastructure asset.

542. The purpose of section 30AC is to require responsible entities to develop and keep a written program that satisfies the requirements at new section 30AH.

543. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure responsible entities adopt and maintain a critical infrastructure risk management program, noting the importance of their role to Australia's society, economy and defence. This penalty is commensurate with the penalty for non-compliance with the obligation to have security programs under the ATSA and MTOFSA. The penalty reflects the significance of this program in uplifting core security practices of critical infrastructure assets and the onus on responsible entities to proactively identify, prevent and mitigate risks from all hazards.

544. To reduce the administrative burden for entities responsible for more than one critical infrastructure asset, it is permissible under this section for entities to have a single written program for all critical infrastructure assets for which they are the responsible entity.

545. While the purpose and requirements for the critical infrastructure risk management program are outlined at section 30AH, new Part 2A of the SOCI Act does not mandate how responsible entities should go about developing their program. This is reflective of the wide range of complexity in relation to the scope of critical infrastructure assets as well as the spectrum of risk management maturity. Government's intention is that responsible entities will have discretion as to how they construct their risk management program. This recognises industry's expertise and deep knowledge of the unique challenges faced by each critical infrastructure asset and ensures there is no unnecessary regulatory burden. Support and guidance will be provided to industry through non-regulatory processes (such as the ongoing engagement with industry through the Trusted Information Sharing Network) and other guidance.

Section 30AD Compliance with critical infrastructure risk management program

546. New section 30AD of the SOCI Act provides that if an entity is the responsible entity for one or more critical infrastructure assets (that are specified for the purposes of section 30AB) and has adopted a critical infrastructure risk management program under section 30AC, the entity must comply with the program, including any variations to the program.

547. Section 30AD is an extension of section 30AC and is intended to require that responsible entities are not only required to put in place a critical infrastructure risk management program, but that entities must effectively implement that program to actively maintain and, wherever required, uplift the security and resilience of their asset.

548. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure responsible entities comply with their critical infrastructure risk management program. This penalty is commensurate with the penalty for non-compliance with the obligation to comply with security programs under the MTOFSA and the Aviation Transport Security Act 2004. The penalty reflects the importance of applying a program designed to prevent and mitigate risks from harms identified.

Section 30AE Review of critical infrastructure risk management program

549. New section 30AE of the SOCI Act provides that if an entity is the responsible entity for one or more critical infrastructure assets (that are specified for the purpose of section 30AB) and has adopted a critical infrastructure risk management program that applies to the entity, then the entity must also review the program on a regular basis.

550. A definitive timeframe within which the program must be reviewed is not specified in this section. This is reflective of the different threat environments faced by the various critical infrastructure assets and is intended to allow the responsible entity greater discretion to determine the frequency with which this should occur, noting they are best placed to understand the context of the environment in which the asset operates. The frequency may also change over time as the characteristics of the asset, its interdependencies, the market, or threats change or fluctuate. This approach is intended to prevent unnecessary burden being placed on industry to review the program in a manner disproportionate to their context. The Department will work closely with industry to develop guidance to assist them in determining the application of the provision to their unique circumstances.

551. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure responsible entities review their critical infrastructure risk management program. The penalty reflects the importance of keeping risk management programs up-to-date and accurate.

Section 30AF Update of critical infrastructure risk management program

552. New section 30AF of the SOCI Act provides that if an entity is the responsible entity for one or more critical infrastructure assets (that are specified for the purpose of section 30AB) and has adopted a critical infrastructure risk management program that applies to the entity, then the entity must take all reasonable steps to ensure that the program is up to date. This obligation to update the program complements the obligation in section 30AE to regularly review the program.

553. Meaningful uplift of the security and resilience of critical infrastructure assets will only occur if the risk management programs' articulation of material risks and mitigation strategies remains current. It is therefore vital that responsible entities review their risk management program on a regular basis and take reasonable steps to ensure it is kept up to date. This ensures risk is being continually assessed and managed by the entity rather than taking a 'set and forget' approach to risk management.

554. The Bill also does not define 'reasonable steps' in section 30AF, as it will depend on the individual circumstances of each entity, their security environment and the extent of the updates required. It is intended to ensure risk management programs are regularly reviewed and updated in response to evolving technology, business circumstances and changes in the threat environment.

555. Collectively, sections 30AD to 30AF of the SOCI Act are designed to reflect the overall life cycle of an effective risk management program.


556. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. The penalty is designed to deter non-compliance and to ensure responsible entities update their critical infrastructure risk management program. The penalty reflects the importance of keeping risk management programs up-to-date and accurate, noting the significant role these programs play in protecting critical infrastructure.

Section 30AG Responsible entity must submit annual report

557. New section 30AG of the SOCI Act sets out that a responsible entity that has adopted a critical infrastructure risk management program under section 30AC must submit an annual report to the Secretary of Home Affairs.

Subsection 30AG(1)--Scope

558. Subsection (1) provides that section 30AG applies to an entity if, during a period (known as the 'relevant period') that consists of the whole or a part of a financial year:
• the entity was the responsible entity for one or more critical infrastructure assets (paragraph (a)), and
• the entity had a critical infrastructure risk management program (paragraph (b)).

559. This is intended to capture those entities that were responsible for the asset at any point during the relevant period.

Subsections 30AG(2) and (3)--Annual report

560. Under subsection (2), an entity that falls within subsection (1) is required to provide an annual report that meets the requirements outlined in paragraphs (c), (d), (e) and (f) within 90 days of the end of the financial year. This obligation does not require the responsible entity to provide the full critical infrastructure risk management program to the Secretary, but rather a statement that the program remains up to date and details of any hazards that have had a significant impact on the asset during the reporting period.

561. The report must be given to the relevant Commonwealth regulator. A 'relevant Commonwealth regulator' will be specified in Ministerial rules, which will be a legislative instrument publicly available on the Federal Register of Legislation. If there is no 'relevant Commonwealth regulator' specified, the annual report must be provided to the Secretary (paragraph (2)(b)).

562. It is Government's preference for existing Commonwealth regulatory bodies and authorities to enforce compliance with Part 2A. These regulators are likely to have well-established relationships with industry, and may have an extensive understanding of the threat environment.

563. For this reason, and to facilitate their oversight role, paragraph (2)(a) ensures these regulatory bodies or authorities have visibility and awareness of the threat environment in the relevant sector and whether entities are complying with the requirements under Part 2A, and can provide assistance and guidance as required.

564. Where no relevant Commonwealth regulator exists, the Department of Home Affairs will be the default regulator.

565. An annual report is required, if the entity had a critical infrastructure risk management program at the end of the financial year, to include a statement as to whether or not the program was up to date at the end of the financial year (paragraph (2)(c)). If an entity was responsible for the asset earlier in the period but not at the end of the financial year, this obligation is not applicable. The intention of this provision is to require the entity with overall responsibility for the asset to certify that an effective and up to date risk management program is in place.

566. Further, if a hazard had a significant relevant impact on one or more assets during the relevant period, the annual report is also required to include a statement that identifies the hazard, evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets concerned, and outlines any variation to the critical infrastructure risk management program that is made as a result of the occurrence of the hazard (paragraph (2)(d)). Provision of this information will allow the regulator to engage with the responsible entity to determine if the entity requires further assistance and guidance to update their program. This obligation will allow Government to build a collective picture of the nature of threats impacting on critical infrastructure across all sectors. This will inform and support the sharing of information and expertise on how those threats are best managed by government and industry in partnership.

567. For the purpose of paragraph (2)(d), a relevant impact is defined in new subsection 8G(1) of the SOCI Act as a direct or indirect impact on the availability, integrity, reliability or confidentiality of the asset. Such an impact could fundamentally undermine the intended operation or functioning of a critical infrastructure asset, or put at risk the sensitive information and personal information held by the asset.

568. It is not intended that entities will be required to report day-to-day incidents - instead the requirement will be to report incidents that have had a significant relevant impact.

569. What is regarded as significant for the purpose of paragraph (2)(d) will vary between assets and across sectors, and it will be up to the entity to determine when a relevant impact is significant for the purposes of this reporting obligation. It is expected that a significant impact would include one that affected the functioning of the asset or its ability to deliver intended services. In determining the significance of a relevant impact, entities could have regard to whether the impact of the hazard has:
• a genuine impact on the availability of the asset, or services delivered by the asset (noting that the nature and duration of impact will differ across assets and sectors), such as would occur during a significant ransomware attack. This type of cyber attack can cripple organisations that rely on computer systems to function, by encrypting all connected electronic devices, folders and files and rendering systems inaccessible
• an impact that caused harm to customers or end-users, such as a serious cyber attack on a financial institution rendering customers and businesses unable to access their funds or utilise electronic payment methods, impairing their ability to engage in commerce, or
• a detrimental impact on information security which has undermined the integrity of, or led to the loss, theft or unauthorised access of, sensitive information or personal information, such as the significant data breach suffered by Equifax in September 2017 that exposed personal information of 147 million people.

570. The circumstances listed above are intended to provide illustrative examples of the types of relevant impacts that may be considered to be significant. Entities must undertake their own analysis and consider their particular circumstances and operations to determine what is considered to be a significant relevant impact for their asset. The Department will also work with industry to provide sector-specific guidance on what may be considered to be a significant relevant impact for this purpose.

571. The annual report must also be in the approved form (paragraph (2)(e)). The 'approved form' is defined in section 5 of the SOCI Act to be a form approved by the Secretary of the. The approved form will be made publicly available on the Home Affairs website (www.cicentre.gov.au).

572. If the entity has a board, council or other governing body, the report must be approved by that body (paragraph (2)(f)). Noting the importance of risk management for critical infrastructure assets, this requirement will ensure that there is appropriate visibility and responsibility within the senior management of the entity. Approval must occur in accordance with the respective practices of the body.

573. Breach of this obligation is subject to a civil penalty of up to 150 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance and to ensure responsible entities comply with their reporting obligation. This penalty is commensurate with the penalty for non-compliance with reporting obligations under ATSA and MTOFSA. The penalty reflects the importance of governing bodies certifying that appropriate risk management practices are in place and that security is being considered by the most senior officers for these assets.

574. Subsection (3) provides that a report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of the SOCI Act. This means that the 'relevant Commonwealth regulator' (if applicable) or the Department cannot use information provided in the annual report to take compliance action against a responsible entity under the SOCI Act, including in relation to the obligations outlined in new sections 30AC, 30AD, 30AE and 30AF, relying upon information provided in the annual report.

575. This should provide comfort to industry that the annual report will only be used to better understand the threat environment in each sector and for matters related to providing meaningful assistance and advice to entities on ways to further enhance the security and resilience of critical infrastructure assets.

Section 30AH Critical infrastructure risk management program

576. New section 30AH of the SOCI Act defines the requirements for a critical infrastructure risk management program. Adoption of and compliance with a critical infrastructure risk management program will ensure responsible entities have a comprehensive understanding of the threat environment, and develop processes and procedures to effectively respond to the risk of any hazard impacting the availability, confidentiality, reliability and integrity of their asset.

577. Under subsection (1), a critical infrastructure risk management program is a written program that applies to the responsible entity for one or more critical infrastructure assets. There is no requirement for this program to be in any specific form, other than in writing. This ensures responsible entities are able to determine the most appropriate form for their risk management program, including building on existing business enterprise risk management practices. It is permissible for a responsible entity for multiple critical infrastructure assets to adopt a combined critical infrastructure risk management program for those assets, noting that the program must address the risks associated with each individual asset to meet the requirements of this section.

578. The purpose of the critical infrastructure risk management program is threefold:
a) to identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset (subparagraph (1)(b)(i))
b) so far as it is reasonably possible to do so, to minimise or eliminate any material risk of such a hazard occurring (subparagraph (1)(b)(ii)), and
c) to mitigate the relevant impact of such a hazard on the asset (subparagraph (1)(b)(iii)).

579. Each of these purposes is outlined further under a separate heading below.


Identifying each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the hazard (subparagraph 30AH(1)(b)(i)) 580. A hazard in the context of a critical infrastructure risk management program is intended to mean an event which, alone or in combination with other events, has the potential to give rise to risk. This broad interpretation (consistent with best practice international risk management doctrine) reflects the diversity of critical infrastructure assets which may be subject to the obligation. That is to say, a hazard can be human induced (for example, a cyber attack or sabotage) or natural (for example an extreme weather event). This approach is intended to ensure the obligations can evolve effectively in response to change technology and threat environments, by ensuring the focus of a critical infrastructure risk management program is on the impact of a hazard on the asset as opposed to prescriptively listing the source of the hazard. 581. A relevant impact of a hazard on a critical infrastructure asset is defined in new subsection 8G(1) of the SOCI Act to be the impact (whether direct or indirect) of the hazard on:  the availability of the asset  the integrity of the asset  the reliability of the asset, or  the confidentiality of information about the asset, information stored in the asset, or computer data. 582. While there may be hazards which impact a critical infrastructure asset in other ways, these impacts are crucial to the secure operating of the asset and its continuous provision of essential services. 583. Importantly, a critical infrastructure risk management program does not require the entity to identify every single hazard that could pose a risk of having a relevant impact on the hazard. Rather the obligations are limited to those hazards that pose a material risk of having a relevant impact on the hazard. 
While assessing whether a risk is material must be done on a case by case basis, recognising the unique circumstances of the asset, subsection (7) provides that in making that determination the entity must have regard to the likelihood of the hazard occurring, and the relevant impact of the hazard on the asset if the hazard were to occur. That is, hazards which are highly improbable, or for which the impact would be inconsequential, are unlikely to be considered material. For example, an asset that is hundreds of kilometres inland would not be required to take steps to mitigate the physical impact of a tsunami on the asset. This is not to say that an unlikely event that would have a substantial impact would never be regarded as a material risk. The impacts of COVID-19 on the availability of workforce and the day-to-day operations of an asset are an example of such an unlikely event where there would still be a material risk that would need to be addressed in a critical infrastructure risk management program.

584. Having had regard to these factors, the entity must ultimately consider which risks are material. The approach taken to this obligation acknowledges that the entity responsible for the asset will be best placed to understand the operating environment of the asset and, with guidance from Government, the threats it faces. Therefore it is for the responsible entity to undertake this risk identification process in line with the existing processes inside the business for understanding and managing risk.

Minimise or eliminate any material risk of such a hazard occurring (subparagraph 30AH(1)(b)(ii))

585. The purpose of this provision is to ensure that a critical infrastructure risk management program is directed at either minimising or eliminating the material risk of an identified hazard occurring. The provision is qualified to provide that this must occur so far as it is reasonably possible to do so. This qualification is intended to recognise that the responsible entity may not be able to minimise or eliminate the risk of a hazard occurring; for example, no reasonable steps could be taken to prevent a cyclone occurring.

586. This feature of the critical infrastructure risk management program recognises the importance of prevention in risk management. For example, a responsible entity for a critical infrastructure asset may be able to dramatically reduce the risk of a cyber security incident occurring by developing and installing software designed to uplift information security.

Mitigate the relevant impact of such a hazard on the asset (subparagraph 30AH(1)(b)(iii))

587.
The purpose of this provision is to ensure that a critical infrastructure risk management program is directed at ensuring appropriate procedures are in place to mitigate the relevant impact of a hazard should it occur, noting that minimisation or elimination efforts may not be foolproof. For example, while the material risk of a cyclone occurring cannot be minimised, an entity should be actively taking steps to mitigate the impact should one occur, such as by ensuring any critical buildings are built to an appropriate standard to withstand such an event.

588. An appropriate mitigation will depend on the context of the asset, the relevant impact and the hazard itself. This provision is intended to be flexible and adaptable, while nevertheless requiring the responsible entity to achieve the required security objectives.

Critical infrastructure risk management program rules (paragraph 30AH(1)(c))

589. Under paragraph (1)(c), the critical infrastructure risk management program must comply with any requirements specified in rules made by the Minister under section 61 of the SOCI Act. Any such rules will be a legislative instrument and publicly available on the Federal Register of Legislation (www.legislation.gov.au). Subsection (2) provides that the rules may be of general application or may relate to one or more specified critical infrastructure assets.

590. These rules will be used to provide further detail on how the principles-based obligations set out in subparagraphs (1)(b)(i)-(iii) are to be implemented. Noting the array of critical infrastructure assets that may be subject to the obligation to adopt and maintain a critical infrastructure risk management program, now and into the future, this mechanism will be crucial for ensuring the program is implemented in a risk-based and proportionate manner for each industry sector, while still achieving the desired security outcomes and avoiding any unnecessary burden. The Department will co-design these rules with industry and states and territories on a sector-specific basis.

591. The Government recognises that particular risks exist across different threat domains and it is vital that a holistic approach is taken when developing a risk management program. In particular, there may be common issues that inform sector-specific rules. Without prejudicing the co-design process still to occur, the requirements in the rules will set out the approach to be taken in relation to the following domains:
• Physical security risks: This includes the risk of harm to people and damage to physical assets, arising for example from mechanical failures, natural hazards such as floods and cyclones, and human induced hazards such as terrorism.
• Cyber security risks: Malicious cyber activity is one of the most significant threats to Australian critical infrastructure and can range from denial of service attacks, to ransomware and targeted cyber intrusions.
• Personnel security risks: This refers to the 'insider threat', that is, the risk of employees exploiting their legitimate access to an organisation's assets for unauthorised purposes, including corporate espionage and sabotage.
• Supply chain risks: Reliance on supply chains inherently involves dependencies on other assets, or providing other entities with some level of access to, or control of, an entity's asset or business deliverables. As is the case for personnel risk, supply chain risks relate to entities exploiting their legitimate access to, or control of, an organisation's assets for unauthorised purposes, or otherwise creating a cascading impact on dependent assets.

592. A note to subsection (2) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

593. Subsection (3) outlines that subsection (2) of section 30AH does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act. This means that subsection 33(3A) of the Acts Interpretation Act, which generally provides that a power to make a legislative instrument in relation to a matter includes a power to make an instrument with respect to some only of those matters, or with respect to a particular class or classes of those matters, and to make different provision with respect to different matters or classes of matters, continues to apply.

594. Subsection (4) provides that rules made for the purpose of paragraph (1)(c) may require that a critical infrastructure risk management program include provisions requiring background checks of individuals to be conducted under the AusCheck scheme. Subsection (5) clarifies that subsection (4) does not limit paragraph (1)(c).

595. The amendments to the AusCheck Act 2007 in item 3 of Schedule 1 to this Bill, read together with these provisions, provide the ability for background checks of certain individuals to be required. Any rules made providing for the conduct of background checking will focus on addressing the threat posed by trusted insiders to critical infrastructure assets. Trusted insiders are potential, current or former employees or contractors who have legitimate access to information, techniques, technology, assets or premises. Trusted insiders can intentionally or unknowingly assist external parties in conducting activities against the organisation, or can commit malicious acts of self-interest. Such action by a trusted insider can undermine or severely impact the availability, integrity, reliability or confidentiality of critical infrastructure assets and, as a result, may undermine Australia's social or economic stability, defence and national security.

596. Subsection (6) sets out the factors that the Minister must have regard to in specifying rules for the purposes of paragraph (1)(c):
• any existing regulatory system of the Commonwealth, a State or a Territory that imposes obligations on responsible entities;
• the costs that are likely to be incurred by responsible entities in complying with those rules;
• the reasonableness and proportionality of the requirements in relation to the purposes referred to in paragraph (1)(b); and
• such other matters (if any) as the Minister considers relevant.

597. This requirement is intended to ensure that any rules made for the purposes of the critical infrastructure risk management program are appropriate in all the circumstances and avoid unnecessary duplication.
598. Subsection (7) outlines that rules made for the purpose of paragraph (1)(c) may provide that a specified risk is taken to be a material risk for the purpose of section 30AH. This means that the rules may deem a particular risk to be one that must be addressed in a critical infrastructure risk management program in accordance with paragraph (1)(b).

599. Subsections (8) to (11) outline that rules made under paragraph (1)(c) may provide that the taking of specified action:
• in relation to a critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset (subsection (8)), which means that the rules can specify matters in relation to critical infrastructure assets generally for the purpose of subparagraph (1)(b)(ii)
• in relation to a specified critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset (subsection (9)), which means that the rules can specify matters in relation to a specified critical infrastructure asset for the purpose of subparagraph (1)(b)(ii)
• in relation to a critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset (subsection (10)), which means that the rules can specify matters in relation to critical infrastructure assets generally for the purpose of subparagraph (1)(b)(iii), and
• in relation to a specified critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset (subsection (11)), which means that the rules can specify matters in relation to a specified critical infrastructure asset for the purpose of subparagraph (1)(b)(iii).

600. Notes to subsections (8) to (11) indicate that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

601. Broadly speaking, rules may be made under subsections 30AH(8)-(11) in three circumstances:
• to mandate the steps responsible entities should be taking through their critical infrastructure risk management program to address material risks. The purpose of this provision is to ensure that Government can, when appropriate, direct specific action where it is necessary to assist entities with maintaining the security and resilience of their asset,
• to provide 'safe harbour' by specifying that the taking of certain actions will acquit the entity of a specific obligation. This may be used, for example, where duplicate obligations exist in relation to a particular hazard, to ensure the entity is not required to take two different courses of action. It could also be used to recognise existing industry standards and practices as sufficient to meet aspects of the obligation. The Government intends to work with industry and State and Territory governments to identify and leverage existing regulations, frameworks and guidelines to manage risks to critical infrastructure assets, and to minimise any duplication or unnecessary burden, and
• to de-conflict requirements for entities with assets which fall within more than one definition of critical infrastructure asset.

Section 30AJ Variation of critical infrastructure risk management program

602. New section 30AJ of the SOCI Act provides that a critical infrastructure risk management program may be varied, so long as the varied program is a critical infrastructure risk management program. This means that a critical infrastructure risk management program may be amended by a responsible entity, so long as the amended program still has the required characteristics outlined in new section 30AH, including compliance with any sector-specific rules made for the purpose of paragraph 30AH(1)(c).

603. It is intended that a critical infrastructure risk management program may be varied by a responsible entity where changes are required or desirable as a result of:
• the review of the program on a regular basis under new section 30AE of the SOCI Act
• changes in the threat environment or an asset's operating environment
• new rules made for the purpose of section 30AH, or
• ensuring the program is up to date under section 30AF.

Section 30AK Revocation of adoption of critical infrastructure risk management program

604. New section 30AK of the SOCI Act outlines that, if an entity has adopted a critical infrastructure risk management program under section 30AC, Part 2A does not prevent the entity from revoking that program and adopting another critical infrastructure risk management program that applies to the entity.
Section 30AL Consultation--rules

605. New section 30AL of the SOCI Act outlines consultation requirements that must be met by the Minister before making rules for the purpose of paragraph 30AH(1)(c). The purpose of this section is to embed a meaningful and genuine co-design process and to require Government to work with industry to develop any specific requirements for the critical infrastructure risk management program. The co-design process may also be reflected in the commencement of sector-specific rules, taking into account the level of business transformation that may be required, as well as the costs associated with that transformation. The Minister may choose to have an extended period between the making and commencement of rules to allow an industry sector time to consider and implement the legal requirements prescribed within them.

606. It is important to note, however, that this statutory consultation period will occur after extensive consultation and co-design with industry in the development of the requirements to be contained in the rules, and in relation to any future amendment of the rules.

Subsection 30AL(1)--Scope

607. Subsection (1) provides that section 30AL applies to rules made for the purpose of section 30AH. This means that these requirements will apply in relation to any rules prescribed under paragraph 30AH(1)(c).

Subsections 30AL(2) and (3)--Consultation

608. Subsection (2) provides that, before making or amending rules under section 30AH, the Minister must:
• cause to be published on the Department's website a notice setting out the draft rules or amendments and inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days after the notice is published (paragraph (a)),
• give a copy of the notice to each First Minister (paragraph (b)), and
• consider any submissions received within the 28-day period mentioned in paragraph (a) (paragraph (c)).
Nothing in this provision is intended to limit the Minister's ability to consider responses received after that period.

609. Subsection (3) provides that subsection (2) does not apply if:
• the Minister is satisfied that there is an imminent threat that a hazard will have a significant relevant impact on a critical infrastructure asset (paragraph (a)), or
• the Minister is satisfied that a hazard has had, or is having, a significant relevant impact on a critical infrastructure asset (paragraph (b)).

610. This means that, in the limited circumstances specified in subsection (3), the Minister does not need to meet the notification requirements, or consider submissions received in response to the notice, as outlined in subsection (2). The potential urgency of the situation and the significance of the impact, including the flow-on impacts to Australia's economy, society and defence, warrant this departure from the standard process. However, in such circumstances a review of the rules is required after their commencement, as outlined in section 30AM (see further below), to ensure there is an appropriate consultation process and consideration of the impact of imposing the requirements specified in the rules.

Section 30AM Review of rules

611. New section 30AM of the SOCI Act outlines requirements for the Minister and Secretary in relation to rules made for the purpose of section 30AH where consultation was not undertaken because of the emergency circumstances identified in subsection 30AL(3).

612. The purpose of section 30AM is to ensure that, in the rare circumstances where rules are made without consulting industry, the Secretary conducts a comprehensive review, including industry consultation, of the operation, effectiveness and implications of those rules. A report of the review is then provided for scrutiny by the Minister and Parliament.

Subsection 30AM(1)--Scope

613. Subsection (1) provides that section 30AM applies if, because of subsection 30AL(3), subsection 30AL(2) did not apply to the making of rules or amendments.

Subsections 30AM(2)-(4)--Review of rules

614.
Subsection (2) requires that the Secretary must:
• review the operation, effectiveness and implications of the rules or amendments (paragraphs (a) and (b) respectively)
• consider whether any amendments should be made (paragraph (c)), and
• give the Minister a report of the review and a statement setting out the Secretary's findings (paragraph (d)).

615. Under subsection (3), for the purpose of completing the review, the Secretary must:
• publish on the Department's website a notice setting out the rules or amendments concerned and inviting persons to make submissions to the Secretary within 28 days after publication of the notice (paragraph (a)),
• give a copy of the notice to each First Minister (paragraph (b)), and
• consider any submissions received within the 28-day period (paragraph (c)).
Nothing in this provision is intended to limit the Secretary's ability to consider responses received after that period, noting however that under subsection (4) the Secretary is required to complete the review within 60 days of the commencement of the rules or amendments concerned.

616. The measures in subsections (2) to (4) are intended to provide transparency over rules made without consultation and to provide an effective mechanism for entities to scrutinise and recommend amendments to the rules, in a similar way to what would occur in non-emergency situations. In practice, the Minister for Home Affairs is likely to consider the outcomes of the report and the submissions made by industry to determine whether the rules should be maintained, amended or repealed. The Minister's decision is likely to be based on:
• whether the rules effectively manage or respond to a hazard that has had, or may have, a significant relevant impact on a critical infrastructure asset, and
• the implications of the rules for industry, including whether the requirements are duplicative, disproportionate or unnecessarily burdensome or costly.

Subsection 30AM(5)--Minister to table statement of findings

617. Subsection (5) requires the Minister to table a copy of the statement of findings, provided to the Minister by the Secretary under paragraph (2)(d), in each House of Parliament within 15 sitting days of the Minister receiving the statement.

618. This ensures that the statement will be publicly available, free of charge, from the Australian Parliament House website and available for debate by Members and Senators.
It is also noted that any rules made under section 30AH of the SOCI Act will be subject to disallowance by the Parliament under Part 2 of Chapter 3 of the Legislation Act.

Section 30AN Application, adoption or incorporation of a law of a State or Territory etc.

619. New section 30AN of the SOCI Act modifies the application of subsection 14(2) of the Legislation Act in relation to any rules made under section 30AH (subsection (1)).

620. Subsection 14(2) of the Legislation Act generally provides that a legislative instrument, such as rules that may be made by the Minister under new section 30AH of the SOCI Act, may not make provision in relation to a matter by applying, adopting or incorporating any matter contained in an instrument or other writing as in force from time to time. This applies to matters such as State and Territory laws and standards.

Subsection 30AN(2)--Application, adoption or incorporation of a law of a State or Territory

621. Subsection (2) provides that, despite subsection 14(2) of the Legislation Act, rules made under section 30AH may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a law of a State or Territory as in force or existing from time to time.

622. Noting the potential for obligations in State and Territory laws to duplicate components of a critical infrastructure risk management program, this provision is intended to ensure that the rules can effectively recognise those State and Territory laws, to avoid unnecessary and duplicative regulatory burden being placed on industry. For example, the rules may provide that an action done in compliance with a particular State law which sets security requirements for information technology is taken to be the required action under this Part.

Subsection 30AN(3)--Application, adoption or incorporation of a standard

623. Subsection (3) provides that, despite subsection 14(2) of the Legislation Act, rules made under section 30AH may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a standard proposed or approved by Standards Australia as in force or existing from time to time. A note to this subsection indicates that the expression 'Standards Australia' is defined in section 2B of the Acts Interpretation Act.

624. This provision may be relied upon to recognise accepted and reputable standards in relation to risk management processes, including as those standards change to accommodate best practice.

Part 2B--Notification of cyber security incidents

625. Industry has emphasised the need for Government and industry to be both providers and consumers of cyber intelligence, to inform how networks can best be secured and how cyber resilience can be uplifted. In response to this, notification of cyber security incidents will play a central role in coordinating and delivering an enhanced picture of cyber situational awareness, supported by the provision of cyber information by industry.

626. The objective of this is to facilitate the development of an aggregated threat picture and a comprehensive understanding of cyber security risks to critical infrastructure, in a way that is mutually beneficial to Government and industry. Through greater awareness, the Government can better see malicious trends and campaigns which would not be apparent to an individual victim of an attack. In return, the Government will share actionable, anonymised information back out to industry to assist responsible entities in improving cyber resilience in relation to their assets, or in responding to particular incidents.
627. This obligation will not override or displace any other legislative obligations the entity may have in relation to reporting security incidents, for example, the notifiable data breach scheme under the Privacy Act. However, in determining whether to apply this Part to an asset, the consultation process will provide a mechanism to consider any interactions and to ensure that the obligations are only applied where the required security objectives are not already being met.

Section 30BA Simplified outline of this Part

628. New section 30BA of the SOCI Act is a simplified outline of Part 2B, which is intended to aid the reader of the legislation in understanding the operation of this Part. Under Part 2B, responsible entities for certain critical infrastructure assets will be required to notify Government of the occurrence of cyber security incidents. This is one element of the positive security obligations for critical infrastructure assets, the others being critical infrastructure risk management programs (new Part 2A of the SOCI Act) and maintaining the register of critical infrastructure assets (existing Part 2 of the SOCI Act).

Section 30BB Application of this Part

629. New section 30BB of the SOCI Act provides that the mandatory notification requirements in Part 2B apply to a critical infrastructure asset if:
• the asset is specified in rules made by the Minister under section 61 of the SOCI Act (paragraph (a)), or
• the asset is subject to a declaration under section 51 (which enables the Minister to make a private declaration that an asset is a critical infrastructure asset) and the declaration under section 51 determines that Part 2B applies to the asset (paragraph (b)).

630. This effectively works as an 'on switch' through which the Minister can ensure that this particular aspect of the positive security obligations only applies in appropriate situations.

631. Similar to new sections 18A and 30AB of the SOCI Act, this section allows for a nuanced, sector-specific or asset-specific approach to be taken to the application of the obligation in new Part 2B. In determining whether to make rules applying the obligations under Part 2B to certain critical infrastructure assets, the Minister is likely to consider the appropriateness of any existing arrangements or requirements for responsible entities of those assets to report the occurrence of a cyber security incident or incidents to Government or regulators, or of other arrangements that provide the required visibility of the threat environment. If existing arrangements are deemed to be appropriate and effective, the Minister is unlikely to activate the reporting requirements in relation to the relevant critical infrastructure assets.
632. A note to this section indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

633. This note has been included to clarify that the Minister has the discretion to specify in rules that Part 2B applies to:
• all critical infrastructure assets,
• a category of critical infrastructure assets, such as critical broadcasting assets,
• a subset of assets within a category of critical infrastructure assets, such as liquid fuel pipelines that are critical liquid fuel assets, or
• a specific asset that is a critical infrastructure asset.

634. Subsection (3) outlines that the rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period beginning when the asset became a critical infrastructure asset (paragraph (a)) and ending at a time ascertained in accordance with the rules (paragraph (b)). This is intended to provide the ability to offer a delayed commencement or 'grace period' in the future when an asset becomes a critical infrastructure asset to which the Part applies, allowing the responsible entity a reasonable period to adjust its business.

Section 30BBA Consultation--rules

635. New section 30BBA of the SOCI Act sets out consultation requirements in relation to rules made for the purposes of section 30BB, that is, rules providing that a responsible entity for a critical infrastructure asset must comply with the requirement to report cyber security incidents.

Subsection 30BBA(1)--Scope

636. Subsection (1) provides that section 30BBA applies to rules made for the purposes of section 30BB of the SOCI Act.

Subsection 30BBA(2)--Consultation

637. Subsection (2) provides that, before making or amending rules for the purposes of section 30BB, the Minister must do all of the following:
• cause to be published on the Department's website a notice setting out the draft rules or amendments and inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days of publication of the notice (paragraph (a)),
• give a copy of the notice to each First Minister (paragraph (b)), and
• consider any submissions received under paragraph (a) (paragraph (c)).

638. This consultation requirement will ensure that the Part is only activated in appropriate circumstances, and will allow entities an opportunity to provide the Government with submissions on any delay in the commencement of the Part necessary to allow them to adjust their businesses without undue burden.

Section 30BC Notification of critical cyber security incidents

639. New section 30BC of the SOCI Act introduces an obligation for responsible entities for critical infrastructure assets captured by section 30BB to report a critical cyber security incident to the relevant Commonwealth body.

640. Under subsection (1), if an entity is a responsible entity for a critical infrastructure asset captured by section 30BB, and the entity becomes aware that a cyber security incident is occurring or has occurred, and the incident has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset, the entity must:
• give the relevant Commonwealth body (as defined in section 30BF) a report that is about the incident and includes such information (if any) as is prescribed by the rules (paragraph (c)), and
• do so as soon as practicable, and in any event within 12 hours, after the entity becomes aware that the above circumstances exist (paragraph (d)).

641. A cyber security incident is defined in section 12M as one or more acts, events or circumstances involving unauthorised access to, modification of, or impairment of computer data, a computer program or a computer.

642. Determining whether an incident is having a significant impact on the availability of the asset will be a matter of judgment for the responsible entity. The services being provided by the asset, together with the nature and extent of the cyber security incident, will determine the significance of the incident and whether it meets the threshold of being a critical cyber security incident. For example, a cyber security incident which affects the availability of a critical clearing and settlement facility for a very brief period may have significant economic repercussions, while an incident that affects the availability of a critical education asset for the same period of time may have a substantially lower impact.

643. It is not intended that day-to-day incidents, such as the receipt of a single scam email which is easily recognised and addressed through standard security practices without impacting the asset's operations, be reported under this section, as they would not meet the level of significance required. The impact to be considered under this obligation is limited to the impact on the availability of the asset. Incidents which impact confidentiality or integrity, which may nevertheless be serious, therefore do not need to be reported within 12 hours (they may, however, be captured by the obligation to report other cyber security incidents under section 30BD). The Department will provide further guidance and support to industry to assist with identifying what is a significant impact for the purpose of this section in different sectoral contexts.

644. The investigation of a system outage may take time to finalise before it can be determined whether the outage is the result of a 'cyber security incident' as defined by new section 12M of the SOCI Act. Similarly, determining the significance of the impact of the incident may take time. In light of this, paragraph (1)(d) means that the obligation to report within 12 hours is only enlivened when the responsible entity becomes aware that the incident meets the above criteria. In practice, the obligation requires the notification of Government to be one of the first steps in the business' incident response plan.

645. The 12 hour time frame for reporting is considered reasonable and proportionate, given the significance of the impact on the critical asset and the potential for that impact to affect the provision of essential services and have cascading impacts across the economy or the sector. The Government will use the information provided in these reports to proactively engage with affected entities and provide any support or guidance necessary to respond to the incident. The Government may also proactively engage with affected sectors more broadly, while protecting the information of the reporting entity, if it determines that other entities have been, or will be, subject to the same attack, to provide appropriate assistance and guidance as required.

646. Alternatively, and subject to additional thresholds being satisfied, consideration may be given as to whether the serious cyber incident response powers in Part 3A are required to effectively and appropriately respond to the incident.

647.
Further, the requirement for the entity to be aware an incident is a 'cyber security incident' before the obligation is enlivened provides further support for the reasonableness and proportionality of the timeframe. 648. Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure Government is able to engage with the affected entity and provide support or guidance as soon as practicable. Subsections 30BC(2)-(4)--Form of report etc. 649. Subsection (2) outlines that a report given under subsection (1) may be given orally or in writing. 650. Subsection (3) provides that, if a report is given orally, then the entity must:


• make a written record of the report in the 'approved form' (subparagraph (a)(i)), being the form approved by the Secretary for the purpose of this subparagraph, which will be publicly available on the Department's website (www.cicentre.gov.au)
• give a copy of the written record of the report to the relevant Commonwealth body (subparagraph (a)(ii)), and
• do so within 48 hours of giving the oral report (paragraph (b)).

651. Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, to ensure a written record of the incident is provided to the relevant Commonwealth body without delay.

652. Subsection (4) provides that, if a report is given in writing, the responsible entity must ensure that the report is in the 'approved form' (being the form approved by the Secretary for the purpose of this subsection). This approved form will be made publicly available.

653. Breach of this obligation is also subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, to ensure information is provided to the relevant Commonwealth body uniformly.

Section 30BD Notification of other cyber security incidents

654. New section 30BD of the SOCI Act introduces an obligation for responsible entities for critical infrastructure assets captured by section 30BB to report a cyber security incident to the relevant Commonwealth body in certain circumstances.

655. Under subsection (1), if an entity is a responsible entity for a critical infrastructure asset captured by section 30BB and the entity becomes aware that a cyber security incident is occurring, has occurred, or is imminent, and the incident has had, is having, or is likely to have, a relevant impact (whether direct or indirect) on the asset, the entity must:
• give the relevant Commonwealth body (as defined in section 30BF) a report that is about the incident and includes such information (if any) as is prescribed by the rules (paragraph (c)), and
• do so as soon as practicable, and in any event within 72 hours, after the entity becomes aware that the above circumstances exist (paragraph (d)).
656. A relevant impact in this context is defined in new subsection 8G(2) of the SOCI Act to mean an impact on the availability, integrity, reliability or confidentiality of the asset.

657. This obligation differs from that outlined at section 30BC in the following key ways:
• section 30BC is concerned with cyber security incidents that have occurred or are occurring, while section 30BD is concerned with cyber security incidents that have occurred, are occurring, or will occur imminently, and
• section 30BC is focused on significant impact on availability of the asset, while section 30BD is focused on any relevant impact.
If an incident has been reported under section 30BC, it does not need to be reported again under section 30BD.

658. The concept of an imminent cyber security incident seeks to capture situations where, for example, a malicious actor is attempting to exploit a known vulnerability. An example of such a situation is where malicious actors are actively exploiting a specific vulnerability on a system, and that vulnerability has not been patched on the entity's system.

659. The impact of these events is not as significant, relatively, and therefore a longer time period is provided for the report to be made - 72 hours. However, it is nevertheless important that these incidents are reported as they may, for example:
• indicate preparatory actions by a malicious actor ahead of further actions which could have a potentially catastrophic impact on the availability of the asset and the essential services it provides, as well as cascading impacts throughout the economy,
• involve persistent targeting or attempted access to a network where the entity believes a compromise is imminent, or
• involve a compromise of sensitive commercial or personal information.

660. As with section 30BC, this section recognises that an investigation into an event may take time to finalise before it can be determined that its source was a cyber security incident as opposed to, for example, a mechanical failure. In light of this, paragraph (1)(d) means that the obligation to report within 72 hours is only enlivened when the responsible entity becomes aware that the incident meets the above criteria. In practice, the obligation requires the notification of Government to be one of the first steps in the business's incident response plan.

661. In light of the above factors, this reporting timeframe is considered reasonable and proportionate. It should also be noted that it aligns with the timeframes for other security reporting obligations such as the European Union's General Data Protection Regulation (GDPR) and the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234. Article 33 of the former imposes on an entity an obligation to notify the
relevant supervisory authority of a personal data breach no later than 72 hours. Under the latter, an APRA-regulated entity must notify APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident if certain conditions have been met.

Subsections 30BD(2)-(4)--Form of report etc.

662. Subsection (2) outlines that a report given under subsection (1) may be given orally or in writing.

663. Subsection (3) provides that, if the report is given orally, then the entity must:
• make a written record of the report in the approved form (subparagraph (a)(i)),
• give a copy of the written record of the report to the relevant Commonwealth body (subparagraph (a)(ii)), and
• do so within 48 hours of giving the oral report (paragraph (b)).

664. Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, to ensure a written record of the incident is provided to the relevant Commonwealth body without delay.

665. Subsection (4) provides that, if a report is given in writing, the responsible entity must ensure that the report is in the approved form (being the form approved by the Secretary for the purpose of subparagraph (3)(a)(i)). The approved form will be publicly available on the Department's website (www.cicentre.gov.au).

666. Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, to ensure information is provided to the relevant Commonwealth body with the requisite detail to make the report effective.

Section 30BE Liability

667. New section 30BE of the SOCI Act excludes responsible entities, and their employees etc., from liability when acting in good faith in relation to the obligations to report cyber security incidents as set out in Part 2B.

668. Subsection (1) provides that an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with new sections 30BC or 30BD of the SOCI Act.

669. Subsection (2) provides that an officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in
good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).

670. This provision is intended to protect entities from incurring liabilities, such as under confidentiality requirements that may exist in contracts with their customers, when complying with these obligations.

Section 30BF Relevant Commonwealth body

671. New section 30BF of the SOCI Act defines the term 'relevant Commonwealth body' for the purpose of Part 2B to be:
• a Department that is specified in Ministerial rules made under section 61 (paragraph (a))
• a body that is established under a law of the Commonwealth and is specified in Ministerial rules (paragraph (b)), or
• if neither paragraph (a) nor (b) applies, ASD (paragraph (c)).

672. This means that, absent any specific Department or Commonwealth body being prescribed in rules under section 61 of the SOCI Act, the relevant Commonwealth body to whom reports are to be made is ASD. Although ASD will be the relevant Commonwealth body to whom reports are made, ASD will not perform a regulatory or compliance role. Cyber incident reports made to ASD will only be used to inform an enhanced cyber threat picture and develop appropriate mitigations and advice.

Part 2C--Enhanced cyber security obligations

Division 1--Simplified outline of this Part

Section 30CA Simplified outline of this Part

673. New section 30CA of the SOCI Act includes a simplified outline of Part 2C, which is intended to aid the reader of the legislation in understanding the operation of this Part. This section outlines that Part 2C sets out enhanced cyber security obligations that may relate to systems of national significance (which are a particular sub-set of critical infrastructure assets that are the subject of a declaration under new Part 6A of the Bill, see item 66 of Schedule 1 to the Bill below).

674. The critical infrastructure cyber threat environment is worsening, in part, due to an ever-increasing reliance on technology, and increasing interoperability and interdependency between Australia's most critical assets. This has created a new set of vulnerabilities that can have catastrophic cascading consequences for Australia's economy and national security. This growing threat necessitates a strengthened relationship
between Government and industry, built on enhanced information sharing and activities to prepare for, prevent and mitigate against significant cyber security incidents.

675. There are four different legislative mechanisms that implement the enhanced cyber security obligations outlined in new Part 2C of the SOCI Act:
• statutory incident response planning obligations (new Division 2 of Part 2C),
• cyber security exercises (Division 3),
• vulnerability assessments (Division 4), and
• access to system information (Division 5).

Division 2--Statutory incident response planning obligations

Subdivision A--Application of statutory incident response planning obligations

Section 30CB Application of statutory incident response planning obligations--determination by the Secretary

676. New section 30CB of the SOCI Act provides for the application of the statutory incident response planning obligations to systems of national significance. Subsection (1) provides that the Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, determine that the statutory incident response planning obligations apply to the entity in relation to the system and to cyber security incidents.

677. As clarified at paragraph (1)(a), a notice to apply the response planning obligations can only be given to a responsible entity for a system of national significance.

678. Subsection (2) provides that a determination made by the Secretary under subsection (1) takes effect at the time specified in the determination, which under subsection (3) must not be earlier than the end of the 30-day period that began when the notice was given. This provides responsible entities with a minimum 30-day notice period to make arrangements to meet this obligation.

679. Subsection (4) provides a consultation requirement that must be met before a notice is given under this section. The Secretary must consult the entity and, if there is a relevant Commonwealth regulator that has functions relating to the security of that system, the relevant Commonwealth regulator. This will minimise any unnecessary burden being imposed on the entity as a result of the notice not being appropriately adapted to the circumstances of the system of national significance.

680. Subsection (5) clarifies that a determination under section 30CB is not a legislative instrument. It is reasonable and appropriate that determinations made by the Secretary under this section are not legislative instruments. A legislative instrument should be implemented where the purpose of the instrument is to determine the content of the law.
The Secretary's determination under subsection (1) of this section applies the law in a particular instance to a particular system of national significance, and does not determine the content of the law that applies--that is set out in this Subdivision.

Section 30CC Revocation of determination

681. New section 30CC of the SOCI Act provides for the revocation of determinations made by the Secretary under section 30CB.

Subsection 30CC(1)--Scope

682. Subsection (1) outlines that section 30CC applies if a determination is in force under section 30CB and notice of the determination was given to a particular entity.

Subsection 30CC(2)--Power to revoke determination

683. Subsection (2) provides that the Secretary may, by written notice given to the responsible entity for a system of national significance who has been given a determination under subsection 30CB(1), revoke the determination.

Subsection 30CC(3)--Application of Acts Interpretation Act 1901

684. Subsection (3) outlines that section 30CC does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act to an instrument made under a provision of the SOCI Act (other than this Division).

685. This means that subsection 33(3) of the Acts Interpretation Act, which generally provides that a power to make an instrument of legislative or administrative character is construed to include a power to repeal, rescind, revoke, amend, or vary that instrument in the like manner and subject to the like conditions, continues to apply in relation to other instrument-making powers in the SOCI Act.

Subdivision B--Statutory incident response planning obligations

Section 30CD Responsible entity must have an incident response plan

686. New section 30CD of the SOCI Act creates an obligation for a responsible entity for a system of national significance that has received a determination under subsection 30CB(1) to adopt and maintain an 'incident response plan' that applies to the entity in relation to the system and cyber security incidents. In this regard:
• 'incident response plan' is defined in new section 30CJ of the SOCI Act (see below), and
• the meaning of 'cyber security incident' is outlined in new section 12M (see item 32 of Schedule 1 to the Bill above).
687. Cyber incident response plans help an organisation identify the activities and resources needed to respond to malicious cyber activity, and are an essential business continuity process. Incident response plans prepare an organisation to identify and respond to malicious cyber activity on its networks and ensure that both internal and external (including relevant government entities) contacts, roles and responsibilities are identified before an incident. Incident response plans also allow organisations, staff and service providers to exercise their roles and responsibilities before an incident occurs. Rehearsed and exercised incident response plans limit the potential disruption caused by malicious cyber activity and ensure that normal operations can be restored as soon as possible.

688. While improving our collective situational awareness of threats and uplifting the cyber security of critical infrastructure are important steps, there may be some threats that cannot be thwarted. In these circumstances, incident response plans provide responsible entities with a clear understanding of 'what to do' and 'who to call' to minimise the impact of an incident and continue providing services to the community.

689. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. The penalty is designed to deter non-compliance and to ensure responsible entities adopt an incident response plan. This penalty is commensurate with that for non-compliance with the obligation to have security programs under the ATSA or MTOFSA. The penalty reflects the important function of the incident response plan in ensuring the entity has appropriate procedures in place to identify and respond effectively to cyber security incidents.

Section 30CE Compliance with incident response plan

690. New section 30CE of the SOCI Act creates an obligation for a responsible entity for a system of national significance that has received a determination under subsection 30CB(1) to comply with their incident response plan. This includes compliance with any amendments to the incident response plan that may have been made under section 30CK.

691. This section is an extension of section 30CD and is intended to clarify that responsible entities are not only required to have an incident response plan in place but that entities must actually comply with that plan and the various procedures it contains (aligning with the requirements for a risk management program).

692. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. The penalty is designed to deter non-compliance and to ensure responsible entities comply with their incident response plan. This penalty is commensurate with that for non-compliance with the obligation to comply with security programs under the ATSA or MTOFSA. The penalty reflects the important function of the incident response plan in
ensuring the entity has appropriate procedures in place to identify and respond effectively to cyber security incidents.

Section 30CF Review of incident response plan

693. New section 30CF of the SOCI Act creates an obligation for a responsible entity for a system of national significance that has adopted an incident response plan to review that plan on a regular basis (aligning with the requirements for a risk management program).

694. A definitive timeframe is not specified in this section. This is reflective of the different threat environments faced by the various critical infrastructure assets and is intended to allow the responsible entity greater discretion to determine the frequency with which this should occur, noting they are best placed to understand the context of the asset. The frequency may also change over time as the characteristics of the asset, organisational structures, its interdependencies, the market, or threats change or fluctuate.

695. This approach is intended to prevent unnecessary burden being placed on industry to review the plan in a manner disproportionate to their context. The Department will work closely with industry to develop guidance to assist them in determining the application of the provision to their unique circumstances.

696. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. It is designed to deter non-compliance and to ensure responsible entities review their incident response plan. The penalty reflects the importance of reviewing an incident response plan to ensure that it is fit for purpose, and therefore effective in managing cyber security incident response.

Section 30CG Update of incident response plan

697. New section 30CG of the SOCI Act creates an obligation for a responsible entity for a system of national significance that has adopted an incident response plan to take all reasonable steps to ensure that the plan is up to date (aligning with the requirements for a risk management program).

698. Meaningful cyber security preparedness, and in turn resilience, will only occur if the incident response plan remains current. It is therefore vital that responsible entities review their incident response plan on a regular basis and take reasonable steps to ensure it is kept up to date. This ensures risks and procedures are being continually assessed and managed by the entity rather than taking a 'set and forget' approach to risk management.

699. The term 'reasonable steps' refers to the entity's practical efforts to update the incident response plan relative to the changing security and organisational context. Further, best practice dictates that incident response plans are focused on the roles of the various individuals in the escalation chain, rather than the individuals themselves, which will avoid the need to update a plan in response to staff movements.
700. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance and to ensure responsible entities update their incident response plan. The penalty reflects the importance of keeping an incident response plan up-to-date and accurate.

Section 30CH Copy of incident response plan must be given to the Secretary

701. New section 30CH of the SOCI Act creates an obligation for a responsible entity for a system of national significance that has adopted an incident response plan to provide a copy of their incident response plan, and any variation of the plan, to the Secretary.

702. Subsection (1) provides that an entity that has adopted an incident response plan must provide a copy of the plan to the Secretary as soon as practicable after the adoption. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, to ensure responsible entities notify the Secretary of their incident response plan. The penalty reflects the importance of maintaining the two-way information sharing between government and the entity to ensure both sides are well positioned to respond to emerging threats.

703. Subsection (2) provides that an entity that has adopted an incident response plan, and subsequently varies that plan, must provide a copy of the varied plan to the Secretary as soon as practicable after the variation. Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, to ensure responsible entities notify the Secretary of variations to an incident response plan. The penalty reflects the importance of maintaining the accuracy of two-way information sharing between government and the entity to ensure both sides are well positioned to respond to emerging threats.

704. This provides Government with visibility of the procedures and processes entities have put in place to prepare for, and respond to, a cyber security incident. Practically speaking, the Government is likely to use this plan to work with the responsible entity should any changes be required to ensure the asset is in a better position to handle the often sudden shocks caused by a cyber security incident. In the event that a cyber security incident does occur, the procedures and processes outlined in the plan will be followed in responding to the cyber security incident.
Section 30CJ Incident response plan

705. New section 30CJ of the SOCI Act describes an incident response plan. Subsection (1) provides that an incident response plan is a written plan:
• that applies to an entity that is the responsible entity for a system of national significance (paragraph (a))
• that relates to the system and to cyber security incidents (paragraphs (b) and (c))
• the purpose of which is to plan for responding to cyber security incidents that could have a relevant impact on the system (paragraph (d)), and
• that complies with such requirements (if any) as are specified in rules made under section 61 of the SOCI Act (paragraph (e)).

706. It is not proposed that the precise form of the plan will be dictated through the rules. Rather, these obligations are focused on achieving the required security objectives and ensuring the entity is well placed to respond to a cyber security incident. Entities are best placed to determine how best to construct the plan, having regard to a variety of factors including the services provided by the asset, the extent and nature of interdependencies, and the threat environment. This also acknowledges that many responsible entities will already have incident response plans in place, and therefore takes a light touch approach which is focused on security outcomes rather than form.

707. Further, the incident response plan is limited to cyber security incidents and is not intended to address hazards more generally. Best practice incident response plans do not apply to specific cyber security incidents (although components of them may focus on specific types), but rather apply to cyber security incidents generally to ensure procedures are in place to address the various methodologies that may be adopted in an attack.

708. Under subsection (2), requirements specified in Ministerial rules made for the purpose of paragraph (1)(e) may be of general application (paragraph (a)), may relate to one or more specified systems of national significance (paragraph (b)), or may relate to one or more specified types of cyber security incidents (paragraph (c)).

709. A note to subsection (2) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

710. Subsection (3) provides that subsection (2) does not, by implication, limit the application of subsection 33(3A) of the Acts Interpretation Act. This means that subsection 33(3A) of the Acts Interpretation Act, which generally provides that a power to make a legislative instrument in relation to a matter includes a power to make an
instrument with respect to some only of those matters or with respect to a particular class or classes of those matters, and to make different provision with respect to different matters or classes of matters, continues to apply.

Section 30CK Variation of incident response plan

711. New section 30CK of the SOCI Act provides that a responsible entity for a system of national significance that has adopted an incident response plan under section 30CD may vary their plan, so long as the varied plan is an incident response plan. This means that an incident response plan may be amended by a responsible entity, so long as the amended plan still has the required characteristics as outlined in new section 30CJ--including any specific requirements prescribed in Ministerial rules for the purpose of paragraph 30CJ(1)(e).

712. It is intended that an incident response plan may be varied by a responsible entity where changes are required or desirable as a result of the review of the plan on a regular basis under new section 30CF of the SOCI Act.

Section 30CL Revocation of adoption of incident response plan

713. New section 30CL of the SOCI Act outlines that, if an entity has adopted an incident response plan under section 30CD, Subdivision B of Part 2C does not prevent the entity from revoking that adoption and adopting another incident response plan that applies to the entity.

Division 3--Cyber security exercises

Section 30CM Requirement to undertake cyber security exercise

714. New section 30CM of the SOCI Act empowers the Secretary to require a responsible entity for a system of national significance to undertake a 'cyber security exercise' as defined by section 30CN.

715. Subsection (1) provides that the Secretary may, by written notice given to the responsible entity, require the entity to undertake a cyber security exercise in relation to the system of national significance and all types of cyber security incidents, within the time specified in the notice. Subsection (2) provides, on similar terms, that the Secretary may require the entity to undertake a cyber security exercise but only in relation to one or more specified types of cyber security incidents.

716. In practice, subsection (1) will be used where the Government and entity want to test the general cyber response preparedness, mitigation and response capabilities of the asset. Subsection (2) could be used to test responsiveness in relation to a particular threat scenario, for example a ransomware attack.
717. An exercise may be discussion or tabletop-based, operational or functional. For example, the responsible entity may be required to engage in a strategic discussion exercise to build industry and Government's coordinated response to a significant cyber incident impacting a specified sector. Through the exercise, the responsible entity would test its internal response capability, responsibilities for key staff, and coordination with Government. Through the exercise report, the responsible entity will benefit from a greater understanding of the effectiveness of any response plans and build its capability to respond to a real-life event.

718. Subsection (3) outlines that the period specified to complete the cyber security exercise in a notice given under subsections (1) or (2) must not be less than 30 days. This should afford sufficient opportunity to undertake and complete the exercise, noting the consultation requirements that may occur prior to the notice being given.

719. Subsection (4) provides that a notice under subsections (1) or (2) may also require the responsible entity for a system of national significance to do one or more of the following things:
• allow one or more designated officers to observe the cyber security exercise and give the officers access to premises for that purpose (paragraphs (a) and (b))
• provide designated officers with reasonable assistance and facilities to allow the officers to observe the exercise (paragraph (c))
• allow designated officers to make such records as are reasonably necessary for the purposes of monitoring compliance with the notice (paragraph (d)), and
• give designated officers reasonable notice of the time when the cyber security exercise will begin, so that they can observe the exercise if they choose to do so (paragraph (e)).

720. A designated officer is defined in section 30DQ to be an employee of the Department or a staff member of the Australian Signals Directorate (see further below).

721. The purpose of subsection 30CM(4) is to ensure Government officials have visibility of the way the exercise is being conducted and, importantly, the outcome of the exercise. Assets that are declared to be systems of national significance are of the highest criticality to Australia's national interest. Accordingly, Government has a strong interest and a responsibility to understand the ability of these assets to respond appropriately to, or mitigate the impact of, a cyber security incident.

722. Subsection (5) provides a consultation requirement that must be met before a notice is given under this section. The Secretary must consult the entity and, if there is a relevant Commonwealth regulator that has functions relating to the security of that system, the relevant Commonwealth regulator. This will minimise any unnecessary burden being
imposed on the entity as a result of the notice not being appropriately adapted to the circumstances of the system of national significance. Section 30CN Cyber security exercise 723. New section 30CN of the SOCI Act defines a cyber security exercise. Ultimately, an exercise is designed to reveal whether the existing resources, processes and capabilities of an entity sufficiently safeguards the system from being impacted by a cyber security incident. 724. During consultation on the Cyber Security Strategy 2020, submissions highlighted the importance of joint cyber security exercises involving industry and government to improve entities' cyber resilience. Noting the interdependencies between critical infrastructure assets, these exercises can be used to develop interoperable response capabilities to prevent a cascading of impacts across sectors. 725. Section 30CN is purposely non-prescriptive to ensure that the focus is not on the form of the exercise but rather the purpose of the exercise or the outcomes the exercise is trying to achieve. However, it is imagined that the exercise could take the form of a tabletop exercise, a function exercise, discussion exercises etc. Government will work with entities to determine what the best exercise format may be in relation to the threat environment and the individual characteristics of the asset to ensure maximum effectiveness. 726. Under subsection (1), a cyber security exercise is an exercise that:  is undertaken by the responsible entity for a system of national significance (paragraph (a))  that relates to the system of national significance (paragraph (b))  that either relates to all types of cyber security incidents (i.e. as required by the Secretary under subsection 30CM(1)) or one or more types of cyber security incidents (as required by the Secretary under subsection 30CM(2)) (paragraph (c))  for each of the purposes outlined in (paragraph (d), i.e. 
where the incident response plan accounts for all types of cyber security incidents that may target that specific system) or (paragraph (e), i.e. where the incident response plan only addresses specific types of cyber security incidents such as malware attacks or Denial-of-service attacks), and  complies with any requirements (if any) as specified in rules made under section 61 of the SOCI Act (paragraph (f)).


727. A cyber security exercise that relates to all types of cyber security incidents must, under paragraph (1)(d), be for the purposes of:
• testing the entity's ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system (subparagraph (i))
• testing the entity's preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system (subparagraph (ii)), and
• testing the entity's ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system (subparagraph (iii)).

728. A cyber security exercise that relates to a specified type or types of cyber security incident must, under paragraph (1)(e), be for the purposes of:
• testing the entity's ability to respond appropriately to the specified types of cyber security incidents that could have a relevant impact on the system (subparagraph (i))
• testing the entity's preparedness to respond appropriately to the specified types of cyber security incidents that could have a relevant impact on the system (subparagraph (ii)), and
• testing the entity's ability to mitigate the relevant impacts that the specified types of cyber security incidents could have on the system (subparagraph (iii)).

729. With respect to rules made for the purpose of paragraph (1)(f), subsection (2) provides that any such rules may be of general application (paragraph (a)), may relate to one or more specified systems of national significance (paragraph (b)), or may relate to one or more specified types of systems of national significance (paragraph (c)).

730. A note to subsection (2) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

731. Subsection (3) provides that subsection (2) does not, by implication, limit the application of subsection 33(3A) of the Acts Interpretation Act. This means that subsection 33(3A) of the Acts Interpretation Act, which generally provides that a power to make a legislative instrument in relation to a matter includes a power to make an instrument with respect to some only of those matters or with respect to a particular class or classes of those matters and to make different provision with respect to different matters or classes of matters, continues to apply.


Section 30CP Compliance with requirement to undertake cyber security exercise

732. New section 30CP of the SOCI Act requires an entity to comply with a notice given to the entity by the Secretary under section 30CM. This includes an obligation to complete the cyber security exercise within the timeframe included in the Secretary's notice.

733. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement and is designed to deter non-compliance to ensure responsible entities undertake a cyber security exercise. The penalty reflects the importance of a cyber security exercise in improving entities' cyber resilience and, potentially, developing interoperable response capabilities across critical infrastructure assets.

Section 30CQ Internal evaluation report

734. New section 30CQ of the SOCI Act requires an entity who has undertaken a cyber security exercise under section 30CM to prepare an 'evaluation report' (within the meaning given by section 30CS) and give a copy to the Secretary within 30 days of completing the exercise, unless the Secretary has allowed a longer period for the provision of the report (subsection (1)).

735. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement and is designed to deter non-compliance to ensure responsible entities provide evaluation reports of a completed cyber security exercise. This penalty is commensurate with the penalty for non-compliance with reporting obligations under the ATSA, MTOFSA and Corporations Act. The penalty reflects the importance for entities to evaluate and reflect on a cyber security exercise.

736. Subsection (2) provides that an evaluation report prepared by an entity under subsection (1) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of the SOCI Act, other than proceedings relating to subsection (1) and subsection 30CR(6). For example, the evaluation report cannot be used in evidence to demonstrate non-compliance with the critical infrastructure risk management program at Part 2A. This reflects the purpose of the evaluation report and cyber security exercises, which is to assist entities in better understanding and taking any necessary steps to ensure assets of the highest criticality are safeguarded from cyber security incidents. This approach reflects the partnership approach that will underpin these obligations in practice, whereby Government will build strong relationships with responsible entities for systems of national significance to ensure resilience and promote rapid, and interoperable, responses to incidents.

Section 30CR External evaluation report

737. New section 30CR of the SOCI Act outlines the circumstances in which an entity, who has undertaken a cyber security exercise, may be required to arrange for an 'evaluation report' (within the meaning given by section 30CS) to be prepared by an external auditor.

Subsection 30CR(1)--Scope

738. Subsection (1) outlines that section 30CR of the SOCI Act applies to an entity that has undertaken a cyber security exercise under section 30CM in either of the following circumstances:
• the entity has prepared, or purported to prepare, an evaluation report under section 30CQ relating to the exercise, given the report to the Secretary, and the Secretary has reasonable grounds to believe that the report was not prepared appropriately (paragraph (a)), or
• the entity has contravened section 30CQ, such as where an entity has failed to provide a report to the Secretary (paragraph (b)).

Subsections 30CR(2)-(3)--Requirement

739. Under subsection (2) the Secretary may, by written notice given to the entity captured by subsection (1), require the entity to do all of the following:
• appoint an external auditor, being a person who has been authorised by the Secretary to be an external auditor under section 30CT (paragraph (a))
• arrange for the external auditor to prepare an 'evaluation report' within the meaning given by section 30CS and to give the report to the entity (paragraphs (b) and (c)), and
• give the Secretary a copy of the new evaluation report within the period specified in the notice, or within a longer period as allowed by the Secretary (paragraph (d)).

740. Subsection (3) requires that the notice given by the Secretary under subsection (2) must specify the matters to be covered in the new evaluation report, the form of the new evaluation report and the kinds of details it is to contain.

Subsection 30CR(4)--Consultation

741. Subsection (4) provides that, before giving a notice to an entity under this section in connection with a cyber security exercise that relates to a system of national significance, the Secretary must consult the entity and, if there is a relevant Commonwealth regulator that has functions relating to the security of that system, that regulator. The Secretary must have regard to the information provided in deciding whether to give a notice. This will minimise any unnecessary burden being imposed on the entity as a result of the notice not being appropriately adapted to the circumstances of the system of national significance.

Subsection 30CR(5)--Eligibility for appointment as external auditor

742. Subsection (5) provides that an individual is not eligible to be appointed as an external auditor by the entity as required under subsection (2) if the individual is an officer, employee or agent of the entity. This is intended to prevent conflicts of interest and ensure the report is independent.

Subsection 30CR(6)--Compliance

743. Under subsection (6), an entity must comply with a requirement from the Secretary under subsection (2). Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure an entity complies with a notice by the Secretary to arrange for an external evaluation report. The penalty reflects the importance of obtaining accurate and comprehensive evaluation reports to review the viability of the cyber incident exercise and glean important lessons.

Subsection 30CR(7)--Immunity

744. Akin to subsection 30CQ(2) of the SOCI Act, subsection (7) provides that the new evaluation report prepared in accordance with a requirement under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of the SOCI Act, other than a contravention of subsection (6). This is intended to encourage open and transparent assessments and collaboration towards improving the security practices of the asset.

Section 30CS Meaning of evaluation report

745. New section 30CS of the SOCI Act outlines what is an 'evaluation report' for the purpose of the SOCI Act, in particular sections 30CQ and 30CR. Different meanings are given to the term in circumstances where a report is required to be prepared as a result of a requirement to conduct an exercise in relation to all types of cyber security incidents under subsection 30CM(1), or where a report is required to be prepared as a result of a requirement to conduct an exercise in relation to one or more specified types of cyber security incidents under subsection 30CM(2).

746. Under paragraph (a), an 'evaluation report' required as a result of undertaking an exercise under subsection 30CM(1) is a written report the purpose of which is to:
• evaluate the entity's ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system of national significance (subparagraph (i))
• evaluate the entity's preparedness to respond appropriately to all types of cyber security incidents that could have a 'relevant impact' on the system (subparagraph (ii)), and
• evaluate the entity's ability to mitigate the impacts that all types of cyber security incidents could have on the system (subparagraph (iii)).

747. Under paragraph (b), an 'evaluation report' required as a result of undertaking an exercise under subsection 30CM(2) is a written report the purpose of which is to:
• evaluate the entity's ability to respond appropriately to those types of cyber security incidents specified in the notice under subsection 30CM(2) that could have a relevant impact on the system of national significance (subparagraph (i))
• evaluate the entity's preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system (subparagraph (ii)), and
• evaluate the entity's ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system (subparagraph (iii)).

748. An 'evaluation report' must also comply with the requirements, if any, as are prescribed in rules made by the Minister under section 61 of the SOCI Act (see paragraph (c)). This will allow for a mechanism to provide more structure and detail to how an evaluation report must be prepared and what it must contain.

Section 30CT External auditors

749. New section 30CT of the SOCI Act provides that the Secretary may, by writing, authorise a specified individual to be an external auditor for the purposes of the SOCI Act (see subsection (1)). A note to subsection (1) indicates that specification by class is permitted by way of subsection 33(3AB) of the Acts Interpretation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters. This means that an authorisation under subsection (1) can authorise a class of persons to be external auditors for the purpose of the SOCI Act.

750. Subsection (2) clarifies that an authorisation under subsection (1) is not a legislative instrument. This is an appropriate position to take, given that the authorisation only applies the law in a particular instance to a particular individual or class of individuals and therefore does not determine or alter the content of the law for the purpose of subsection 8(3) of the Legislation Act.

751. This provision is intended to create a pool of external auditors that can be drawn on as necessary and required to perform external evaluation reports under section 30CR.


Division 4--Vulnerability assessments

Section 30CU Requirement to undertake vulnerability assessment

752. New section 30CU of the SOCI Act sets out the circumstances in which an entity that is the responsible entity for a system of national significance may be required to undertake a vulnerability assessment. A 'vulnerability assessment' has the meaning given by section 30CY (see further below).

753. A vulnerability assessment involves identifying potential points of weakness or gaps in the systems and networks that are relevant to the continued operation, functionality and security of systems of national significance. An assessment may include (but is not limited to) vulnerability scanning or testing.

754. The vulnerability assessment will help the entity in identifying where further resources and capabilities are required to improve preparedness and resilience of the system in relation to protecting against cyber security incidents. It will also allow Government to assess whether cyber security advice or assistance can be provided to strengthen the security or resilience of systems of national significance, and identify patterns of weakness across sectors and assets which could be exploited by malicious actors.

755. Under subsection (1), the Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to undertake, or cause to be undertaken, a vulnerability assessment in relation to the system and all types of cyber security incidents within the period specified in the notice. This would involve a broad-spectrum assessment for vulnerabilities to the various methodologies of cyber security incidents.

756. Subsection (2) is drafted in similar terms, but allows for the Secretary to require the entity to undertake a vulnerability assessment in relation to one or more specified types of cyber security incidents specified in the notice. This form of notice would be used for a more targeted assessment relating to one or more particular types of cyber security incidents. For example, where credible intelligence exists that a malicious cyber actor may launch a particular form of attack on an asset, this would allow the Government to work with the responsible entity to determine vulnerabilities and in turn put in place preventative and mitigation measures.

757. The Secretary is required, under subsection (3), to consult with the entity, or if there is a relevant Commonwealth regulator, that regulator, before issuing a notice under either subsection (1) or (2). This consultation requirement will ensure that the notice is targeted and appropriate, as well as ensuring that any unintended consequences of the assessment can be identified and considered before a notice is issued.


Section 30CV Compliance with requirement to undertake a vulnerability assessment

758. New section 30CV of the SOCI Act makes it a requirement for an entity to comply with a notice given to the entity by the Secretary under section 30CU.

759. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. The penalty is designed to deter non-compliance and to ensure entities comply with a notice to undertake a vulnerability assessment. This penalty is commensurate with the penalty for non-compliance with an obligation to comply with directions under the MTOFSA and ATSA. The penalty reflects the importance of this assessment in strengthening the security or resilience of systems of national significance, and identifying patterns of weakness across sectors and assets.

Section 30CW Designated officers may undertake a vulnerability assessment

760. New section 30CW of the SOCI Act outlines the circumstances in which a 'designated officer' may undertake a vulnerability assessment. A 'designated officer' for this purpose means an APS employee of the Department or a staff member of ASD who is appointed by the Secretary under subsection 30DQ(1) (see further below).

761. This provision acknowledges that responsible entities are best placed to conduct a vulnerability assessment, and the Government's commitment for this to be the preferred course of action. However, if the entity is incapable or unwilling to undertake the assessment then it is appropriate for Government to take action, noting the criticality of systems of national significance to Australia's national interest and the need to ensure their protection.

Subsection 30CW(1)--Scope

762. Subsection (1) provides that section 30CW applies if an entity is the responsible entity for a system of national significance and either:
• the Secretary has reasonable grounds to believe that if the entity were to be given a notice under subsection 30CU(1) or (2), the entity would not be capable of complying with the notice (subparagraph (b)(i)), or
• the entity has not complied with a notice given to the entity under subsection 30CU(1) or (2) (subparagraph (b)(ii)).

Subsections 30CW(2)-(4)--Request

763. Subsection (2) provides that the Secretary may give a designated officer a written request to undertake a vulnerability assessment in relation to a system of national significance and all types of cyber security incidents that apply to that system, within the period specified in the request. Subsection (3) is drafted in similar terms, but allows for the Secretary to request that a designated officer undertake a vulnerability assessment in relation to one or more types of cyber security incidents specified in the request.

764. The Secretary is required, under subsection (4), to consult with the responsible entity for the system of national significance before giving the request. The Secretary is also required to consult with a relevant Commonwealth regulator, should one exist with functions relating to the security of the system. This will provide an avenue for the responsible entity to demonstrate either willingness or capability to undertake the assessment and therefore avoid a designated officer doing so.

Subsection 30CW(5)--Requirement

765. Subsection (5) provides that, if a request under subsection (2) or (3) has been given to a designated officer, the Secretary may, by written notice given to the entity to whom the request relates, require the entity to do all or any of the following:
• provide the designated officer with access to the premises for the purposes of undertaking the vulnerability assessment (paragraph (a))
• provide the designated officer with access to computers for the purposes of undertaking the vulnerability assessment (paragraph (b)), and
• provide the designated officer with reasonable assistance and facilities that are reasonably necessary to allow the designated officer to undertake the vulnerability assessment (paragraph (c)).

766. Things that may be reasonably necessary for the purpose of paragraph (5)(c) include information in relation to the operation and functioning of the system. This assistance will be crucial to preventing any unintended consequences as well as ensuring the assessment is rigorous and able to drive meaningful security uplift.

Subsection 30CW(6)--Notification of request

767. Under subsection (6), the Secretary is required to give a copy of a request under subsection (2) or (3) to the entity that is responsible for the system of national significance to which the request relates. This will ensure the responsible entity is fully apprised of the scope of the request and can test any concerns around its validity.

Section 30CX Compliance with requirement to provide reasonable assistance etc.

768. New section 30CX of the SOCI Act provides that an entity must comply with a notice given to the entity by the Secretary under subsection 30CW(5).

769. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure entities provide reasonable assistance to designated officers undertaking vulnerability assessments on their behalf where there is a reasonable belief of non-compliance. This penalty is commensurate with the penalty for non-compliance with the obligation to comply with directions under the MTOFSA and ATSA. The penalty reflects the importance for entities to not obstruct government officials, particularly noting the objective of the intervention is to strengthen and protect the integrity of systems of national significance.

Section 30CY Vulnerability assessment

770. New section 30CY of the SOCI Act outlines what is a 'vulnerability assessment' for the purposes of the SOCI Act, in particular sections 30CU, 30CV, 30CW and 30CX.

771. Under subsection (1), a vulnerability assessment is an assessment:
• that relates to a system of national significance (paragraph (a))
• that relates to either all types of cyber security incidents or one or more specified types of cyber security incident (paragraph (b); e.g. the Secretary may request the responsible entity undertake a one-off host assessment to identify system-level vulnerabilities to a key emerging threat impacting other entities in the sector, or the Secretary may request the responsible entity undertake a routine assessment to identify a network's vulnerabilities to all types of cyber security incidents)
• if the assessment relates to all types of cyber security incident (i.e. is undertaken pursuant to subsections 30CU(1) or 30CW(2))--the purpose of which is to test the vulnerability of the system to all types of cyber security incidents (paragraph (c))
• if the assessment relates to one or more specified types of cyber security incident (i.e. is undertaken pursuant to subsections 30CU(2) or 30CW(3))--the purpose of which is to test the vulnerability of the system to those types of cyber security incidents (paragraph (d)), and
• that complies with the requirements, if any, as are specified in the rules made by the Minister under section 61 of the SOCI Act (paragraph (e)).

772. Subsection (2) provides that rules specified under paragraph (1)(e) may be of general application, may relate to one or more specified systems of national significance, or may relate to one or more specified types of cyber security incidents.

773. Subsection (3) provides that subsection (2) does not, by implication, limit the application of subsection 33(3A) of the Acts Interpretation Act. This means that subsection 33(3A) of the Acts Interpretation Act, which generally provides that a power to make a legislative instrument in relation to a matter includes a power to make an instrument with respect to some only of those matters or with respect to a particular class or classes of those matters and to make different provision with respect to different matters or classes of matters, continues to apply.

Section 30CZ Vulnerability assessment report

774. New section 30CZ of the SOCI Act outlines requirements in preparing a 'vulnerability assessment report' as a result of undertaking a vulnerability assessment. The meaning of 'vulnerability assessment report' is outlined in section 30DA (see further immediately below).

775. Under subsection (1), where an entity undertakes, or causes to be undertaken, a vulnerability assessment as required by the Secretary under section 30CU, the entity is required to prepare a vulnerability assessment report and give a copy of the report to the Secretary within 30 days of completing the assessment, or within a further period allowed by the Secretary under subparagraph (b)(ii).

776. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. It is designed to deter non-compliance to ensure entities report on a vulnerability assessment. The penalty reflects the importance of obtaining accurate and comprehensive assessment reports.

777. Subsection (2) provides that, if a designated officer undertakes a vulnerability assessment in accordance with a request given to the designated officer by the Secretary under section 30CW, the designated officer must prepare a vulnerability assessment report and give a copy of the report to the Secretary within 30 days of completing the assessment, or within a further period allowed by the Secretary under subparagraph (b)(ii).

778. This provides Government with visibility of the potential weaknesses or gaps in assets that are of highest criticality to Australia's national interests. In practice, it is likely that Government will use a report to work with the responsible entity to identify and implement proportionate measures to address any weaknesses contained in the report. It will also provide Government with a comprehensive understanding of any systemic vulnerabilities that may need to be addressed in consultation with industry.

779. Subsection (3) outlines that if an entity prepares, or causes to be prepared, a report under subsection (1), the report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of the SOCI Act, other than a contravention of subsection (1) of this section. For example, the report cannot be used in evidence to demonstrate non-compliance with the critical infrastructure risk management program at Part 2A. This reflects the purpose of the report and vulnerability assessments, which is to assist entities in better understanding and taking any necessary steps to ensure assets of the highest criticality are safeguarded from cyber security incidents.

Section 30DA Meaning of vulnerability assessment report

780. New section 30DA of the SOCI Act outlines the meaning of 'vulnerability assessment report' in relation to a vulnerability assessment for the purpose of the SOCI Act, and in particular section 30CZ.

781. Under this section, a 'vulnerability assessment report' is a written report:
• for an assessment relating to all types of cyber security incidents (i.e. under subsections 30CU(1) or 30CW(2))--the purpose of which is to assess the vulnerability of the system of national significance to all types of cyber security incidents (paragraph (a))
• for an assessment relating to one or more types of cyber security incidents (i.e. under subsections 30CU(2) or 30CW(3))--the purpose of which is to assess the vulnerability of the system to those types of cyber security incidents specified in the notice (paragraph (b)), and
• that complies with such requirements, if any, as are prescribed in Ministerial rules made under section 61 of the SOCI Act (paragraph (c)).
This will allow for a mechanism to provide more structure and detail to how a vulnerability assessment report must be prepared and what it must contain.

Division 5--Access to system information

782. System information is information generated by computer systems that relates to the functioning of the computer needed to operate a system of national significance. This information may assist with determining whether a power under this Act should be exercised in relation to the system of national significance, in particular the powers set out in Part 3A. System information does not include personal information within the meaning of the Privacy Act. System information is data generated about a system for the purposes of security, diagnostic monitoring or audit, such as network logs, system telemetry and event logs, alerts, netflow and other aggregate or metadata that provide visibility of malicious activity occurring within the normal functioning of a computer network.

783. System information is crucial to quickly identifying a system or network compromise, tracing that compromise to initial access to mitigate against similar attacks, and understanding the impacts of a compromise and the current state of a system in order to deploy a rapid and effective response to mitigating a cyber incident and restoring functionality.


784. During consultation on the Cyber Security Strategy 2020, stakeholders strongly supported initiatives to improve information sharing to make critical infrastructure more resilient and secure. The provision of system telemetry from systems of national significance will support the Government's ability to build a near-real time threat picture through the CESAR capability. In return, the Government will share actionable, anonymised information back out to industry to assist relevant entities in improving cyber resilience in relation to their assets. Aggregated system information from key assets across the economy, overlaid with intelligence and reporting, will also enable the Government to target its limited capabilities to the threats and vulnerabilities of greatest consequence to the nation.

Subdivision A--System information reporting notices

Section 30DB Secretary may require periodic reporting of system information

785. New section 30DB of the SOCI Act provides for the Secretary to require an entity, who is the relevant entity for a system of national significance, to provide periodic reporting of system information.

Subsection 30DB(1)--Scope

786. Subsection (1) provides that section 30DB applies if both of the following apply:
• a computer is needed to operate a system of national significance, or is itself a system of national significance (paragraph (a)), and
• the Secretary believes on reasonable grounds that the relevant entity for the system of national significance is technically capable of preparing periodic reports consisting of information that relates to the operation of the computer, may assist with determining whether a power under the SOCI Act should be exercised in relation to the system of national significance, and is not 'personal information' within the meaning given by the Privacy Act (paragraph (b)).

787. The use of 'technically capable' ensures that the Secretary can only issue a notice under section 30DB to an entity that is in a position, from a technical perspective, to fulfil the requirements set out in subsection 30DB(2). The consultation requirements in section 30DD will be important in determining the technical capability of an entity.

Subsections 30DB(2)-(4)--Requirement

788. Under subsection (2), the Secretary may, by written notice given to the entity, require the entity to:
• prepare periodic reports that consist of specified system information and relate to such regular intervals as are specified in the notice (paragraph (a))
• prepare those periodic reports in the manner and form specified in the notice, and in accordance with the information technology requirements specified in the notice (paragraph (b)) (for example, relating to formatting to allow the system of national significance to generate computer data and the Government's system to ingest that data, without human intervention), and
• give each periodic report to ASD within the period ascertained in accordance with the notice in relation to the periodic report (paragraph (c)).

789. Subsection (3) provides that a notice given by the Secretary under subsection (2) is to be known as a 'system information periodic reporting notice' for the purposes of the SOCI Act.

790. In deciding whether to give a system information periodic reporting notice to the entity under subsection (2), the Secretary must, under subsection (4), have regard to the costs that are likely to be incurred by the entity in complying with the notice and any other matters, if any, that the Secretary considers relevant.

791. Subsection (4) ensures that a reporting notice is proportionate and reasonable, balancing the beneficial outcome of the notice with the likely impact and costs to the affected entity when complying with the notice. To support this consideration, as well as the determination of whether the entity is technically capable of providing the report, section 30DD mandates that the Secretary must consult with the entity prior to issuing the notice.

792. The regularity of the intervals at which the reports must be provided will be determined in consultation with the entity and, noting the requirement for the Secretary to have regard to the costs of compliance, will consider the level of computer automation that would support the request. For example, a computer may be able to generate the report with minimal resource impact at a high frequency (for example every minute).
Ultimately this assessment will be dependent upon the nature of the request, the type of information being sought and the purpose for which it is being sought. Subsection 30DB(5)--Matters to be set out in notice 793. Subsection (5) provides that a system information periodic reporting notice must set out the effect of section 30DF, which relevantly requires that an entity must comply with a system information periodic reporting notice (see further below). Subsection 30DB(6)--Other powers not limited 794. Subsection (6) clarifies that section 30DB does not, by implication, limit a power conferred by another provision of the SOCI Act. This ensures that the other powers in the SOCI Act, such as the Secretary's information gathering powers at existing section 37, in the Act are not taken to be limited as a result of this power.
Section 30DC Secretary may require event-based reporting of system information

795. New section 30DC of the SOCI Act provides for the Secretary to require an entity who is the relevant entity for a system of national significance to provide reporting of system information if a specified event occurs.

796. This will provide Government with visibility of specified system information as soon as practicable after each incidence of a specified event occurring ('a system information periodic reporting notice'). For example, a report may be required every time a particular computer program raises a specified class of alert or error message.

Subsection 30DC(1)--Scope

797. Subsection (1) provides that section 30DC applies if each of the following apply:
• a computer is needed to operate a system of national significance, or is itself a system of national significance (paragraph (a)), and
• the Secretary believes on reasonable grounds that the relevant entity for the system of national significance is technically capable of preparing reports each time a particular type of event occurs, and
• those reports consist of information that relates to the operation of the computer, may assist with determining whether a power under the SOCI Act should be exercised in relation to the system of national significance, and is not 'personal information' within the meaning given by the Privacy Act (paragraph (b)).

798. The use of 'technically capable' ensures that the Secretary can only issue a notice under section 30DC to an entity that is in a position, from a technical perspective, to fulfil the requirements set out in subsection 30DC(2). The consultation requirements in section 30DD will be important in determining the technical capability of an entity.

Subsections 30DC(2)-(4)--Requirement

799. Under subsection (2), the Secretary may, by written notice given to the entity, require the entity to do each of the following each time an event of a specified kind occurs:
• prepare a report that consists of any such information (paragraph (a))
• prepare the reports in the manner and form specified in the notice, and in accordance with the information technology requirements specified in the notice (paragraph (b)), and
• give each periodic report to ASD as soon as practicable after the event occurs (paragraph (c)).

800. Subsection (3) provides that a notice given by the Secretary under subsection (2) is to be known as a 'system information event-based reporting notice' for the purposes of the SOCI Act.

801. In deciding whether to give a system information event-based reporting notice to the entity under subsection (2), the Secretary must, under subsection (4), have regard to the costs that are likely to be incurred by the entity in complying with the notice and any other matters, if any, that the Secretary considers relevant.

802. Subsection (4) ensures that a notice is proportionate and reasonable - balancing the beneficial outcome of the notice with the likely impact and costs to the affected entity when complying with the notice. To support this consideration as well as the determination of whether the entity is technically capable of providing the report, section 30DD mandates that the Secretary of Home Affairs must consult with the entity prior to issuing the notice.

Subsection 30DC(5)--Matters to be set out in notice

803. Subsection (5) provides that a system information event-based reporting notice must set out the effect of section 30DF, which relevantly requires that an entity must comply with a system information event-based reporting notice (see further below).

Subsection 30DC(6)--Other powers not limited

804. Subsection (6) clarifies that section 30DC does not, by implication, limit a power conferred by another provision of the SOCI Act. This ensures that the other powers in the SOCI Act, such as the Secretary's information gathering powers at existing section 37, are not taken to be limited as a result of this power.

Section 30DD Consultation

805. New section 30DD of the SOCI Act provides that, before giving either a system information periodic reporting notice or a system information event-based reporting notice, the Secretary must consult the relevant entity and, if a different entity, the responsible entity. The Secretary must have regard to the information provided in deciding whether to give a notice. In particular, this consultation requirement has been included to assist the Secretary in determining whether the relevant entity is technically capable of providing a report, considering the costs associated with complying with a notice and ensuring that compliance with the request will not impose any unnecessary burden on the relevant entity.

806. For example, this consultation process may reveal that a system information periodic reporting notice would not be effective as it would generate significant duplication in reporting, which imposes unnecessary cost on industry and is of limited value to Government. Rather, the consultation may reveal that the system is capable of reporting when the particular information becomes available and therefore a system information
event-based reporting notice may be more appropriate in achieving the desired result with less impost on the entity.

807. Consultation with the responsible entity will also ensure that the entity with broader and overarching responsibility for the asset has an opportunity to comment on the appropriateness of the notice.

Section 30DE Duration of system information periodic reporting notice or system information event-based reporting notice

808. New section 30DE of the SOCI Act sets out the timeframe for which a system information periodic reporting notice, given under section 30DB, or a system information event-based reporting notice, given under section 30DC, is in force.

809. Under subsection (1), a system information periodic reporting notice or a system information event-based reporting notice comes into force when it is given, or at a later time specified in the notice (paragraph (a)). This means that neither notice can have a retrospective effect. The notice remains in force for the time specified in the notice but, under subsection (2), the period specified in the notice cannot be longer than 12 months.

810. Subsection (3) provides that, if a system information periodic reporting notice is in force, the SOCI Act does not prevent the Secretary from giving a fresh system information periodic reporting notice under section 30DB that is in the same, or substantially the same, terms as the original notice and comes into force immediately after the expiry of the original notice. Subsection (4) is drafted in substantially similar terms relating to a system information event-based reporting notice given under section 30DC. Although the Government intends to maintain a continuous dialogue with the entity, including two-way information sharing of intelligence relating to the system of national significance, this safeguard will ensure a statutorily required consultation period under section 30DD occurs every 12 months.

Section 30DF Compliance with system information periodic reporting notice or system information event-based reporting notice

811. New section 30DF of the SOCI Act provides that an entity must comply with a system information periodic reporting notice or a system information event-based reporting notice to the extent that the entity is capable of doing so.

812. Breach of this requirement is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure entities comply with their periodic or event-based reporting obligation. This penalty is commensurate with the non-compliance for an obligation to comply with reporting obligations under the MTOFSA and ATSA. The penalty reflects the importance of enabling Government to build a near-real time threat picture in order to target its capabilities to those threats and vulnerabilities of greatest consequence to Australia.

Section 30DG Self-incrimination etc.

813. New section 30DG of the SOCI Act provides that:
• an entity is not excused from giving a report under sections 30DB or 30DC on the ground that the report may incriminate the entity (subsection (1)), and
• if an individual would ordinarily be able to claim the privilege against self-exposure to a penalty in relation to giving a report under sections 30DB or 30DC, the individual is not excused from giving a report under that section on that ground (subsection (2)).

814. A note to subsection (2) indicates that a body corporate is not entitled to claim the privilege against self-exposure to penalty.

815. This provision highlights that the information being provided in these reports is not intended to be used for a compliance purpose. For example, the report cannot be used in evidence to demonstrate non-compliance with the critical infrastructure risk management program at Part 2A. Rather, these obligations are focused on building enhanced partnerships with industry and greater, and joint, situational awareness. ASD will use this information to develop and maintain a near-real time threat picture, positioning it to identify threats early and provide actionable advice to industry to prevent and mitigate threats as they emerge.

Section 30DH Admissibility of report etc.

816. New section 30DH of the SOCI Act limits how a report under sections 30DB or 30DC can be admitted into evidence. Under this section, if a report is given under those sections, the report or the giving of the report is not admissible in evidence against an entity:
• in criminal proceedings other than proceedings for an offence against section 137.2 of the Criminal Code that relates to the SOCI Act (paragraph (c)). Section 137.2 of the Criminal Code makes it an offence for a person to provide a false or misleading document to another person in compliance with a requirement under Commonwealth law (such as under section 30DF), or
• in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 30DF of the SOCI Act (paragraph (d)).
817. This provision is important to encourage open and accurate reporting, noting the importance of the information being provided, while equally balancing the impact of new section 30DG to ensure that the information provided is not used against the individual as evidence. This position reflects that this information is not being sought for a compliance purpose but rather to uplift cyber security and protect critical infrastructure.

Subdivision B--System information software

Section 30DJ Secretary may require installation of system information software

818. New section 30DJ of the SOCI Act provides that the Secretary may require a relevant entity for a system of national significance to install and maintain a specified computer program in limited circumstances. This is a provision of last resort, with the strong preference of Government being for the entity to provide the information required under a system information notice under Subdivision A using its own capabilities to minimise any imposition on the system. However, noting the importance of this information to government oversight of cyber security risks, where an entity is unable to provide the necessary information (for example, because it would require a costly reform to their system), this will allow the Government to provide the entity with the necessary capability to enable the provision of the information.

819. For example, the software could be provided by the Government to the entity, such as a host-based sensor that enables reporting of telemetry information used to monitor systems and networks for malicious behaviour. The functioning of any software will be strictly limited to the acquisition and provision of specified information to ASD.

820. It should be noted that ASD does not perform a regulatory or compliance role under the SOCI Act. System information and telemetry will be used by ASD to inform an enhanced cyber threat picture and develop appropriate mitigations and advice.

Subsection 30DJ(1)--Scope

821. Subsection (1) provides that section 30DJ applies if all of the following apply:
• a computer is needed to operate a system of national significance, or is itself the system of national significance (paragraph (a))
• the Secretary believes on reasonable grounds that the relevant entity for the system would not be technically capable of preparing reports under sections 30DB or 30DC, and
• the reports consist of information that relates to the operation of the computer, may assist with determining whether a power under the SOCI Act should be exercised in relation to the system, and is not 'personal information' within the meaning given by the Privacy Act.

822. The requirement for the Secretary to believe on reasonable grounds that the relevant entity for the system would not be technically capable of providing the information is intended to ensure that this power is only used as a last resort. If the entity is able to comply with a notice given under sections 30DB or 30DC, those options will be utilised. The consultation requirements in section 30DK will be important in determining the technical capability of an entity and informing the decision as to which option is to be pursued.

Subsections 30DJ(2)-(5)--Requirement

823. Under subsection (2) the Secretary may, by written notice given to the entity captured by subsection (1), require the entity to:
• install a specified computer program on the computer within the period specified in the notice (paragraph (a))
• maintain the computer program once installed (paragraph (b)), and
• take all reasonable steps to ensure that the computer is continuously supplied with an internet carriage service that enables the computer program to function (paragraph (c)).

824. Subsection (3) provides that a notice given by the Secretary under subsection (2) is to be known as a 'system information software notice'.

825. Subsection (4) requires the Secretary, in deciding whether to give a system information software notice under subsection (2), to have regard to the costs that are likely to be incurred by the entity in complying with the notice and any other matters, if any, as the Secretary considers to be relevant. This subsection ensures that a notice is proportionate and reasonable - balancing the beneficial outcome of the notice with the likely impact and costs to the affected entity when complying with the notice. To support this consideration as well as the determination of whether the entity is technically capable of providing the report under a notice issued under sections 30DB or 30DC, section 30DK mandates that the Secretary of Home Affairs must consult with the entity prior to issuing the notice.

826. Subsection (5) sets out requirements for computer programs that may be specified in a system information software notice under subsection (2). Under this provision, a computer program may only be specified if the purpose of the computer program is to:
• collect and record information that relates to the operation of the computer, may assist with determining whether a power under the SOCI Act should be exercised in relation to the system of national significance, and is not personal information within the meaning given by the Privacy Act (paragraph (a)), and
• cause the information collected or generated by the computer program to be
transmitted electronically to ASD (paragraph (b)).

827. This provision ensures that the program is strictly limited to provisioning of the specified system information. It will not enable broader access to the system or the altering of any data on that system. In essence, it will simply provide the technical capability for the entity to undertake the actions that may be required in response to a notice issued under section 30DB or 30DC.

828. The computer program will be provided by the Government and will, for example, operate as a host-based sensor reporting system information back to the ASD to facilitate monitoring of the system and network for malicious behaviour.

Subsection 30DJ(6)--Matters to be set out in notice

829. Subsection (6) requires that a system information software notice given by the Secretary under subsection (2) must set out the effect of section 30DM, which provides that an entity must comply with a system information software notice to the extent that the entity is capable of doing so (see further below).

Subsection 30DJ(7)--Other powers not limited

830. Subsection (7) clarifies that section 30DJ does not, by implication, limit a power conferred by another provision of the SOCI Act. This ensures that the other powers in the SOCI Act, such as the Secretary's information gathering powers at existing section 37, are not taken to be limited as a result of this power.

Section 30DK Consultation

831. New section 30DK of the SOCI Act requires the Secretary to consult with a relevant entity, and if different, the responsible entity, before giving a system information software notice to the relevant entity. The Secretary must have regard to the information provided in deciding whether to give a notice. In particular, this consultation requirement has been included to assist the Secretary in determining whether the entity is technically capable of providing a report under sections 30DB or 30DC and considering the costs associated with complying with a notice. This further highlights that a system information software notice is a power of last resort, with the entity able to indicate that it is not necessary as they can provide the information required without having external software installed on their systems.

832. Consultation with the responsible entity will also ensure that the entity with broader and overarching responsibility for the asset has an opportunity to comment on the appropriateness of the notice.

Section 30DL Duration of systems information notice

833. New section 30DL of the SOCI Act sets out the timeframe in which a system information software notice under section 30DJ is in force.

834. Under subsection (1), a system information software notice comes into force when it is given, or at a later time specified in the notice (paragraph (a)). This means that the notice cannot have a retrospective effect. The notice remains in force for the time specified in the notice but, under subsection (2), the period specified in the notice cannot be longer than 12 months.

835. Subsection (3) provides that, if a system information periodic reporting notice is in force, the SOCI Act does not prevent the Secretary from giving a fresh system information software notice under section 30DJ that is in the same, or substantially the same, terms as the original notice and comes into force immediately after the expiry of the original notice.

836. Although the Government intends to maintain a continuous dialogue with the entity, including two-way information sharing of intelligence relating to the system of national significance, this safeguard will ensure a statutorily required consultation period under section 30DK occurs every 12 months.

Section 30DM Compliance with system information software notice

837. New section 30DM of the SOCI Act provides that an entity must comply with a system information software notice to the extent that the entity is capable of doing so. Breach of this requirement is subject to a civil penalty of up to 200 penalty units.

838. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance with a notice to install system information software. This penalty is commensurate with the non-compliance for an obligation to comply with directions under the MTOFSA and ATSA. The penalty reflects the importance of enabling Government to build a near-real time threat picture in order to target its capabilities to those threats and vulnerabilities of greatest consequence to Australia.

Section 30DN Self-incrimination etc.

839. New section 30DN of the SOCI Act provides that:
• an entity is not excused from complying with a system information software notice given to the entity under section 30DJ on the ground that complying with the notice might tend to incriminate the entity (subsection (1)), and
• if an individual would ordinarily be able to claim the privilege against self-exposure to a penalty in relation to complying with a system information
software notice, the individual is not excused from giving a report under that section on that ground (subsection (2)).

840. A note to subsection (2) indicates that a body corporate is not entitled to claim the privilege against self-exposure to penalty, noting the protections provided by section 30DP (outlined below).

841. Entities should not be excused from self-incrimination, noting that the purpose of section 30DJ is to ensure Government can actively work with entities that are responsible for assets that are of the highest importance and criticality to Australia's national interest. The information that is provided in this report may be crucial to protecting assets from an imminent attack that could have cascading impacts throughout the economy or undermine Australia's defence and national security.

842. This provision, together with section 30DP below, highlights that the information being provided by software installed on an entity's system under this Subdivision is not intended to be used for a compliance purpose. For example, the information provided by the software cannot be used in evidence to demonstrate non-compliance with the critical infrastructure risk management program at Part 2A. Rather, these obligations are focused on building enhanced partnerships with industry and greater, and joint, situational awareness. The ASD will use this information to develop and maintain a near-real time threat picture, positioning it to identify threats early and provide actionable advice to industry to prevent and mitigate threats as they emerge.

Section 30DP Admissibility of information etc.

843. New section 30DP of the SOCI Act limits how information transmitted to the ASD as a result of the operation of a computer program under a system information software notice can be admitted into evidence. Under this section, such information is not admissible in evidence against an entity in criminal proceedings (paragraph (c)) or in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 30DM (paragraph (d)).

844. This provision is important to encourage open and accurate reporting, noting the importance of the information being provided, while equally balancing the impact of new section 30DN to ensure that the information provided is not used against the individual as evidence. This position reflects that this information is not being sought for a compliance purpose but rather to uplift cyber security and protect critical infrastructure.

Division 6--Designated officers

Section 30DQ Designated officer

845. New section 30DQ of the SOCI Act provides that a 'designated officer' is an individual appointed by the Secretary, in writing, to be a designated officer for the purposes of the SOCI Act (subsection (1)). Under subsection (2), the Secretary cannot appoint an individual to be a 'designated officer' unless they are an APS employee in the Department (see subsection (6)) or, with the agreement of the Director-General of ASD, a staff member of ASD (within the meaning given by the Intelligence Services Act) (see subsection (7)). This is intended to limit those that can be designated officers to persons with appropriate technical expertise, or administrative or regulatory officers within the Department of Home Affairs.

846. Subsection (3) provides that the Secretary may, in writing, declare that each Departmental employee included in a class of Departmental employees specified in the declaration is a 'designated officer'. Subsection (4) is drafted in substantially similar terms but allows for a declaration in respect of ASD staff members. Under subsection (5), the Secretary must not make a declaration under subsection (4) unless the Director-General of ASD has agreed to the declaration.

847. Subsection (8) indicates that a declaration under section 30DQ is not a legislative instrument.

Item 40 Paragraph 32(4)(c)

848. Under existing section 32 of the SOCI Act, the Minister can give an entity that is a responsible entity for, or operator of, a critical infrastructure asset a written direction requiring the entity to do, or refrain from doing, a specified act or thing within the period specified in the direction (see subsection (2) in particular). Subsection 32(4) outlines matters to which the Minister must have regard before issuing a direction under subsection (2).

849. Item 40 of Schedule 1 to the Bill omits the words 'industry for the critical infrastructure asset' from paragraph 32(4)(c) of the SOCI Act and substitutes the words 'critical infrastructure sector'. The result is that the Minister is now required to have regard to the potential consequences that the direction may have on competition in the relevant 'critical infrastructure sector' as defined in new section 8D of the SOCI Act (see item 21 of Schedule 1 above). This reflects the change in terminology used in the SOCI Act, with the concept of relevant industry being replaced with critical infrastructure sector.

Item 41 At the end of section 32

850. Item 41 of Schedule 1 to the Bill inserts a new subsection (6) at the end of section 32 of the SOCI Act. That subsection provides that section 32 does not, by implication, limit a power conferred by another provision of the SOCI Act. This reflects the addition of other powers, including direction powers, into the SOCI Act and the intention for these amendments to not limit the operation of this existing power.


Item 42 Subparagraph 33(1)(a)(i) 851. Section 33 of the SOCI Act requires the Minister, before giving a direction under subsection 32(2), to consult with certain persons including the First Minister of the State, the Australian Capital Territory or the Northern Territory in which the relevant critical infrastructure asset is located. 852. Item 42 of Schedule 1 to the Bill inserts the words 'wholly or partly' in front of the word 'located' in subparagraph 33(1)(a)(i) of the SOCI Act. This clarifies that, in circumstances where a critical infrastructure asset has physical locations in different States and Territories, the Minister is required to consult with all relevant First Ministers before issuing a subsection 32(2) direction noting that may involve consultation with multiple First Ministers. Item 43 Subparagraph 33(1)(a)(ii) 853. Item 43 of Schedule 1 to the Bill omits the words 'industry for the critical infrastructure asset' from subparagraph 33(1)(a)(ii) of the SOCI Act and substitutes the words 'critical infrastructure sector'. This drafting aligns with the amendments made to paragraph 32(4)(c) of the SOCI Act (see Item 40 of Schedule 1 to the Bill above). 854. This amendment means that the Minister must consult with each Minister of the State, the Australian Capital Territory, or the Northern Territory, who has responsibility for the regulation or oversight of the relevant critical infrastructure sector in the State or Territory. This reflects the change in terminology used in the SOCI Act, with the concept of relevant industry being replaced with critical infrastructure sector. Item 44 At the end of Part 3 855. Item 44 of Schedule 1 to the Bill inserts new sections 35AAA and 35AAB into Part 3 of the SOCI Act. Section 35AAA Directions prevail over inconsistent critical infrastructure risk management programs 856. 
New section 35AAA of the SOCI Act provides that, if a critical infrastructure risk management program is applicable to a critical infrastructure asset, the program has no effect to the extent to which it is inconsistent with a direction given by the Minister under subsection 32(2). This provision clarifies that a direction under subsection 32(2) takes precedence over any obligation that a responsible entity for a critical infrastructure asset may have in relation to its critical infrastructure risk management program--in particular to comply with the program under section 30AD of the SOCI Act (see item 29 of Schedule 1 to the Bill above). 857. A direction make under section 32 will only occur in the most serious circumstances when other mitigation methods to address the risk to security have proved ineffective.


With the insertion of obligations relating to critical infrastructure risk management programs into the SOCI Act, this provision makes clear that section 32 directions are a matter of last resort and will override any mitigation measures that the entity may have determined to be appropriate under its critical infrastructure risk management program.

Section 35AAB Liability

858. New section 35AAB of the SOCI Act limits the liability of an entity and its officers, employees or agents in relation to acts or omissions done in compliance with a direction given by the Minister under subsection 32(2).

859. Subsection (1) provides that an entity, being a responsible entity for a critical infrastructure asset that has been given a Ministerial direction under subsection 32(2), is not liable to an action or other proceeding for damages for or in relation to an act or omission done or omitted in good faith in compliance with a direction under subsection 32(2).

860. Subsection (2) provides that an officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).

861. A direction given under section 32 may require an entity, or its officers, employees or agents, to do or stop doing certain things in order to address a security risk. Compliance with such a direction may expose the entity to liability. For example, a direction requiring an entity to cease using the services of a certain provider may result in the entity breaching its contractual obligations to that provider. This provision ensures that the entity, or its staff, will not be liable when acting in compliance with a lawful direction from the Minister.

Item 45 After Part 3

862. Item 45 of Schedule 1 to the Bill inserts new Part 3A (responding to critical cyber security incidents) into the SOCI Act. The government assistance powers conferred by Part 3A, exercisable under a Ministerial authorisation granted under Division 2, include powers to:
• gather information from an entity that may assist with determining whether a power under the SOCI Act should be exercised (Division 3)
• direct that an entity do, or refrain from doing, a specified act or thing (Division 4), and
• request that an authorised agency (i.e. ASD) intervene in an entity's operations (Division 5).


863. Existing Part 2, and new Parts 2A, 2B and 2C of the SOCI Act, discussed above, impose obligations on industry to manage risks associated with the operation of critical infrastructure assets. As critical infrastructure assets are increasingly reliant on, and connected via, electronic systems, cyber security vulnerabilities are a matter of increasing and fundamental concern. As malicious actors exploit these vulnerabilities ever more frequently, including against critical infrastructure assets, enhanced powers must be available. Where serious risks do eventuate that affect the ability of the asset to deliver essential services and prejudice Australia's national interests, effective mechanisms are required to resolve the incident. Globally, we have recently witnessed a number of cyber security incidents affecting critical infrastructure assets that have had significant direct and indirect consequences. The impacts of these cyber incidents have ranged from large-scale financial losses to loss of life.

Ukraine power outages, 2015

The 23 December 2015 Ukrainian power outages highlighted the impacts of cyber attacks on critical infrastructure. The attack involved sophisticated malicious actors taking command and control of the Supervisory Control and Data Acquisition (SCADA) systems of three energy distributors, resulting in 30 substations being switched off. The attack disabled or destroyed other digital infrastructure and wiped data from the companies' networks. An employee reportedly watched on helplessly as the malicious actor took substations offline. Concurrently, a call centre that provided up-to-date information to consumers about the blackout became inoperable due to a denial-of-service attack. While less than 1 per cent of the country's daily energy consumption was disrupted, the attack left over 225,000 Ukrainians, in the middle of winter, without power for several hours. Two months after the attack, some control centres were still not fully operational and manual procedures were required. However, the potential for far greater consequences remains. Cyber attacks can destroy physical components. With the capability and intent, an attack on the energy sector could result in impacts that are significantly more difficult to repair.

WannaCry, 2017

In 2017, a large-scale ransomware campaign, commonly called WannaCry, affected some 230,000 individuals and over 300,000 computer systems in 150 countries. The incident resulted in an estimated USD$4 billion in financial losses globally. WannaCry targeted vulnerabilities in Microsoft Windows software, impacting communications, financial, transport and healthcare services. This included the United Kingdom's National Health Service, which was forced to turn away non-critical patients and cancel around 20,000 appointments.

Hospital attacks, 2020


Since the COVID-19 pandemic began, hospitals have come under increasing strain due to malicious cyber incidents, particularly ransomware attacks. The March 2020 ransomware attack on Brno University Hospital, one of Czechia's largest COVID-19 testing laboratories, saw the forced shutdown of its entire information technology network. In September 2020, Dusseldorf University Hospital suffered a ransomware attack that brought down its computer systems. As a result, an individual being transported to the hospital by ambulance was re-routed to another hospital 30 kilometres away and passed away en route.

864. The Government remains committed, first and foremost, to working in partnership with the states, territories and industry, who own, operate and regulate our critical infrastructure, to collaboratively resolve incidents when they do occur and mitigate their impacts. Collaborative resolution will always remain the most effective method of resolving an incident and the Government's first preference. However, noting the importance of the services provided by these assets and the Government's ultimate responsibility for protecting Australia's national interests, circumstances may arise which require Government intervention. In such emergency circumstances, it is crucial that the Government has last-resort powers to respond to the incident or mitigate the risk.

865. Part 3 of the SOCI Act currently provides the Minister for Home Affairs with the power to issue a direction to a reporting entity or operator requiring them to take action to mitigate risks that are prejudicial to security. However, as critical infrastructure assets have become increasingly reliant on cyber infrastructure, and noting the rapidly evolving cyber threat environment we currently face, an additional emergency regime is required to address the risk of a particularly serious cyber attack which seriously prejudices Australia's national interests. Without such powers, a single cyber attack could have cascading, catastrophic, life-threatening consequences.

866. Consultations have revealed a strong community expectation that, in emergency circumstances and as a matter of last resort, the Government will use its significant technical expertise in cyber-defence to protect Australia's national interests and restore the functioning of essential services. However, consultations also highlighted that these powers must be used only in the most exceptional circumstances. The framework in Part 3A, as discussed below, is subject to a range of stringent safeguards and limitations to ensure that it is only used in the most serious circumstances, in an appropriate manner, and firmly limited to responding to the cyber security incident.

Division 1--Simplified outline of this Part

Section 35AA Simplified outline of this Part

867. New section 35AA of the SOCI Act sets out a simplified outline of Part 3A. The Part provides the Government with certain limited powers to respond to serious cyber security incidents that are impacting critical infrastructure assets.


Division 2--Ministerial authorisation relating to cyber security incident

Section 35AB Ministerial authorisation

868. New section 35AB of the SOCI Act sets out the circumstances in which the Minister may give an authorisation for the Secretary to exercise the government assistance powers under Part 3A in relation to a 'cyber security incident'. 'Cyber security incident' is newly defined in section 12M of the SOCI Act (see Item 32 of Schedule 1 to the Bill above) and includes acts, events or circumstances involving:
• unauthorised access to computer data or a computer program (paragraph (a))
• unauthorised modification of computer data or a computer program (paragraph (b))
• unauthorised impairment of electronic communications to or from a computer (paragraph (c)), and
• unauthorised impairment of the availability, reliability, security or operation of a computer, computer data or a computer program (paragraph (d)).

Subsection 35AB(1)--Scope

869. Subsection 35AB(1) creates a high threshold for when a Ministerial authorisation can be made under subsection 35AB(2), and ensures that the powers in Part 3A are only used in emergency circumstances, as a last resort and when it is in the national interest. In practice, subsection 35AB(1) ensures that the Secretary will only be authorised by the Minister to use the powers in Part 3A in exceptionally rare or emergency circumstances.

870. Subsection (1) provides that section 35AB applies where the Minister is satisfied of all of the following matters:
• a cyber security incident has occurred, is occurring or is imminent (paragraph (a))
• the incident has had, is having or is likely to have a relevant impact on a critical infrastructure asset, known as the 'primary asset' (paragraph (b))
• there is a material risk that the incident has seriously prejudiced, is seriously prejudicing or is likely to seriously prejudice the social or economic stability of Australia or its people, the defence of Australia or national security (including security and international relations) (paragraph (c)), and
• no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident (paragraph (d)).


Each of these factors is discussed in turn below.

Paragraph 35AB(1)(a)--A cyber security incident has occurred, is occurring or is imminent

871. Firstly, the Minister must be satisfied that a cyber security incident has occurred, is occurring, or is imminent. 'Cyber security incident' is defined at new section 12M and, broadly speaking, means one or more acts, events or circumstances involving unauthorised access to, modification of or impairment of computer data, a computer program or a computer.

872. This limits the focus of Part 3A to responding to cyber security incidents. As critical infrastructure assets are increasingly reliant on, and connected via, electronic systems, cyber security vulnerabilities are a matter of increasing and fundamental concern. The Government has particular expertise in responding to cyber threats that may not be available in the private sector.

873. Paragraph (1)(a) also relates to cyber security incidents that have occurred, are occurring or are imminent. A cyber security incident may come with warning, or suddenly, and be rapid or prolonged, but nevertheless catastrophic in its impact. This temporal scope is necessary to ensure that the Government may, where all the other criteria are met, provide an effective response as the circumstances require. For example:
• There may be a credible threat, evidenced by positioning and potentially attacks on related infrastructure, that a malicious actor is about to launch a cyber attack. It is therefore vital that the Government, when aware an attack is imminent, can if necessary take action to bolster the defences of the critical infrastructure asset in order to attempt to prevent the incident, and its consequential impact, from eventuating.
• An attack may occur unexpectedly and action may be required to mitigate the impact, including by limiting the extent of the compromise. This may include taking steps to prevent further compromise within a network or segregating systems to limit further damage.
• Where a cyber security incident has occurred, its impact may be significant and sustained. Even after the compromise has been addressed, significant work may be required to restore the functioning of the asset so that it can recommence providing essential services.

Paragraph 35AB(1)(b)--The cyber security incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset

874. Secondly, the Minister must be satisfied that the cyber security incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset. The exclusive objective of this regime is to defend critical infrastructure assets, in light of their criticality to the social or economic stability of Australia or its people, the defence of


Australia, or national security. That is to say, this is not intended to be a regime that can be used to defend assets economy-wide. While cyber security incidents can have significant and costly impacts on assets which are not critical, the ability for the Government to step in is exclusively reserved for critical infrastructure assets, given the essential services they provide to the nation. Nevertheless, the Government is committed to working collaboratively with those other entities through other non-regulatory mechanisms to improve cyber resilience and response capabilities.

875. Section 8G provides the definition of 'relevant impact' in this context, which includes an impact on the availability, integrity, reliability or confidentiality of the asset. The use of 'relevant impact' in paragraph (1)(b) means that a Ministerial authorisation cannot be made if the impact, or the likely impact, of the cyber security incident is not sufficiently serious, for example where it affects only the profitability of an asset. Rather, the regime is focused on impacts that undermine the intended operation or functioning of a critical infrastructure asset, or put at risk the asset's networks and sensitive information holdings.

876. A relevant impact may occur directly or indirectly. That is, a cyber security incident can have a relevant impact on a critical infrastructure asset even if, for example, the incident does not involve a direct compromise of the asset's systems. This reflects that, due to the complex and extensive interdependencies of critical infrastructure assets, a cyber security incident can significantly impede or compromise the functioning of an asset by targeting a crucial dependency in its supply chain, rendering the primary asset inoperable. Therefore, a Ministerial authorisation may be made in relation to critical infrastructure sector assets, meaning assets that relate to a critical infrastructure sector.

Paragraph 35AB(1)(c)--Material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice

877. Thirdly, the Minister must be satisfied that there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice:
• the social or economic stability of Australia or its people; or
• the defence of Australia; or
• national security.

878. This criterion is important in establishing that the event must be of significant seriousness; that is, Australia's national interests are at risk. The executive arm of government is best placed to make this assessment, as it requires consideration of a wide range of varying factors on a case-by-case basis. In particular, this assessment is likely to rely on intelligence about the potential cascading impact of the incident.

879. 'Seriously prejudiced' has its ordinary meaning. In the context of new paragraph 35AB(1)(c), the use of 'seriously prejudiced' is designed to ensure that a Ministerial


authorisation is not made unless the Minister is satisfied that the impact, or likely impact, of the cyber security incident on a critical infrastructure asset can reasonably be considered capable of causing significant damage or harm to Australian interests. To clarify, the Minister may be satisfied that an incident meets this criterion even if it is not impacting all jurisdictions. Instead, the focus of this provision is on the impact on Australia's various national interests, recognising that an impact on, for example, a particular part of the economy may be nationally significant.

Paragraph 35AB(1)(d)--There is no existing regulatory system that could be used to provide a practical and effective response to the incident

880. Finally, the Minister must be satisfied that there is no existing regulatory system of the Commonwealth, a State or a Territory that could be used to provide a practical and effective response to the incident. This requirement is intended to cement this power as one of last resort, acknowledging the various regulatory regimes that exist across governments which may be utilised to manage risks. However, where those risks exceed the capacity of those systems, this regime will offer an effective and practical response. This ensures that, wherever possible and appropriate, consideration is given to whether existing regimes, which are potentially less invasive or which are designed specifically to address risks associated with particular assets, could be relied upon to effectively respond to the incident.

881. The Minister can be satisfied of this even if those other systems, if any, have not been attempted, so long as the Minister considers that, if they were used, they would not provide a practical and effective response. This ensures that futile steps need not be taken and shown to fail in time-critical situations before an effective response can be initiated. In satisfying themselves of this requirement, the Minister is likely to consult with relevant Commonwealth, State and Territory Ministers, as well as regulators, including any relevant Commonwealth regulator designated under the amended SOCI Act. This may also include receiving referrals for action when an event has escalated beyond their abilities.

Hypothetical scenario: A large energy provider has been the subject of a cyber security incident which impacts its ability to provide electricity to residents of the east coast of Australia. As a result, large population hubs are without electricity and there are cascading impacts on other critical infrastructure assets, such as outages of critical telecommunications assets and critical hospitals, causing widespread economic and social disruption. The Commonwealth has consulted with the relevant State regulator, who has advised that they do not have the powers to effectively respond to the incident and has requested that the Commonwealth provide assistance.


Subsections 35AB(2)-(4)--Ministerial authorisation

882. When satisfied of the factors in subsection (1), the Minister may, under subsection (2) and on application by the Secretary, do any or all of the following:
• authorise the Secretary to give directions to a specified entity under section 35AK (information gathering directions) that relate to the incident and the 'primary asset' or a specified critical infrastructure sector asset (paragraphs (a) and (b))
• authorise the Secretary to give directions to a specified entity under section 35AQ (action directions) that relate to the incident and the primary asset or a specified critical infrastructure sector asset (paragraphs (c) and (d)), or
• authorise the Secretary to give a specified request under section 35AX (intervention request) that relates to the incident and the primary asset or a specified critical infrastructure sector asset (paragraphs (e) and (f)).

883. Subsection (3) provides that an authorisation made by the Minister under subsection (2) is to be known as a 'Ministerial authorisation'.

884. These various forms of Ministerial authorisation must relate to the cyber security incident, and be made in relation to the primary asset or a specified critical infrastructure sector asset. While in most circumstances the primary asset will be the focus of the Ministerial authorisation, in some circumstances a Ministerial authorisation may be required in relation to a critical infrastructure sector asset.

885. This reflects that, due to the complex and extensive interdependencies of critical infrastructure assets, a cyber security incident can significantly impede or compromise the functioning of an asset by targeting a crucial dependency in its supply chain, rendering the primary asset inoperable. As a result, it may be necessary for defensive action to be taken in relation to an asset other than the critical infrastructure asset itself, although the action must be focused on the protection and restitution of the critical infrastructure asset. This will ensure that the necessary intervention can be made at the most appropriate and effective place within the ecosystem of the critical infrastructure asset. However, the Ministerial authorisation must be made in relation to a critical infrastructure sector asset, limiting the operation of the regime to the critical infrastructure sectors.

886. For example, the Minister may authorise the Secretary to give directions to a specified entity in relation to a specified critical infrastructure sector asset that provides information technology services to a critical infrastructure asset. This may be necessary to better understand the operation of the critical infrastructure asset and inform the Government's understanding of the nature and extent of a cyber compromise. Similarly, a critical infrastructure sector asset may be used as a vector or platform for an attack on a critical


infrastructure asset due to connectivity between the respective assets' systems. Therefore, an effective response to the incident may need to be made in relation to the critical infrastructure sector asset to assist in mitigating the impacts on the critical infrastructure asset.

887. Further, Ministerial authorisations under paragraphs (c)-(d) must specify the direction or request that is being authorised. The Secretary, when taking steps in response to the authorisation, does not have discretion to expand the scope of actions that can be directed or requested. The significance of Ministerial authorisations made under those paragraphs makes it appropriate for their scope to be determined by the Minister.

888. Subsection (4) provides that subsection 33(3AB) of the Acts Interpretation Act, which would otherwise allow a Ministerial authorisation under subsection (2) to be made with respect to a class of assets or cyber security incidents, does not apply. This is appropriate and necessary given the serious and invasive nature of the government assistance powers that can be exercised as a result of a Ministerial authorisation, with the effect that the Minister will need to consider the unique circumstances of each entity to which the authorisation will apply.

Subsections 35AB(5)-(6)--Information gathering directions

889. The first type of Ministerial authorisation that can be made relates to the gathering of information. An effective and appropriate response to a serious cyber security incident requires a strong understanding of the nature and extent of the incident, as well as a strong understanding of the circumstances of the asset, including its cyber maturity, its vulnerabilities and its interdependencies. This information will inform any decisions in relation to further Ministerial authorisations, and be important in ensuring that those Ministerial authorisations are reasonably necessary and proportionate.

890. Subsection (5) provides that a Ministerial authorisation under paragraph (2)(a) or (b), enabling the Secretary to give directions under section 35AK, is generally applicable to the incident and the asset concerned, and is to be made without reference to any specific directions.

891. Under subsection (6), the Minister must not give a Ministerial authorisation under paragraph (2)(a) or (b) unless the Minister is satisfied that the directions under section 35AK that could be authorised by the Ministerial authorisation are likely to facilitate a practical and effective response to the incident.

892. These subsections provide that the Minister may authorise the Secretary to utilise information gathering directions (when the factors outlined in section 35AK are met) if doing so is likely to facilitate a practical and effective response to the incident. For example, the Minister may consider that the use of the powers in section 35AK is necessary to facilitate a practical and effective response to the incident where the


Minister is aware of the severity of the incident but is unsure what actions are needed to respond.

893. In comparison to Ministerial authorisations made under paragraphs (2)(c)-(f), the authorisation will not specify the precise content of the direction or directions that can be made by the Secretary. While this provides the Secretary with a degree of discretion in developing information gathering directions, that discretion is limited by section 35AK to ensure that the power is only used in an appropriate way. Further, this information gathering power can be used in relation to critical infrastructure sector assets, whereas the Secretary's existing information gathering powers in section 37 of the SOCI Act are limited to critical infrastructure assets. This broader scope is warranted as the interdependencies between critical infrastructure assets and other assets across the critical infrastructure sectors may mean that information necessary to guide an effective response is held by an entity related to another asset which relates to the critical infrastructure sector.

Hypothetical scenario: A key supplier of logistical services to a critical freight service asset is subject to a cyber security incident which results in the critical freight service asset being unable to distribute medical supplies nationally. While the responsible entity for the critical freight service asset is cooperating with government, the Government requires information from the provider of the logistical services to determine the full extent of the compromise and develop an appropriate response. The Minister for Home Affairs authorises the Secretary of Home Affairs to issue information gathering directions to the supplier, as the entity responsible for the critical infrastructure sector asset, to provide the necessary information. This information is used to jointly develop, with the responsible entity, an appropriate response to mitigate the impacts of the incident on the critical freight service asset.

Subsections 35AB(7)-(9)--Action directions


894. The second type of Ministerial authorisation that can be made relates to requiring the specified entity to do an act or thing, including an omission. In responding to an incident, the Government acknowledges that an entity's understanding of the systems and operation of the asset means that the entity is best positioned to take the necessary actions to respond to the incident. Therefore, this type of Ministerial authorisation is focused on compelling the entity to take actions, or do things, that are reasonably necessary and proportionate to responding to the incident where the entity is unwilling or unable to respond to the incident.

895. Subsection (7) provides that the Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d), enabling the Secretary to give action directions under section 35AQ, unless the Minister is satisfied of the existence of the circumstances set out in paragraphs (a) to (d). It should be noted that these criteria are additional to the criteria in subsection (1), of which the Minister must also be satisfied.

896. Firstly, the Minister must be satisfied that the entity is unwilling or unable to take all reasonable steps to respond to the incident (under paragraph (7)(a)). This reflects the Government's continued view that industry is primarily responsible for responding to cyber security incidents and that Government intervention is only to be used in emergencies and as a last resort when industry fails to resolve the incident. The unwillingness of an entity to take all reasonable steps may be driven by various factors, such as profit, reputation or external influence. However, noting the criticality of the asset and the impact of the incident, as well as the material risk of serious prejudice to Australia's national interest, in these circumstances resolving the incident must take precedence. The inability of an entity to take all reasonable steps may be driven by a technical lack of capacity or capability, or by legal constraints such as contractual or legislative requirements relating to continuity of service. Therefore, despite a willingness to resolve the incident, the entity may not be able to do so. For example, an entity may be willing to provide assistance voluntarily but be concerned about incurring liability for disclosing commercially confidential information; in such circumstances it may request that a Ministerial authorisation be made to facilitate its taking the necessary steps to assist in resolving the incident.

897. When considering what reasonable steps to respond to the incident may involve, it is not intended that a different tactical response from that which the Minister would pursue would amount to an unwillingness or inability to take reasonable steps to respond to the incident. The inclusion of the element of reasonableness will require the Minister to consider the various approaches that may be taken to effectively respond to the incident, with steps likely to be considered reasonable if they are capable of effectively and practically resolving the incident. The focus is on ensuring that an adequate response is taken, rather than being prescriptive about the exact response that must be taken.

898. However, it is important to note that certain steps may be regarded as reasonable even if they exceed the capacity or capabilities of the particular entity. Therefore consideration


of whether all reasonable steps are being taken will require consideration of what a reasonable person would expect a business in that position to do or be able to do.

899. Secondly, the Minister must be satisfied that the specified direction is reasonably necessary for the purposes of responding to the incident (under paragraph (7)(b)). This provision appropriately limits the scope of an action direction to ensure it is directly relevant to addressing or responding to the incident. The use of 'reasonably necessary' clarifies that an action direction, and anything that compliance with it would require to be done, must be directly focused on responding to the incident. This is an important safeguard to ensure an action direction cannot be used as a vehicle to require an entity to do, or refrain from doing, an act that goes beyond addressing or responding to the incident. This reflects that this regime is only to be used to defend critical infrastructure assets from cyber security incidents, and is strictly limited to that purpose. Further, the element of reasonableness will ensure that the required actions are not only necessary but are appropriate in the circumstances.

900. Thirdly, the Minister must be satisfied that the specified direction is a proportionate response to the incident (under paragraph (7)(c)). This provision appropriately limits the scope of an action direction to ensure it is proportionate. While the criteria of which the Minister must be satisfied, as set out in subsection (1), highlight that the circumstances in which these powers will be used must be serious, it is equally important that the directions are proportionate in light of all the circumstances. For example, and depending on the particular circumstances, a direction may not be regarded as proportionate if it would result in greater harm to the asset, even if it would practically respond to the incident.

901. In considering proportionality, subsection (8) requires the Minister to have regard to the impact of the direction on the activities carried on by the specified entity and the functioning of the asset concerned, the consequences of compliance with the direction, and any other matters the Minister considers relevant. For example, while taking a computer system offline may be reasonably necessary to mitigate a cyber security incident, if that computer system is necessary for providing life-sustaining equipment, the Minister will need to consider the respective consequences of action and inaction, and whether alternative options are available. Additionally, the Minister may consider the costs to the entity of complying and whether the costs of action would outweigh the costs of inaction, including for the entity and society more broadly. The impact on end-users and customers of the asset may also be a relevant consideration in assessing proportionality.

902. Finally, the Minister must be satisfied that the specified direction is technically feasible (under paragraph (7)(d)). A direction is technically feasible when it relates to a course of action that is reasonably possible to execute, or within the existing capability of the relevant entity. A direction is considered not to be technically feasible if there is no technical capability that could be utilised to produce the outcome that is sought. The consultation requirement in section 35AD will be an important mechanism to


ensure the Minister has a sound understanding of the entities technical capabilities and therefore whether this condition is met. 903. Subsection (9) provides further limitations on the scope of what can be authorised by the Minister. A direction must not:  require the specified entity to permit the authorised agency to do an act or thing that could be the subject of a request under section 35AX (paragraph (a)), or  require the specified entity to take offensive cyber action against a person who is directly or indirectly responsible for the incident (paragraph (b)). 904. Noting that a Ministerial authorisation in relation to an intervention request is subject to additional safeguards due to the significance of the conduct that may be authorised, paragraph (a) ensures that action directions are not used as a backdoor to compel an entity to permit Government officials access to the asset. Further paragraph (b) embeds the defensive nature of the regime, noting that it would not be appropriate to require the entity to take actions against the perpetrator of the attack that are not regarded as defensive. For example, the directions cannot require the entity to 'hack back' or undertake any other actions that may constitute a criminal offence such as accessing the perpetrators computer without authority. The focus of these directions is on defending the asset, which may include removing a perpetrator from the asset, but should not extend into actions that would be regarded as offensive. Paragraph (b) does not limit in anyway the responsibilities and powers that other agencies such as the Australian Signals Directorate and Australian Federal Police have to prevent and disrupt cybercrime under other legislative regimes. 
Hypothetical scenario: A critical data storage or processing asset, which hosts sensitive Government information, is subject to a cyber security incident which poses an imminent risk that the confidentiality of the Government information will be compromised. In light of information provided in response to information gathering directions, the Minister for Home Affairs is satisfied that the reconfiguration of the computer network to segregate the compromised computer and prevent the exfiltration of the sensitive Government information is reasonably necessary and proportionate to responding to the incident. Following consultation with the operator of the asset, the Minister for Home Affairs is also satisfied that the entity is unwilling to undertake the required action as it would affect, albeit in a limited way, the provision of services to the data centre's other customers. Subsections 35AB(10)-(15)--Intervention requests 905. The third type of Ministerial authorisations that can be made relate to intervention requests. Where directing an entity to take specified action would not be practical or effective, it may be necessary for the Government to step-in and take the necessary actions to defend the asset. This is a last resort option, within a last resort regime, and will


only be used in extraordinary circumstances. However it must be recognised that in emergencies where Australia's national interests are at risk of serious prejudice and industry is unable to respond, the Government may have unique expertise that could be deployed to prevent an incident, mitigate its impact, or restore the functioning of an asset following an incident. In some circumstances, the cyber capabilities and technical resources of the Australian Signals Directorate will surpass those of industry. Where those circumstances exist, it is reasonable, appropriate and expected that the Government has the powers to respond. Nevertheless, the significance of these powers necessity that they are subject to stringent safeguards, limitations and oversight mechanisms to ensure they are only used when absolutely necessary and appropriate. 906. Subsection (10) provides that the Minister must not give a Ministerial authorisation under paragraphs (2)(e) or (f), enabling the Secretary to make a request under section 35AQ, unless the Minister is satisfied of the existence of the circumstances set out in paragraphs (a) to (g). It should be noted that these criteria are additional to those criteria in subsection (1) of which the Minister must also be satisfied. 907. Firstly, the Minister must be satisfied that giving a Ministerial authorisation under paragraph (2)(c) or (d) would not amount to a practical and effective response to the incident (under paragraph (10)(a)). Direct Government intervention in relation to assets is appropriately reserved for extraordinary circumstances. To guarantee that this option is only considered as a last resort, the Minister must be satisfied that legally compelling the entity to do the action would not amount to a practical and effective response to the incident. 
For example, where the Minister has authorised a direction providing that the entity is to take the action and they have unreasonably refused to comply with the direction, the Minister may be satisfied that the directions power is not effective. Alternatively, following consultation, the Minister may be aware that the required actions require a level of technical expertise that the entity does not possess, and is not able to acquire, and therefore a ministerial authorisation for a direction to take the action would not be practical. 908. The Minister is not required to have made an authorisation under paragraph (2)(c) or (d) before the Minister can be satisfied that it would not amount to a practical and effective response to the incident. Noting the time critical nature of responding to the serious cyber security incident, a requirement to make futile Ministerial authorisations would not be reasonable. Rather, the Minister may, for example, be satisfied of this matter having consider information provided through consultation and information gained through directions issued by the Secretary under section 35K. 909. Secondly, paragraphs (10)(b) and (c) require the Minister be satisfied that the relevant entity or entities are unwilling or unable to take all reasonable steps to respond to the incident. This provision reflects that there may be multiple relevant entities that have a degree of responsibility for a particular aspect of the asset and may be in a position to take the necessary action. The Minister must be satisfied that none of these entities are willing or able to do so.
910. A relevant entity for an asset is defined in section 5 as an entity that is the responsible entity for the asset, a direct interest holder in relation to the asset, an operator of the asset, or is a managed service provider for the asset.
911. This is reflective of the Government's continued view that industry is primarily responsible for responding to cyber security incidents and that Government intervention is only to be used in emergencies and as a last resort when industry fails to resolve the incident. The unwillingness of an entity to take all reasonable steps may be driven by various factors, such as profit, reputation, or external influence. However, noting the criticality of the asset and the impact of the incident, as well as the material risk of serious prejudice to Australia's national interest, in these circumstances resolving the incident must take precedence. The inability of an entity to take all reasonable steps may be driven by a technical lack of capacity or capability, or legal constraints such as contractual or legislative requirements relating to continuity of service. Therefore, despite a willingness to resolve the incident, the entity may not be able to do so. For example, an entity may be actively attempting to resolve the incident but the advanced nature of the compromise exceeds its technical expertise.

912. When considering what reasonable steps to respond to the incident may involve, it is not intended that a different tactical response from that which the Minister would pursue would amount to an unwillingness or inability to take reasonable steps to respond to the incident. The inclusion of the element of reasonableness will require the Minister to consider the various approaches that may be taken to effectively respond to the incident, with steps likely to be considered reasonable if they are capable of effectively and practically resolving the incident. The focus is on ensuring that an adequate response is taken, rather than being prescriptive of the exact response that must be taken.

913. However, it is important to note that certain steps may be regarded as reasonable even if they exceed the capacity or capabilities of the particular entity. Therefore consideration of whether all reasonable steps are being taken will require consideration of what a reasonable person would expect a business in that position to do or be able to do.

914. Thirdly, paragraph (10)(d) requires that the Minister be satisfied that the specified request is reasonably necessary for the purposes of responding to the incident. This provision appropriately limits the scope of an action that can be requested to ensure it is directly relevant to addressing or responding to the incident. The use of 'reasonably necessary' clarifies that a request, and anything that compliance with it would require to be done, must be directly focused on responding to the incident. This is an important safeguard to ensure a request, and any action taken in response to that request, cannot be used for any purpose other than responding to the incident. This reflects that this regime is only to be used to defend critical infrastructure assets from cyber security incidents, and is strictly limited to that purpose. Further, the element of reasonableness will ensure that the required actions are not only necessary but are appropriate in the circumstances.

915. Fourthly, paragraph (10)(e) requires that the Minister be satisfied that the specified request is a proportionate response to the incident. This provision appropriately limits the scope of a request, and the actions that may be taken in response to it, to ensure it is proportionate. While the criteria the Minister must be satisfied of, as set out in subsection (1), highlight that the circumstances in which these powers will be used must be serious, it is equally important that the request is proportionate in light of all the circumstances. For example, and depending on the particular circumstances, a request may not be regarded as proportionate if the actions that may be taken in response to it would result in greater harm to the asset even if they would practically respond to the incident.

916. In considering proportionality, subsection (11) requires the Minister to have regard to the impact of compliance with the request on the functioning of the asset concerned, the consequences of compliance with the specified request, and any other matters the Minister considers relevant. For example, while taking a computer system offline may be reasonably necessary to mitigate a cyber security incident, if that computer system is necessary for providing life-sustaining equipment, the Minister will need to consider the respective consequences of action and inaction, and whether alternative options are available. Further, the consequences of the requested actions on the asset itself, its longer-term functioning and associated costs, may also be considered. The impact on end-users and customers of the asset may also be a relevant consideration in assessing proportionality. The Minister may also consider the appropriateness of direct Government intervention in relation to a privately owned asset and whether the significance of that step is proportionate in light of the incident and its impacts.

917. Fifthly, paragraph (10)(f) requires that the Minister be satisfied that compliance with the specified request is technically feasible. While the Australian Signals Directorate has extensive and sophisticated capabilities, its resources are not without bounds. Therefore the Minister must consider whether it would be technically feasible for ASD to undertake the required action. Consultation between the Minister and the Minister for Defence will be important in determining whether the required actions are technically feasible.

918. Finally, paragraph (10)(g) requires that the Minister be satisfied that each of the acts or things specified in the request are acts or things covered by section 35AC. This regime is focused exclusively on cyber security incidents, and founded on the understanding that in some circumstances the cyber capabilities and resources of the Australian Signals Directorate will surpass those of industry. Reflective of this, the actions requested must be limited to the computer-related actions in which the Australian Signals Directorate has expertise and must not extend more broadly.

919. Subsection (12) provides further limitations on the scope of what can be authorised by the Minister. The Minister must not give a Ministerial authorisation under paragraphs (2)(e) or (f) if compliance with the specified request would involve the authorised agency taking offensive cyber action against a person who is directly or indirectly responsible for the incident. This limitation embeds the defensive nature of the regime, noting that it would not be appropriate to require the authorised agency to take actions against the perpetrator of the attack that are not regarded as defensive. For example, the request cannot require the authorised agency to 'hack back' or undertake any other actions against a perpetrator. The focus of this regime is on defending the asset, which may include removing a perpetrator from the asset, but should not extend into actions that would be regarded as offensive. This subsection does not limit in any way the responsibilities and powers that the ASD may have to prevent and disrupt cybercrime under other legislative regimes.

920. Subsection (13) provides an additional layer of oversight to reflect the significance of these powers. The Minister must not give a Ministerial authorisation under paragraphs (2)(e) or (f) unless the Minister has obtained the agreement of the Prime Minister and the Defence Minister.

921. The Prime Minister, as leader of the country and chair of the National Security Committee of Cabinet, is well positioned to assess the appropriateness of such an authorisation. The Defence Minister, as the minister responsible for the authorised agency, will ensure that its involvement is appropriate and consistent with other defence priorities and interests. This ensures that an authorisation for an intervention request is subject to a comprehensive triple lock mechanism, and any action that is intended to be conducted by the authorised agency has been scrutinised by key members of the executive arm of Government. The involvement of the Prime Minister and the Defence Minister will also add additional perspective and balance to the decision-making process to ensure the impact on the entity is appropriate in the circumstances.

922. The agreement required by this subsection may be given orally or in writing (subsection (14)), noting the potential urgency of an effective response. However, subsection (15) provides that, if agreement is given orally by either the Prime Minister or the Defence Minister for the purposes of subsection (13), the respective Minister must make a written record of the agreement and give a copy of the written record to the Minister within 48 hours after the agreement is given.

Hypothetical scenario: During incident response, the authorised agency may require access to various types of data and information, such as system logs and host images, to determine what malicious activity has occurred and which systems have been affected. The authorised agency may also need to install investigation tools, such as host-based sensors or network monitoring capabilities, to analyse the extent of malicious activity and inform effective remediation actions. To remediate the cyber security incident, the authorised agency may need to remove malicious software (e.g. web shells, ransomware, and/or reconnaissance tools), which requires altering or removing data in a computer. The authorised agency may need to conduct these activities on-site with the victim or remotely, where capability exists to do so. The authorised agency may also implement blocking of malicious domains, may disable internet access or may implement other specified mitigations. The authorised agency may also require systems to be patched (altering data) or a change in network configuration, to alter the function of the system, to prevent similar activity. A Ministerial authorisation may be sought for an intervention request relating to each of these specific actions.
Subsection 35AB(16)--Ministerial authorisation is not a legislative instrument

923. Subsection (16) clarifies that a Ministerial authorisation given by the Minister under subsection (2) is not a legislative instrument. This is reasonable in these circumstances because:
• the public disclosure of an authorisation for an intervention request may not only undermine the ability of the authorised officer to undertake any acts that have been authorised, but may also alert nefarious actors to a potential weakness or vulnerability in a critical infrastructure asset, and
• the authorisation applies the law in a particular circumstance to particular facts, and does not determine or alter the content of the law for the purposes of subsection 8(4) of the Legislation Act.

Subsection 35AB(17)--Other powers not limited

924. Subsection (17) provides that section 35AB does not, by implication, limit a power conferred by another provision of the SOCI Act.

Section 35AC Kinds of acts or things that may be specified in an intervention request

925. New section 35AC of the SOCI Act outlines the kinds of acts or things that a Ministerial authorisation under paragraphs 35AB(2)(e) or (f) may specify in the request to be made by the Secretary under section 35AX, for the purposes of paragraph 35AB(10)(g). These conditions serve as another limitation to ensure that the actions are computer-related acts, appropriately targeted at responding to the cyber security incident, and reflect the specialised skills of the authorised agency, which in many circumstances surpass those of the private sector.

926. The things covered by section 35AC are:
• accessing or modifying a computer or computer device that is, or is part of, the asset to which the Ministerial authorisation relates (paragraph (a)) - For example, a specified request may be to access a specified computer prior to undertaking an analysis of it (where analysis is also requested).
• undertaking an analysis of a computer, computer program, computer data or a computer device that is, or is part of, the asset (paragraph (b)) - For example, a specified request may be to undertake analysis of network activity through log files or server images to identify malicious software (malware).
• if necessary to undertake the analysis under paragraph (b), installing a computer program on a computer that is, or is part of, the asset (paragraph (c)) - For example, a specified request may be to install a specified computer program to run a vulnerability assessment to identify gaps that require patching.
• accessing, adding, restoring, copying, altering or deleting data held in a computer or a computer device that is, or is part of, the asset (paragraph (d)) - For example, a specified request may be to identify, access, and delete malware located on a network.
• accessing, adding, restoring, copying, altering or deleting a computer program that is, or a computer program that is installed on a computer that is, or is part of, the asset (paragraphs (e) and (f)) - For example, a specified request may be to restore a program critical to the asset's operation that was previously deleted as part of malicious cyber activity.
• altering the functioning of a computer or a computer device that is, or is part of, the asset (paragraph (g)) - For example, a specified request may be to alter a computer's ability to access a computer network, in order to stop it from infecting other computers.
• removing or disconnecting, or connecting or adding, a computer or a computer device to a computer network that is, or is part of, the asset (paragraphs (h) and (i)) - For example, a specified request may be to disconnect an infected Universal Serial Bus (USB) device from a computer to mitigate further spread of malware.
• removing a computer or computer device that is, or is part of, the asset from premises (paragraph (j)) - For example, a specified request may be to physically remove a computer from the premises for further analysis (where analysis is also requested).

Section 35AD Consultation

927. New section 35AD of the SOCI Act outlines consultation requirements that must be completed, subject to listed exceptions, by the Minister before issuing a Ministerial authorisation. This consultation requirement ensures that (wherever possible) affected entities are able to inform the Government's use of the powers in Part 3A. The Minister must have regard to any information provided when making a Ministerial authorisation.

928. Subsection (1) provides that, before giving a Ministerial authorisation under paragraphs 35AB(2)(c) or (d) that would enable the Secretary to make an action direction under section 35AQ, the Minister must consult the specified entity unless the delay that would occur in doing so would frustrate the effectiveness of the authorisation.
929. Under subsection (2), before giving an authorisation under paragraphs 35AB(2)(e) or (f) that would enable the Secretary to give an intervention request to the chief executive of the authorised agency, the Minister must:
• if the authorisation is given under paragraph 35AB(2)(e) in relation to a critical infrastructure asset, consult the responsible entity, or entities, for the asset (paragraph (a)), or
• if the authorisation is given under paragraph 35AB(2)(f) in relation to a critical infrastructure sector asset, consult the owner/s or operator/s of the asset that the Minister considers most relevant to the authorisation (paragraph (b)).

930. The Minister is not required to undertake the consultation listed in subsection (2) where the delay that would occur in doing so would frustrate the effectiveness of the authorisation.

931. Consultation with affected entities is vital to ensuring the Minister's decisions are informed and appropriate. In particular, this consultation will assist with satisfying the Minister as to whether an entity is unwilling or unable to take all reasonable steps to respond to the incident (see paragraph 35AB(7)(a) and paragraphs 35AB(10)(b)-(c)). It is also important in providing greater information about the circumstances of the incident to determine whether the proposed course of action is reasonably necessary (see paragraph 35AB(7)(b) and paragraph 35AB(10)(d)), proportionate (see paragraph 35AB(7)(c) and paragraph 35AB(10)(e)) and technically feasible (see paragraph 35AB(7)(d) and paragraph 35AB(10)(f)).

932. However, it is equally important to recognise that, due to the emergency nature of the regime, in extreme circumstances compliance with this consultation requirement may impede an effective and timely response to an incident. This is intended to occur only in rare circumstances. For example, the Government may be engaging closely with a particular entity in relation to a cyber security incident involving a particular critical infrastructure asset (Asset 1) and it becomes clear that the malicious actor will imminently gain unauthorised access to another, interconnected, critical infrastructure asset (Asset 2) from the system of Asset 1 and cause catastrophic damage. In such circumstances, the Minister may have sufficient information to determine the particular action that must occur immediately to prevent the compromise but be unable to undertake the required consultation before the actor compromises Asset 2.

933. Where such rare circumstances occur, the Minister will still need to be satisfied of the factors in subsection 35AB(1) as well as subsection 35AB(7) or (10) as relevant. This provides a safeguard by ensuring that the Minister must have sufficient information to form this satisfaction, while allowing for adaptability in the regime. Further, following the making of the authorisation, should the entity bring any concerns to the Minister's attention, subsection 35AH(3) places a duty on the Minister to revoke the authorisation if no longer satisfied of its necessity. Similarly, should the entity raise any concerns with the Secretary which result in the Secretary no longer being satisfied that the Ministerial authorisation is required, subsection 35AH(4) places an obligation on the Secretary to inform the Minister as soon as practicable. This ensures that any consultation that occurs after the Ministerial authorisation is made can be used to inform its continuation or potential revocation.

934. As responsible entities have not been identified in the legislation in relation to critical infrastructure sector assets, due to this being a significantly broader class of assets, the Minister must exercise discretion as to who is the most relevant entity to consult in relation to the Ministerial authorisation. An owner or operator, or both, may be considered relevant if the Ministerial authorisation will directly affect them or affect an aspect of the asset for which they are responsible. This flexibility will allow for the most appropriate entity or entities to be provided with the opportunity to make representations to the Minister in relation to the proposed authorisation.

Section 35AE Form and notification of Ministerial authorisation

935. New section 35AE of the SOCI Act outlines the permitted forms of a Ministerial authorisation given under subsection 35AB(2), and the requirements to notify relevant entities and other stakeholders about the authorisation being given.

936. Subsection (1) provides that a Ministerial authorisation may be given orally or in writing. However, an authorisation must not be given orally unless the delay that would occur if the authorisation were to be made in writing would frustrate the effectiveness of any directions that may be given under sections 35AK and 35AQ, or any requests that may be given under section 35AX (see subsection (2)).

Subsections 35AE(3)-(5)--Notification of Ministerial authorisations given orally

937. Under subsection (3), if a Ministerial authorisation is given orally, the Minister must make a written record of the authorisation and give a copy of the written record to the Secretary and the IGIS within 48 hours of giving the authorisation. This will ensure there are accurate records of the authorisation. The notification of the IGIS is important to ensure that the Inspector-General has an opportunity to consider whether to exercise any of their oversight powers in relation to the Ministerial authorisation, or actions taken in response to it.

938. Subsection (4) provides that, if a Ministerial authorisation is given orally and relates to a critical infrastructure asset, the Minister must also give a copy of the written record of the authorisation to the responsible entity for the asset within 48 hours of giving the authorisation. In addition, under subsection (5), if a Ministerial authorisation is given orally and relates to a critical infrastructure sector asset that is not a critical infrastructure asset, the Minister must also give a copy of the written record of the authorisation to the most relevant owner/s or operator/s of the asset. These requirements mean that the affected entity is provided with a written copy of the authorisation. This is an important safeguard to ensure the entity has a clear understanding of the extent of the authorisation.

Subsections 35AE(6)-(8)--Notification of Ministerial authorisations given in writing

939. Under subsection (6), if a Ministerial authorisation is given in writing, the Minister must give a copy of the authorisation to the Secretary and the IGIS within 48 hours of giving the authorisation. The notification of the IGIS is important to ensure that the Inspector-General has an opportunity to consider whether to exercise any of their oversight powers in relation to the Ministerial authorisation, or actions taken in response to it.

940. Subsection (7) provides that, if a Ministerial authorisation is given in writing and relates to a critical infrastructure asset, the Minister must also give a copy of the Ministerial authorisation to the responsible entity for the asset within 48 hours of giving the authorisation. In addition, under subsection (8), if a Ministerial authorisation is given in writing and relates to a critical infrastructure sector asset that is not a critical infrastructure asset, the Minister must also give a copy of the Ministerial authorisation to the most relevant owner/s or operator/s of the asset. These requirements mean that the affected entity is provided with a written copy of the authorisation. This is an important safeguard to ensure the entity has a clear understanding of the extent of the authorisation.

Section 35AF Form of application for Ministerial authorisation

941. Subsection 35AB(2) of the SOCI Act (outlined above) provides that the Minister may make a Ministerial authorisation on application by the Secretary. New section 35AF of the SOCI Act outlines requirements for the making of an application by the Secretary for the purpose of subsection 35AB(2).

942. Subsection (1) provides that the Secretary may make the application orally or in writing. Subsection (2) provides that the Secretary must not make an oral application for a Ministerial authorisation unless the delay that would occur, should the application be made in writing, would frustrate the effectiveness of any directions that may be given by the Secretary under sections 35AK or 35AQ, or any requests given under section 35AX.

943. Under subsection (3), if an application for a Ministerial authorisation is made orally, the Secretary is required to make a written record of the application and give a copy of the written record to the Minister within 48 hours of making the application.

944. It is noted that any written application is already required to be given to the Minister under subsection 35AB(2) above.

Section 35AG Duration of Ministerial authorisation

945. New section 35AG of the SOCI Act sets out the duration of a Ministerial authorisation given under subsection 35AB(2).


Subsection 35AG(1)--Scope 946. Subsection (1) provides that section 35AG applies to a Ministerial authorisation given in relation to a cyber security incident and an asset. This is intended to cover all types of Ministerial authorisations that may be given under subsection 35AB(2). Subsection 35AG(2)--Duration of Ministerial authorisation 947. Subsection (2) provides that, subject to this section, the Ministerial authorisation remains in force for the period specified in the Ministerial authorisation which must not exceed 20 days. That is, the duration of the Ministerial authorisation is to be included in the authorisation itself and can be for any period up to and including 20 days. 948. Although it is recognised that the comprehensive resolution of a serious cyber security incident is likely to take longer than 20 days, this maximum timeframe is intended to reflect the emergency nature of the intervention. This regime is only intended to be used as a last resort to achieve outcomes that are considered necessary in light of the severity of the impact to the nation and for no longer than strictly necessary. It is noted that subsection 35AH(3) requires the Minister to revoke an authorisation if satisfied that it is no longer required, further ensuring that the authorisation does not continue for any longer than necessary. Subsection 35AG(3)-(5)--Fresh Ministerial authorisations 949. Under subsection (3), if a Ministerial authorisation is in force, the SOCI Act does not prevent the Minister from giving a further fresh Ministerial authorisation that is in the same, or substantially the same, terms as the original authorisation and that comes into force immediately after the expiry of the original authorisation. 950. 
In deciding whether to give a fresh Ministerial authorisation in accordance with subsection (3), in addition to the various factors the Minister must be satisfied of in section 35AB, the Minister must also have regard to the number of occasions on which Ministerial authorisations have been made in relation to the incident and the asset (under subsection (4)). Subsection (5) clarifies that subsection (4) does not, however, limit the matters to which the Minister may have regard to in deciding whether to give a fresh Ministerial authorisation. 951. These subsections are intended to allow the Minister, if satisfied that a Ministerial authorisation continues to be required, to make a fresh authorisation. However, in making a further authorisation, the Minister must meet all the requirements that would ordinarily be required in relation to the making of a Ministerial authorisation, in addition to having regard to the extra consideration in subsection (4).
Section 35AH Revocation of Ministerial authorisation

952. New section 35AH of the SOCI Act sets out how a Ministerial authorisation given under subsection 35AB(2) can be revoked.

Subsection 35AH(1)--Scope

953. Subsection (1) provides that section 35AH applies to a Ministerial authorisation that is in force in relation to a cyber security incident and an asset. This is intended to cover all types of Ministerial authorisations that may be given under subsection 35AB(2).

Subsection 35AH(2)--Power to revoke Ministerial authorisation

954. Subsection (2) provides that the Minister may, in writing, revoke a Ministerial authorisation. The revocation must be made in writing, and cannot be done orally.

Subsections 35AH(3)-(4)--Duty to revoke Ministerial authorisation

955. Under subsection (3), if the Minister is satisfied that the Ministerial authorisation is no longer required to respond to the cyber security incident concerned, the Minister must, in writing, revoke the authorisation.

956. Subsection (4) further provides that, if the Secretary is satisfied that the Ministerial authorisation is no longer required to respond to the cyber security incident, the Secretary must notify the Minister that the Secretary is so satisfied, and must do so as soon as practicable after becoming so satisfied. This notification will cause the Minister to reconsider the Ministerial authorisation and, if the Minister is no longer satisfied that it is required, subsection (3) would require it to be revoked.

Subsections 35AH(5)-(7)--Notification of revocation

957. Subsection (5) provides that, if any Ministerial authorisation is revoked, the Minister must give a copy of the revocation to the Secretary, the IGIS and each relevant entity to which the authorisation relates within 48 hours of the revocation.

958. Under subsection (6), if the revocation relates to a critical infrastructure asset, the Minister must also give a copy of the revocation to the responsible entity for the asset. Subsection (7) further provides that, if the revocation relates to a critical infrastructure sector asset that is not a critical infrastructure asset, the Minister must also give a copy of the revocation to the owner or operator of the asset the Minister considers to be most relevant.
Subsection 35AH(8)--Revocation is not a legislative instrument

959. Subsection (8) clarifies that a revocation of a Ministerial authorisation is not a legislative instrument. This is reasonable in these circumstances because:

• the public disclosure of the authorisation may reveal weaknesses or vulnerabilities in critical infrastructure assets that could be exploited by nefarious actors or otherwise cause damage in relation to the asset.

• the authorisation applies the law in a particular circumstance to particular facts, and does not determine or alter the content of the law for the purposes of subsection 8(4) of the Legislation Act.

Subsection 35AH(9)--Application of Acts Interpretation Act 1901

960. Subsection (9) provides that section 35AH does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act to an instrument made under a provision of the SOCI Act (other than Part 3A).

Section 35AJ Minister to exercise powers personally

961. New section 35AJ of the SOCI Act provides that the power of the Minister under Division 2 of Part 3A (in particular under subsection 35AB(2) to give a Ministerial authorisation) may only be exercised by the Minister personally and cannot be delegated on an implied basis, noting that there is no express provision enabling delegation of the Minister's powers in the SOCI Act or included in the Bill. Given the serious nature of the powers in Part 3A, it is reasonable and appropriate to require these powers to be exercised personally by the elected official with responsibility for ensuring the security of Australia's critical infrastructure.

Division 3--Information gathering directions

962. New Division 3 of Part 3A of the SOCI Act provides for the Secretary, when authorised to do so by the Minister, to give directions to entities to provide information to the Secretary.

Section 35AK Information gathering direction

963. New section 35AK of the SOCI Act sets out when the Secretary may give an information gathering direction.

Subsection 35AK(1)--Scope

964. Subsection (1) provides that section 35AK applies if a Ministerial authorisation has been given under paragraphs 35AB(2)(a) or (b) in relation to a cyber security incident and an asset.
Subsections 35AK(2)-(6)--Direction

965. Subsection (2) applies where an entity is a relevant entity for the asset to which the Ministerial authorisation relates and the Secretary has reason to believe that the entity has information that may assist with determining whether a power under this Act should be exercised in relation to the incident and the asset. In these circumstances, the Secretary may direct the entity to:

• give any such information to the Secretary (paragraph (c)), and

• do so within the period, and in the manner, specified in the direction (paragraph (d)).

966. An effective and appropriate response to a serious cyber security incident requires a strong understanding of the nature and extent of the incident, as well as a strong understanding of the circumstances of the asset, including its cyber security maturity, its vulnerabilities and its interdependencies. This information will inform any decisions in relation to further Ministerial authorisations, and be important in ensuring that those Ministerial authorisations are reasonably necessary and proportionate.

967. A direction under subsection (2) may be given under a Ministerial authorisation given under paragraphs 35AB(2)(a) or (b). These types of Ministerial authorisations differ from the other types outlined in paragraphs 35AB(2)(c) to (f). In particular, Ministerial authorisations given under paragraphs 35AB(2)(a) and (b) provide a level of discretion to the Secretary to determine the content of the Secretary's directions under subsection (2), as well as allowing multiple directions to be made, subject to the conditions set out in section 35AK. By comparison, Ministerial authorisations given under paragraphs 35AB(2)(c) to (f) only permit the Secretary to make directions or requests that are explicitly authorised by the Minister.

968. This flexibility in relation to information gathering directions reflects the fact that the directions that can be made under subsection (2) are less invasive than the types of directions that can be given under the Ministerial authorisations to which paragraphs 35AB(2)(c) to (f) relate, and that information gathering can be an iterative process, so administrative flexibility is required to achieve an effective outcome. The information provided in response to one direction may raise the need for further information to be provided, precipitating a further direction to be given by the Secretary under the same Ministerial authorisation. For example, the information may reveal that a particular part of a computer network has been compromised; to assist in determining whether a Ministerial authorisation is required for an action direction, the Secretary first needs to know the purpose and significance of that part of the system and any mitigation measures in place.

969. Under subsection (3), the period specified in the direction under paragraph (2)(d) must end at or before the end of the period for which the Ministerial authorisation is in force--noting that the authorisation can be in force for a specified period not exceeding 20 days (subsection 35AG(2)).

970. Subsections (4) and (5) provide further limitations on the giving of directions under subsection (2). Subsection (4) provides that the Secretary must not give the direction under subsection (2) unless the Secretary is satisfied that the direction is a proportionate means of obtaining the information (paragraph (a)) and that compliance with the direction by the entity is technically feasible (paragraph (b)).

971. The proportionality test at paragraph (4)(a) is intended to ensure the Secretary considers whether the information can be obtained through other, less invasive avenues, and whether the value of the information in assisting with determining whether a power under the Act should be exercised is proportionate to the nature of the request.

972. The requirement for directions to be technically feasible under paragraph (4)(b) is a further limitation on the information gathering directions that can be issued by the Secretary. A direction is technically feasible when the direction relates to a course of action that is reasonably possible to execute, or within the existing capability of the relevant entity. A direction is considered not to be technically feasible if there is no technical capability that could be utilised to produce the outcome that is sought. For example, a direction to produce a data set that does not exist, and cannot technically be generated, would not be regarded as technically feasible.

973. The consultation requirement at subsection (6) ensures that the affected entities are afforded an opportunity to provide meaningful advice and guidance to the Secretary when determining the proportionality and technical feasibility of a direction. However, this consultation requirement does not apply if the delay that would occur in complying with the requirement would frustrate the effectiveness of the direction.

974. In addition, subsection (5) provides a further limitation on the directions that the Secretary can give under this section, to ensure they are reasonable and appropriate. Subsection (5) provides that the Secretary must not give a direction that would require the entity to:

• do an act or thing that would be prohibited by sections 7 or 108 of the Telecommunications (Interception and Access) Act 1979 (the TIA Act) (paragraphs (a) and (b)), or

• do an act or thing that would, disregarding the SOCI Act, be prohibited by sections 276, 277 or 278 of the Telecommunications Act (paragraph (c)).

975. The TIA Act and the Telecommunications Act, respectively, provide specific protections for telecommunications data, including stored communications and data relating to the provision of carriage services, and for that data only to be accessible where the specific authorisation provisions in those Acts are available. The intention of subsection (5) of this section is to ensure that a direction given by the Secretary under subsection (2) does not enable the Secretary to collect such telecommunications data. Should this information be required, the dedicated mechanisms provided in the TIA Act and Telecommunications Act would need to be used. This regime is not to be used as an alternative pathway to access those forms of information.

Subsection 35AK(7)--Other powers not limited

976. Subsection (7) provides that section 35AK does not, by implication, limit a power conferred by another provision of the SOCI Act. This ensures that the other powers in the SOCI Act, such as the Secretary's information gathering powers at existing section 37, are not taken to be limited as a result of this power. It is important to note that the Secretary's powers under section 37 are limited to a reporting entity for, or an operator of, a critical infrastructure asset, while a Ministerial authorisation made under paragraph 35AB(2)(b) may extend to a relevant entity for a critical infrastructure sector asset.

Section 35AL Form of direction

977. New section 35AL of the SOCI Act provides that a direction from the Secretary under section 35AK may be given orally or in writing (see subsection (1)). Under subsection (2), the Secretary must not give a direction orally unless the delay that would result from doing so in writing would frustrate the effectiveness of the direction. Under subsection (3), if the Secretary gives a direction orally, the Secretary must make a written record of the direction and give a copy of the written record to the entity to which the direction relates within 48 hours of the direction being given.

Section 35AM Compliance with an information gathering direction

978. New section 35AM of the SOCI Act requires an entity to comply with a direction given to the entity under section 35AK to the extent that the entity is capable of doing so. That an entity will not be in breach of this obligation if it is not capable of complying is important to accommodate, for example, situations where consultation has not been able to occur (see subsection 35AK(6)) and therefore the entity was not able to inform the Secretary that compliance would not be technically feasible.

979. Breach of this obligation is subject to a civil penalty of up to 150 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance with an information gathering direction. This penalty is commensurate with the penalty for non-compliance with an obligation to comply with directions under the ATSA and MTOFSA. The penalty reflects the importance of enabling government to obtain information relevant to the prevention of, mitigation of or restoration from a serious cyber security incident in a timely and effective manner.
Section 35AN Self-incrimination etc.

980. New section 35AN of the SOCI Act provides that:

• an entity is not excused from giving information under section 35AK (as required under section 35AM) on the ground that the information might tend to incriminate the entity (subsection (1)), and

• if an individual would ordinarily be able to claim the privilege against self-exposure to a penalty in relation to giving information under section 35AK, the individual is not excused from giving information under that section on that ground (subsection (2)).

981. A note to subsection (2) indicates that a body corporate is not entitled to claim the privilege against self-exposure to penalty.

982. This provision highlights the importance of the information being sought in providing the necessary understanding to support Government's decisions as to the actions necessary to respond to a serious cyber security incident. The information is not intended to be used for a compliance purpose (as reflected by section 35AP), and it is crucial that timely and accurate information is provided to prevent further prejudice to Australia's national interests.

Section 35AP Admissibility of information etc.

983. New section 35AP of the SOCI Act limits how information given to the Secretary under a section 35AK direction can be admitted into evidence. This provides important protections for the entity, noting that section 35AN abrogates their ordinary rights in relation to self-incrimination and exposure to penalty. Under this section, such information is not admissible in evidence against an entity:

• in criminal proceedings other than proceedings for an offence against sections 137.1 and 137.2 of the Criminal Code, which relate to providing false and misleading statements and documents to the Commonwealth, that relate to the SOCI Act (paragraph (c)), and

• in civil proceedings other than proceedings for a recovery of a penalty in relation to a contravention of section 35AM (paragraph (d)).

984. When read together, sections 35AN and 35AP facilitate open and transparent information gathering to support the operation of the Part in emergencies, while guaranteeing that the information provided by the entity cannot later be admitted as evidence in a proceeding against the entity except in relation to failing to comply with the direction, or doing so in a false or misleading manner.

985. This provision is important to encourage open and accurate reporting, noting the importance of the information being provided, but it equally balances the impact of new section 35AN to ensure that the information provided is not used against the individual as evidence. This position reflects that this information is not being sought for a compliance purpose but rather to protect critical infrastructure in an emergency.

Division 4--Action directions

986. New Division 4 of Part 3A of the SOCI Act provides for the Secretary, when authorised to do so by the Minister, to give directions to relevant entities to take, or refrain from taking, certain actions in the circumstances outlined below.

Section 35AQ Action direction

987. New section 35AQ of the SOCI Act provides that the Secretary may, pursuant to a Ministerial authorisation, give the relevant entity for a critical infrastructure asset or a critical infrastructure sector asset a direction that directs the entity to do, or refrain from doing, a specified act or thing within the period specified in the direction (see subsection (1)).

988. Under subsection (2), the Secretary must not give a direction under section 35AQ unless the direction:

• is identical to a direction specified in a Ministerial authorisation under paragraphs 35AB(2)(c) or (d) (paragraph (a))

• includes a statement to the effect that the direction is authorised by the Ministerial authorisation (paragraph (b)), and

• specifies the date on which the Ministerial authorisation was given (paragraph (c)).

989. The effect of paragraph 35AQ(2)(a) is that the Secretary actions the direction that is authorised by the Minister.

990. A note to subsection (2) reminds the reader that a Ministerial authorisation must not be given unless, amongst other things, the Minister is satisfied that the direction is reasonably necessary for the purposes of responding to a cyber security incident, as outlined under section 35AB above (see paragraph 35AB(7)(b) in particular).

991. Subsection (3) provides that the period specified in the direction as required under paragraph (2)(c) must end at or before the end of the period for which the Ministerial authorisation is in force--noting that the authorisation can be in force for a period no longer than 20 days under subsection 35AG(2). The intention of this provision is to clarify that a direction authorised under a Ministerial authorisation cannot extend beyond the authorisation itself. This reflects that the direction is the operationalising of the authorisation.
992. Subsection (4) provides that a direction under section 35AQ is subject to such conditions, if any, as are specified in the direction. This provides flexibility and ensures any direction can be narrowed to reflect the unique circumstances of the incident.

993. Under subsection (5), the Secretary must not give a direction under section 35AQ that would require an entity to give information to the Secretary. The more appropriate mechanism to require information to be provided is the information gathering direction under Division 2 of Part 3A of the SOCI Act, as outlined above. That mechanism has been designed for that express purpose and has tailored and proportionate safeguards, and therefore should be the mechanism used to gather information should it be required.

Subsection 35AQ(6)--Other powers not limited

994. Subsection (6) provides that section 35AQ does not, by implication, limit a power conferred by another provision of the SOCI Act.

Section 35AR Form of direction

995. New section 35AR of the SOCI Act provides that a direction given by the Secretary under section 35AQ may be given orally or in writing (subsection (1)). Under subsection (2), the Secretary must not, however, give a direction orally unless the delay that would result from doing so in writing would frustrate the effectiveness of the direction. Under subsection (3), if the Secretary gives a direction orally, the Secretary must make a written record of the direction and give a copy of the written record to the entity to which the direction relates within 48 hours of the direction being given.

Section 35AS Revocation of direction

996. New section 35AS of the SOCI Act sets out how a direction given by the Secretary under section 35AQ is revoked.

Subsection 35AS(1)--Scope

997. Subsection (1) provides that section 35AS applies if a direction is in force under section 35AQ in relation to a Ministerial authorisation (given under paragraphs 35AB(2)(c) or (d)) and the direction was given to a particular entity.

Subsection 35AS(2)--Power to revoke direction

998. Subsection (2) provides that the Secretary may, by written notice given to the entity, revoke the direction. This means that the Secretary may elect to revoke the direction should the Secretary consider that it is no longer appropriate (see in particular subsection 35AS(3)).
Subsection 35AS(3)--Duty to revoke direction

999. Under subsection (3), if the Secretary is satisfied that the direction is no longer required to respond to the cyber security incident to which the Ministerial authorisation relates, the Secretary must, by written notice given to the entity, revoke the direction. This is an important safeguard to ensure that the direction is not in place for any longer than strictly necessary. It also ensures that, should continued engagement with the entity reveal new information which changes the need for the direction, or should the circumstances themselves change so as to render the direction no longer necessary, the Secretary has a duty to revoke the direction. For example, if the direction relates to deleting a computer program and, as a result of unauthorised activity, that program is already deleted, upon learning of this the Secretary may revoke the direction.

Subsection 35AS(4)--Automatic revocation of direction

1000. Subsection (4) provides that, if the Ministerial authorisation ceases to be in force (either by expiration of the duration of the authorisation under subsection 35AG(2) or by revocation under section 35AH), the direction is automatically revoked. As the direction is operationalising the authorisation, the termination of the authorisation appropriately triggers the termination of the direction, to ensure that no unauthorised action occurs.

Subsection 35AS(5)--Application of Acts Interpretation Act 1901

1001. Subsection (5) provides that section 35AS does not, by implication, limit a power conferred by another provision of the SOCI Act.

Section 35AT Compliance with direction

1002. New section 35AT of the SOCI Act provides that an entity commits an offence if all of the following apply:

• the entity is given a direction by the Secretary under section 35AQ (paragraph (a))

• the entity engages in conduct after receiving the direction (paragraph (b)), and

• the entity's conduct breaches the direction (paragraph (c)).

1003. Subsection (1) provides that the offence does not apply if the entity took all reasonable steps to comply with the direction. This is intended to ensure that the entity is not liable for failing to comply with the direction when compliance is not technically possible, for example due to an unforeseen lack of capability, or due to changing circumstances. For example, a direction may provide that the entity must alter the configuration settings on a computer program and, before it can do so, the malicious actor renders the computer on which the program sits inaccessible, making compliance impossible. However, this subsection is not intended to provide an avenue to excuse unwillingness to comply with the direction.

1004. The penalty for this offence is imprisonment for 2 years or 120 penalty units, or both. If the entity who commits the offence is a corporation, the penalty will be 600 penalty units by application of subsection 4B(3) of the Crimes Act 1914 (the Crimes Act). This penalty is a proportionate response based on the nature of the conduct and is designed to deter non-compliance with an action direction. This penalty is commensurate with the offence of obstruction of Commonwealth public officials at section 149.1 of the Criminal Code. This offence has a similar purpose to section 149.1 of the Criminal Code, and the penalty reflects the significance of the circumstances that led to the direction being issued, and the potential prejudice to Australia's national interest should it not be complied with.

Section 35AU Directions prevail over inconsistent critical infrastructure risk management programs

1005. New section 35AU of the SOCI Act provides that, if a critical infrastructure risk management program is applicable to the entity under Part 2A, the program has no effect to the extent to which it is inconsistent with a direction given to the entity by the Secretary under section 35AQ. This provision will ensure that entities in receipt of a direction do not breach their obligation under section 30AD to comply with their critical infrastructure risk management program (see Item 39 of Schedule 1 to the Bill, above). The primacy of the directions reflects that an appropriate response to an emergency may warrant a deviation from standard practice, noting that the objectives of both the directions and the critical infrastructure risk management programs are to ensure the security of the critical infrastructure asset.

Section 35AV Directions prevail over inconsistent obligations

1006. New section 35AV of the SOCI Act provides that, if an obligation under the SOCI Act is applicable to an entity, the obligation has no effect to the extent to which it is inconsistent with a direction given to the entity by the Secretary under section 35AQ. This provision ensures that any action required under section 35AQ takes precedence over any potentially contradictory requirements under other parts of the SOCI framework. The primacy of the directions reflects that an appropriate response to an emergency may warrant a deviation from the other obligations contained in the Act. For example, a direction made by the Secretary under section 35AQ in response to exceptional circumstances may require a departure from the entity's incident response plan, with which it is ordinarily required to comply under section 30CE.
Section 35AW Liability

1007. New section 35AW of the SOCI Act provides that:

• an entity is not liable to an action or other proceedings for damages for or in relation to an act done or omitted in good faith in compliance with a direction given under section 35AQ (subsection (1)), and

• an officer, employee or agent of an entity is not liable to an action or other proceedings for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1) (subsection (2)).

1008. This ensures that relevant entities, when acting in response to a compulsory legal direction, are not subjected to civil liabilities. The absence of such an immunity would result in the entity being forced to choose between complying with the lawful direction or, for example, contractual obligations. Noting that the objectives of the directions are to respond to a serious cyber security incident that poses a material risk of serious prejudice to Australia's national interests, it is important that there are no barriers to the entity complying with such a direction and that they are not penalised for doing so. For example, a direction may require the entity, or its representatives, to temporarily disable customers' access to a particular system because that portal is being exploited by the malicious actor and needs to be reconfigured to uplift its security. Compliance with such a direction may breach contractual arrangements the entity, or its representatives, have with their customers in relation to continuity of service.

Division 5--Intervention requests

1009. New Division 5 of Part 3A of the SOCI Act provides for the Secretary, when authorised to do so by the Minister, to make requests to the chief executive of the authorised agency.

Section 35AX Intervention request

1010. New section 35AX of the SOCI Act empowers the Secretary to give the chief executive of the authorised agency a request that the authorised agency do one or more specified acts or things within the period specified in the request (see subsection (1)). The chief executive of the authorised agency is defined in section 5 to mean the Director-General of ASD.

1011. Subsection (2) provides that the Secretary must not give a request under subsection (1) unless the request:

• is identical to a request specified in a Ministerial authorisation under paragraph 35AB(2)(e) or (f) (paragraph (a))

• includes a statement to the effect that the request is authorised by the Ministerial authorisation (paragraph (b)), and

• specifies the date on which the Ministerial authorisation was given (paragraph (c)).

1012. A note to subsection (2) reminds the reader that a Ministerial authorisation must not be given unless, amongst other things, the Minister is satisfied that the request is reasonably necessary for the purposes of responding to a cyber security incident, as outlined under section 35AB above (see paragraph 35AB(10)(d) in particular).

1013. Subsection (3) provides that the period specified in the request as required under paragraph (2)(c) must end at or before the end of the period for which the Ministerial authorisation is in force--noting that the authorisation can be in force for a period no longer than 20 days under subsection 35AG(2). The intention of this provision is to clarify that a request authorised under a Ministerial authorisation cannot extend beyond the authorisation itself. This reflects that the request is the operationalising of the authorisation.

1014. Subsection (4) provides that a request under section 35AX is subject to such conditions, if any, as are specified in the request. This provides flexibility and ensures any request can be narrowed to reflect the unique circumstances of the incident.

1015. Subsection (5) provides that a request made by the Secretary does not extend to:

• doing an act or thing that would be prohibited by sections 7 or 108 of the Telecommunications (Interception and Access) Act 1979 (the TIA Act) (paragraphs (a) and (b)), or

• doing an act or thing that would, disregarding the SOCI Act, be prohibited by sections 276, 277 or 278 of the Telecommunications Act (paragraph (c)).

1016. The TIA Act and the Telecommunications Act, respectively, provide specific protections for telecommunications data, including stored communications and data relating to the provision of carriage services, and for that data only to be accessible where the specific authorisation provisions in those Acts are available. The intention of subsection (5) of this section is to ensure that a request given by the Secretary under subsection (2) does not enable the authorised agency to collect such telecommunications data. Should this information be required, the dedicated mechanisms provided in the TIA Act and Telecommunications Act would need to be used. This regime is not to be used as an alternative pathway to access those forms of information.

Subsection 35AX(6)--Other powers not limited

1017. Subsection (6) provides that section 35AX does not, by implication, limit a power conferred by another provision of the SOCI Act.


Section 35AY Form and notification of request

1018. New section 35AY of the SOCI Act provides that a request under section 35AX may be given orally or in writing (see subsection (1)). The Secretary must not, however, give a section 35AX request orally unless the delay that would result from doing so in writing would frustrate the effectiveness of the request (subsection (2)). Under subsection (3), if the Secretary gives a request orally, the Secretary must make a written record of the request and give a copy of the written record of the request to the chief executive of the authorised agency within 48 hours of the request being given.

Subsections 35AY(3)-(5)--Notification of requests given orally

1019. Subsection (3) requires the Secretary, if a request is given orally, to make a written record of the request and give a copy of the written record of the request to the chief executive of the authorised agency within 48 hours of giving the request.

1020. If a request is given orally in relation to a critical infrastructure asset, under subsection (4), the Secretary must give a written record of the request to the responsible entity for that asset within 48 hours of giving the request. Alternatively, under subsection (5), if a request is given orally in relation to a critical infrastructure sector asset that is not a critical infrastructure asset, the Secretary must also give a written record of the request to the owner/s or operator/s of that asset that the Secretary considers to be most relevant to the request. These obligations will ensure that affected entities have sufficient visibility of the exact scope of the request. Should the entity consider that the approved staff member of the authorised agency, when acting in response to the request, exceeds the scope of the request, the entity will be able to make a complaint to the Inspector-General of Intelligence and Security.

Subsections 35AY(6)-(8)--Notification of requests given in writing

1021. Subsection (6) requires the Secretary to provide a copy of a written request under section 35AX to the chief executive of the authorised agency within 48 hours of making the request.

1022. If a request is given in writing in relation to a critical infrastructure asset, under subsection (7), the Secretary must give a written record of the request to the responsible entity for that asset within 48 hours. In addition, under subsection (8), if a request is given in relation to a critical infrastructure sector asset that is not a critical infrastructure asset, the Secretary must give a written record of the request to the owner/s or operator/s of that asset that the Secretary considers to be most relevant to the request within 48 hours.

Section 35AZ Compliance with request

1023. New section 35AZ of the SOCI Act is intended to clarify that the authorised agency is authorised to do an act or thing in compliance with a request under section 35AX (see subsection (1)). This provision clarifies that the authorised agency has lawful authority to do acts or things in compliance with a request.

1024. Subsection (2) is a deeming provision, which provides that an act or thing done by the authorised agency in compliance with a request under section 35AX is taken to be done in the performance of the function conferred on the authorised agency by paragraph 7(1)(f) of the Intelligence Services Act, which provides that it is a function of ASD to cooperate with and assist bodies referred to in section 13A in accordance with that section.

1025. Section 13A of the Intelligence Services Act provides that an agency governed by the Act may cooperate with and assist the bodies listed in subsection 13A(1) in the performance of their functions, subject to any arrangements made or directions given by the responsible Minister for that agency (paragraph 13A(2)(a)) and upon request from the head of the body (paragraph 13A(2)(b)). Paragraph 13A(1)(c) lists a Commonwealth authority, or a State authority, that is prescribed by the regulations for the purpose of that paragraph as a body that an agency may cooperate with and assist. It is intended that the Home Affairs Department, being the Department administered by the Minister administering the SOCI Act, will be prescribed in regulations on or before the commencement of the Bill--meaning that it is possible for ASD to have the function of cooperating with and assisting ASD.

1026. The effect of subsection (2) is that any activities done by ASD in relation to a request from the Secretary under section 35AX will be within the existing functions of ASD for the purposes of the Intelligence Services Act.

Section 35BA Revocation of request

1027. New section 35BA of the SOCI Act sets out the circumstances in which a request under section 35AX is revoked.

Subsection 35BA(1)--Scope

1028. Subsection (1) provides that section 35BA applies if a request is in force under section 35AX in relation to a Ministerial authorisation (given under paragraphs 35AB(2)(e) or (f)).

Subsection 35BA(2)--Power to revoke request

1029. Subsection (2) provides that the Secretary may, by written notice given to the chief executive of the authorised agency, revoke the request.

Subsection 35BA(3)--Duty to revoke request

1030. Under subsection (3), if the Secretary is satisfied that the request is no longer required to respond to the cyber security incident to which the Ministerial authorisation relates, the Secretary must, by written notice given to the entity, revoke the request.


1031. Under subsection (3), if the Secretary is satisfied that the request is no longer required to respond to the cyber security incident to which the Ministerial authorisation relates, the Secretary must, by written notice given to the chief executive of the authorised agency, revoke the request. This is an important safeguard to ensure that the request is not in place for any longer than strictly necessary. It also ensures that, should continued engagement with the entity reveal new information which changes the need for the request, or should the circumstances themselves change such that the direction is no longer necessary, the Secretary has a duty to revoke the request. For example, if the entity advises, and the Secretary is satisfied, that the entity has been able to take all reasonably necessary steps to respond to the incident, the Secretary must revoke the request.

Subsection 35BA(4)--Automatic revocation of direction

1032. Subsection (4) provides that, if the Ministerial authorisation ceases to be in force (either by expiration of the duration of the authorisation under subsection 35AG(2) or revocation under section 35AH), the request is automatically revoked. As the request is operationalising the authorisation, the termination of the authorisation appropriately triggers the termination of the request to ensure that no unauthorised actions occur.

Subsection 35BA(5)--Notification of revocation of request

1033. Under subsection (5), if a request under section 35AX is revoked by the Secretary, the Secretary must give a copy of the revocation to the chief executive of the authorised agency and each relevant entity for the asset as soon as practicable after the revocation.

Subsection 35BA(6)--Application of Acts Interpretation Act 1901

1034. Subsection (6) provides that section 35BA does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901, other than a provision under Part 3A of the SOCI Act.

Section 35BB Relevant entity to assist the authorised agency

1035. New section 35BB of the SOCI Act makes it a requirement for an entity to assist the authorised agency for the purposes of complying with the request made by the Secretary under section 35AX.

1036. Under subsection (1), if a request under section 35AX is in force in relation to a critical infrastructure asset or a critical infrastructure sector asset and the entity is a relevant entity for the asset, then an approved staff member of the authorised agency may require the entity to:
• provide the approved staff member with access to the premises for the purpose of the authorised agency complying with the request (paragraph (c)), or
• provide the authorised agency with specified information or assistance that is reasonably necessary to allow the authorised agency to comply with the request (paragraph (d)).

1037. Paragraph (1)(c) is intended to ensure that the cooperation of the entity is sought to facilitate access to the premises as required to comply with the request, for example, prior to any force being used.

1038. Paragraph (1)(d) is required to ensure that the authorised agency can obtain any necessary incidental information and assistance to assist them in complying with the request. This is crucial to prevent any unintended consequences that may otherwise occur which would be contrary to the purpose of the request. In taking the actions set out in the request, the authorised agency may need to seek the assistance of the entity to understand the most effective and appropriate way to, for example, execute a computer program or locate the relevant data. This will protect the entity from unintended consequences or unnecessary actions. The information and assistance that can be requested must be reasonably necessary to comply with the request, ensuring that this obligation is strictly limited to facilitating compliance and cannot be used for any alternative purposes.

1039. A note to subsection (1) directs the reader of the legislation to also see section 149.1 of the Criminal Code, which deals with obstructing and hindering Commonwealth public officials, which includes approved staff members of the authorised agency. Failing to comply with a requirement under this section may amount to a criminal offence under that provision of the Criminal Code.

1040. Subsection (2) provides that a staff member of the authorised agency cannot require the entity to provide the approved staff member with access to premises under paragraph (1)(c) where the premises is used solely or primarily as a residence. This limitation is intended to ensure no undue invasion of personal privacy. Should these powers be required to be used, the focus is likely to be on the premises of large corporate entities where the relevant asset is located.

1041. Subsection (3) provides that an entity must comply with a requirement under subsection (1). Breach of this obligation is subject to a civil penalty of up to 150 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance with a requirement for an entity to assist an authorised agency to do an act or thing in compliance with an intervention request. The penalty reflects the significance of the circumstances that led to the request being made, and the potential prejudice to Australia's national interest should the entity not provide the necessary incidental assistance to the authorised agency to allow for the request to be complied with.

1042. Subsection (4) provides that an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with subsection (1).


1043. Subsection (5) provides that an officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (4).

1044. These protections ensure that the entity, and its officers, employees or agents, are able to fully cooperate with the approved staff member in responding to the incident.

Section 35BC Constable may assist the authorised agency

1045. New section 35BC of the SOCI Act provides that, if an entity refuses or fails to provide a staff member of the authorised agency with access to premises when required to do so under subsection 35BB(1), then:
• the approved staff member may enter the premises for the purpose of the authorised agency complying with the relevant section 35AX request (paragraph (1)(a)), and
• a constable may assist the approved staff member in gaining access to the premises using reasonable force against property (subparagraph (1)(b)(i)) and, if necessary to assist, enter the premises (subparagraph (1)(b)(ii)).

1046. Subsection (2) provides that, if an approved staff member of the authorised agency has entered premises for the purpose of complying with a request under section 35AX, a constable may:
• assist the authorised agency in complying with the request by using reasonable force against property located on the premises (paragraph (a)), and
• enter the premises for this purpose (paragraph (b)).

1047. Constable is defined to have the same meaning given by the Crimes Act. This means that a member or special member of the Australian Federal Police, or a member of a police force of a State or Territory, is able to use force to enter premises in limited circumstances, or to assist the authorised agency in complying with the section 35AX request, under these provisions. Constables are trained in the use of force against property and are subject to various oversight regimes; for example, the Australian Federal Police is subject to oversight by the Commonwealth Ombudsman. An entity will be permitted to make a complaint to the Commonwealth Ombudsman in relation to any concerns with the operation of the powers.

1048. It is reasonable and proportionate to permit a constable to use force for the express and strictly limited purpose of assisting the authorised agency with fulfilling an intervention request, noting the likely ramification to Australia's national interest if the cyber security incident is not addressed. The constable would be permitted to use force against (for example) a locked door to a room that an authorised officer requires access to in order to comply with the request from the Secretary, where the relevant entity is refusing to provide the necessary assistance. Read together with section 35BB, the use of force against property is intended to be used as a last resort, when strictly necessary, to implement the request. The significance of this further justifies the need for the Prime Minister and Defence Minister to agree to the giving of a relevant Ministerial authorisation.

1049. Nevertheless, section 35BE clarifies that the use of force against a person by a constable or a staff member of the authorised agency is not authorised under this regime. This, however, would not exclude a police officer using force to arrest a person, under powers derived from other Commonwealth laws, who is obstructing a Commonwealth official in the performance of their functions (an offence under section 149.1 of the Criminal Code).

Section 35BD Removal and return of computers etc.

1050. New section 35BD of the SOCI Act sets out obligations on approved staff members of the authorised agency to remove and return computers. This is an important provision in ensuring that the asset, and its components, are reinstated as soon as practicable and to the extent possible, to minimise any unnecessary impact of the exercise of the powers.

Subsections 35BD(1)-(2)--Removal of computers etc.

1051. The connection of computers or other devices, such as those of the authorised agency, may be necessary to comply with a request under section 35AX, for example, to undertake an analysis of a system onsite using specialised software. Subsection (1) provides that, if the authorised agency adds or connects a computer or device to a computer network and, whilst the relevant section 35AX request is in force, a staff member of the authorised agency forms a reasonable belief that the computer or device is no longer required to comply with the request, then the authorised agency must remove or disconnect the computer or device as soon as practicable. This ensures that the intervention continues for no longer than is strictly necessary to comply with the request.

1052. Under subsection (2), the obligation to remove a computer or device as soon as practicable also applies in circumstances where the request under section 35AX ceases to be in force--such as where the request expires or is revoked by the Secretary under section 35BA.

Subsections 35BD(3)-(4)--Return of computers etc.

1053. The removal of computers may be necessary to comply with a request under section 35AX, for example, in instances where the authorised agency requires the use of specialised equipment located off-site to undertake the requested analysis.

1054. Subsection (3) provides that, if the authorised agency removes a computer or device and, whilst the relevant section 35AX request is in force, an approved staff member of the authorised agency forms a reasonable belief that the removal of the computer or device is no longer required to comply with the request, then the authorised agency must return the computer or device as soon as practicable. This ensures that the intervention continues for no longer than is strictly necessary to comply with the request.

1055. Under subsection (4), the obligation to return a computer or device as soon as practicable also applies in circumstances where the request under section 35AX ceases to be in force--such as where the request expires or is revoked by the Secretary under section 35BA.

Section 35BE Use of force against an individual not authorised

1056. New section 35BE outlines that nothing in Division 5 of Part 3A of the SOCI Act (in particular, but not limited to, section 35BC) authorises the use of force against an individual. This is an important clarifying provision to ensure that, despite the importance of the powers being exercised, the use of force against a person is not justified under this regime, noting its focus is on resolving cyber security incidents. This does not limit the use of force against a person being used concurrently when authorised under another law of the Commonwealth.

Section 35BF Liability

1057. New section 35BF of the SOCI Act provides that the chief executive of the authorised agency, an approved staff member of the authorised agency or a constable is not liable to an action or other proceeding (whether civil or criminal) for, or in relation to, an act or matter done or omitted to be done in the exercise of any power or authority conferred by Division 5 of Part 3A of the SOCI Act. That is, the agency, staff member or constable is immune from liability when acting with lawful authority, providing the requisite legal certainty for those officers to take the necessary steps to comply with the request and protect Australia's national interests.

1058. This immunity provision is reasonable and proportionate noting the various safeguards in place to ensure that actions or things lawfully authorised to be done or omitted under the Division are strictly limited, justified in the context of the cyber security incident and its impacts, and otherwise appropriate in all the circumstances. Further, the oversight arrangements in place under the respective regimes of the Inspector-General of Intelligence and Security and Commonwealth Ombudsman will ensure any misuse of the powers is identified and addressed.

Section 35BG Evidentiary certificates

1059. New section 35BG of the SOCI Act provides that the Inspector-General of Intelligence and Security may issue a written certificate setting out any facts relevant to the question of whether anything done, or omitted to be done, by the authorised agency, or an approved staff member of the authorised agency, was done, or omitted to be done, in the exercise of any power or authority conferred by the Division. For example, the evidentiary certificate may go to whether the execution of a computer program in a particular manner was in compliance with a request from the Secretary, and therefore authorised to occur. This is likely to rely on a strong understanding of technical matters, in which the Inspector-General of Intelligence and Security is well versed.

1060. Subsection (2) provides that a certificate under subsection (1) is admissible in evidence in any proceedings as prima facie evidence of the matters stated in the certificate.

1061. Evidentiary certificates are intended to streamline the court process by reducing the need to contact numerous officers and experts to give evidence. Evidentiary certificates also assist with maintaining the confidentiality of the sensitive methodologies and capability of the authorised agency. In this circumstance the matters it can be expected to cover are technical and non-controversial matters.

Section 35BH Chief executive of the authorised agency to report to the Defence Minister and the Minister

1062. New section 35BH of the SOCI Act sets out requirements for the chief executive of the authorised agency to report on any activities undertaken under Division 5 of Part 3A of the SOCI Act.

1063. This section establishes a requirement for the authorised agency to prepare a post-activity report that is to be provided to the Defence Minister, as Minister responsible for the authorised agency, and the Minister for Home Affairs, as the Minister responsible for the security of critical infrastructure and who authorised the request. This obligation is to ensure the relevant Ministers have visibility of the actions that were taken and how they contributed to an effective response. This will assist the Government in monitoring the use of these powers, and also support future decision making in similar circumstances.

1064. Subsection (1) applies where the Secretary has given a request to the chief executive under section 35AX, that was authorised by a Ministerial authorisation given under paragraphs 35AB(2)(e) or (f), and the authorised agency does one or more acts or things in compliance with the request--as specified in the Ministerial authorisation and listed in section 35AC.

1065. If subsection (1) applies, the chief executive of the authorised agency must:
• prepare a written report that sets out details of the acts or things done and explains the extent to which doing those acts or things has amounted to an effective response to the cyber security incident concerned (paragraph (c)), and
• give a copy of the report to the Defence Minister and Minister for Home Affairs (paragraphs (d) and (e)).


1066. Subsection (2) requires the chief executive of the authorised agency to comply with the obligations under subsection (1) as soon as practicable after the end of the period specified in the section 35AX request and, in any event, within 3 months after the end of that period. This means that the report described in paragraph (1)(c) must be prepared and given to the respective Ministers no later than 3 months after the end of the period specified by the Secretary in the section 35AX request.

Section 35BJ Approved staff members of the authorised agency

1067. Subsection (1) provides that the chief executive of the authorised agency may, in writing, declare that a specified staff member of the authorised agency is an approved staff member of the authorised agency for the purposes of this Act. Subsection (2) provides that subsection (1) is not a legislative instrument.

Item 46 Section 36 (paragraph beginning "information")

1068. Item 46 of Schedule 1 to the Bill repeals the second paragraph in section 36 of the SOCI Act, which is a simplified outline of Part 4 of that Act. The paragraph to be repealed currently provides an overview of what is 'protected information'. The amendments will remove the explanation of protected information and will instead, as explained in item 47 below, make reference to the defined term in section 5 of the Act. As a result, the second paragraph of the simplified outline is no longer required.

Item 47 At the end of section 36

1069. Item 47 of Schedule 1 to the Bill inserts a note at the end of the simplified outline. The note makes reference to 'protected information' being a term that is defined in section 5 of the Act. This supports the removal of the paragraph in Item 46 as outlined above.

Item 48 Subparagraph 42(2)(a)(viii)

1070. Subsection 42(2) of the SOCI Act provides that the Secretary may, in certain circumstances, disclose protected information to the persons listed in that subsection. Subparagraph 42(2)(a)(viii) currently provides that the Secretary may disclose protected information to the Commonwealth Minister who has responsibility for the regulation or oversight of the relevant industry for the critical infrastructure asset to which the protected information relates. The definition of 'relevant industry' is being repealed by the Bill, and replaced by the concept of 'critical infrastructure sector'. Item 48 of Schedule 1 to the Bill makes the amendments necessary to reflect this change in terminology.

Item 49 Paragraph 42(2)(b)

1071. Subsection 42(2) of the SOCI Act provides that the Secretary may, in certain circumstances, disclose protected information to the persons listed in that subsection. Paragraph 42(2)(b) currently provides that the Secretary may disclose protected information to the State or Territory Minister who has responsibility for the regulation or oversight of the relevant industry for the critical infrastructure asset to which the protected information relates. The definition of 'relevant industry' is being repealed by the Bill, and replaced by the concept of 'critical infrastructure sector'. Item 49 of Schedule 1 to the Bill makes the amendments necessary to reflect this change in terminology.

Item 50 After section 43

1072. Item 50 of Schedule 1 to the Bill inserts new sections 43A, 43B, 43C and 43D into the SOCI Act, which authorise the use and disclosure of 'protected information' to particular specified bodies. The definition of protected information in section 5 has been expanded (as outlined in Item 11 of Schedule 1 to the Bill above) to capture the additional types of sensitive information that may be generated under the SOCI Act. In light of this expansion, and the related provisions, additional permitted information use and disclosure circumstances are required.

1073. Section 43A provides that the Secretary may disclose protected information to an IGIS official for the purposes of exercising powers, or performing duties or functions, as an IGIS official, and make a record of or use protected information for the purpose of that disclosure. This provides an authorisation for the purposes of excluding the application of the offence in section 45 of the SOCI Act.

1074. Sections 43B and 43C provide that the Inspector-General of Intelligence and Security and Ombudsman are permitted to share with one another information and documents that are protected information to facilitate their oversight function, particularly in relation to their duties under the SOCI Act. This provides an authorisation for the purposes of excluding the application of the offence in section 45 of the SOCI Act. Importantly, an entity that is subject to a direction, or to whom an intervention request relates, will be permitted to make a complaint to either of these oversight bodies, as relevant.

1075. Section 43D allows ASD to use information or documents that are protected information in the performance of their functions as set out in section 7 of the Intelligence Services Act. This authorisation reflects the additional role of ASD in relation to the security of critical infrastructure, including being the recipient agency for reports provided under new Part 2B and Division 5 of Part 2C. These obligations are being introduced to assist in providing ASD with an enhanced awareness of the cyber threat environment, in particular as it relates to critical infrastructure, to allow it to perform its functions, which notably include providing advice and other assistance relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means (paragraph 7(1)(ca) of the Intelligence Services Act).

1076. This aligns with the existing use and disclosure regime under the SOCI Act, which currently permits the Secretary for Home Affairs to share protected information with law enforcement and national security agencies and officers of those agencies in circumstances where the information would assist the agency or officer to exercise their powers, functions or duties (as provided at existing subsection 42(2)). The Secretary can also disclose protected information to an enforcement body (within the meaning of the Privacy Act) if the Secretary believes it is reasonably necessary for one or more enforcement related activities (within the meaning of that Act) conducted by or on behalf of the enforcement body (see existing section 43).

Section 43A Authorised disclosure to IGIS official

1077. New section 43A of the SOCI Act provides that the Secretary may disclose protected information to an IGIS official for the purposes of exercising powers, or performing duties or functions, as an IGIS official, and make a record of or use protected information for the purpose of that disclosure.

1078. The effect of this section is that the Secretary does not commit the offence in section 45 of the SOCI Act when disclosing information to an IGIS official.

1079. A note to the provision clarifies that this section is an authorisation for the purposes of other laws, including the Australian Privacy Principles. Relevantly, Australian Privacy Principle 6.2 provides that the disclosure of personal information is permitted where the disclosure is required or authorised by or under an Australian law.

Section 43B Authorised use and disclosure--Ombudsman official

1080. New section 43B of the SOCI Act provides that protected information may be disclosed by an Ombudsman official to an IGIS official for the purpose of the IGIS official exercising their powers or performing their functions or duties as an IGIS official.

1081. The effect of this section is that an Ombudsman official does not commit the offence in section 45 of the SOCI Act when disclosing information to an IGIS official.

1082. A note to the provision clarifies that this section is an authorisation for the purposes of other laws, including the Australian Privacy Principles. Relevantly, Australian Privacy Principle 6.2 provides that the disclosure of personal information is permitted where the disclosure is required or authorised by or under an Australian law.

Section 43C Authorised use and disclosure--IGIS official

1083. New section 43C of the SOCI Act provides that protected information may be disclosed by an IGIS official to an Ombudsman official for the purpose of the Ombudsman official exercising their powers or performing their functions or duties as an Ombudsman official.

1084. The effect of this section is that an IGIS official does not commit the offence in section 45 of the SOCI Act when disclosing information to an Ombudsman official.


1085. A note to the provision clarifies that this section is an authorisation for the purposes of other laws, including the Australian Privacy Principles. Relevantly, Australian Privacy Principle 6.2 provides that the disclosure of personal information is permitted where the disclosure is required or authorised by or under an Australian law.

Section 43D Authorised use and disclosure--ASD

1086. New section 43D of the SOCI Act provides that the Director-General of ASD or a staff member of ASD may make a record of, use or disclose protected information for the purposes of the performance of the functions of ASD set out in section 7 of the Intelligence Services Act.

1087. The effect of this section is that the Director-General, or a staff member, of ASD does not commit the offence in section 45 of the SOCI Act when making a record of, using or disclosing protected information in the performance of ASD's functions.

1088. A note to the provision clarifies that this section is an authorisation for the purposes of other laws, including the Australian Privacy Principles. Relevantly, Australian Privacy Principle 6.2 provides that the disclosure of personal information is permitted where the disclosure is required or authorised by or under an Australian law.

Item 51 Paragraph 45(1)(a)

1089. Section 45 of the SOCI Act creates an offence for an entity to make a record of, disclose or use protected information without being appropriately authorised or required to do so, noting the sensitivities associated with that information. Paragraph 45(1)(a) currently provides that the offence applies where an entity obtains protected information.

1090. Item 51 of Schedule 1 to the Bill amends this paragraph to provide two subparagraphs covering obtaining information (as covered by existing paragraph (a)) and the generation of information for the purposes of complying with the SOCI Act. This additional subparagraph is intended to capture the range of circumstances where, under the amendments made by this Bill, an entity is required to generate certain information that is sensitive and would be regarded as protected information. For example, an entity may be required to generate a vulnerability assessment report under new Division 4 of Part 2C which, following these amendments, would be protected information and subject to the information use and disclosure provisions contained in Division 3 of Part 4 of the SOCI Act.

1091. This amended offence provision should be read together with the various provisions which authorise use and disclosure, or provide exceptions to the offence, which ensure that the entity or other bodies are not impeded in using the protected information for a legitimate purpose or in a manner appropriate in light of the sensitivities associated with the information.


Item 52 Paragraph 45(1)(d)

1092. Item 52 of Schedule 1 to the Bill amends paragraph 45(1)(d) of the SOCI Act to provide that an entity that is required under a 'notification provision' to make a record of, disclose or otherwise use protected information will not be committing the section 45 offence. 'Notification provision' is newly defined in section 5 to include the two existing provisions currently captured in paragraph 45(1)(d) (subsections 51(3) and 52(4)) as well as a further 17 specific provisions being inserted by the Bill (see Item 7 of Schedule 1 to the Bill, above) which require the disclosure etc. of protected information.

Item 53 Paragraph 46(1)(a)

1093. Section 46 of the SOCI Act lists exceptions to the secrecy offence in section 45. Those exceptions currently include where the making of the record, disclosure or use of the record is required or authorised by a law of the Commonwealth, other than Subdivision A or subsections 51(3) or 52(4), under paragraph 46(1)(a).

1094. Item 53 of Schedule 1 to the Bill amends the de-confliction provision in paragraph 46(1)(d) of the SOCI Act to replace the reference to subsections 51(3) and 52(4) with a reference to 'a notification provision'. As outlined under Item 52 above, this definition includes those subsections as well as a further 17 specific provisions being inserted by the Bill which may require the disclosure etc. of protected information.

Item 53A Subsection 46(2)

1095. Section 46 provides that the offence in section 45 does not apply if required or authorised by certain laws. Subsection 46(2) provides that, for the purposes of subsection (1), the Corporations Act (except a provision of that Act prescribed by the rules) or a law, or a provision of a law, of the Commonwealth prescribed by the rules, are taken not to require or authorise the making of a record, or the disclosure, of the fact that an asset is declared under section 51 to be a critical infrastructure asset.

1096. Item 53A of Schedule 1 to the Bill amends subsection 46(2) to add the fact that an asset is declared under section 52B to be a system of national significance as a further exception. This reflects that, similarly to declarations made under section 51, the fact that an asset is a system of national significance may pose risks to the security of the asset.

Item 54 Subsection 46(3)

1097. Subsection 46(3) of the SOCI Act provides a further exception to the secrecy offence in section 45. Relevantly, under that subsection, section 45 does not apply to an entity when acting in good faith in purported compliance with subsections 51(3) or 52(4). Item 54 of Schedule 1 to the Bill amends paragraph 46(1)(d) of the SOCI Act to replace the reference to subsections 51(3) and 52(4) with a reference to 'a notification provision'. As outlined under Item 52 above, this definition includes those subsections as well as a further 17 specific provisions being inserted by the Bill which may require the disclosure etc. of protected information.

Item 54A Section 47

1098. Item 54A of Schedule 1 to the Bill omits the words 'Except where it is necessary to do so for the purposes of giving effect to this Act, an entity is not', and substitutes them with '(1) An entity is not (subject to subsection (2))'. This amendment rephrases the section to accommodate item 54B of Schedule 1 to the Bill (discussed below).

Item 54B At the end of section 47

1099. Item 54A of Schedule 1 to the Bill adds subsection (2) to section 47 which provides that subsection (1) does not prevent an entity from being required to disclose protected information, or to produce a document containing protected information, if it is necessary to do so for the purposes of giving effect to any of the following:

• the SOCI Act;
• the Inspector-General of Intelligence and Security Act 1986 (IGIS Act), or any other Act that confers functions, powers or duties on the Inspector-General of Intelligence and Security; or
• a legislative instrument made under either the SOCI Act or the IGIS Act.

1100. The effect of this amendment is to extend that exception to also apply when it is necessary to disclose or produce protected information for the purposes of the IGIS Act, or any other Act conferring functions, powers or duties on the IGIS, or for the purposes of an instrument made under one of those Acts, or under the SOCI Act.

1101. The extension of this exception is intended to ensure that the IGIS is able to compel access to information that may be relevant to an inquiry despite the protection against disclosure provided by section 47.

1102. The amendment would clarify that information and records can be shared with IGIS officials for the purpose of the IGIS performing oversight functions. This is necessary to support the IGIS's oversight functions by ensuring they have full access to all relevant information.

Item 55 At the end of section 48

1103. Section 48 contains a simplified outline of Part 5 of the SOCI Act. Item 55 of Schedule 1 to the Bill inserts additional material into the simplified outline to take into account the additional provisions being inserted in Items 56 and 57 of Schedule 1 to the Bill, as outlined below.


Item 56 Subsections 49(2) and (3)

1104. The Regulatory Powers Act provides for a standard suite of provisions in relation to monitoring and investigation powers, as well as civil penalties, infringement notices, enforceable undertakings and injunctions.

1105. The standard provisions of the Regulatory Powers Act are an accepted baseline of powers required for an effective monitoring, investigation or enforcement regulatory regime, providing adequate safeguards and protecting important common law privileges.

1106. Item 56 of Schedule 1 to the Bill repeals and replaces subsections 49(2) and (3) of the Bill, to provide for the effective operation of those Parts of the Regulatory Powers Act that are currently triggered by the SOCI Act, as outlined below.

Subsections 49(2)-(3)--Authorised applicant

1107. Subsection 49(2) of the SOCI Act currently provides that, for the purposes of Part 4 of the Regulatory Powers Act and as that Part applies to civil penalty provisions, the 'authorised applicant' is the Minister and the Secretary. New subsection (2) provides that the Secretary and a person appointed under new subsection (3) are an authorised applicant. This allows the enforcement and compliance powers to be vested with another agency or body should they regulate compliance with certain measures under the SOCI Act.

1108. The Secretary is empowered, under new subsection (3), to appoint a person to be an authorised applicant where the person is:

• the chief executive officer (however described) of a relevant Commonwealth regulator (paragraph (a))
• an SES, or acting SES, employee of the Department or a relevant Commonwealth regulator (paragraph (b)), or
• a person that holds or is acting in a position within a relevant Commonwealth regulator that is equivalent to, or higher than, an SES employee (paragraph (c)).

1109. A note to subsection (3) outlines that the terms 'SES employee' and 'acting SES employee' are defined in section 2B of the Acts Interpretation Act.

1110. This provision will ensure that the Secretary, along with any specified relevant Commonwealth regulator, and officers of an appropriate seniority within their organisations, are empowered to exercise the relevant powers under Part 4 of the Regulatory Powers Act. Most relevantly, this includes applying to a court for an order that a person, who is alleged to have contravened a civil penalty provision, pay the Commonwealth a pecuniary penalty. A body or Department may be prescribed in the rules as a relevant Commonwealth regulator for the purposes of the SOCI Act where, following consultation with the relevant Minister, it has been determined that they are well-positioned to manage the oversight of the regime in relation to a particular sector. This provision will ensure that such regulators, alongside the Secretary, can effectively fulfil this oversight function.

Subsections 49(3A)-(3B)--Authorised person

1111. Subsection 49(3) of the SOCI Act currently provides that the Minister and the Secretary are an 'authorised person' for the purposes of Parts 6 and 7 of the Regulatory Powers Act, as those Parts apply to civil penalty provisions. New subsection (3A) provides that the Secretary and a person appointed under new subsection (3B) are an authorised applicant. This allows the enforcement and compliance powers to be vested with another agency or body should they regulate compliance with certain measures under the SOCI Act.

1112. The Secretary is empowered, under new subsection (3B), to appoint a person to be an authorised applicant where the person is:

• the chief executive officer (however described) of a relevant Commonwealth regulator (paragraph (a))
• an SES, or acting SES, employee of the Department or a relevant Commonwealth regulator (paragraph (b)), or
• a person that holds or is acting in a position within a relevant Commonwealth regulator that is equivalent to, or higher than, an SES employee (paragraph (c)).

1113. A note to subsection (3B) outlines that the terms 'SES employee' and 'acting SES employee' are defined in section 2B of the Acts Interpretation Act.

Item 57 At the end of Part 5

1114. Item 57 of Schedule 1 to the Bill inserts new Divisions 3 and 4 into Part 5 of the SOCI Act, to trigger the exercise of additional powers under the Regulatory Powers Act. Division 3 of Part 5 triggers the monitoring and investigation powers available under Parts 2 and 3 respectively of the Regulatory Powers Act. Division 4 of Part 5 triggers the availability of infringement notices under Part 5 of the Regulatory Powers Act.

Division 3--Monitoring and investigation powers

Section 49A Monitoring powers

1115. New section 49A of the SOCI Act will trigger the availability of monitoring powers under Part 2 of the Regulatory Powers Act. Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the provisions of an Act or a legislative instrument have been, or are being, complied with. A simplified outline of that Part can be found in section 6 of the Regulatory Powers Act.

1116. Noting the additional obligations being introduced into the SOCI Act, it is important that the Secretary, or any relevant Commonwealth regulator, has appropriate powers to monitor compliance with the regime to ensure its effectiveness in achieving the required security objectives. The triggering of the monitoring powers under the Regulatory Powers Act will give these regulators the accepted baseline of monitoring powers required to effectively fulfil their role.

1117. Division 1 of Part 2 of the Regulatory Powers Act contains a number of provisions that need to be addressed in the SOCI Act for the monitoring powers to apply. For example, under subsection 11(1) of the Regulatory Powers Act a person is only an authorised applicant if 'an Act provides that the person is an authorised applicant'. This means that, for any person to act as an authorised applicant for the purposes of the monitoring powers set out in the Regulatory Powers Act, the SOCI Act is required to make provision for who is an authorised applicant.

Subsection 49A(1)--Provisions subject to monitoring

1118. Subsection (1) provides that a provision is subject to the monitoring powers in Part 2 of the Regulatory Powers Act if it is an offence against section 35AT or section 45 of the SOCI Act (paragraph (a)), or if it is a civil penalty provision of the SOCI Act (paragraph (b)). This satisfies the requirement under section 8 of the Regulatory Powers Act that an Act, in this case the SOCI Act, must specifically make a provision subject to the monitoring powers in Part 2 of the Regulatory Powers Act.

Subsection 49A(2)--Information subject to monitoring

1119. Subsection (2) provides that information given in compliance or purported compliance with this Act is subject to the monitoring powers in Part 2 of the Regulatory Powers Act. This satisfies the requirement under section 9 of the Regulatory Powers Act that an Act, in this case the SOCI Act, must specifically make information subject to the monitoring powers in Part 2 of the Regulatory Powers Act.

Subsections 49A(3)-(4)--Authorised applicant

1120. Subsection (3) provides that a person appointed by the Secretary under subsection (4) is an authorised applicant. Under subsection (4), the Secretary may appoint the following persons by writing to be an authorised applicant under subsection (3):

• an SES, or acting SES, employee of the Department or a relevant Commonwealth regulator (paragraph (a)), or
• a person that holds or is acting in a position within a relevant Commonwealth regulator that is equivalent to, or higher than, an SES employee (paragraph (b)).

1121. A note to subsection (3) outlines that the terms 'SES employee' and 'acting SES employee' are defined in section 2B of the Acts Interpretation Act.

1122. Together subsections (3) and (4) satisfy the requirement in section 11 of the Regulatory Powers Act that an authorised applicant must be identified as such in the relevant Act, in this case the SOCI Act.

Subsections 49A(5)-(6)--Authorised person

1123. Subsection (5) provides that a person appointed by the Secretary under subsection (6) is an authorised person. Under subsection (6), the Secretary may appoint the following persons by writing to be an authorised person under subsection (5):

• an APS employee of the Department or a relevant Commonwealth regulator (paragraph (a)), or
• an officer or employee of a relevant Commonwealth regulator (paragraph (b)).

1124. Together subsections (5) and (6) satisfy the requirement in section 12 of the Regulatory Powers Act that an authorised person is a person identified as such in the relevant Act, in this case the SOCI Act.

Subsection 49A(7)--Issuing officer

1125. Subsection (7) provides that a magistrate is an issuing officer for the purpose of the monitoring powers under Part 2 of the Regulatory Powers Act. This subsection satisfies the requirement in section 14 of the Regulatory Powers Act that a person or class of persons is only an issuing officer if an Act, in this case the SOCI Act, specifies that they are an issuing officer.

Subsections 49A(8)-(11)--Relevant chief executive

1126. Subsection (8) provides that the Secretary is the relevant chief executive in relation to the monitoring powers in Part 2 of the Regulatory Powers Act, for the purpose of section 15 of that Act. Subsection (9) provides that the Secretary may delegate these powers to an SES employee or an acting SES employee. The note to subsection (9) identifies that the terms SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act.

1127. Subsection (10) provides that the powers that can be delegated include those under Part 2 of the Regulatory Powers Act (see paragraph (a)) and those that are incidental to the Part 2 powers (see paragraph (b)). Subsection (11) provides that any person exercising powers that have been delegated to them under subsection (9) must do so in accordance with any directions given by the relevant chief executive.

Subsection 49A(12)--Relevant court

1128. Subsection (12) is included for the purpose of section 16 of the Regulatory Powers Act, and provides that the Federal Court of Australia, the Federal Circuit Court of Australia and a court of a State or Territory that has jurisdiction in relation to matters arising under the SOCI Act are relevant courts.

Subsection 49A(13)--Premises

1129. Subsection (13) provides that, for the purpose of exercising the Part 2 monitoring powers, an authorised person cannot enter premises if the premises are used solely or primarily as a residence.

Subsection 49A(14)--Person assisting

1130. Subsection (14) triggers section 23 of the Regulatory Powers Act to provide that an authorised person may be assisted by another person in exercising monitoring powers under Part 2 of the Regulatory Powers Act.

Subsection 49A(15)--External Territories

1131. Subsection (15) confirms that the monitoring powers under Part 2 of the Regulatory Powers Act extend to the external Territories. This is necessary to align with the scope of the SOCI Act.

Section 49B Investigation powers

1132. New section 49B of the SOCI Act triggers the use of investigation powers under Part 3 of the Regulatory Powers Act. Part 3 of the Regulatory Powers Act creates a framework for gathering material that relates to the contravention of offence provisions and civil penalty provisions. A simplified outline of that Part can be found in section 36 of the Regulatory Powers Act.

1133. Noting the additional obligations being introduced into the SOCI Act, it is important that the Secretary, or any relevant Commonwealth regulator, has appropriate powers to investigate possible non-compliance with the regime to ensure its effectiveness in achieving the required security objectives. The triggering of the investigation powers under the Regulatory Powers Act will give these regulators the accepted baseline of investigation powers required to effectively fulfil their role.

Subsection 49B(1)--Provisions subject to investigation

1134. Subsection (1) provides that a provision is subject to the investigation powers in Part 3 of the Regulatory Powers Act if it is an offence against section 35AT or section 45 of this Act (paragraph (a)), or if it is a civil penalty provision of this Act (paragraph (b)). This provision satisfies the requirement under section 38 of the Regulatory Powers Act that an Act, in this case the SOCI Act, must specifically make a provision subject to investigation powers.

Subsections 49B(2)-(3)--Authorised applicant

1135. Subsection (2) provides that a person appointed under subsection (3) is an authorised applicant in relation to the provisions mentioned in subsection (1). Subsection (3) provides that the Secretary may, by writing, appoint the following as an authorised applicant:

• an SES, or acting SES, employee of the Department or a relevant Commonwealth regulator (paragraph (a)), or
• a person that holds or is acting in a position within a relevant Commonwealth regulator that is equivalent to or higher than an SES employee (paragraph (b)).

1136. The note to subsection (3) identifies that the terms SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act. Together subsections (2) and (3) satisfy the requirement in section 41 of the Regulatory Powers Act that an authorised applicant is identified as such in the relevant Act, in this case the SOCI Act.

Subsections 49B(4)-(5)--Authorised person

1137. Subsection (4) provides that a person appointed under subsection (5) is an authorised person in relation to evidentiary material that relates to the provision mentioned in subsection (1). Subsection (5) provides that the Secretary may, by writing, appoint the following as an authorised person:

• an APS employee of the Department or a relevant Commonwealth regulator (paragraph (a)), or
• an officer or employee of a relevant Commonwealth regulator (paragraph (b)).

1138. Together subsections (4) and (5) satisfy the requirement in section 42 of the Regulatory Powers Act that an authorised person is only so if the Act, in this case the SOCI Act, provides for them to be an authorised person.
Subsection 49B(6)--Issuing officer

1139. Subsection (6) provides that a magistrate is an issuing officer for the purpose of the investigation powers under Part 3 of the Regulatory Powers Act. This subsection satisfies the requirement in section 44 of the Regulatory Powers Act that a person or class of persons is only an issuing officer if the relevant Act, in this case the SOCI Act, identifies them as such.


Subsections 49B(7)-(10)--Relevant chief executive

1140. Subsection (7) provides that the Secretary is the relevant chief executive in relation to the investigation powers in Part 3 of the Regulatory Powers Act, for the purpose of section 45 of that Act. Subsection (8) provides that the Secretary may delegate the powers to an SES employee or an acting SES employee. The note to subsection (8) identifies that the terms SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act.

1141. Subsection (9) provides that the powers that can be delegated include those under Part 3 of the Regulatory Powers Act (see paragraph (a)) and those that are incidental to the Part 3 powers (paragraph (b)). Subsection (10) provides that any person exercising powers that have been delegated to them under subsection (8) must do so in accordance with any directions given by the relevant chief executive.

Subsection 49B(11)--Relevant court

1142. Subsection (11) is included for the purpose of section 46 of the Regulatory Powers Act, and provides that the Federal Court of Australia, the Federal Circuit Court of Australia and a court of a State or Territory that has jurisdiction in relation to matters arising under the SOCI Act are relevant courts.

Subsection 49B(12)--Person assisting

1143. Subsection (12) triggers section 53 of the Regulatory Powers Act to provide that an authorised person may be assisted by another person in exercising their powers in relation to the Part 3 investigation powers.

Subsection 49B(13)--External Territories

1144. Subsection (13) confirms that the investigation powers under Part 3 of the Regulatory Powers Act extend to the external Territories. This is necessary to align with the scope of the SOCI Act.

Division 4--Infringement notices

Section 49C Infringement notices

1145. New section 49C of the SOCI Act triggers the powers in Part 5 of the Regulatory Powers Act. Part 5 of the Regulatory Powers Act creates a framework for the use of infringement notices where an infringement officer reasonably believes that a provision has been contravened. A simplified outline of that Part can be found in section 98 of the Regulatory Powers Act.

1146. Noting the importance of a graduated enforcement regime, the triggering of Part 5 of the Regulatory Powers Act provides an important mechanism that can be utilised to address purported instances of non-compliance in a less serious and less resource-intensive way relative to, for example, civil penalty proceedings.

Subsection 49C(1)--Provisions subject to an infringement notice

1147. Subsection (1) provides that all civil penalty provisions within the SOCI Act are subject to the Part 5 infringement notices under the Regulatory Powers Act. The note to subsection (1) notes that Part 5 of the Regulatory Powers Act creates a framework for using infringement notices.

1148. The provision satisfies the requirement in section 100 of the Regulatory Powers Act that an Act, in this case the SOCI Act, must specifically make a provision subject to an infringement notice under Part 5 of that Act.

Subsections 49C(2)-(3)--Infringement officer

1149. Subsection (2) provides that, for the purposes of Part 5 of the Regulatory Powers Act, a person appointed under subsection (3) is an infringement officer in relation to the provisions mentioned in subsection (1). Subsection (3) provides that the Secretary may, by writing, appoint the following persons to be an infringement officer:

• an SES, or acting SES, employee of the Department or a relevant Commonwealth regulator (paragraph (a)), or
• a person that holds or is acting in a position within a relevant Commonwealth regulator that is equivalent to or higher than an SES employee (paragraph (b)).

1150. The note to subsection (3) identifies that the terms SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act. Together subsections (2) and (3) satisfy the requirement in section 101 of the Regulatory Powers Act that a person is an infringement officer if an Act, in this case the SOCI Act, provides that the person is an infringement officer for the purposes of Part 5 of that Act.

Subsections 49C(4)-(6)--Relevant chief executive

1151. Subsection (4) provides that the Secretary is the relevant chief executive in relation to infringement notices in Part 5 of the Regulatory Powers Act, for the purpose of section 102 of that Act. Subsection (5) provides that the Secretary may delegate these powers to an SES employee or an acting SES employee. The note to subsection (5) identifies that the terms SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act.

1152. Subsection (6) provides that any person exercising powers that have been delegated to them under subsection (4) must do so in accordance with any directions given by the relevant chief executive.


Subsection 49C(7)--External Territories

1153. Subsection (7) confirms that infringement notices under Part 5 of the Regulatory Powers Act extend to the external Territories. This is necessary to align with the scope of the SOCI Act.

Item 58 Paragraphs 51(1)(b) and (c)

1154. Section 51 of the SOCI Act provides for the Minister to make a private declaration that a particular asset is a critical infrastructure asset, relevantly where the circumstances outlined in paragraphs (1)(a)-(c) apply. Those circumstances currently include where the asset relates to a 'relevant industry' (paragraph (b)) and the Minister is satisfied of certain of the matters outlined in paragraph (c).

1155. Item 58 of Schedule 1 to the Bill repeals paragraphs 51(1)(b) and (c) and replaces them with new provisions, and also inserts a further paragraph (1)(d). Paragraph (1)(b) is updated to reflect that the term 'relevant industry' is being repealed from the SOCI Act, and replaced with the concept of 'critical infrastructure sector' (see further at new section 8D, at Item 21 of Schedule 1 to the Bill above).

1156. Paragraph (1)(c) is being redrafted to provide that, before making a private declaration that an asset is a critical infrastructure asset, the Minister must also be satisfied that the asset is critical to one or more of the following:

• the social or economic stability of Australia or its people (subparagraph (i)),
• the defence of Australia (subparagraph (ii)), or
• national security (subparagraph (iii)).

1157. This condition mirrors existing paragraph 9(3)(a), which provides that the Minister may prescribe an asset to be a critical infrastructure asset if, amongst other things, they are critical to the above criteria. This is a broadening of the existing subparagraph 51(1)(c)(i) which is limited to national security. This limitation is not considered appropriate given the essential services provided by critical infrastructure assets to the various vital aspects of Australia, being social and economic stability and defence, in addition to national security.

1158. New paragraph (1)(d) provides that, in addition to the circumstances outlined in paragraphs (1)(a)-(c), there must also be a risk to one or more of the following if it were publicly known that the asset is a critical infrastructure asset:

• the social or economic stability of Australia or its people (subparagraph (i)),
• the defence of Australia (subparagraph (ii)), or
• national security (subparagraph (iii)).

1159. This change aligns with the broadening of the aspects of criticality to provide that this mechanism for identifying a critical infrastructure asset can be used, as an alternative to the rule making power in subsection 9(3), where a risk would arise should the asset's status as a critical infrastructure asset become known through its public listing.

Item 59 Subsection 51(1) (note 1)

1160. Item 59 of Schedule 1 to the Bill repeals the first note from section 51. The note being repealed refers the reader to the definition of 'relevant industry'. This amendment is consequential to the repeal of that term from the SOCI Act.

Item 60 Subsection 51(1) (note 2)

1161. Item 60 of Schedule 1 to the Bill amends the second note to make it a reference to a singular note. This amendment is a technical amendment required as a result of Item 59.

Item 61 After subsection 51(2)

1162. Item 61 of Schedule 1 to the Bill inserts a new subsection 51(2A) into the SOCI Act. That subsection provides that, when the Minister makes a declaration that an asset is a critical infrastructure asset under subsection (1), the Minister may do all or any of the following:

• determine that Part 2 of the SOCI Act (concerning providing information to the register) applies to the asset (paragraph (a)),
• determine that Part 2A of the SOCI Act (concerning critical infrastructure risk management programs) applies to the asset (paragraph (b)),
• determine that Part 2B of the SOCI Act (concerning mandatory cyber incident reporting) applies to the asset (paragraph (c)).

1163. This provision is to operate in a similar way to the 'on switch provisions' (see new sections 18A, 30AB and 30BB, as described above) but reflects that assets that are privately declared under section 51 cannot be identified in those rules due to risks associated with their status being publicly known.

Item 62 Paragraph 51(3)(b)

1164. Item 62 of Schedule 1 to the Bill repeals paragraph 51(3)(b) of the SOCI Act and replaces it with a new paragraph. The current provision requires that if the Minister makes a declaration under subsection (1) they must notify the First Minister of the State or Territory in which the asset is located.

1165. New paragraph 51(3)(b) clarifies this policy to make clear that, where the asset is located in more than one jurisdiction, each First Minister must be notified.

Item 63 Subsection 51(4)

1166. Item 63 of Schedule 1 to the Bill repeals subsection 51(4) of the SOCI Act, which is a requirement that a notice made under subsection 51(3) must specify the obligations of the reporting entity under the Act. This provision is no longer required due to the new subsection (2A) inserted by item 61 of Schedule 1 to the Bill.

Item 64 After section 51

1167. Item 64 of Schedule 1 to the Bill inserts new section 51A into the SOCI Act, which includes an express requirement for the Minister to conduct consultation before making a private declaration under section 51. This clarifies that consultation must involve giving the entity a notice setting out the proposed declaration and inviting submissions within a specified time period.

Section 51A Consultation--declaration

1168. Subsection (1) provides that, before making a declaration under section 51 that a specified entity is the responsible entity for an asset, the Minister must give the entity a notice that sets out the proposed declaration (paragraph (a)), and invite the entity to make submissions regarding the proposal within 28 days or a shorter specified period (paragraph (b)). The Minister is then required, under subsection (2), to consider any submissions received within the specified period.

1169. Subsection (3) provides that the Minister must not specify a shorter period unless they are satisfied that it is necessary due to urgent circumstances. Subsection (4) provides that the notice must set out the reasons for making the declaration unless they are satisfied that doing so would be prejudicial to security.

1170. Further, the notice to the entity must set out the reasons for making the declaration unless the Minister is satisfied that doing so would be prejudicial to security. For example, the Minister's consideration of the criticality of the asset to the defence of Australia may rely on sensitive and classified information in relation to critical dependencies of defence capabilities and associated vulnerabilities. However, the Minister should provide the reasons to the greatest extent possible without prejudicing security.

Item 65 Subsection 52(5)

1171. Item 65 of Schedule 1 to the Bill repeals subsection 52(5) from the SOCI Act. Section 52 deals with the Secretary being notified of changes to a reporting entity for an asset. A requirement under the section is that the Secretary give the new reporting entity a notice that the asset they are responsible for is a critical infrastructure asset. Subsection 52(5) requires that the notice specifies the obligations of the entity.


Item 66 After Part 6

1172. Item 66 of Schedule 1 to the Bill inserts new Part 6A into the SOCI Act, concerning the declaration of systems of national significance.

1173. The critical infrastructure threat environment is worsening, in part due to an ever-increasing reliance on technology and increasing interoperability and interdependency between Australia's most critical assets. This has created a new set of vulnerabilities that can have catastrophic cascading consequences for Australia's economy and national security. This growing threat necessitates a strengthened relationship between Government and industry, built on enhanced information sharing and activities to prepare for, prevent and mitigate significant cyber security incidents.

1174. This is most important for systems of national significance, which are a smaller subset of critical infrastructure assets declared by the Minister because of their higher degree of criticality. Systems of national significance may be subject to enhanced cyber security obligations under new Part 2C of the Act.

Part 6A--Declaration of systems of national significance by the Minister

Division 1--Simplified outline of this Part

Section 52A Simplified outline of this Part

1175. New section 52A of the SOCI Act is a simplified outline of Part 6A, which deals with the Minister declaring a system of national significance. The first paragraph notes that the Minister may privately declare a system of national significance. The second paragraph notes that the Minister must notify the reporting entity for a system of national significance if a declaration has been made. The third paragraph notes that a reporting entity for a system of national significance must notify the Secretary of changes to who the reporting entity is.

1176. A note to this section identifies that it is an offence under section 45 to disclose that an asset is a system of national significance. This reflects the declaration being protected information under the expanded definition in section 5. However, it should also be noted that there is an exception to this offence where the entity making the disclosure is the entity to which the protected information relates (existing paragraph 46(4)(b)). Therefore, the responsible entity for a system of national significance will be able to disclose the fact that such a declaration has been made in relation to the asset. This is important to ensure that the entity is able to effectively manage the security of the asset and comply with its obligations under the Act, while acknowledging that the entity is well positioned to sensitively manage any risks that may be associated with the disclosure.


Division 2--Declaration of systems of national significance by the Minister

Section 52B Declaration of systems of national significance by the Minister

1177. New section 52B of the SOCI Act sets out how the Minister may privately declare an asset to be a system of national significance.

1178. Under subsection (1), the Minister may, in writing, declare a particular asset to be a system of national significance if:
• the asset is a critical infrastructure asset (paragraph (a)), and
• the Minister is satisfied that the asset is of national significance, as determined in accordance with subsection (2) (paragraph (b)).

1179. This means that systems of national significance are a subset of critical infrastructure assets that have an additional element of criticality based on their national significance. National significance does not require the asset to operate nationally, or to provide a service that affects the entirety of Australia. Rather, the asset, and its functioning, must be significant from a national perspective.

1180. Subsection (2) sets out the factors to which the Minister must have regard for the purpose of determining whether an asset is of national significance.

1181. Paragraph (2)(a) requires the Minister to have regard to the consequences that would arise for the social or economic stability of Australia or its people, the defence of Australia, or national security if a hazard were to occur that had a significant relevant impact on the asset. The relevant impact of a hazard on an asset is defined in section 8G and refers to the impact (whether direct or indirect) of the hazard on the availability, integrity, reliability and confidentiality of information in relation to the asset. For example, should the asset be degraded or destroyed, would that result in serious damage to Australia's national interests?

1182. Paragraph (2)(b) further requires that, if the Minister is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets, the Minister have regard to the nature and extent of those interdependencies. The complex and interconnected nature of Australia's economy means that the functionality and operability of a large proportion of critical infrastructure assets are disproportionately dependent on the services offered by a small set of critical infrastructure assets. In particular, this relationship is often dependent on, or facilitated by, interconnected digital networks or internet-connected systems, which have many economic benefits for owners and operators.

1183. However, this interconnectedness and over-reliance on a limited number of assets creates a new set of vulnerabilities. The compromise of one of these assets could have first, second and third order consequences which may cascade and compromise other critical infrastructure assets.

1184. The Minister is not, however, required to be aware of, or consider, every interdependency of the asset, but rather to be satisfied of the asset's national significance having had regard to those interdependencies of which the Minister is aware.

1185. Focusing on the extent of interdependencies alone may not always provide the necessary context to consider national significance. For this reason, the Minister is also required to have regard to the nature of those interdependencies, which may be small in number but particularly significant.

1186. Paragraph (2)(c) clarifies that the Minister may also have regard to any other matters the Minister considers relevant to determining the national significance of the asset.

1187. Subsection (3) provides that, within 30 days of declaring an asset to be a system of national significance, the Minister must, in writing, notify each reporting entity for the asset and, if the asset is a tangible asset located (wholly or partly) within a State or Territory, the relevant First Minister or First Ministers.

1188. This ensures that the entities affected by the declaration are notified that it has occurred and made aware of the obligations that may flow from such a declaration under Part 2C.

1189. Subsection (4) clarifies that an instrument under subsection (1) is not a legislative instrument for the purposes of the Legislation Act. This is reasonable in these circumstances because:
• systems of national significance are an attractive target for malicious actors, particularly those with the capability and motive to do significant harm to Australia's national interests. Given these factors, and the security vulnerabilities that may emerge if the extent of an asset's national significance were widely known, it would be inappropriate and negligent to publicly disclose the identity of a system of national significance. This approach aligns with that taken for assets declared by the Minister for Home Affairs under current section 51 of the SOCI Act, and
• the declaration applies the law in a particular circumstance to particular facts, and does not determine or alter the content of the law for the purposes of subsection 8(4) of the Legislation Act.

1190. Subsection (5) provides that, to avoid doubt, an asset may be the subject of a declaration under subsection (1) even if the asset is not a 'system'. Subsection 52B(5) clarifies that the use of the word 'system' does not mean that only systems, whether computer based or otherwise, can be declared by the Minister to be a system of national significance. As provided at paragraph 52B(1)(a), a system of national significance can be any asset that is a critical infrastructure asset. However, the additional test at paragraph 52B(1)(b) means that, practically speaking, only a small subset of critical infrastructure assets are likely to be declared to be systems of national significance.

Section 52C Consultation--declaration

1191. New section 52C of the SOCI Act details express consultation requirements for the making of a declaration under subsection 52B(1). This ensures that the entity is afforded an opportunity to consider and scrutinise the matters the Minister has considered or had regard to when proposing to declare the asset to be a system of national significance. These consultation requirements align with those in new section 51A in relation to private declarations of critical infrastructure assets.

1192. Subsection (1) provides that, before making a declaration, the Minister must give the responsible entity a notice that sets out the proposed declaration and invites the entity to make submissions regarding the declaration within 28 days, or a shorter period specified in the notice.

1193. Subsection (2) provides that the Minister must consider any submissions made by the responsible entity within 28 days of the notice being given, or within the shorter period specified in the notice.

1194. Subsection (3) provides that the Minister must not specify a shorter period for submissions unless satisfied that it is necessary due to urgent circumstances.

1195. Subsection (4) provides that the notice must set out the reasons for the Minister making the declaration, unless the Minister is satisfied that doing so would be prejudicial to security. For example, the Minister's consideration of the national significance of the asset may rely on sensitive and classified information in relation to critical dependencies with national security assets and capabilities that are not publicly known, or even fully known to the entity. However, the Minister should provide the reasons to the greatest extent possible without prejudicing security.

Section 52D Notification of change to reporting entities for asset

1196. Similar to section 52 of the SOCI Act, which deals with notification of a change to reporting entities for critical infrastructure assets, new section 52D provides for notification of a change to reporting entities for a system of national significance.

Subsection 52D(1)--Scope

1197. Subsection (1) provides that the section applies if a reporting entity for a system of national significance (the 'first entity') stops being a reporting entity for the asset, or becomes aware of another reporting entity for the asset.


Subsections 52D(2)-(4)--Notification

1198. Subsection (2) provides that, within 30 days of becoming aware of the change, the first entity must notify the Secretary of the change and, if there is another reporting entity, the details of that entity. A note to this subsection directs the reader to Division 2 of Part 7 if the entity is not a legal person.

1199. This provision is required because the Minister's declaration of an asset is private, and is protected information under section 5. Without this provision, Government may not have visibility of changes to reporting entities, as the provisions relating to protected information may prevent subsequent reporting entities from being aware of the status of the asset and the associated obligations.

1200. Breach of the obligation in subsection (2) is subject to a civil penalty of up to 150 penalty units. This penalty aligns with that for non-compliance with the notification requirements in current section 52 of the SOCI Act.

1201. Subsection (3) provides that the first entity must use its best endeavours to determine the name and address of the new reporting entity. This ensures the first entity is not liable to a penalty if it took all reasonable steps to obtain the information.

1202. Subsection (4) provides that, if the Secretary is given a notification under this section, the Secretary must notify the new reporting entity, in writing and within 30 days of the notification, that the asset is a system of national significance. This ensures the entity is aware of its obligations as a reporting entity for a system of national significance under the legislation.

Section 52E Review of declaration

1203. New section 52E of the SOCI Act provides a mechanism through which the responsible entity for an asset can request a review of the Minister's declaration under section 52B that the asset is a system of national significance. Australia's economic, defence and security environments are constantly evolving and, consequently, the assets that are most critical will change over time. It is important that the assets declared as systems of national significance are kept up to date, to ensure that appropriate protections are in place for those nationally significant assets. However, it is equally important, noting the obligations that may be imposed on a system of national significance under new Part 2C of the SOCI Act, that declarations are not in force for any longer than is necessary.

1204. The nature of an asset can change over time, and so too can the circumstances in which it operates. It is therefore important that a responsible entity is able to request a review, to avoid any unnecessary regulatory burden.

1205. Subsection (1) provides that the section applies if an asset is declared under subsection 52B(1) to be a system of national significance.


1206. Subsection (2) provides that the responsible entity for the system of national significance may, by written notice given to the Secretary, request that the Secretary review whether the asset is of national significance. Subsections (3)-(5) set out the requirements for the review.

1207. Subsection (3) provides that the Secretary must review whether the asset is of national significance and give the Minister a report of the review and a statement setting out the Secretary's findings. This must be done within 60 days of the Secretary receiving the request.

1208. Subsection (4) provides that the review must be undertaken in consultation with the responsible entity for the asset. This will ensure the entity has the opportunity to bring any relevant information to the Secretary's attention, including any change in circumstances in relation to the asset.

1209. Subsection (5) provides that, in undertaking the review, the Secretary must have regard to:
• the consequences that would arise for the social or economic stability of Australia or its people, the defence of Australia, or national security, if a hazard were to occur that had a significant relevant impact on the asset;
• if the Secretary is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets, the nature and extent of those interdependencies; and
• such other matters (if any) as the Secretary considers relevant.

1210. These factors align with the factors to which the Minister must have regard in being satisfied whether an asset is of national significance.

1211. Subsection (6) limits the frequency with which the entity can request a review to no more than once in any 12 month period.

Section 52F Revocation of declaration

1212. New section 52F of the SOCI Act provides for the circumstances in which a declaration made under subsection 52B(1) must be revoked. This provision imposes a duty on the Minister to revoke a declaration when the Minister is no longer satisfied that the asset is of national significance. The Minister may form this view in a number of ways, including having considered a report and associated statement of findings prepared by the Secretary under new section 52E.

1213. Subsection (1) provides that the section applies if a declaration under subsection 52B(1) is in force in relation to an asset and the Minister is no longer satisfied that the asset is of national significance.


1214. Subsection (2) imposes a duty on the Minister to revoke the declaration if the circumstances in subsection (1) exist.

1215. Subsection (3) clarifies that a revocation is not a legislative instrument.

1216. Subsection (4) provides that section 52F does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act to an instrument made under a provision of the SOCI Act.

1217. Subsection 33(3) of the Acts Interpretation Act provides that, where an Act confers a power to make, grant or issue any instrument of a legislative or administrative character (including rules, regulations or by-laws), the power shall be construed as including a power, exercisable in the like manner and subject to the like conditions (if any), to repeal, rescind, revoke, amend or vary any such instrument.

Item 67 Subsection 59(1)

1218. Subsection 59(1) of the SOCI Act currently provides that the Secretary may delegate any of their 'powers, functions or duties under this Act'. Item 67 of Schedule 1 to the Bill inserts the words '(other than Part 3A)' after 'this Act'. This ensures that any powers, functions or duties of the Secretary under Part 3A, which relates to responding to serious cyber security incidents, must be exercised personally and cannot be delegated. This limitation on the power to delegate reflects the significance of the powers, functions and duties that the Secretary may have under Part 3A, and the appropriateness of their not being exercised by more junior officers.

Item 68 Division 4 of Part 7 (at the end of the heading)

1219. Item 68 of Schedule 1 to the Bill is a technical amendment to insert the word 'etc.' at the end of the heading of Division 4 of Part 7, so that it reads 'Periodic reports, reviews and rules etc.'. This reflects that the Division contains additional content, including new sections 60AA and 60AB (see Item 70 of Schedule 1 to the Bill, below).

Item 69 At the end of subsection 60(2)

1220. Under subsection 60(1) of the SOCI Act, the Secretary must give the Minister, for presentation to the Parliament, a report on the operation of the SOCI Act for each financial year. The report under subsection 60(1) must deal with the matters listed in paragraphs (2)(a)-(e).

1221. These amendments reflect the expanded scope of the obligations and powers to be introduced into the SOCI Act by this Bill, and serve as an important oversight mechanism by providing transparency and accountability to Parliament and the public about the operation of the SOCI Act.


1222. Item 69 of Schedule 1 to the Bill inserts the following additional paragraphs into subsection (2), as matters that the Secretary's report to the Minister under subsection (1) must contain:
• the number of annual reports given under section 30AG during the financial year (paragraph (f))
• the number of annual reports given under section 30AG during the financial year that included a statement to the effect that a critical infrastructure risk management program was up to date at the end of the financial year (paragraph (g))
• the number of cyber security incidents reported during the financial year under section 30BC (paragraph (h))
• the number of cyber security incidents reported during the financial year under section 30BD (paragraph (i))
• the number of notices given to entities under section 30CB during the financial year (paragraph (j))
• the number of notices given to entities under section 30CM during the financial year (paragraph (k))
• the number of notices given to entities under section 30CU during the financial year (paragraph (l))
• the number of notices given to entities under Division 5 of Part 2C during the financial year (paragraph (m))
• the number of Ministerial authorisations given under section 35AB during the financial year (paragraph (n))
• the number of Ministerial authorisations given under paragraph 35AB(2)(a) or (b) during the financial year (paragraph (o))
• the number of Ministerial authorisations given under paragraph 35AB(2)(c) or (d) during the financial year (paragraph (p))
• the number of Ministerial authorisations given under paragraph 35AB(2)(e) or (f) during the financial year (paragraph (q)), and
• the number of declarations of assets as systems of national significance made under section 52B during the financial year (paragraph (r)).


Item 70 After section 60

1223. Item 70 of Schedule 1 to the Bill inserts new sections 60AA and 60AB into the SOCI Act.

Section 60AA Compensation for acquisition of property

1224. New section 60AA of the SOCI Act deals with the acquisition of property (what is known as a 'historic shipwrecks' clause, after the first legislation that introduced this type of provision). Subsection (1) provides that, if the operation of the Act would result in an acquisition of property, within the meaning of paragraph 51(xxxi) of the Constitution, otherwise than on just terms, the Commonwealth is liable to pay a reasonable amount of compensation.

1225. Subsection (2) provides that, if the Commonwealth and the entity do not agree on the amount of compensation, the entity may institute proceedings in either the Federal Court of Australia (paragraph (a)) or the Supreme Court of a State or Territory (paragraph (b)).

1226. While nothing in the Bill is expressly directed at the acquisition of property, it is recognised that this could occur in extremely rare circumstances incidental to the operation of the powers set out in Part 3A in particular. It is important that the Government can respond effectively to a serious cyber security incident; however, if that response requires the acquisition of property, it is equally important that reasonable compensation is paid.

Section 60AB Service of notices, directions and instruments by electronic means

1227. New section 60AB of the SOCI Act provides that paragraphs 9(1)(d) and (2)(d) of the Electronic Transactions Act 1999 (the Electronic Transactions Act) do not apply to a notice, direction or instrument under the SOCI Act, any Ministerial rules made under section 61 of that Act, or the Regulatory Powers Act (so far as that Act relates to the SOCI Act).

1228. A note to this section explains that those provisions of the Electronic Transactions Act deal with the consent of the recipient of information to the information being given by way of electronic communication.

1229. Noting that the vast majority of responsible entities for critical infrastructure assets are large corporate entities, this provision will allow efficient service through electronic means where appropriate.


Part 2--Application provisions

1230. Part 2 of Schedule 1 to the Bill deals with the application of the amendments to subsections 9(3) and (4) of the SOCI Act (see Items 27, 28 and 29) and to section 51 (see Items 58-63).

Item 71 Application--subsections 9(3) and (4) of the Security of Critical Infrastructure Act 2018

1231. Item 71 of Schedule 1 to the Bill provides that the amendments of subsections 9(3) and (4) of the SOCI Act made by Schedule 1 apply in relation to rules made after the commencement of Item 71.

1232. This application provision is required to ensure that rules made in relation to assets prior to the commencement of Item 71 continue to have effect despite the changes to section 9. This will allow for continuity in the operation of the SOCI Act.

Item 72 Application--section 51 of the Security of Critical Infrastructure Act 2018

1233. Item 72 of Schedule 1 to the Bill provides that the amendments of section 51 of the SOCI Act made by Schedule 1 apply in relation to a declaration made after the commencement of Item 72.

1234. This application provision is required to ensure that declarations made in relation to assets prior to the commencement of Item 72 continue to have effect despite the changes to section 51. This will allow for continuity in the operation of the SOCI Act.

Part 3--Amendments contingent on the commencement of the Federal Circuit and Family Court of Australia Act 2020

1235. Part 3 of Schedule 1 to the Bill provides for amendments to the SOCI Act that are contingent upon the commencement of the proposed Federal Circuit and Family Court of Australia Act 2020. That Act is currently a Bill under consideration by the Parliament, and provides for the amalgamation of the Federal Circuit Court of Australia and the Family Court of Australia.

Security of Critical Infrastructure Act 2018

Item 73 Paragraphs 49A(12)(b) and 49B(11)(b)

1236. Item 73 of Schedule 1 to the Bill provides that, in both paragraphs 49A(12)(b) and 49B(11)(b) (as outlined at Item 57 of Schedule 1, above), the words 'Federal Circuit Court of Australia' are omitted and the words 'Federal Circuit and Family Court of Australia (Division 2)' substituted. This will reflect the change in terminology that will result from the commencement of the proposed Federal Circuit and Family Court of Australia Act 2020.


1237. As outlined in clause 2 of the Bill, if the proposed Federal Circuit and Family Court of Australia Act 2020 never commences, the amendment in this item does not commence.

Part 4--Amendments contingent on the commencement of the National Emergency Declaration Act 2020

1238. Part 4 of Schedule 1 to the Bill provides for amendments to the National Emergency Declaration Act 2020 (National Emergency Declaration Act) and the SOCI Act that are contingent upon the commencement of the proposed National Emergency Declaration Act. That Act is currently a Bill under consideration by the Parliament, and provides for the declaration of a national emergency by the Governor-General.

National Emergency Declaration Act 2020

Item 74 Section 10 (after paragraph (za) of the definition of national emergency law)

1239. Section 10 of the National Emergency Declaration Act provides a number of definitions for the purposes of that Act. The definition of 'national emergency law' provides an authoritative list of the provisions across the statute book that contain powers that may be enlivened, or the operation of which may be modified, while a national emergency declaration is in force. The fact that a provision is listed in the definition of national emergency law is not intended to otherwise affect the interpretation or operation of the provision.

1240. Item 74 of Schedule 1 to the Bill will insert an additional paragraph, paragraph (zaa), into the definition of national emergency law, which provides that section 35AB of the Security of Critical Infrastructure Act 2018 is a national emergency law for the purposes of the National Emergency Declaration Act.

Security of Critical Infrastructure Act 2018

Item 75 After subsection 35AB(1)

1241. Item 75 of Schedule 1 to the Bill will insert an alternative application provision into new section 35AB of the SOCI Act. In particular, new subsection 35AB(1A) will provide that the section applies if the Minister is satisfied, amongst other factors, that the incident relates to an emergency specified in a national emergency declaration (within the meaning of the National Emergency Declaration Act) that is in force.

1242. The purpose of this item is to simplify the process for the Minister to authorise the Secretary to exercise powers under Part 3A in relation to a cyber security incident where a national emergency declaration under the National Emergency Declaration Act is in force and the incident relates to the national emergency. The item removes the requirement for the Minister to be satisfied that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice one or more of the matters specified in paragraph 35AB(1)(c), given that the Prime Minister must be satisfied that an emergency has caused, is causing or is likely to cause nationally significant harm before the Governor-General may declare a national emergency.

1243. New subsection 35AB(1A) provides that the section also applies if the Minister is satisfied of all of the following:
• a cyber security incident has occurred, is occurring, or is imminent;
• the incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset (the primary asset);
• the incident relates to an emergency specified in a national emergency declaration (within the meaning of the National Emergency Declaration Act) that is in force; and
• no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.

Schedule 2--Australian Signals Directorate

1244. Schedule 2 to the Bill makes amendments to the Criminal Code to limit liability for certain acts performed by ASD.

1245. The purpose of the amendments is to update the existing, limited immunities afforded to staff members and agents of the Australian Signals Directorate to ensure they remain effective in light of technological change. The underlying purpose of the immunities framework is to ensure that staff members and agents of the Australian Signals Directorate are protected from civil and criminal liability for activities done in the proper performance of the Australian Signals Directorate's functions, including activities targeted offshore that are done to protect Australian critical infrastructure. These activities might otherwise be prohibited by Commonwealth, State or Territory laws dealing with computer-related acts.

Criminal Code Act 1995

Item 1 Subsection 476.4(2) of the Criminal Code

1246. Section 476.4 provides that Part 10.7 of the Criminal Code (which contains offences related to unauthorised use of, and access to, computers) is not intended to exclude or limit the operation of any other law of the Commonwealth, a State or a Territory (subsection (1)). Subsection (2) of that section then provides that the operation of subsection (1) is subject to section 476.5. Item 1 of Schedule 2 to the Bill amends subsection 476.4(2) of the Criminal Code to provide that subsection (1) has effect subject to section 476.5 as well as new section 476.6 (see Item 6 of Schedule 2, below).


Item 2 Section 476.5 of the Criminal Code (at the end of the heading)

1247. Item 2 of Schedule 2 to the Bill makes a technical amendment to the heading to section 476.5 to insert a reference to 'ASIS and AGO' (the Australian Secret Intelligence Service and the Australian Geospatial-Intelligence Organisation). This reflects the amendments being made to section 476.5 (see Items 3, 4 and 5 of Schedule 2, below), which mean that this section will now only limit liability for certain acts done by ASIS and AGO, with new section 476.6 of the Criminal Code dealing with liability for acts done by ASD.

Item 3 Subsection 476.5(1) of the Criminal Code

1248. Item 3 of Schedule 2 to the Bill removes the reference to ASD in subsection 476.5(1) of the Criminal Code, reflecting that this section will no longer relate to the acts of ASD.

Item 4 Subsection 476.5(3) of the Criminal Code (definition of ASD)

1249. Item 4 of Schedule 2 to the Bill removes the definition of 'ASD' from subsection 476.5(3) of the Criminal Code, reflecting that this section will no longer relate to the acts of ASD.

Item 5 Subsection 476.5(3) of the Criminal Code (paragraph (b) of the definition of staff member)

1250. The current definition of 'staff member' in subsection 476.5(3) of the Criminal Code refers to staff members of ASD. Item 5 of Schedule 2 to the Bill removes the reference to staff members of ASD (paragraph (b) of the definition), reflecting that this section will no longer relate to the acts of ASD.

Item 6 At the end of Division 476 of the Criminal Code

1251. Item 6 of Schedule 2 to the Bill inserts new section 476.6 into the Criminal Code, a new provision dealing solely with the liability of staff members and agents of ASD.

Section 476.6 Liability for certain acts--ASD

1252. New section 476.6 of the Criminal Code provides for the limitation of liability of staff members and agents of ASD.

1253. Subsection (1) provides that a staff member or agent of ASD is not subject to any civil or criminal liability for engaging in conduct inside or outside Australia if both of the following apply:

• the conduct is engaged in on the reasonable belief that it is likely to cause a computer-related act, event, circumstance or result to take place outside Australia (whether or not it in fact takes place outside Australia) (paragraph (a)), and

• the conduct is engaged in in the proper performance of a function of ASD, as outlined in section 7 of the Intelligence Services Act (paragraph (b)).

1254. This largely replicates the limitations on liability in current section 476.5 of the Criminal Code, with the notable exception of the inclusion of the qualification that the conduct is engaged in on the 'reasonable belief that it is likely' to cause the computer-related act, event, circumstance or result to take place outside Australia.

1255. This amendment is required in response to changes in technology, in particular the increasing prevalence of online, internet-based communications, which obscure the geographic location of parties to communications. The amendments update the Australian Signals Directorate's immunities to ensure it can continue to operate efficiently in an increasingly challenging online environment, where it is not always possible to reliably determine the geographic location of a device or computer.

1256. This challenge is exacerbated for the Australian Signals Directorate where adversaries (including foreign intelligence services and terrorist organisations) undertake cyber activities that harm Australia's critical infrastructure. To effectively perform its functions, and to defend against and respond to serious cyber security incidents, the Australian Signals Directorate may need to engage in computer-related acts offshore, such as affecting the adversary's computer or device. However, where an adversary takes active steps to obfuscate their physical location, or where it is impossible for the Australian Signals Directorate to reliably determine their physical location, it is necessary to protect staff members and agents from liability if they inadvertently affect a computer or device located inside Australia.

1257. The amendment will not provide staff members or agents of the Australian Signals Directorate with immunity from liability in circumstances where they know or believe an adversary's computer or device to be located in Australia.
Nor will it provide such persons with immunity where their belief that an adversary's computer or device is located outside Australia is not reasonable. Consistent with current subsection 476.5(1), the immunity will continue to apply only where a staff member's or agent's conduct is done in the proper performance of an Australian Signals Directorate function.

1258. Subsection (2) provides that a person is not subject to any civil or criminal liability for engaging in conduct inside or outside Australia if all of the following apply:

• the conduct is preparatory to, in support of, or otherwise directly connected with, overseas activities of ASD (paragraph (a))

• the conduct, taken together with a computer-related act, event, circumstance or result that took place, or was intended to take place, outside Australia, could amount to an offence but, in the absence of that computer-related act, event, circumstance or result, would not amount to an offence (paragraph (b)), and

• the conduct is engaged in in the proper performance of a function of ASD, as outlined in section 7 of the Intelligence Services Act (paragraph (c)).

1259. Subsection (3) restricts the scope of the limitation on liability in subsection (2), by providing that subsection (2) is not intended to permit any conduct in relation to premises, persons, computers, things, or carriage services in Australia, being:

• conduct which ASIO could not engage in without a Minister authorising it by warrant issued under Division 2 of Part III of the ASIO Act or under Part 2-2 of the TIA Act (paragraph (a)), or

• conduct engaged in to obtain information that ASIO could not obtain other than in accordance with Division 3 of Part 4-1 of the TIA Act (paragraph (b)).

1260. Subsection (4) provides that subsections (1) and (2) have effect despite anything in a law of the Commonwealth or of a State or Territory, whether passed or made before or after the commencement of this subsection, unless the law expressly provides otherwise. Subsection (5) clarifies that subsection (4) does not affect the operation of subsection (1).

Subsections 476.6(6)-(7)--Certificate

1261. Evidentiary certificates are intended to streamline the court process by reducing the need to call numerous officers and experts to give evidence. Evidentiary certificates also assist with maintaining the confidentiality of the sensitive methodologies and capabilities of the authorised agency.

1262. Subsection (6) provides that the Inspector-General of Intelligence and Security may give a certificate in writing certifying any fact relevant to the question of whether conduct was engaged in in the proper performance of a function of ASD.

1263. Subsection (7) provides that a certificate given under subsection (6) is prima facie evidence of the facts certified in any proceedings, including both court and tribunal proceedings.

Subsections 476.6(8)-(9)--Notice to Inspector-General of Intelligence and Security

1264. Subsection (8) applies if all of the following apply:

• a person engages in conduct referred to in subsection (1) or (2) in relation to ASD (paragraph (a))

• the conduct causes material damage, material interference or material obstruction to a computer (within the meaning of section 22 of the ASIO Act) in Australia (paragraph (b)), and

• apart from this section, the person would commit an offence against Part 10.7 of the Criminal Code (paragraph (c)).

1265. If subsection (8) applies, the agency head (within the meaning of the Intelligence Services Act) of ASD must, as soon as practicable, give a written notice to the Inspector-General of Intelligence and Security that:

• informs the Inspector-General of Intelligence and Security of the fact (paragraph (d)), and

• provides details about the conduct that caused the damage, interference or obstruction to the computer (paragraph (e)).

1266. Subsection (9) provides that section 476.6 of the Criminal Code has effect in addition to, and does not limit, section 14 of the Intelligence Services Act.

1267. While this limitation on liability will only apply where the conduct was engaged in on the reasonable belief that it is likely to cause a computer-related act, event, circumstance or result to take place outside Australia, should it later be determined that a computer in Australia was impacted, it is important that the Inspector-General of Intelligence and Security is made aware of the matter given its significance. This will allow the Inspector-General of Intelligence and Security, should they wish, to investigate the actions taken to ensure they were lawful.

Subsection 476.6(10)--Definitions

1268. Subsection (10) provides the following definitions, which apply in section 476.6 of the Criminal Code.

• 'ASD' means the Australian Signals Directorate.

• 'civil or criminal liability' means any civil or criminal liability (whether under this Part, under another law or otherwise).

• 'computer-related act, event, circumstance or result' means an act, event, circumstance or result involving: the reliability, security or operation of a computer (paragraph (a)); access to, or modification of, data held in a computer or on a data storage device (paragraph (b)); electronic communication to or from a computer (paragraph (c)); the reliability, security or operation of any data held in or on a computer, computer disk, credit card, or other data storage device (paragraph (d)); possession or control of data held in a computer or on a data storage device (paragraph (e)); or producing, supplying or obtaining data held in a computer or on a data storage device (paragraph (f)).

• 'staff member', in relation to ASD, means the Director-General of ASD, or a member of the staff of ASD (whether an employee of ASD, a consultant or contractor to ASD, or a person who is made available by another Commonwealth or State authority or other person to perform services for ASD).

Item 7 Application of amendments

1269. Item 7 of Schedule 2 to the Bill provides that the amendments to the Criminal Code made by Schedule 2 only apply in relation to conduct engaged in after the commencement of Schedule 2, as outlined in clause 2 of the Bill.


Attachment B

REGULATORY IMPACT STATEMENT (RIS)

1. WHAT IS THE POLICY PROBLEM YOU ARE TRYING TO SOLVE?

1.1. Overview of the problem

The security of critical infrastructure is vital to Australia's social and economic stability, defence and national security. It enables the provision of essential services such as food, water, health services, education, energy, communications, transportation and banking. Without these services, our economic prosperity and public safety are threatened. The resilience of Australia's critical infrastructure is integral to the prosperity of the nation.

The existing framework governing critical infrastructure is being outpaced by an evolving threat environment as natural hazards become more prevalent, information technology and operational systems converge, the complexity of cyber threats grows, and foreign intelligence activities against Australian interests increase in frequency and sophistication. At the same time there are limited mechanisms in place to drive an uplift in all hazards risk management across all critical infrastructure sectors.

Without proper safeguards, security vulnerabilities in interconnected infrastructure can deliberately or inadvertently cause disruptions that cascade across Australia's social and economic stability, defence and national security. While businesses have a strong incentive to ensure the resilience of their own critical infrastructure, the increasingly interconnected nature of critical sectors means that weaknesses within unprotected infrastructure can easily cascade and disrupt assets and systems vital to Australia's prosperity. As such, a wholesale uplift in security resilience is key to ensuring that critical infrastructure assets are able to withstand significant compromise from a range of hazards.

The Department of Home Affairs (the Department) has undertaken industry focussed consultation to guide these reforms. Consultation considered the details of an enhanced critical infrastructure security regulatory regime, and how it should be approached. During consultation industry reaffirmed the lack of consistent national guidance available to assist in uplifting their security. As such, a wholesale uplift in all hazards security and resilience practices is integral to securing Australia's critical infrastructure. This will allow Australians to be assured that the Government is taking steps to manage threats to critical infrastructure and protect Australia's future.

1.2. What is critical infrastructure?

The 2015 Critical Infrastructure Resilience Strategy defines critical infrastructure as 'those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security'. Building on this definition, the Government intends to provide greater clarity on what is regulated as critical infrastructure. For the proposed reforms, critical infrastructure sectors are to be defined as set out below (sector, definition and examples).

Financial services and markets
Definition: The sector of the Australian economy that involves: (a) carrying on banking business; or (b) operating a superannuation fund; or (c) carrying on insurance business; or (d) carrying on life insurance business; or (e) carrying on health insurance business; or (f) operating a financial market; or (g) operating a clearing and settlement facility; or (h) operating a derivative trade repository; or (i) administering a financial benchmark; or (j) operating a payment system; or (k) carrying on financial services business; or (l) carrying on credit facility business.
Examples: Banks, superannuation entities, financial market infrastructure.

Communications
Definition: The sector of the Australian economy that involves: (a) supplying a carriage service; or (b) providing a broadcasting service; or (c) owning or operating assets that are used in connection with the supply of a carriage service; or (d) owning or operating assets that are used in connection with the transmission of a broadcasting service; or (e) administering an Australian domain name system.
Examples: Broadcasters, telecommunication companies.

Data storage and processing
Definition: The sector of the Australian economy that involves providing data storage or processing services on a commercial basis.
Examples: Cloud service providers, data centres.

Defence industry
Definition: The sector of the Australian economy that involves the provision of critical defence capabilities.

Higher education and research
Definition: The sector of the Australian economy that involves: (a) being a higher education provider; or (b) undertaking a program of research that: a. is supported financially (in whole or in part) by the Commonwealth; or b. is relevant to a critical infrastructure sector (other than the higher education and research sector).
Examples: Universities.

Energy
Definition: The sector of the Australian economy that involves: (a) the production, distribution or supply of electricity; or (b) the production, processing, distribution or supply of gas; or (c) the production, processing, distribution or supply of liquid fuel.
Examples: Liquid fuel includes crude oil and condensate, refined products such as petrol, diesel and jet fuels, and ethanol or biodiesel. Gas means a substance that: is in a gaseous state at standard temperature and pressure; and consists of naturally occurring hydrocarbons, or a naturally occurring mixture of hydrocarbons and non-hydrocarbons, the principal constituent of which is methane; and is suitable for consumption.

Food and grocery
Definition: The sector of the Australian economy that involves: (a) manufacturing; or (b) processing; or (c) packaging; or (d) distributing; or (e) supplying; food or groceries on a commercial basis.
Examples: Supermarkets, distribution centres.

Health care and medical
Definition: The sector of the Australian economy that involves: (a) the provision of health care; or (b) the production, distribution or supply of medical supplies.
Examples: Hospitals.

Space technology
Definition: The sector of the Australian economy that involves the commercial provision of space-related services. Note: The following are examples of space-related services: (a) position, navigation and timing services in relation to space objects; (b) space situational awareness services; (c) space weather monitoring and forecasting; (d) communications, tracking, telemetry and control in relation to space objects; (e) remote sensing earth observations from space; (f) facilitating access to space.
Examples: Ground stations, control centres.

Transport
Definition: The sector of the Australian economy that involves: (a) owning or operating assets that are used in connection with the transport of goods or passengers on a commercial basis; or (b) the transport of goods or passengers on a commercial basis.
Examples: Public transport companies, freight logistic companies, aviation and maritime entities.

Water and sewerage
Definition: The sector of the Australian economy that involves operating water or sewerage systems or networks.
Examples: Water utilities, desalination plants.

These definitions were designed through close consultation with industry, as outlined in detail in section 5.

1.3. Why is critical infrastructure important?

The above sectors are critical to the functioning and prosperity of Australia's social and economic stability, defence and national security. If any of these sectors, or key assets within these sectors, are destroyed, degraded or rendered unavailable for an extended period, it would significantly impact the social and economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security.
Due to the increasingly connected nature of critical infrastructure, the impacts of compromises to critical infrastructure can spread rapidly across the economy with immediate and cascading consequences. For example, the consequences of a prolonged and widespread failure in the energy sector (through threats such as a cyber incident, weather events, or unlawful interference) could be catastrophic, causing:

• shortages or destruction of essential medical supplies that need refrigeration;

• instability in the supply of food and groceries;

• impacts to water supply and sanitation;

• impacts to telecommunications networks that are dependent on electricity;

• disruptions to transport, traffic management systems and fuel;

• reduced services or shutdown of the banking, finance and retail sectors; and

• inability for businesses and governments to function.

1.4. What are the risks to critical infrastructure?

The primary objective of the reforms is to increase the resilience of Australia's critical infrastructure against all hazards. All hazard threats include both natural threats (including meteorological or weather events) and man-made threats (including unlawful interference, cyber incidents, espionage, chemical or oil spills, and trusted insiders) that have the potential to significantly disrupt critical infrastructure. Australia's social and economic stability, defence and national security are underpinned by secure and resilient critical infrastructure. Government, industry and the Australian public will have greater confidence in the resilience of Australia's critical infrastructure providers through a clear uplift in all-hazards risk management and contingency planning.

All hazard threats can be realised through inadequate protections within four key risk domains:

• Physical - the organisation's systems and networks, specifically protecting and mitigating them from natural and human induced threats.

• Cyber - the digital systems, computers, datasets, and networks that underpin critical infrastructure systems, and protecting them from cyber threats.

• Supply chain - the systems of organisations, people, activities, information, and resources that support Australia's critical infrastructure, and protecting their operations by understanding supply chain risk.

• Personnel - the employees, owners, operators, contractors, and subcontractors engaged with Australia's critical infrastructure, and the policies supporting these personnel.

The vital functions of critical infrastructure, such as the provision of electricity, food and health services, mean that security must be considered from an all hazards approach, to ensure Australia's essential services and the Australian way of life are not disrupted or degraded, regardless of the source of a threat.

1.5. Increasing threats, connectivity and complexity of critical infrastructure

Critical infrastructure owners and operators, whether publicly or privately owned, operate in a market environment characterised by interconnectivity and an increasing reliance on technology. This connectivity and technology delivers efficiencies and economic benefits, but can also present new vulnerabilities when combined with the evolving critical infrastructure all hazards threat environment. Vulnerabilities and increasing threats mean that a range of hazards have the potential to significantly compromise the supply of essential services across Australia. This year alone COVID-19 has demonstrated how quickly the consequences of significant incidents spread throughout the nation, with substantial security, social and economic impacts. During the COVID-19 pandemic there have been delays in a range of goods and services due to disruptions within different segments of supply chains, such as food and grocery delays due to interruptions at distribution centres.

An asset is only as strong as its weakest link. The interconnected nature of critical infrastructure means that a disruption to a critical infrastructure asset or its supply chains can have extensive and costly externalities cascading beyond its immediate environment and network. It is not enough for an asset to have secure practices in place that protect it from all hazard threats; its supply chain must also be secure.


For example, disruption to the operability of the energy sector would have a significant domestic impact on the banking and finance sector.9 This is due to the reliance the banking and finance sector has on the energy sector, through powering communications, online banking, automated teller machines, etc. Similarly, a significant disruption to the operability of the transport sector would have a cascading impact on the food and grocery sector. This is due to the reliance the food and grocery sector has on the trucking industry as the primary source of delivery for food and groceries to major distribution centres and supermarkets.

Prolonged disruptions to Australia's critical infrastructure can have severe flow-on consequences for our economy, as demonstrated by several incidents of critical infrastructure disruption.

• A state-wide blackout in 2016, triggered by severe weather that damaged transmission and distribution assets, resulted in the suspension of the wholesale market in South Australia for 13 hours, costing an estimated $120,000 per minute for businesses operating in South Australia.10

• A Telstra outage in July 2019 impacted ATMs and EFTPOS machines across the country. According to the National Retailers Association, the five hour outage cost $100m in lost sales.11

• In 2018, a single morning peak hour disruption on the Sydney Harbour Bridge, caused by a member of the public climbing onto the bridge, resulted in disruptions that were estimated to have had an economic cost of up to $10 million.12

• Costs of natural disasters in 2015 were estimated to be $9 billion, with an expected increase to $33 billion by the year 2050.13

The number of all hazards impacting the operation of critical infrastructure through weaknesses in supply chains, personnel security, cyber connectivity, and physical characteristics is expected to increase over the coming years, especially within the cyber domain and from foreign intelligence services.

The Australian Cyber Security Centre has reported that malicious cyber activity against Australia's national and economic interests is increasing in frequency, scale, sophistication and severity. Australia's Cyber Security Strategy 2020 noted that critical infrastructure providers were the victims of around 35 per cent of reported cyber incidents perpetrated by malicious actors in the year to 30 June 2020.14 It is estimated that a four week interruption to digital infrastructures resulting from a significant cyber incident would cost the economy $30 billion (1.5 per cent of Australia's Gross Domestic Product) and around 163,000 jobs.15

Similarly, the Australian Security Intelligence Organisation's (ASIO) 2018-19 Annual Report identified that Australia continues to be a target for espionage and foreign interference. The report states that "Foreign intelligence services seek to exploit Australia's businesses for intelligence purposes" and "[t]hat threat will persist across critical infrastructure, industries that hold large amounts of personal data, and emerging sectors with unique intellectual property that could provide an economic or strategic edge".

9 Operability is defined as the ability of industry to keep its systems, networks, and infrastructure functional to deliver goods and services at ordinary levels of productivity. An operability disruption is a disruption to the sector which results in the sector producing goods and services at a level below the ordinary level of productivity.
10 AAP (2016) "SA blackout cost business $367 million", SBS News, https://www.sbs.com.au/news/sa-blackout-cost-business-367-million, viewed 24/08/2020
11 Infrastructure Australia (2019) "Asset Management for Critical Infrastructure", accessed 22/07/2020
12 Wade, Matt & Clun, Rachel (2018) "Traffic chaos from Sydney Harbour Bridge drama cost city up to $10 million", The Sydney Morning Herald, accessed 22/07/2020
13 Deloitte (2017) "Building resilience to natural disasters in our states and territories", accessed 9/09/2020
14 Australian Government (2020), "Australia's Cyber Security Strategy 2020", p.13.
15 AustCyber (2020), "Australia's Digital Trust Report 2020", https://www.austcyber.com/resource/digitaltrustreport2020

1.6. Existing legislative arrangements are insufficient for the current threat environment


There are a range of legislative frameworks in place across critical infrastructure sectors that go to uplifting sections of critical infrastructure against aspects of all hazard threats. Many operators of critical infrastructure, particularly in the banking, finance, aviation, maritime and communications sectors, already operate under regulatory frameworks that impose risk management, reporting and transparency obligations. Regulators in those sectors are already equipped to supervise those entities, identify emerging threats, and assist regulated entities to respond to those threats. Existing regulatory frameworks often do not consider all hazard threats, and government powers are very limited in purpose and function and do not meet security and resilience policy objectives. Some of the current regulators, frameworks and legislation include:

• The Australian Energy Regulator regulates the Australian electricity and gas markets. Its governance, functions, powers and duties include inspection and audit powers; however, these powers are tied to the purposes and functions of the National Electricity Law and National Gas Law. The Laws establish the key obligations surrounding the national electricity market, the regulation of access to electricity networks, access to gas pipelines and establishment of the gas market bulletin board to ensure reliable energy supply but, critically, do not impose baseline all hazards risk reduction requirements on entities.

• The Aviation and Maritime Security (AMS) Division within the Department regulates the aviation and maritime transport sectors under the Aviation Transport Security Act 2004 (ATSA) and the Maritime Transport and Offshore Facilities Security Act 2003 (MTOFSA). These Acts (and their associated regulations) put in place a number of regulatory requirements on aviation and maritime operators to protect their operations from the threat of unlawful interference. In addition, security regulated airports, aircraft operators, regulated cargo agents, regulated ports, regulated ships, and regulated offshore facility operators are required to conduct security risk assessments. Security risks and vulnerabilities identified through these assessments inform the mitigation measures contained in a security plan that is submitted to AMS for approval. AMS also conducts compliance activities and has the power to impose infringements and penalties on operators who fail to comply with requirements. The ATSA and MTOFSA frameworks are not presently capable of applying in the context of naturally occurring risks to safety, human made risks to business operations, or risks which are otherwise not connected with unlawful interference. The focus of the existing legislative schemes is on security or safety of operations, not business continuity in a serious emergency. This means that the existing legislative schemes would not generally envisage the impacts of all hazards on the availability, confidentiality and integrity of aviation or maritime operations being addressed.

• In New South Wales, the Independent Pricing and Regulatory Tribunal (IPART) is responsible for licensing arrangements, some of which include critical infrastructure licence conditions such as physical and data security.16 These licence conditions were established in consultation with the Critical Infrastructure Centre (CIC) and do not exist in other states. These conditions also only apply to certain assets within the electricity and water sectors, and not more broadly across all critical infrastructure.

• The Security of Critical Infrastructure Act 2018 (SoCI) currently does not impose security obligations on critical infrastructure assets (electricity, gas, water and maritime ports). Requirements on industry, such as reporting obligations, are limited and do not require them to take active steps to manage their security. While reporting is a useful mechanism to increase visibility of assets and notify the Government of potentially problematic changes, it does not improve all hazards risk management. The existing Ministerial directions power requires remediation action to improve asset security, but these are reactive powers and are only applicable in the most extreme circumstances.

16 Examples of licence conditions: https://www.ipart.nsw.gov.au/Home/Industries/Energy/Energy-Networks-Safety-Reliability-eand-Compliance/Electricity-networks/Licence-conditions-and-regulatory-instruments


 The Telecommunication and Other Legislation Act 2017 was passed to enhance security obligations for Australian carriers and carriage service providers (through the Telecommunications Sector Security Reforms). The Telecommunications Sector Security Reforms framework establishes a security obligation and notification obligation on industry, and provides the Government with an information gathering power and directions power. However, the Directions Power under s315A and s315B is not adequate to address time- sensitive security concerns. In order to exercise the Directions Power, the Australian Security Intelligence Organisation must provide an Adverse Security Assessment (ASA) in relation to the entity being directed, and the Direction must be given by the Minister for Home Affairs. Both of these processes can be quite lengthy and as a result could risk the direction not being able to be issued until well after the prejudicial security action has been taken by the offending entity. The current security obligations under the Telecommunications Act 1997 also require Carriers and Carriage Service Providers to "do their best" to protect networks and facilities, but does not explicitly outline the specific security conditions which will be a core feature of the proposed reforms. In other critical infrastructure sectors there is minimal regulation addressing all-hazards risks. For example, within the food and grocery sector, existing regulators are mostly focused on enforcing compliance with food standards, not in addressing threats from all hazards. Within the health sector, most entities are regulated at a state and territory level with minimal, consistent, overarching guidance from Federal Government, particularly against all hazards threats. Where critical infrastructure owners and operators have taken positive voluntary steps to address all- hazards risks (such as improving cyber security arrangements), these can be ad-hoc and inconsistent across sectors. 
For example the Australian Cyber Security Centre's Essential Eight advises on broad baseline cyber security strategies that businesses can implement. However, entities are able to select the strategies they implement, how they implement them, and even whether they implement them at all, ultimately resulting in inconsistent standards across industry. Without a clear and consistent approach it can be difficult for businesses to justify expenditure on uplifting all hazards security practices. This will increasingly lead to greater vulnerabilities being exposed in the nation's critical infrastructure. To ensure sector-wide resilience and security, industry must continue to adapt and keep up with the latest innovation and research. Without a more proactive stance on all hazards risk management there is a greater likelihood of critical infrastructure incidents. While certain critical infrastructure assets may have mature security practices, they may rely on an industry or asset with less secure practices creating inherent vulnerabilities within their supply chains. This means that without a complete, sector-wide uplift in security the true benefits of reform cannot be realised. If a significant cyber incident on critical infrastructure happened today, there is a risk that the Government may not have the mechanisms to act decisively to support an entity to stop or prevent an attack, nor does industry have obligations to report significant cyber incidents or apply minimum cyber security standards. Foreign Acquisitions and Takeovers Act 1975 The inability of the Government to impose requirements on entities to protect their assets is a significant shortcoming in the current threat environment. This has created an over-reliance on the Foreign Acquisitions and Takeovers Act 1975 (FATA) to manage risks. 
As the geopolitical environment continues to evolve, and as our national economy and critical infrastructure become ever more complex and interconnected, it is essential that the foreign investment review framework as set out in the FATA and the risk management framework under the SoCI adapt to meet these challenges. The critical infrastructure reforms look to complement the FATA by providing an ownership-agnostic risk management framework.

The Department is one of several national security partners the Treasury consults in preparing advice for the decision-maker on foreign investment applications under the FATA. The CIC undertakes risk assessments on a case-by-case basis where an acquisition is in one of Australia's critical infrastructure sectors. Where national security risks are identified, the CIC may recommend imposing mitigations, which include a spectrum of binding conditions on the acquisition or, in the most extreme cases, advice that no conditions would manage the risk posed by the transaction. Since the creation of the CIC in January 2017, there has been an average 61 per cent annual increase in critical infrastructure-related foreign investment applications being referred to the CIC for review. In the first year of its existence (2017-18), the CIC assessed 242 cases. Since then, case numbers have increased significantly, with 626 cases assessed by the CIC in 2019-20. On 29 March 2020, the Treasurer announced temporary changes to Australia's foreign investment review framework in response to the COVID-19 pandemic, setting a $0 monetary screening threshold for all proposed foreign investment in Australian businesses and land. The change resulted in a significant spike in the volume of applications referred to the Department for scrutiny, which it would not normally see under the regular monetary thresholds.

The proposed reforms within this RIS intend to address the increasing threats to our critical infrastructure sectors by placing obligations on critical infrastructure owners and operators to protect their assets against all hazards. This is designed, over time, to relieve the pressure on the foreign investment process by allowing sector-wide obligations to take the place of case-by-case national security conditions. Sector-wide obligations will also ensure that foreign-owned and Australian-owned businesses are held to the same security standards. These reforms will, however, have limited effectiveness in mitigating risks where a foreign-owned entity is deliberately and deceptively acting to undermine Australia's national security.
The changes contemplated in the FATA reforms will complement the critical infrastructure security reforms by effectively managing national security risk arising from ownership. The proposed enhanced critical infrastructure framework will further align with the FATA reforms through a linked understanding of 'national security business'. The FATA reforms propose a new national security test which requires mandatory notification of any proposed direct interest in a sensitive 'national security business' (including starting such a business). The definition of a national security business will be prescribed in the accompanying Regulation and will, among other things, include critical infrastructure assets as defined in the SoCI.

1.7. The Government currently has limited visibility and power to act

Globally, we have recently witnessed a number of cyber security incidents affecting critical infrastructure assets that have had significant direct and indirect consequences. The impacts of these cyber incidents have ranged from large-scale financial losses to loss of life.

Ukraine power outages, 2015

The Ukrainian power outages on 23 December 2015 highlighted the potential impacts of cyber attacks on critical infrastructure. The attack involved sophisticated malicious actors taking command and control of the Supervisory Control and Data Acquisition networks of three energy distributors, resulting in 30 substations being switched off. The attack disabled or destroyed other digital infrastructure and wiped data from the companies' networks. An employee reportedly watched on helplessly as the malicious actor took substations offline. Concurrently, a call centre that provided up-to-date information to consumers about the blackout became inoperable due to a denial-of-service attack. While less than 1% of the country's daily consumption of energy was disrupted, the attack left over 225,000 Ukrainians, in the middle of winter, without power for several hours.
Two months after the attack, some control centres were still not fully operational and manual procedures were required. The potential for far greater consequences remains: cyber attacks can destroy physical components, and with the means and motive, an attack on the energy sector could result in impacts that are significantly more difficult to repair.


WannaCry, 2017

In 2017, a large-scale ransomware campaign, commonly called WannaCry, affected some 230,000 individuals and over 300,000 computer systems in 150 countries. The incident resulted in an estimated USD$4 billion in financial losses globally. WannaCry exploited vulnerabilities in Microsoft Windows software, impacting communications, financial, transport and healthcare services. This included the United Kingdom's National Health Service, which was forced to turn away non-critical patients and cancel around 20,000 appointments.

Hospital attacks, 2020

Since the COVID-19 pandemic began, hospitals have come under increasing strain due to malicious cyber incidents, particularly ransomware attacks. The March 2020 ransomware attack on Brno University Hospital, one of Czechia's largest COVID-19 testing laboratories, saw the forced shutdown of its entire information technology network. In September 2020, Düsseldorf University Hospital suffered a ransomware attack that brought down its computer systems. As a result, an individual being transported to the hospital by ambulance was re-routed to another hospital 30 kilometres away and passed away en route.

In Australia, current legislative regimes do not provide the Government with the ability to develop adequate visibility of threats to Australia's most significant systems (near real-time situational awareness), or to provide directions to critical infrastructure entities in response to significant cyber incidents if entities are unwilling or unable to resolve the incident. As the majority of critical infrastructure assets are owned and/or operated by the private sector, the Government may not be aware of threats or cyber security incidents impacting industry, and has limited power to assist if it is not requested by the affected entity.
This can result in delays that substantially impact the Government's ability to successfully assist in resolving an incident, especially when dealing with time-sensitive matters such as cyber incidents.

1.8. Regulation is wanted and needed to drive a wholesale uplift in security and resilience

Consultation for the Cyber Security Strategy 2020 highlighted that industry seeks greater direction from the Government in the protection of critical infrastructure. For the Cyber Security Strategy 2020, the Government:

• met with more than 1,400 people from across the country in face-to-face consultations, including workshops, roundtables and bilateral meetings; and
• received 215 submissions in response to the Cyber Security Strategy 2020 Discussion Paper.

The Government heard that Australia's critical systems are facing a worsening threat environment and that the nation needs to address vulnerabilities in supply chain security, control systems and operational technology. This is consistent with advice from the national intelligence community and other sources.17 Timely and actionable information sharing was identified as a critical gap. To ensure sector-wide resilience and security, industry must continue to adapt and keep up with the latest innovation and research. Without a more proactive stance on all-hazards risk management there is a greater likelihood of critical infrastructure incidents, as industry is left to develop its own standards.

The Government values its ongoing engagement with critical infrastructure entities. Mechanisms like the Trusted Information Sharing Network (TISN) are important forums for cross-sector dialogue, facilitating ongoing discussion on critical infrastructure resilience, including national security. Extensive engagement with industry and states and territories has revealed broad support for the introduction of an enhanced framework to secure critical infrastructure.
Consultations on the proposed reforms were conducted through six virtual town halls (attended by 620 representatives from business and civil society), 22 virtual workshops (attended by 949 individuals) and 194 submissions in response to the Protecting Critical Infrastructure and Systems of National Significance Consultation Paper. This was further complemented by an additional four town halls and numerous bilateral conversations across industry as well as state and territory governments. A number of submissions were also received in response to a publicly released exposure draft Bill.

Consultations highlighted that the Australian public looks to both the Government and critical infrastructure providers to secure the delivery of essential services. Collaboration and preparation ahead of time are needed so that everyone knows what their role is and what they need to do in an emergency. To do this, the Government and critical infrastructure entities need the right processes, authorisations and powers in place to respond rapidly and decisively.

17 For example, see the Australian Strategic Policy Institute's report, Protecting national critical infrastructure in an era of IT and OT convergence (2019).

2. WHY IS GOVERNMENT ACTION NEEDED?

2.1. Overview

The safe and secure functioning of Australia's critical infrastructure is essential to Australia's social and economic stability, defence and national security. Recognising the challenges outlined above, the existing regulatory framework across government is insufficient to manage the growing risks to critical infrastructure. The Government must act now to ensure a consistent and nation-wide uplift to the security and resilience of critical infrastructure assets.

2.2. How can the Government successfully intervene?

The Government will work closely with industry to ensure that any reforms are directed at the most critical entities regardless of their ownership arrangements. This will achieve the broadest and most effective uplift and will create an even playing field for owners and operators. This will also maintain Australia's existing open investment settings, and ensure that businesses who take security seriously are not at a commercial disadvantage.
Ultimately, the objective of each option within the Regulation Impact Statement is to ensure that Australia has resilient critical infrastructure for the benefit of all Australians. This could be achieved by addressing the shortfalls in our current critical infrastructure framework and strengthening the Government's ability to:

• safeguard Australia's critical infrastructure against increasingly complex all-hazards risks through increased industry responsibility;
• manage these risks collaboratively with industry through strengthened engagement and a more structured relationship with the owners and operators of our most critical systems (including cyber security activities to proactively identify vulnerabilities);
• identify and mitigate cyber threats to Australia's most critical systems through increased situational awareness of the threat environment;
• provide directions to industry where necessary in response to cyber incidents;
• respond rapidly in exceptional circumstances by making it clear what the Government is authorised to do; and
• maintain Australia's open investment policy settings, when in the national interest, in an ever-evolving geopolitical and economic landscape.

2.3. Externalities

The increasingly interconnected nature of critical infrastructure means that disruption to critical infrastructure assets or their supply chains can have extensive and costly externalities. While an entity may have stringent security practices in place, if a third party responsible for a core component of its supply chain is not secure, it can have cascading and damaging effects. For example, while a hospital may have secure cyber practices, a data centre that holds its patient data may not. As such, a compromise within a data centre could have cascading effects on a hospital, even though the hospital itself has done everything in its power to secure its patient records. Consequently, market forces are not sufficient to safeguard all critical infrastructure against all-hazards threats. Government action is needed to provide greater assurance that vulnerabilities are proactively detected and prevented, and that any realised incidents impacting Australia's critical infrastructure are resolved without negatively influencing Australia's social and economic stability, defence and national security, or the reliability and security of other critical infrastructure assets.

3. QUESTION THREE: WHAT POLICY OPTIONS ARE YOU CONSIDERING?

The Department has considered three broad options to address the identified problems:

Option 1: Maintaining the existing arrangements without amendment.

Option 2: Strengthened government regulation, enhanced compliance and voluntary engagement through the TISN for Critical Infrastructure Resilience.

Option 3: No legislative change; achieve improvements to critical infrastructure resilience with voluntary engagement through the TISN and publishing additional guidance alongside the updated Critical Infrastructure Resilience Strategy.

The detailed costs and benefits of all three options are provided within section 4.

3.1. Option One - No regulatory change or enhanced compliance

This option involves no legislative reform and maintaining the status quo of the TISN, the Australian Cyber Security Centre and its Joint Cyber Security Centres. The Government would have no direct involvement or influence over the security practices of owners and operators of critical infrastructure assets in Australia, would have little understanding of Australia's most vital systems beyond water, electricity, gas and maritime ports, and would lack the ability to source real-time situational awareness or assist industry to prevent or respond to threats in exceptional circumstances.
Owners and operators would continue to have minimal security requirements in many critical infrastructure sectors. This approach would not address the current risk to critical infrastructure outlined within section 1.

3.2. Option Two - Strengthened government regulation, enhanced compliance and voluntary engagement through the Trusted Information Sharing Network for Critical Infrastructure Resilience

Option two involves legislative amendments to SoCI to enhance existing powers, combined with revitalising the TISN and releasing a new Critical Infrastructure Resilience Strategy. Collectively these measures will address the problems defined within section 1, helping to reduce the risk and consequence of security incidents. Option two will introduce a range of regulatory obligations and non-regulatory mechanisms for three broad classes of entities:

1. Critical infrastructure sectors - as defined within section 1.2;
2. Critical infrastructure assets - a specific subset of assets within critical infrastructure sectors that will be defined within SoCI. The thresholds for critical infrastructure assets are further explained in Attachment 1;
3. Systems of national significance - those assets declared by the Minister for Home Affairs to be most critical to Australia's social and economic stability, defence and national security. These systems will be a specific and limited subset of critical infrastructure assets.

It is proposed that SoCI be amended to allow the Minister to declare, in writing, that a particular asset is a system of national significance if:
o the asset is a critical infrastructure asset; and
o the Minister is satisfied that the asset is of national significance having considered:
  - the extent of shared interdependencies of the asset across the economy; and
  - any other matters the Minister considers relevant.

The Minister for Home Affairs will be able to declare a system of national significance once legislation has passed. However, it is proposed that there will be a consultation requirement within the legislation dictating that the Minister for Home Affairs must first consult with an entity before declaring it a system of national significance.

The four elements of the enhanced framework under Option Two are Positive Security Obligations, Enhanced Cyber Security Obligations, Government Assistance and Ministerial Directions, as further detailed below. The following entities will be subject to each of the measures:

                                      Entities within critical    Critical infrastructure    Systems of national
                                      infrastructure sectors      assets                     significance
Positive Security Obligations*        No                          Yes                        Yes
Enhanced Cyber Security Obligations   No                          No                         Yes
Government Assistance                 Yes                         Yes                        Yes
Ministerial Direction                 No                          Yes                        Yes

* The obligations under the Positive Security Obligations will need to be "turned on" (through the making of a rule) for each class of assets, meaning that there will be no regulatory burden experienced by industry under the Positive Security Obligations until defined within the Rules.

3.2.1. Positive Security Obligations is the collective name for three regulatory obligations intended to uplift the security and resilience of critical infrastructure assets, build cyber situational awareness and enable the Government and industry to more effectively prevent, defend against and recover from all hazards.
These obligations will apply to critical infrastructure assets, and each of the obligations will need to be explicitly turned on (through the making of a rule) for each asset or class of assets. This will be used to offset potential regulatory burden by managing any potential areas of duplication with existing arrangements and recognising equivalent regimes that are already in place. There will be three distinct obligations within the Positive Security Obligations:

o Register of Critical Infrastructure Assets - Part 2 of the current SoCI created a Register of Critical Infrastructure Assets, designed to assist the Government in gaining greater visibility of who owns, controls and has access to critical infrastructure assets, including board structures and outsourcing and offshoring information, ultimately ensuring the security and resilience of critical infrastructure. The Register requires reporting entities, who are either direct interest holders or the responsible entity of critical infrastructure assets, to provide interest and control information and operational information to the Secretary within a certain timeframe. The number of entities required to report to the Register is expected to increase in conjunction with the expanded definition of critical infrastructure assets. However, the obligation to report to the Register will not be activated until the Minister for Home Affairs, through the rules, has activated the obligation for particular critical infrastructure assets after consultation with industry. This is intended to prevent duplication and offset the potential regulatory burden experienced by industry by not requiring further reporting on top of existing obligations. The expansion of the Register will be in line with existing protections already in the SoCI Act, consistent with the Australian Privacy Principles.

The Government recognises that a range of mechanisms to manage certain hazards already exist. The Government does not propose to duplicate or replace these existing mechanisms but instead will work with key stakeholders (including industry, peak bodies, regulators, and state and territory governments) to leverage existing regulations and frameworks, and where necessary build on them to deliver a more consistent approach to managing risk across all sectors. This will be achieved by deferring to existing regulatory obligations where they are equivalent to components of the risk management obligations.

o Critical Infrastructure Risk Management Program - under this obligation, assets that are considered critical infrastructure assets will be required to develop and comply with a critical infrastructure risk management program.
The program is intended to increase resilience across critical infrastructure assets, address vulnerabilities across the physical, cyber, supply chain and personnel domains, provide a wholesale uplift in the security of critical infrastructure and reassure Government that critical infrastructure assets are appropriately safeguarded against all-hazards risks (as explored in section 1). The Bill will set out the overarching obligations for the risk management programs, with the more detailed, sector-specific requirements to be contained within the rules. The risk management program will require a responsible entity of a critical infrastructure asset to identify material risks to its asset, propose a plan to mitigate those risks so as to prevent incidents, minimise the impact of any realised risks, and have appropriate risk management oversight arrangements in place for its program. The Minister for Home Affairs, through the rules, will be required to activate the obligation for critical infrastructure assets. The Minister for Home Affairs will also have a rule-making power to specify how an entity must meet these security obligations. These rules will be legislative instruments and disallowable by Parliament. Sector-specific rules will be co-designed with industry to provide clarity around expectations, and what would be considered a reasonable and proportionate response to meeting the obligations. Following commencement and the enactment of sector-specific rules, industry would be provided a grace period during which they are legally obliged to comply with the obligation but no enforcement action can be taken. This will provide industry time for the necessary uplifts to occur, with the support of extensive outreach and education from the CIC.
Where a risk management program is in place, the responsible entity of that critical infrastructure asset must provide a report to the Secretary of Home Affairs, or the relevant Commonwealth regulator, within 90 days of the end of the financial year. The report must:

a) state whether or not the program was up to date during the financial year;
b) if a hazard had a significant relevant impact on one or more of those assets during the relevant period, include a statement that identifies the hazard, evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets concerned, and outlines any variations made to the program as a result of the hazard occurring.

All costs associated with the critical infrastructure risk management program will be costed within future RIS(s), including the costs associated with an entity's obligation to report annually to the Secretary of Home Affairs.

o Notification of cyber security incidents - the responsible entity of a critical infrastructure asset, where not subject to an equivalent obligation elsewhere, will be required to report cyber security incidents that involve a direct compromise of the system or impact the functioning of the asset.18 This obligation imposes a two-tiered reporting obligation on the responsible entity for a critical infrastructure asset based on the severity of a cyber security incident. The first tier is where an entity is experiencing a cyber security incident that has had, or is having, a significant impact on the availability of the asset; the entity must report the incident within 12 hours of becoming aware of it.19 The second tier is where an entity is experiencing a cyber security incident that has had, is having, or is likely to have, a relevant impact on an asset; the entity must report the incident within 72 hours of becoming aware of it.20 The reports must be made to the Australian Cyber Security Centre (unless another Commonwealth body is prescribed in the rules), and may be made orally or in writing. For example, the entity will be required to report the detection of malware on its system or a denial of service attack that disrupts the service, but not phishing emails that have no impact on the entity. These reporting obligations are only engaged (i.e. the clock starts) when the entity becomes aware of the incident, and therefore may not be activated until some time after the incident has occurred and an internal investigation has revealed the source of the problem.
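The two-tier rule above is easy to get wrong in an incident-response runbook: the 12-hour tier turns only on a significant availability impact, the 72-hour tier on any relevant impact (availability, integrity, reliability or confidentiality; actual or likely), and both clocks run from awareness rather than from when the intrusion began. The following triage helper is an added illustration, not part of the memorandum and not an authoritative reading of the Bill. The field names, the sample incidents and the assumption that "significant" is a flag supplied by the entity (rather than something computed) are all the editor's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Added illustration, not part of the memorandum and not an authoritative reading
# of the Bill. It encodes the two reporting tiers as the text describes them:
#   tier 1 - a significant impact on the asset's availability: report within 12 hours
#   tier 2 - any other "relevant impact" (direct or indirect; has had, is having or is
#            likely to have) on the availability, integrity, reliability or
#            confidentiality of the asset, information about it, or data held in it:
#            report within 72 hours
# Both clocks start when the entity becomes AWARE of the incident, not when it began.
# Field names are assumptions; whether an availability impact is "significant" is the
# entity's own determination (footnote 19), so it is an input here, not computed.

TIER1_WINDOW = timedelta(hours=12)
TIER2_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class Incident:
    name: str
    aware_at: datetime                      # when the entity became aware (starts the clock)
    occurred_at: Optional[datetime] = None  # often unknown at triage time; informational only
    # relevant-impact dimensions; True for impacts that have occurred, are occurring
    # or are likely, since the tier 2 test covers all three
    availability: bool = False
    integrity: bool = False
    reliability: bool = False
    confidentiality: bool = False
    # the entity's judgement that the availability impact is significant (tier 1)
    significant_availability_impact: bool = False


@dataclass(frozen=True)
class Notification:
    tier: Optional[int]            # None: no SoCI notification obligation engaged
    deadline: Optional[datetime]   # aware_at + window, or None
    basis: str


def classify(inc: Incident) -> Notification:
    """Map an incident to its SoCI notification tier and deadline."""
    if inc.significant_availability_impact and not inc.availability:
        raise ValueError(f"{inc.name}: a significant availability impact is an availability impact")
    if inc.occurred_at is not None and inc.aware_at < inc.occurred_at:
        raise ValueError(f"{inc.name}: awareness cannot precede occurrence")
    if inc.significant_availability_impact:
        return Notification(1, inc.aware_at + TIER1_WINDOW,
                            "significant impact on availability (12 hours from awareness)")
    dims = [d for d in ("availability", "integrity", "reliability", "confidentiality")
            if getattr(inc, d)]
    if dims:
        return Notification(2, inc.aware_at + TIER2_WINDOW,
                            "relevant impact on " + ", ".join(dims) + " (72 hours from awareness)")
    return Notification(None, None, "no relevant impact; no notification obligation engaged")


def time_remaining(n: Notification, now: datetime) -> Optional[timedelta]:
    """Time left before the report is late (negative once overdue); None if not reportable."""
    return None if n.deadline is None else n.deadline - now


def triage_examples() -> Dict[str, Notification]:
    """Constructed sample incidents (not real events) run through classify()."""
    utc = timezone.utc
    samples = [
        # Ransomware found encrypting an OT historian: the intrusion began days earlier,
        # but the 12-hour clock runs from discovery.
        Incident("ransomware-ot-historian",
                 aware_at=datetime(2021, 3, 2, 8, 0, tzinfo=utc),
                 occurred_at=datetime(2021, 2, 27, 22, 10, tzinfo=utc),
                 availability=True, significant_availability_impact=True),
        # Stolen VPN credentials with evidence of data access but no outage: tier 2.
        Incident("credential-theft-vpn",
                 aware_at=datetime(2021, 3, 5, 14, 30, tzinfo=utc),
                 confidentiality=True),
        # A sensor feeding the SCADA master reporting stale values after a malware
        # infection: reliability impact, tier 2.
        Incident("scada-telemetry-stale",
                 aware_at=datetime(2021, 3, 6, 1, 15, tzinfo=utc),
                 reliability=True),
        # Phishing email reported by staff, no click, no impact: not reportable.
        Incident("phishing-no-impact",
                 aware_at=datetime(2021, 3, 6, 9, 0, tzinfo=utc)),
    ]
    return {s.name: classify(s) for s in samples}


if __name__ == "__main__":
    for name, n in triage_examples().items():
        print(f"{name:26s} tier={n.tier} deadline={n.deadline} {n.basis}")
```

The ransomware sample is the case that matters operationally: the compromise date is days earlier, yet the deadline is computed from `aware_at`, exactly as the text's "clock starts when the entity becomes aware" wording requires. The explicit `significant_availability_impact` input keeps the judgement call where footnote 19 places it, with the entity, and the consistency check refuses an incident flagged as significant without an availability impact.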
These reports will be used by the Australian Cyber Security Centre:

• where appropriate, to initiate an offer of assistance or, in particularly serious situations, an application for government assistance (discussed below); and
• to provide intelligence to support the development of improved national situational awareness.

This obligation will provide Government with greater visibility of the current cyber environment that critical infrastructure assets are operating within, allowing Government to develop an aggregate threat picture which can then be used to inform industry of, and assist industry to deal with, the threats they face. The Bill will define the obligations; however, the Minister for Home Affairs, through the rules, is required to activate the obligation for particular critical infrastructure assets.

3.2.2. Enhanced Cyber Security Obligations will only apply to assets which are considered to be of the highest criticality (systems of national significance). These obligations are intended to build upon the existing strong Government-industry partnership and provide the Government with the information and understanding necessary to reduce the risk and potential impacts of significant cyber incidents. They will also provide the Government with assurance that assets of the highest criticality are actively safeguarding themselves from cyber vulnerabilities above and beyond their requirements under the Positive Security Obligations. Due to the increasingly interconnected nature of critical infrastructure, it is vital that those of the highest criticality (systems of national significance) are actively safeguarding against significant cyber security incidents to reduce the occurrence and impacts of such incidents. The Minister for Home Affairs will provide an annual report to Parliament on the use of these powers.

There will be four distinct components of the Enhanced Cyber Security Obligations, which will be activated only on request (meaning there is no standing obligation):

o Develop and maintain incident response plans - under this obligation the Secretary may require the responsible entity for a system of national significance to establish and maintain an incident response plan. Incident response plans are designed to ensure an entity has established processes and tools to prepare for and respond to cyber security incidents. It is intended that the plan would need to comply with any requirements specified in the rules, which may include details on procedures to be included in the plan for responding to a particular cyber security incident. An incident response plan typically includes profiles of common incident types and response activities for the organisation and sector; roles, responsibilities and contact details; checklists of actions (for detection and analysis, containment and eradication, communications and recovery); and templates to use when required.

18 In order to cost the notification of cyber security incidents for industry, a total maximum cost is calculated on the basis that all critical infrastructure entities are required to report cyber breaches, acknowledging that this may not be the case where equivalent obligations already exist.
19 What is considered a 'significant impact' is likely to vary between assets and across sectors, and it will be up to the entity to determine when a relevant impact is significant for the purposes of this reporting obligation.
20 'Relevant impact' means a direct or indirect impact on the availability, integrity, reliability or confidentiality of a critical infrastructure asset, information about the asset, or data or information stored in the asset.
Engagement with industry has indicated that many systems of national significance are likely to already have an existing incident response plan that can be provided to the Government upon request.

o Undertake a scenario-based exercise - under this obligation the Secretary may require the responsible entity for a system of national significance to undertake a cyber security exercise. It is intended that the Secretary of Home Affairs may, by written notice, require a system of national significance to undertake a cyber security exercise in relation to all types of cyber security incidents, or one or more specified types of cyber security incidents (for example, a denial of service or ransomware attack). Conducting a cyber security exercise is an important activity for an organisation to test and improve its cyber resilience. The scope of the exercise will be determined based on threats and incident trends, as well as consideration of the consequential or cascading effects that may occur should the system be impacted by a cyber security incident. This is intended to test an entity's ability to respond appropriately to a cyber security incident, its preparedness to respond, and its ability to mitigate the relevant impacts of a cyber security incident.

o Conduct a vulnerability assessment - under this obligation the Secretary may require the responsible entity for a system of national significance to undertake a vulnerability assessment. Vulnerability assessments are a routine cyber security practice undertaken to identify vulnerabilities or 'gaps' in systems which expose them to particular types of cyber incidents. These preparatory activities also enable the entity to evaluate the risk posed by particular vulnerabilities. This will enable entities that operate Australia's systems of national significance to remediate vulnerabilities before they can be exploited by malicious actors.
A vulnerability assessment can consist of a documentation-based review of a system's design, a hands-on assessment or automated scanning with software tools. In each case the goal is to identify security vulnerabilities, and the requirements of the assessment will be outlined in the request made by the Secretary. This assessment can be undertaken by the entity or by a third party on behalf of the responsible entity. Where an entity is unable to conduct an assessment, Government may also undertake a vulnerability assessment of the asset on the entity's behalf.

o Provide access to system information relating to the functioning of a system - an organisation's ability to detect and respond to a cyber incident depends on having visibility across its technology environment. This visibility is provided in the form of telemetry (often referred to as system logs or system information) that is usually aggregated into a centralised security operations capability. Under the Enhanced Cyber Security Obligations, the Secretary may require the responsible entity for a system of national significance to provide such system information. If the Secretary of Home Affairs believes on reasonable grounds that the responsible entity for the system of national significance is technically capable of doing so, the Secretary may require the entity to provide the Australian Signals Directorate with periodic reports consisting of specified system information (a 'system information periodic reporting notice'). The Secretary may specify the intervals, manner and form in which the information is to be provided, as well as any other information technology requirements relating to the provision of the information. Depending on the information required and the ability for automated provision (such as automated machine-to-machine cyber threat intelligence sharing), these reports may be required at rapid intervals, for example every minute.

If an entity is requested to provide access to telemetry (host, gateway, etc.), it could utilise existing arrangements or procure relevant technology. Most large organisations are likely to have an established cyber security function or an existing engagement with a cyber security service provider. This information could be streamed or dumped. Software delivers this function and can be configured as required. The serviceability of this software is likely to be within the ability of in-house IT functions.
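Two engineering points sit underneath a periodic reporting notice: the report has to go out on the interval whether or not anything happened, and what leaves the entity must be information about networks and systems rather than about consumers. The sketch below is an added example by the editor, not code from the memorandum, the ACSC or ASD, and it does not represent any actual reporting format. It reduces each telemetry record to an allowlist of network/system fields, batches records into one-minute windows (the interval the text uses as an illustration) and hands each serialised report to a sender. The field names, the allowlist, the asset identifier, the sample records and the sender interface are all assumptions; a real notice would specify them.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List, Optional, Tuple

# Added example; not code from the memorandum, the ACSC or ASD. It sketches the
# shape of a "system information periodic reporting" pipeline: telemetry records from
# a host or gateway are reduced to network/system fields, batched, and handed to a
# sender at a fixed interval (one minute here, the interval the text gives as an
# illustration). The field names, the allowlist, the asset identifier and the sender
# interface are all assumptions; a real notice would specify them.

# Fields taken to describe the network or system. Anything not listed is dropped
# before the record leaves the entity. An allowlist rather than a denylist means a
# new consumer-related field added upstream is excluded by default. Which fields
# count as system information is a judgement for the entity and the notice.
SYSTEM_FIELDS = frozenset({
    "ts", "host", "sensor", "event", "src_ip", "dst_ip", "dst_port",
    "proto", "bytes", "action", "rule", "process", "sha256",
})


def minimise(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of record containing only allowlisted fields."""
    return {k: v for k, v in record.items() if k in SYSTEM_FIELDS}


@dataclass
class PeriodicReporter:
    sender: Callable[[str], None]                 # delivers one serialised report
    interval: timedelta = timedelta(minutes=1)
    asset_id: str = "sons-example-01"            # assumed identifier for the asset
    dropped_fields: int = 0                       # audit counter for minimised fields
    _buffer: List[Dict[str, Any]] = field(default_factory=list)
    _window_start: Optional[datetime] = None
    _seq: int = 0

    def ingest(self, record: Dict[str, Any], now: datetime) -> None:
        """Minimise one record and buffer it; emit first if the window has closed."""
        if self._window_start is None:
            self._window_start = now
        self.flush_if_due(now)
        slim = minimise(record)
        self.dropped_fields += len(record) - len(slim)
        self._buffer.append(slim)

    def flush_if_due(self, now: datetime) -> bool:
        """Emit a report if `interval` has elapsed since the window opened."""
        if self._window_start is None or now - self._window_start < self.interval:
            return False
        self._emit(now)
        return True

    def _emit(self, now: datetime) -> None:
        # An empty report is still sent: it doubles as a heartbeat so the receiver can
        # tell "nothing happened" from "the feed is down".
        self._seq += 1
        report = {
            "asset": self.asset_id,
            "seq": self._seq,                         # gaps reveal lost reports
            "window_start": self._window_start.isoformat(),
            "window_end": now.isoformat(),
            "records": self._buffer,
        }
        self.sender(json.dumps(report, sort_keys=True))
        self._buffer = []
        self._window_start = now


# Constructed sample telemetry (not real logs). Three records carry consumer- or
# user-related fields that the allowlist strips before forwarding.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"ts": "2021-01-01T00:00:00Z", "host": "gw-01", "sensor": "fw", "event": "deny",
     "src_ip": "198.51.100.7", "dst_ip": "10.0.5.20", "dst_port": 502, "proto": "tcp",
     "action": "deny", "rule": "block-external-modbus",
     "customer_email": "jane@example.com", "account_no": "12345"},
    {"ts": "2021-01-01T00:00:20Z", "host": "hmi-03", "sensor": "edr",
     "event": "process_start", "process": "mimikatz.exe",
     "sha256": "0" * 64, "user": "operator1"},
    {"ts": "2021-01-01T00:00:40Z", "host": "proxy-01", "sensor": "proxy", "event": "http",
     "src_ip": "10.0.9.14", "dst_ip": "203.0.113.5", "dst_port": 443, "proto": "tcp",
     "bytes": 8320, "action": "allow", "subscriber_id": "S-0099",
     "url": "https://portal.example/account/12345"},
    {"ts": "2021-01-01T00:01:05Z", "host": "gw-01", "sensor": "fw", "event": "allow",
     "src_ip": "10.0.5.20", "dst_ip": "10.0.5.1", "dst_port": 53, "proto": "udp",
     "bytes": 96, "action": "allow"},
]


def run_demo() -> Tuple[List[Dict[str, Any]], PeriodicReporter]:
    """Feed the samples through a one-minute reporter; return the reports it sent."""
    sent: List[str] = []
    rep = PeriodicReporter(sender=sent.append)
    t0 = datetime(2021, 1, 1, 0, 0, tzinfo=timezone.utc)
    for rec, offset in zip(SAMPLE_RECORDS, (0, 20, 40, 65)):
        rep.ingest(rec, t0 + timedelta(seconds=offset))
    rep.flush_if_due(t0 + timedelta(seconds=130))      # close the second window
    return [json.loads(p) for p in sent], rep


if __name__ == "__main__":
    reports, rep = run_demo()
    for r in reports:
        print(f"seq={r['seq']} {r['window_start']} -> {r['window_end']} records={len(r['records'])}")
    print("fields dropped by minimisation:", rep.dropped_fields)
```

The sender is injected so the same reporter can write to a local spool (the "dumped" case), a message queue or a TLS channel to the receiving agency (the "streamed" case) without changing the minimisation or batching logic. The sequence number and the window boundaries are what let the receiver detect lost or late reports, which is the property an every-minute feed is really being asked for; and the `dropped_fields` counter gives the entity an audit figure showing that consumer fields never left the network.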
After initial set-up and deployment, monitoring the serviceability and maintenance of the software could easily be integrated into business-as-usual (BAU) practices. If the in-house cyber security function wanted to use the software for its own monitoring (beyond meeting this obligation), that use would likely be integrated into BAU processes as well. The type of technology required will vary between networks.

Importantly, the information able to be requested under these obligations will be limited to information about networks and systems, not information about consumers. Any incidental personal or commercially sensitive information collected will be subject to the Australian Privacy Principles and to principles of data minimisation, to the greatest extent possible. Notifiable data breaches will be reported to the Office of the Australian Information Commissioner.

3.2.3. Government assistance to relevant entities within critical infrastructure sectors in response to significant cyber attacks that impact on Australia's critical infrastructure assets

Entities outside critical infrastructure sectors will not be subject to these measures. Entities are primarily responsible for managing cyber security risks through calibrated risk management, preparatory activities and enhanced situational awareness. However, in exceptional circumstances, the enhanced framework will give the Government the power to take appropriate steps to prevent and address cyber security incidents that threaten serious prejudice to Australia's interests, to mitigate the impacts of such incidents on critical infrastructure, and to restore the functioning of those assets. These powers will allow the Government to act in exceptional circumstances to protect the nation's critical infrastructure assets.

This will be achieved by enabling the Minister for Home Affairs to authorise the Secretary of Home Affairs to issue an information gathering direction, an action direction or an intervention request (as explained below).


Importantly, prior to authorising the Secretary of Home Affairs to issue directions to a critical infrastructure asset, the Minister for Home Affairs would need to be satisfied that:

o a cyber security incident has occurred, is occurring, or will imminently occur
o the incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset
o there is a material risk that the incident has, is, or is likely to, seriously prejudice:
   the social or economic stability of Australia or its people, or
   the defence of Australia, or
   national security, and
o no other existing Commonwealth, State or Territory regulatory regime could more effectively be used to respond to the incident.

In considering an application in relation to the exercise of the information gathering, action direction or intervention powers, as a matter of practice the Minister for Home Affairs will notify other relevant Commonwealth Ministers at an appropriate time. Those Ministers may choose to make representations to the Minister for Home Affairs or the Prime Minister to support their respective decisions. An operational protocol, to be agreed by Government, will be developed to support the implementation of this regime and will expressly articulate procedures for consultation, including, for example, the circumstances in which the Prime Minister would call a meeting of the National Security Committee of Cabinet, or consultation with relevant regulators to coordinate action. This will allow the Government to determine the most appropriate way of ensuring relevant Ministers are involved in the decision-making process.

Furthermore, an authorisation for directions or intervention powers will cease after 20 days, unless the Minister for Home Affairs has revoked the authorisation earlier because the incident has been resolved or compulsory powers are no longer required. Where an emergency continues beyond this period, the Minister for Home Affairs may make another authorisation in relation to the particular incident if satisfied of all the necessary criteria. If the Minister for Home Affairs seeks another authorisation for a particular event, the Minister will again require the agreement of the Minister for Defence and the Prime Minister.

Under the Government Assistance measures, the Minister for Home Affairs may authorise the Secretary of Home Affairs to do one or more of the following:

o Information gathering direction - the Secretary may require the responsible entity for an asset within a critical infrastructure sector to provide information in order to support the Minister for Home Affairs' decision as to whether to pursue the further direction or intervention powers (discussed below) in light of a cyber security incident. Importantly, the Secretary of Home Affairs must not give a direction unless satisfied that the direction is a proportionate means of obtaining the information and that compliance with the direction is technically feasible or reasonably possible to execute. This direction would only be made upon suspicion of a cyber-crime having occurred, occurring, or imminently occurring. An entity is not excused from giving information in response to a direction on the ground that the information could potentially incriminate the entity; however, any information provided is not admissible in evidence against the entity except in proceedings for providing false or misleading information or documents, or for failing to comply with the direction. This reflects that the purpose of the information gathering power is to better understand the situation in order to facilitate a better response to an incident.


Scenario (information gathering direction): A key supplier of logistical services to a critical freight service asset is subject to a cyber security incident which results in the critical freight service asset being unable to distribute medical supplies nationally. The Minister for Home Affairs would authorise the Secretary to issue an information gathering direction to the supplier, requiring it to provide the necessary information. This information could be used to jointly develop an appropriate response with the responsible entity and to determine whether further Government assistance is required to mitigate the incident.

o Action direction - the Secretary may require the responsible entity for an asset within a critical infrastructure sector to prevent a cyber security incident, mitigate the impact of the incident, or restore the functionality of a critical infrastructure asset affected by the incident. The Secretary will also be required, if practicable, to consult with the responsible entity prior to making any direction, to ensure a proper understanding of potential unintended consequences, and may consult relevant Commonwealth agencies in determining the necessary actions. In practice, the Secretary of Home Affairs will work closely with relevant agencies to determine the necessary directions. For example, the Australian Signals Directorate may advise the Secretary that a particular software patch is likely to be effective in preventing an imminent incident, and that advice would form the basis of the Secretary's direction. The Minister may authorise the Secretary to make directions which:

 are prescribed in the legislation and are reasonably necessary and proportionate to achieving the objective of resolving the incident, or
 are such other directions as the Minister for Home Affairs expressly authorises and are reasonably necessary and proportionate to achieving the objective of resolving the incident.

If a direction is required which is not prescribed, or has not been directly authorised, the Secretary would need to return to the Minister for authorisation to make that direction. This allows the flexibility to respond to a fast-moving cyber emergency while ensuring the Minister retains oversight of the directions being made. The ability to direct the entity to provide a government official with direct access to a network will be expressly excluded, to ensure that it cannot be used as a backdoor to these powers. It is not proposed that directions can be issued to private sector entities that are not otherwise connected with the operation of the asset, as it would not be appropriate to compel an unconnected third party. Rather, any direction to a related critical infrastructure sector asset must be necessary to respond to the incident, and if the entity cannot respond appropriately, direct intervention should be limited to the Government to minimise impacts on the privacy of the asset.

It will be a criminal offence for an entity to fail to comply with a lawfully issued direction. Noting this, the entity, or officers acting on its behalf, will be provided with immunity from any civil claim when acting in accordance with such a direction. Similarly, an industry provider that provides voluntary assistance in line with a request will be provided with immunity from any civil claim. This will support the Government receiving the necessary technical advice in an emergency.

o Intervention request - in the event that an entity is not responding to an information gathering direction or an action direction, the Secretary would be able to request assistance from the Australian Signals Directorate through the exercise of intervention request powers in relation to a cyber incident. Essentially, this will be a last resort power and would also require the agreement of the Minister for Defence and the Prime Minister. This intervention request will be limited to the ASD accessing an entity's computer, undertaking analysis of computer data, altering data held in a computer and altering the functioning of a computer. This serves as a limiter to ensure that the actions are computer-related acts, appropriately targeted at responding to the cyber security incident. The use of force against a person, and offensive cyber activities (for example, 'hacking back'), will be expressly prohibited under the Government Assistance portion of this regime. The Australian Federal Police will support the Australian Signals Directorate in the exercise of these powers as required, including by using force to gain entry to premises. Noting the complexity of a nationally significant cyber security incident and of the systems being impacted, it is crucial that any direct action taken by the Government is done by experts, to ensure quick resolution with limited collateral impacts. Officers of the Australian Signals Directorate will remain subject to any relevant legislation, as well as their own organisational and ministerial oversight arrangements, when considering and responding to a request for cooperation or assistance. It is a criminal offence, under section 149.1 of the Criminal Code, for a person to hinder or obstruct a Commonwealth officer in the exercise of their powers. A person obstructing an Australian Signals Directorate official exercising powers under this regime would be liable to imprisonment of up to 2 years.
Officers of the Australian Signals Directorate, including any industry contractors engaged under the Intelligence Services Act 2001, will be provided with immunity from any civil claims when exercising Government Assistance powers at the request of the Secretary. Further, those officers will also be provided with criminal immunities when acting in good faith in compliance with lawful authority, similar to those provided under other domestic intelligence and law enforcement regimes. Consistent with the express exclusion of the use of force against a person, the criminal immunities will not extend to conduct that is intended to cause death or serious injury to any person.

It is proposed that a range of safeguards be included to ensure that an intervention request only occurs as a last resort. These safeguards include the need for the Minister for Home Affairs to be satisfied that the entity is unwilling or unable to take all reasonably necessary steps to appropriately resolve the incident. The Minister for Home Affairs must not make such an authorisation unless satisfied that the request is reasonably necessary for the purpose of responding to the incident, that the specified request is a proportionate response to the incident, and that the authorisation of an action direction would not be a practical or effective response to the incident.

Scenario (action direction and intervention request): During an incident response, the authorised agency may require access to various types of data and information, such as system logs and host images, to determine what malicious activity has occurred and which systems have been affected. The authorised agency may also need to install investigation tools, or network monitoring capabilities, to analyse the extent of malicious activity and inform effective remediation actions. To remediate the cyber security incident, the authorised agency may need to remove malicious software (e.g. web shells, ransomware and/or reconnaissance tools), which requires altering or removing data in a computer. The authorised agency may need to conduct these activities on-site with the victim or remotely, where the capability exists to do so. The authorised agency may also implement blocking of malicious domains, may disable internet access, or may implement other specified mitigations. The authorised agency may also require systems to be patched (altering data), or a change in network configuration to alter the functioning of the system, to prevent similar activity. A Ministerial authorisation may be sought for an action direction relating to each of these specific actions. Where an action direction is not actioned by the respective entity (either through a refusal to do so, or a lack of capability), an intervention request relating to each of these specific actions may then be sought.

Oversight

The Commonwealth Ombudsman, within its current mandate, will have the ability to receive, consider and take action in relation to complaints made by an entity in relation to a direction issued by the Secretary of Home Affairs under this power, or the Australian Federal Police's actions in supporting the Australian Signals Directorate. The Inspector-General of Intelligence and Security, within its current mandate, will have the ability to oversee any exercise of the Government Assistance powers by the Australian Signals Directorate, as well as any advice provided to the Secretary of Home Affairs by an intelligence agency within its jurisdiction to support the making of a direction. Information sharing provisions will be included to ensure these two oversight bodies can work effectively together. The oversight powers of the Inspector-General of Intelligence and Security in relation to the regime will be significantly greater than those of the Ombudsman, which is proportionate to the nature of the respective powers over which they have supervision.
The Secretary of Home Affairs will be required to provide the Minister for Home Affairs with a report on the exercise of powers under the authorisation, including how they contributed to the resolution of the cyber security incident and an assessment of any prejudice caused. Where Government Assistance powers were used, this report will be copied to the Minister for Defence and the Prime Minister.

It is proposed that the ministerial authorisation, and administrative decisions made in accordance with that authorisation, will not be subject to judicial review under the Administrative Decisions (Judicial Review) Act 1977, or to obligations to consult the relevant entity prior to making the authorisation. This reflects the emergency nature of these powers, the national security information that will be used to satisfy the various decision makers, and their connection with the protection of Australia's national security, defence, economy and social stability. However, the bias rule aspect of procedural fairness will be unaffected, and judicial review will remain available by way of section 75(v) of the Constitution and section 39B of the Judiciary Act 1903.

3.2.4. Ministerial Direction power

Option 2 would also include expanding the assets to which the current Ministerial Direction power within the SoCI may apply (footnote 21: increasing the number of entities subject to the power from approximately 167 critical infrastructure assets to 1,700 critical infrastructure assets). Current section 32 of the SoCI allows the Minister for Home Affairs to issue a direction to an owner or operator of a critical infrastructure asset. The primary purpose of this existing directions power is to ensure that, as a last resort, the Government can address risks to critical infrastructure assets that are prejudicial to security (within the meaning of the ASIO Act 1979). For example, a Ministerial Direction may require a business to limit any offshore access to its industrial control systems unless approved by Government, where underlying security risks, such as the potential for extrajudicial influence, are identified. This scenario is costed in section 4 of the RIS.

The expansion of the Ministerial Directions power will ensure the Government has the necessary powers to address security risks across all critical infrastructure assets, including the newly defined critical infrastructure assets proposed under this reform, where these cannot be managed through other mechanisms. The current SoCI explicitly mandates that the Government must consider the use of existing mechanisms, including state and territory regimes, before issuing a direction. This mandate provides a safeguard that will ensure the power is used appropriately and not exercised beyond the remit of specific risks that are prejudicial to security and cannot be addressed through other means. Further stringent safeguards include the requirements that a direction only be issued in connection with the operation of a critical infrastructure asset or the delivery of a service by a critical infrastructure asset, where there is a risk of an act or omission, and that the risk would be prejudicial to security.

The Government Assistance measures are a necessary addition to the expansion of the Ministerial Direction powers in order to respond to fast-moving and significant cyber security incidents affecting critical infrastructure assets. While Ministerial Directions can only be issued to critical infrastructure assets and their operators, Government Assistance measures are intended to be directed at an asset within a critical infrastructure sector that is impacting a critical infrastructure asset.
This allows measures to be directed at the entity best placed to respond to an incident. This reflects the complex and interconnected nature of Australia's economy, where the functionality and operability of critical infrastructure assets depend on the services of a variety of assets within critical infrastructure sectors. In particular, this relationship is often dependent on, or facilitated by, an interconnected digital network or internet-connected systems.

Voluntary engagement through the Trusted Information Sharing Network for Critical Infrastructure Resilience (TISN)

The proposed measures are intended to leverage and enhance existing regulatory frameworks, and will be enriched by enhanced government-industry engagement and collaboration through the TISN. The TISN was established in 2003 and is the primary voluntary engagement mechanism for industry-government information sharing and resilience building initiatives. The refreshed TISN will better support the wide-ranging regulatory reforms to the SoCI, reflecting the increased interdependency of critical infrastructure sectors. The success of the regulatory changes outlined above will be underpinned by enhancements to the network, which include greater engagement, education, guidance and collaboration with industry.

The TISN will support the implementation and delivery of the proposed reforms to the SoCI by providing a forum to co-design sector-specific regulations and best practice guidance, to ensure the obligations are fit for purpose and to support industry to comply with its obligations. The TISN will expand the number of sector groups to better support the range of critical infrastructure owners and operators in the 11 identified critical infrastructure sectors, reflecting the broader regulatory environment. The TISN structure will also provide greater opportunities for cross-sector collaboration, in recognition of increasing sector interdependencies. This approach will encourage all affected entities, large and small, to participate in the design process and ensure the resulting regulations provide a level playing field for all participants. It will also enable members to better understand, and therefore fulfil, their regulatory responsibilities, which will result in a decrease in the need for, and cost of, compliance activity. By facilitating government-industry engagement across a broader range of sectors and issues, owners and operators of critical infrastructure assets will have an improved ability to ensure continuity of service of critical infrastructure assets in the face of all hazards. The refreshed TISN will also help achieve the objective of the new Critical Infrastructure Resilience Strategy (due for release in early 2021) to establish a common understanding of critical infrastructure resilience, and to promote critical infrastructure that can withstand and mitigate the effects of all hazards and quickly return to service after any period of disruption.

Compliance and enforcement

The Department, as the primary regulator, will have various monitoring and investigation powers to support compliance and enforcement activities. In addition to those powers already contained in the SoCI, Parts 2 and 3 of the Regulatory Powers (Standard Provisions) Act 2014 will be activated in relation to provisions of the SoCI. These powers will also be able to be conferred on another relevant Commonwealth regulator where it is determined that that regulator is best placed to regulate compliance with the obligations in a particular sector. These monitoring and investigation powers will be supported by a series of civil penalties and criminal sanctions which attach to non-compliance with the obligations under the Act. Civil penalties range from 150 to 200 penalty units per day of non-compliance.
This is to ensure that the penalties associated with the new obligations are proportionate to the existing penalties within the current SoCI, reflect the seriousness of inaction, and dissuade entities from not meeting their obligations. The amendments will provide the Department, or an alternative regulator, with a range of graduated enforcement options which can be scaled to address the particular circumstances of non-compliance. For example, non-compliance which derives from a misunderstanding can be dealt with through closer engagement and education, while significant penalties could be pursued for repeated, serious violations by a non-cooperative entity. It is proposed that the Department will take a risk-based approach to compliance and enforcement by prioritising monitoring of assets based on their criticality, with more proactive monitoring focused on systems of national significance.

The expansion of Government powers and regulations necessitates significant transparency and oversight. Consequently, it is proposed that the Department would expand its reporting requirements to Parliament under the current SoCI to include all proposed new measures and powers. This would enable Parliamentary scrutiny as well as provide public oversight of the extent of actions being undertaken by the Government under the powers granted under the proposed reforms. Under the current SoCI, the Secretary must give the Minister, for presentation to the Parliament, a report on the operation of the SoCI for a financial year, including information regarding the number of notifications made to the Register of Critical Infrastructure Assets, directions made under the Ministerial Direction powers, the declaration of critical infrastructure assets by the Minister, and the enforcement of the SoCI.
It is proposed that this will be expanded to also include information on:

 the number of annual reports provided under the risk management program;
 the number of cyber incidents reported under the mandatory cyber reporting obligation;
 the number of systems of national significance required to undertake incident response plans, provision of telemetry, vulnerability assessments and cyber security exercises;
 the number of Ministerial authorisations for all aspects of the Government Assistance measures; and
 the number of systems of national significance declared.

3.3. Option Three - No legislative change, achieve improvements to critical infrastructure resilience with voluntary engagement through the Trusted Information Sharing Network and publishing additional guidance alongside the updated Critical Infrastructure Resilience Strategy

The third option focuses on the additional government resources, outlined under Option Two, to enhance engagement on all-hazards resilience for critical infrastructure through refreshing the TISN and rewriting the Critical Infrastructure Resilience Strategy to identify and provide guidance to Australia's critical infrastructure. This could occur without legislative reform. Greater engagement with industry would be undertaken through the TISN sector groups as outlined above, noting that industry engagement would continue to be on a voluntary basis. This option would involve a voluntary version of the Positive Security Obligations, Enhanced Cyber Security Obligations and Government Assistance outlined within Option Two. Industry would be encouraged to work with the Government to uplift security against all hazards and to accept Government Assistance where necessary.

However, this option will have limited effectiveness without the support of legislative change. Enforcement under legislation provides a greater degree of assurance to the Government that national security risks are being managed, not just considered. The benefits associated with the additional resources will be restricted, as it will be at the discretion of industry to inform the Government of problems and vulnerabilities within critical infrastructure networks. The interconnected nature of these networks also means that any information provided by industry would be incomplete if all assets within a supply chain did not participate.
Entities could be encouraged to report to the Register of Critical Infrastructure Assets. However, this would rely on the voluntary provision of information and would therefore likely be incomplete. Further, the Government would have limited scope to use this information to better protect these assets without legislative change. Given the interdependent nature of Australia's critical infrastructure, weaknesses in one critical asset could have cascading consequences across sectors. Current TISN members tend to have a higher level of security and resilience maturity, and this option is likely to further widen the gap between those organisations and organisations that do not place a high value on resilience beyond commercial imperatives. It is likely that the more mature entities in each sector would engage, but that those entities currently lacking a mature security posture would continue in that posture.

4. RIS QUESTION FOUR: WHAT IS THE LIKELY NET BENEFIT OF EACH OPTION?

4.1. Option One - No regulatory change or enhanced compliance (status quo)

Maintaining the status quo will mean that the Government is unable to provide support and direction to critical infrastructure owners and operators on managing security risks in a timely manner. While organisations likely already consider threats to business operations and apply security standards as a result of existing frameworks, the level of security is not sufficiently robust across all critical infrastructure sectors. Some critical infrastructure owners and operators may take steps to address risks (such as improving cyber security standards) irrespective of any regulatory change. The benefit of no regulatory change is that owners and operators have the flexibility to address these challenges as they see fit. However, these steps are generally ad hoc, influenced by commerciality, and either inconsistent or limited to a specific critical infrastructure sector. This option would have the least upfront impost on business, given there would be no requirement to uplift security practices. Given the existing challenges with COVID-19, this may offer short-term benefits to industry.

The additional regulatory burden to business, community organisations and individuals under Option One will be nil, as no regulatory obligations would be introduced above those that already exist. However, the potential costs of a significant disruption to critical infrastructure assets could be catastrophic to Australia's social and economic stability, defence and national security.

The cost of inaction

Synergy Group undertook high-level economic modelling to determine the costs of inaction if the reforms were not introduced. The cost of inaction was quantified as the maximum potential cost of an operability disruption to 10% of each of the critical infrastructure sectors for a single week. Uncertainty around the likelihood and severity of all hazards makes it almost impossible to know what the costs of inaction would be. However, to give a sense of the magnitude of the cost of inaction on other critical infrastructure sectors and the broader Australian economy, an operability disruption of 10 per cent has been modelled for each critical infrastructure sector.
The possible cost of this scenario for each sector for a single week is estimated at:

 $2.4 billion for the Energy Sector
 $3.0 billion for the Financial Services and Market Sector
 $0.9 billion for the Communications Sector
 $1.0 billion for the Data Storage and Processing Sector
 $1.6 billion for the Higher Education and Research Sector
 $0.7 billion for the Food and Grocery Sector
 $0.6 billion for the Health Care and Medical Sector
 $0.06 billion for the Space Technology Sector
 $1.2 billion for the Transport Sector
 $0.2 billion for the Water and Sewerage Sector

These costs represent the maximum possible cost of inaction if an incident occurred causing a disruption to 10% of a critical infrastructure sector for a single week, with smaller incidents likely to cost less. These costs take into account the flow-on impacts to other critical infrastructure areas and the broader Australian economy. These costs have not been tested with industry. The Defence Industry Sector is currently regulated by the Defence Industry Security Program and is therefore unlikely to experience costs of inaction, as it is already governed by significant Government oversight preventing significant hazards from having cascading impacts.

Cost assumptions

The cost of the shock is estimated by:

 multiplying the total output of the relevant sector by 1/52 to determine the output per week of the sector;
 multiplying this figure by 10% to determine the impact, or loss of output, from a disruption to 10% of the critical sector for a single week.

For example, if the energy critical infrastructure sector suffered a 10% operability shock, Australia's energy critical infrastructure sector would be operating at only 90% of its ordinary productivity level. A 10% operability shock within the energy sector could occur through a number of cyber failings or incidents within the sector. For example, a 10% operability shock could occur if a supplier of critical SCADA equipment were subject to a cyber incident which impacted multiple SCADA systems across a number of critical energy assets, in turn causing the failure of those assets. This would affect the availability of energy, causing cascading and compounding disruptions across all the critical infrastructure sectors dependent on energy, and the broader Australian economy.

A 10% operability shock within the transport sector could occur if an organisation's control centre were subject to a weather event resulting in the shutdown of the control centre until alternative arrangements for the operation of the entity could be made. This would have significant flow-on effects for other critical infrastructure sectors, such as the food and grocery sector and the liquid fuels sub-sector, which both rely heavily on the transport sector for the transportation of goods from one part of the country to another.

An operability shock of 10% has been employed because it is unlikely that within any critical infrastructure sector there will be an entity with a greater than 10% share of the operations of the sector. Therefore, if an entity were disrupted, it is unlikely to cause a greater than 10% disruption to the sector.

These costs are indicative. It is difficult to determine the exact extent of the cost of inaction due to the complex, interrelated nature of the critical infrastructure sectors and the potential cascading impacts disruptions could have on other critical infrastructure sectors and on the broader social and economic stability, defence and national security of Australia. Without proper safeguards across Australia's critical infrastructure sectors, hazards may cause long-lasting and far-reaching consequences.
Benefits
• Affords owners and operators greater flexibility to address risks to critical infrastructure
• No upfront or ongoing compliance costs to industry to uplift resilience

Costs and Limitations
• Could have significant flow-on effects to the broader Australian economy if a significant hazard were to occur in a critical infrastructure sector.
• Does not provide direction and support for owners and operators, and leaves industry exposed to a greater risk of all-hazard threats
• Does not address concerns raised by industry requesting guidance from Government
• Unlikely to result in widespread changes in business behaviour or increased security of critical infrastructure, and subsequently will not provide the Government greater assurance that risks are being appropriately managed

4.2. Option Two - Legislative change, a compliance and assurance capability

This section provides the costs and benefits of each element of the reforms as described in Question 3. These costs have not been consulted on with industry to date. Instead, they have been developed internally with the assistance of consultants with subject matter expertise and the Australian Cyber Security Centre (for the cyber-related elements of the reforms), and build on costings developed prior to the SOCI being enacted in 2018.

The maximum aggregated annual costs to industry as a result of the Register of Critical Infrastructure Assets and the mandatory cyber reporting, if all critical infrastructure assets were required to comply with these obligations, are set out below.

Average annual regulatory costs ($ million)

                Industry    Community    Individuals    Total
  Total Cost    $2.19       -            -              $2.19

Note: the aggregated table does not include the Enhanced Cyber Security Obligations or the Ministerial Directions power. These elements of the reforms do not require ongoing industry obligations and apply only upon request. Providing aggregate, average annual costs of these elements would likely mislead stakeholders. Instead, the numbers below represent individual costs to entities if directed by Government:

• ECSO (applicable only to SoNS):
  - Incident response plans - maximum annual compliance burden of $28,091.30 for a single SoNS, assuming annual requirements.
  - Telemetry - maximum annual compliance burden of $81,250 for a single medium SoNS and $361,250 for a single large SoNS, assuming annual requirements.
  - Vulnerability assessments - maximum annual compliance burden of $46,875 for a single medium SoNS and $117,375 for a large SoNS, assuming annual requirements.
  - Cyber security exercises - maximum annual compliance burden of $61,425 for a single SoNS, assuming annual requirements.
• Ministerial Directions (applicable to all critical infrastructure sector assets):
  - Scenario 1 - annual compliance burden for this scenario is estimated at $4,999 on average per entity, assuming the direction power will be used once every three years.
  - Scenario 2 - annual compliance burden for this scenario is estimated at $280,741 on average per entity, assuming the direction power will be used once every three years.
  - Scenario 3 - annual compliance burden for this scenario is estimated at $279,541 on average per entity, assuming the direction power will be used once every three years.

Option Two of the Regulation Impact Statement is likely to have the highest overall net benefit. Recalibrating industry's risk posture to safeguard against all-hazard threats will make strong and effective security practices part of doing business in Australia. It will improve industry resilience, creating a more secure and reliable market for both regulated and non-regulated sectors, ultimately decreasing the impacts of potential disruptions to critical infrastructure. This option aligns with industry and community expectations for the Government to protect Australia's critical infrastructure, as well as to safeguard Australia's social and economic stability, defence and national security more broadly. Furthermore, a clear uplift in all-hazard mitigation standards across critical infrastructure will provide the Government, industry and consumers with greater confidence in the resilience of Australia's critical infrastructure providers and the essential services they rely on.

4.2.1 Positive Security Obligations


The Positive Security Obligations (PSO) will contain three elements:

1. The Critical Infrastructure Risk Management Program;
2. Register of Critical Infrastructure Assets; and
3. Notification of cyber security incidents.

Government acknowledges there will be costs and benefits to critical infrastructure assets through the introduction of the PSO. This RIS includes the qualitative impact of the (1) risk management programs, and the qualitative and quantitative impact of the (2) register of critical infrastructure assets and (3) notification of cyber incidents. The quantitative impact of the (1) risk management program will be developed in a future RIS(s) when the sector-specific obligations are further developed and costs and benefits can be more accurately identified with industry.

1. The Critical Infrastructure Risk Management Programs

Costs

There is a risk of duplicating existing regulations across states and territories. The Government will minimise the risk of regulatory duplication, and the subsequent regulatory impact on business, by engaging with industry to co-design the sector-specific rules for the Risk Management Program. This will help to ensure:

• Government actively considers offsetting the potential regulatory burden experienced by industry.
• Industry has greater certainty about how the reforms impact them, focusing specifically on the risks to their business and how they can best comply with the proposed regulations, avoiding unnecessary costs as a result of misinterpretation.
• The Government better understands the potential regulatory overlap as a result of the reforms, ensuring that duplication is minimised as much as possible.
• Existing regulations, frameworks and guidelines are leveraged to minimise regulatory cost wherever possible.
• There will be greater continuity for foreign investors regarding their security obligations, and understanding that the Positive Security Obligations provide a level playing field for all critical infrastructure assets regardless of ownership.
• Government leverages existing regulations to avoid suppressing innovation.

It is expected that some sectors will already have existing measures in place to manage all hazards, and as a result there will only be a small regulatory impost. The costs associated with additional regulation will be further explored in future RIS(s), where detailed economic modelling will be undertaken alongside industry and state and territory governments.

Benefits

Introducing the risk management program will ensure that industry has the necessary direction and guidance to address all-hazard risks to critical infrastructure assets where those risks are not currently managed, or are not addressed consistently across critical infrastructure sectors. A positive externality of the reforms is that the uplift of one entity's security against all-hazards risks will increase the resilience of downstream entities. For example:

• The sensitive data created and held within the health sector needs to be protected by both the sector and the data centres that may store such information. If not properly protected and stored, the content of the data could have significant security ramifications, including the additional burden of customer reporting as a result of a data breach, reputational damage and legal penalties.
• Lax personnel security within a telecommunications company can result in weaknesses being exploited within a network and can impact a range of critical infrastructure assets that rely on telecommunication services to function. This could include freight and passenger rail and electricity transmission networks, having flow-on effects to all areas of Australia.

These externalities can be small in size, but more often than not the depth of interconnectivity between critical infrastructure assets means that the consequences of failings within critical infrastructure sectors can be severe.

Another externality is created through an increase in job opportunities and long-term employment for households. In implementing the proposed regulation, opportunities exist for the Australian industries that specialise in products and services that can assist critical infrastructure assets in meeting the objectives of the proposed reforms, for example business process improvements, risk mitigation and support, and operational resilience. The industries most likely to benefit from the new regime are the public administration and safety sector, the cyber security sector, and professional, scientific and technical services. For example, an uplift in Australia's cyber security will build Australia's cyber security industry and bolster the technical skills required to support the nation's growing digital economy. The quantitative benefits of such externalities, and the possible costs of resulting externalities such as shortages of staff, will be further explored in future RIS(s).

Households will also benefit through an increase in the resilience of Australia's critical infrastructure, which reduces the likelihood of significant disruptions to essential services. Increased resilience creates stability in household income due to industrial production resilience, security and stability, which in turn promotes job growth and job security. Further benefits would also be derived from employment opportunities in the provision of goods and services to ensure critical infrastructure sectors achieve regulatory compliance.
This option will support the Government to shape a market that considers all-hazards risks. The risk management program will ensure that the Government can drive industry-wide management of risks in the absence of market drivers, avoiding any market imbalances that currently result from the case-by-case application of security controls through the FATA. This option also provides certainty and consistency for critical infrastructure owners and operators by creating a level playing field for both domestic and foreign investors.

While there will continue to be a need for case-by-case assessments of investment applications, the PSO will reduce the existing burden on the foreign investment review framework to manage risks. Currently, the Department advises the Department of Treasury on conditions that it considers should be imposed on critical infrastructure foreign investment. Through the proposed SoCI reforms there is the ability to have conditions already in place for critical infrastructure assets to manage risk. Previously, the CIC has made recommendations to the Department of Treasury that certain foreign businesses acquiring critical infrastructure in Australia under the FATA take certain steps to manage the security of data. Through the proposed SoCI reforms, this type of recommendation may no longer be necessary, as the Act will provide the opportunity to address this risk through ongoing obligations within the risk management program. It is expected that this will streamline consideration of lower-risk acquisitions (under current and future foreign investment settings), providing benefits for foreign investors and enabling Government resources to be focused on managing higher-risk investments.

The co-design of sector-specific rules in early 2021 with industry will help prevent innovation from being stifled as a result of increased regulation.
By co-designing the specific rules for the Risk Management Program, industry will be able to guide the development and design of the rules, presenting opportunities for industry to source innovative solutions to uplifting the security of critical infrastructure.

2. Register of Critical Infrastructure Assets


Costs

In total, it is expected that no more than 1,700 entities will fall within the definition of critical infrastructure assets across the 11 sectors. Currently, 167 entities already report to the Register of Critical Infrastructure Assets, and their regulatory burden for this obligation will not change as a result of the introduction of the proposed reforms. The remaining 1,500 or so entities that do not currently report to the Register will experience an increase in regulatory burden if that obligation is switched on. This will be done through the Minister declaring, within the sector-specific rules, which critical infrastructure assets will be subject to the reporting requirements.

The largest regulatory cost burden for entities lies in obtaining and inputting information about legal and beneficial ownership, given that most entities are likely to have multiple legal and beneficial owners. Many of the costing assumptions have been informed by those provided in the SoCI 2018 Explanatory Memorandum when the register was first introduced.

The following method was used to calculate the annual cost of complying with the register for an average entity. This method is in line with Office of Best Practice Regulation guidance.

Annual cost for entity = (time required to report * hourly cost ($41.74) * wage multiplier (1.75)) * (times performed annually * number of staff)

Cost description                                                          Cost
Upfront cost for a single entity (Year 1)                                 $4,041.80
Annual administrative cost for a single entity                            $259.59
10 year cost for a single entity                                          $6,378.10
Aggregated cost for all Critical Infrastructure assets (over 10 years)*   $9,567,135.97

* Maximum cost assuming the obligation is applied to all assets

Costing assumptions

• Each critical infrastructure asset spends 55 hours providing the operational, initial interest and control information, and then 3.6 hours on average updating interest and control information annually.
• The average period that a direct interest holder holds its interest in an asset is 4.3 years.[22] Therefore, in the ten-year costing timeframe, reporting a change in a direct interest holder is assumed to happen 2.3 times.
• The average period in which an 'other entity' holds an interest in a direct interest holder is 2.5 years.[23] Therefore, in the ten-year costing timeframe, reporting a change in details of an 'other entity' is assumed to happen four times.
• The hourly rate is $73.05 as per OBPR guidance. It is assumed that no legal expertise will be required to complete the register on the online portal, and that guidance provided by the CIC will assist entities in understanding their obligations.
• Interest and control information includes direct interest holders' details; the name and citizenship details of board members; ownership thresholds and voting rights for board members; and access rights and privileges to operational systems and the corporate network for board members.

The CIC has existing guidance that it will update to assist new critical infrastructure assets to understand their obligations. This guidance is expected to be provided to all impacted entities through the TISN and will be published on the CIC's website.

The upfront labour cost is unlikely to vary across different sized organisations, as understanding the obligation and reporting will be the same for all businesses regardless of their size. Furthermore, the size of the entity does not necessarily determine the complexity of the organisational or ownership structure; therefore costings have not been differentiated based on size. The costs will decrease if it is found that there are existing adequate reporting obligations that sectors are already subject to.

The Government IT solution for the Register already exists and, as such, minimal costs to Government are expected to result from the expansion of the register to capture all newly defined critical infrastructure assets.

Benefits

The benefit of the Register is that it provides a single comprehensive resource of information on legal and beneficial ownership and control of critical infrastructure assets. Information from the Register would also be able to be shared with states and territories in prescribed circumstances to assist in their understanding of critical infrastructure assets in their jurisdiction.

The increased scope of the Register enables the Government to develop and maintain a comprehensive picture of national security risks, and apply mitigations where necessary. Analysis of the information in the Register will enable the CIC to:

• assess ultimate ownership of assets and influence by particular individuals or companies;
• analyse interdependencies among critical infrastructure assets and sectors; and
• identify commonalities in services being used by critical infrastructure assets, such as shared IT service providers or shared control systems.

3. Notification of cyber security incidents

Costs

Cost description                                                             Cost
Upfront cost for a single entity (Year 1)                                    $237.41
Annual administrative cost for a single entity (small)                       $219.15
Annual administrative cost for a single entity (medium)                      $657.45
Annual administrative cost for a single entity (large)                       $1,095.75
10 year cost for a single entity (small)                                     $2,428.91
10 year cost for a single entity (medium)                                    $6,811.91
10 year cost for a single entity (large)                                     $11,194.91
Aggregated cost for all 1,700 critical infrastructure assets (over 10 years) $12,325,361.25

It is unlikely that the quantitative regulatory burden experienced by organisations will vary between the two tiers of cyber reporting defined in section 3, as the same response is required from the affected entity, just within different time frames. It is recognised, however, that entities may have to reprioritise work to meet the differing deadlines, and this may have flow-on costs to their organisation, such as the postponement of other work or a delay in the provision of services. These costs are difficult to quantify but should be acknowledged when considering the costs of the obligation. These costs have been reviewed by the Australian Cyber Security Centre.

22 SoCI 2018 Explanatory Memorandum
23 Ibid


Cost assumptions:

• The scaled-up rate of $73.05 per hour has been used to reflect OBPR guidance.
• Approximately 1,700 businesses may be subject to the obligation: approximately 340 small businesses, 850 medium businesses and 510 large businesses.
• The ACSC currently sees 1,268 cyber reports a year (from 2019/2020) under its voluntary reporting scheme, or approximately 2.5 reports a year from large businesses.[24] This number is expected to increase if these reforms are implemented and reporting requirements are mandated for all critical infrastructure assets.
• No legal expertise is expected to be required to understand the obligations to report, or to report if there is a cyber incident.

Upfront

• One member per business would dedicate approximately 3 hours of their time to become aware of their obligations to report a cyber security incident to the Australian Cyber Security Centre. This would include one hour for an individual to read guidance documents that will be provided by the CIC on an entity's obligations, an estimated two hours dedicated to creating standard operating procedure documentation for the organisation to adhere to its obligations, and a final 15 minutes for an individual to disseminate the information throughout their organisation (likely a business-wide email informing employees of their obligations).
• The upfront labour cost is unlikely to vary across different sized organisations, as understanding the obligation will be the same for all businesses regardless of their size.

Ongoing

• One member per business would dedicate approximately 3 hours of their time, once a year, to report a cyber security incident to the Australian Cyber Security Centre. This would involve a member of an organisation becoming aware of a cyber security incident, identifying the key components of the incident, such as what type of incident it was and how it occurred (i.e. through a phishing email), and then summarising the incident in an email or through a phone call to the Australian Cyber Security Centre.
• Small businesses will experience approximately one cyber incident annually significant enough to require being reported to the Australian Cyber Security Centre.
• Medium businesses will experience approximately three cyber incidents annually significant enough to require being reported to the Australian Cyber Security Centre.
• Large businesses will experience approximately five cyber incidents annually significant enough to require being reported to the Australian Cyber Security Centre.
• This assumes an annual total of 340 cyber reports across all small organisations, 2,550 across all medium organisations and 2,550 across all large organisations, or a total of 5,440 reports annually across all critical infrastructure assets. Given the ACSC experienced 1,268 cyber reports in 2018/19, 5,440 reports assumes that once the reforms are implemented there will be a marked increase.

Benefits

The objective of this part of the reforms is to facilitate the development of an aggregated threat picture and a comprehensive understanding of cyber security risks to critical infrastructure assets, in a way that is mutually beneficial to Government and industry. Through greater awareness, the Government can better see malicious trends and campaigns which would not be apparent to an individual victim of an attack. This will support the Australian Government's investment in a national situational awareness capability and enhanced threat-sharing platform under the Cyber Enhanced Situational Awareness and Response package (CESAR). This will better inform both proactive and reactive cyber response options, ranging from the Government issuing targeted guidance on preventing particular cyber attack methodologies, to working with industry to uplift broader security standards, to providing immediate assistance to industry in response to an incident. This will ultimately reduce the risks of security incidents by ensuring industry and Government have the most up-to-date visibility of threats within the cyber domain. It will address the lack of Government visibility discussed in section 1.

24 ACSC Annual Cyber Threat Report July 2019 to June 2020,

4.2.2. Enhanced Cyber Security Obligations

In identifying the costs and benefits of the Enhanced Cyber Security Obligations, PricewaterhouseCoopers Consulting (PwC) was engaged. PwC has significant cyber security experience, which informed the underlying costing assumptions, including the skills required and the industry rates. The Australian Cyber Security Centre and the Office of the Chief Economist from the Department also undertook a high-level review of the approach taken by PwC.

Costs

The regulatory costs of imposing Enhanced Cyber Security Obligations would vary widely depending on the scope of the obligations and the individual circumstances of the entity subject to the obligations. The obligations will only be enlivened on request. The Australian Government will continue to build on the strong voluntary engagement and cooperation with critical infrastructure entities that has underpinned the success of the relationship to date. This includes providing voluntary support and guidance in an effort to reduce regulatory burden and offset potential costs.
However, there may be instances where entities are unwilling or unable to voluntarily cooperate and the Enhanced Cyber Security Obligations are necessary. Government will seek to provide assistance wherever possible to systems of national significance in complying with these obligations. It is expected that there would be approximately 40 SoNS declared by the Minister.

1. Incident response plan

Incident response plans are designed to strengthen a business' preparedness for a cyber security breach.

Cost description                                   Cost
Upfront cost for a single entity (Year 1)          $25,538 - $76,613
Annual administrative cost for a single entity     $10,215 - $20,430

Cost assumptions:

• Although many SoNS are likely to already have an existing incident response plan that can be provided to the CIC, this analysis assumes each SoNS will need to at least update its incident response plan to comply with the obligation.
• Three people within an organisation would be required to develop an incident response plan (a security operations lead at $250 an hour, a security operations analyst at $188 an hour and a head of security at $486 an hour).
• All entities will have the same upfront costs to either develop an incident response plan or update an existing plan.
• It is expected that it will take between 1 and 3 weeks to develop an incident response plan, with one week being the low scenario and three weeks being the high scenario. The low and high scenarios will depend on the level of an entity's existing maturity.
• To maintain and update an incident response plan annually would require the same three individuals from the organisation.
• It would take between 2 and 4 days for an entity to update its response plan, with 2 days being the low scenario and 4 days being the high scenario.
• Due to the nature of a SoNS, it is not expected that a small organisation would be declared a SoNS.

2. Provision of telemetry

An organisation's ability to detect and respond to a cyber incident depends on having visibility across its technology environment. This visibility is provided in the form of telemetry (often referred to as system logs), which is usually aggregated into a centralised security operations capability. Where an organisation does not have the capability to provide telemetry, these services will be provided by the Government.

Cost description                                            Cost
Upfront cost for a single medium entity (Year 1)            $18,750
Upfront cost for a single large entity (Year 1)             $18,750
Annual administrative cost for a single medium entity       $49,375 - $79,375
Annual administrative cost for a single large entity        $209,375 - $359,375

Cost assumptions

• Upfront costs include a security operations lead at $250 an hour for two weeks being required to set up the capability to transmit telemetry.
• Ongoing costs include the cost of a security operations lead at $250 an hour for one week being required for the ongoing reporting, and an annual cost for technology deployment.
• Upfront costs of technology deployment: an entity may opt to choose its own technology to provide access. Sensors can cost anywhere between $20 and $35 per host per year for both the technology and analysis. The size of the organisation will drive cost in this regard, as well as the degree of coverage. For a medium-sized organisation (less than 2,000 hosts) it would cost $40,500-$70,000 per annum, and for a large organisation (over 10,000 hosts) $200,000-$350,000 per annum. The low range assumes $40,500 and $200,000 and the high range assumes $70,000 and $350,000. We assume 50 per cent of all organisations would take up this cost.
• Reporting costs for the compilation and transmission of telemetry to be shared with Government: this consists of an upfront cost to put the reporting procedures in place in the first year and ongoing reporting costs on an annual basis. It is estimated that the initial upfront process would take two weeks, with the annual reporting being one week of full-time work for a security operations lead.
• PwC has made these assumptions based on its own experience and desktop research.
• Due to the nature of a system of national significance, it is not expected that a small organisation would be declared a system of national significance.

3. Vulnerability assessment


Conducting a vulnerability assessment in relation to a specific computer system or network can inform the effectiveness of the cyber security arrangements in place. The goal is to identify as many security vulnerabilities as possible. If a vulnerability assessment is required to be undertaken by an organisation, there will be consultation between Government and the entity to determine whether it has the capability to undertake this. If the Secretary has reasonable grounds to believe that an entity would not be capable of complying with a request, or has not complied with a request in the past, then the Government may offer assistance to provide the service on behalf of the directed entity.

If an entity did not already undertake vulnerability assessments as a matter of course, the entity could procure software or engage third-party contractors to undertake vulnerability assessments. The cost of a vulnerability assessment will vary depending on the size of the network, and the speed, frequency and experience of the tester. Costs to outsource this work if the skills are not held internally are accounted for in these costings.

Cost description                            Cost
Annual cost for a single medium entity      $46,875
Annual cost for a single large entity       $117,375

Cost assumptions

• There are no upfront costs associated with conducting a vulnerability assessment.
• The cost of conducting a vulnerability assessment differs based on the size of an organisation's network as well as its technology environment. This has significant implications for the duration and resourcing required. For the purpose of this analysis, two main components have been factored in:
  - Size of organisation: This refers to the number of systems on a network. We assume a vulnerability assessment for an organisation with a medium network would require one security operations lead, whereas a large network would require two additional security operations analysts for support. This is due to the additional time it takes for vulnerability scans to run, and for the results to be manually interpreted. We assume the assessment would be done for the subset of systems/networks that are the highest risk/criticality for the organisation, rather than every system on the network.
  - Technology environment: There are significant differences in how vulnerabilities can be assessed in IT versus OT networks. OT systems necessitate a more manual approach due to the risks of running automated scans, and this is more time consuming and complex. OT systems can often be in remote locations, which also increases the time for an assessment. We have assumed two thirds of SoNS have a notable amount of OT in their environment (e.g. multiple critical OT-based systems), based on our experience working across critical infrastructure sectors.
• We assume that each organisation only conducts one vulnerability assessment per annum.
• The annual administrative costs for a medium organisation are calculated assuming that a single security operations lead at $250 per hour would require one week to conduct a vulnerability assessment on its IT systems, and 4 weeks on its IT/OT systems.
• The annual administrative costs for a large organisation are calculated assuming that one security operations lead at $250 per hour and two security operations analysts at $188 per hour would require one week to conduct a vulnerability assessment on its IT systems, and 4 weeks on its IT/OT systems.
• Due to the nature of a system of national significance, it is not expected that a small organisation would be declared a system of national significance.


4. Cyber security exercise

Conducting a cyber security exercise is an important activity for an organisation to test and improve its cyber resilience. A tabletop exercise (paper-based walkthrough) and a functional exercise (end-to-end simulation) have been costed. The functional exercise is significantly more detailed and resource intensive.

Cost description                       Cost
Annual cost for a single entity        $30,488 - $61,425

Cost assumptions

• It is not expected that the cost of conducting a cyber security exercise would differ between a medium and a large organisation.
• There are no upfront costs associated with conducting a cyber security exercise.
• Preparing a tabletop cyber security exercise will require one week of work from a security operations lead at $250 per hour and a security operations analyst at $188 per hour.
• One cyber security exercise is undertaken annually.
• Undertaking a tabletop cyber security exercise will require five individuals from across an organisation (security, legal, operations, HR and public affairs) to partake in an exercise expected to take 1.5 days' worth of work. This includes a half day for the event and another day to write up the lessons learnt.
• Undertaking a functional cyber security exercise will require six individuals from across an organisation (security, legal, operations, HR and public affairs) to partake in an exercise expected to take 4 days' worth of work; this includes 1 day for reporting on lessons learned. The functional exercise is more resource intensive and allows organisations to realistically test their cyber resilience and response processes.

Benefits

The benefits of the Enhanced Cyber Security Obligations align with those that will be experienced through the Positive Security Obligations (positive industry and household externalities; aligning with industry and community expectations of the Government; and lifting the resilience of Australia's critical infrastructure businesses).
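The per-entity figures in the cost tables for the notification obligation (4.2.1, item 3) and for the four Enhanced Cyber Security Obligations above follow from the stated assumptions by labour-rate arithmetic. The following Python model is an added illustration, not part of the Explanatory Memorandum or of PwC's costing, that reproduces each table figure from those assumptions so a reader can check them or vary the inputs. Three inputs are not stated on the page and are assumptions inferred because they reconcile the figures: a 37.5-hour week of five 7.5-hour days, the head of security contributing half time to the incident response plan, and exercise participants costed at the $250 lead rate.

```python
"""Added worked model (not from the Explanatory Memorandum or PwC): reproduces the
per-entity cost tables for the notification obligation (4.2.1) and the Enhanced
Cyber Security Obligations (4.2.2) from the assumptions stated on the page."""

COSTING_YEARS = 10  # page: ten-year costing timeframe

# --- 4.2.1 Notification of cyber security incidents (OBPR labour rate) ---
OBPR_HOURLY = 73.05  # page: $41.74 hourly cost x 1.75 wage multiplier, quoted as $73.05
NOTIFY_UPFRONT_HOURS = 1 + 2 + 0.25  # page: read guidance, write SOP, disseminate
NOTIFY_HOURS_PER_REPORT = 3          # page: identify, summarise and report one incident
# page: (number of entities, reportable incidents per year) by organisation size
NOTIFY_TIERS = {"small": (340, 1), "medium": (850, 3), "large": (510, 5)}


def notify_upfront() -> float:
    """Year-1 cost for one entity to learn its reporting obligation."""
    return NOTIFY_UPFRONT_HOURS * OBPR_HOURLY


def notify_annual(size: str) -> float:
    """Ongoing annual reporting cost for one entity of the given size."""
    _, incidents = NOTIFY_TIERS[size]
    return incidents * NOTIFY_HOURS_PER_REPORT * OBPR_HOURLY


def notify_ten_year(size: str) -> float:
    """Page table: upfront cost plus ten years of ongoing reporting."""
    return notify_upfront() + COSTING_YEARS * notify_annual(size)


def notify_aggregate() -> float:
    """Ten-year cost across all 1,700 critical infrastructure assets."""
    return sum(n * notify_ten_year(size) for size, (n, _) in NOTIFY_TIERS.items())


def notify_reports_per_year() -> int:
    """Total reports per year implied by the tier assumptions."""
    return sum(n * incidents for n, incidents in NOTIFY_TIERS.values())


# --- 4.2.2 Enhanced Cyber Security Obligations (PwC role rates) ---
LEAD, ANALYST, HEAD = 250.0, 188.0, 486.0  # page: $/hour
# Assumption (inferred, not stated on the page): a 37.5-hour week of five 7.5-hour days.
HOURS_PER_DAY, DAYS_PER_WEEK = 7.5, 5
HOURS_PER_WEEK = HOURS_PER_DAY * DAYS_PER_WEEK


def dollars(amount: float) -> int:
    """Round half-up to whole dollars, as the ECSO tables on the page are presented."""
    return int(amount + 0.5)


# Assumption (inferred): the head of security works half time on the plan; one week of
# the three-person team then equals the page's $25,538 low scenario.
IRP_TEAM_HOURLY = LEAD + ANALYST + 0.5 * HEAD


def irp_upfront(weeks: int) -> int:
    """Develop or update the incident response plan: 1 week (low) to 3 weeks (high)."""
    return dollars(IRP_TEAM_HOURLY * HOURS_PER_WEEK * weeks)


def irp_annual(days: int) -> int:
    """Annual maintenance of the plan: 2 days (low) to 4 days (high)."""
    return dollars(IRP_TEAM_HOURLY * HOURS_PER_DAY * days)


# page: annual sensor technology cost (low, high) by organisation size. The table's
# $49,375 reconciles with $40,000 here, although the narrative quotes $40,500.
TELEMETRY_TECH = {"medium": (40_000, 70_000), "large": (200_000, 350_000)}


def telemetry_upfront() -> int:
    """Security operations lead for two weeks to set up telemetry transmission."""
    return dollars(LEAD * 2 * HOURS_PER_WEEK)


def telemetry_annual(size: str, scenario: str) -> int:
    """Lead for one week of ongoing reporting plus the technology deployment."""
    tech = TELEMETRY_TECH[size][0 if scenario == "low" else 1]
    return dollars(LEAD * HOURS_PER_WEEK + tech)


def vuln_annual(size: str) -> int:
    """One week on IT systems plus four weeks on IT/OT; large networks add two analysts."""
    team = LEAD + (2 * ANALYST if size == "large" else 0.0)
    return dollars(team * HOURS_PER_WEEK * (1 + 4))


EXERCISES = {"tabletop": (5, 1.5), "functional": (6, 4)}  # page: (participants, days)


def exercise_annual(kind: str) -> int:
    """One week of preparation by a lead and an analyst plus participants' time.
    Assumption (inferred): participants are costed at the $250 lead rate."""
    people, days = EXERCISES[kind]
    prep = (LEAD + ANALYST) * HOURS_PER_WEEK
    return dollars(prep + people * days * HOURS_PER_DAY * LEAD)


def annualised_max(upfront: float, annual: float) -> float:
    """Maximum annual burden as quoted in 4.2: ongoing cost plus upfront spread over ten years."""
    return annual + upfront / COSTING_YEARS


if __name__ == "__main__":
    print(f"Notification: upfront ${notify_upfront():,.2f}, {notify_reports_per_year()} "
          f"reports/year, 10-year aggregate ${notify_aggregate():,.2f}")
    print(f"Incident response plan: ${irp_upfront(1):,} - ${irp_upfront(3):,} upfront, "
          f"${irp_annual(2):,} - ${irp_annual(4):,} annual")
    large_high = telemetry_annual("large", "high")
    print(f"Telemetry (large, high): ${large_high:,} annual, "
          f"max annualised ${annualised_max(telemetry_upfront(), large_high):,.0f}")
    print(f"Vulnerability assessment: medium ${vuln_annual('medium'):,}, large ${vuln_annual('large'):,}")
    print(f"Cyber exercise: tabletop ${exercise_annual('tabletop'):,}, functional ${exercise_annual('functional'):,}")
```

Running the module prints the reproduced figures. The register figures in 4.2.1 are deliberately not modelled, because 55 hours at $73.05 does not produce the $4,041.80 quoted in that table. Adding the page's register aggregate ($9,567,135.97) to notify_aggregate() and dividing by ten gives $2.19 million, the industry total in the summary table at the start of 4.2.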
The Enhanced Cyber Security Obligations will also ensure that the Government has the necessary powers to increase cyber security preparedness for Australia's most critical infrastructure, actively protecting their cyber networks and having plans in place to prevent, react to and mitigate cyber-attacks, which pose increasing threats. Specifically:
• Incident response plans will strengthen a business' preparedness for a cyber security breach, driving an uplift in security and resilience.
• Telemetry will improve an organisation's ability to detect and respond to a cyber incident by providing visibility across its technology environment. This measure will improve situational awareness across Government, which can in turn be used to inform industry of possible threats to improve preparedness, reducing the likelihood of a cyber incident.
• Conducting a vulnerability assessment in relation to a specific computer system or network will inform the effectiveness of the cyber security arrangements in place for an entity.
• Conducting cyber security exercises will form an important activity for an organisation to test and improve its cyber resilience.


Without this power, the Government would only be able to request that critical infrastructure owners mitigate their own cyber risks, and rely on mutual interest to ensure cyber risks are addressed. The four components of the Enhanced Cyber Security Obligations each look to reduce the risk of cyber security incidents occurring. These reforms align with business and community expectations for Government action to safeguard the continued supply of essential services all Australians rely upon. Through consultation it was highlighted that the Australian public looks to both the Government and critical infrastructure providers to secure the delivery of essential services. These reforms ensure that the Government is able to work alongside industry to provide assistance in emergencies and is able to proactively secure Australia's critical infrastructure.

4.2.3. Government Assistance

The Government Assistance measure would only occur in the event of a cyber-crime being committed and, as such, quantification of regulatory costs has not been conducted. This is because costs arising from non-compliance, or a suspicion of non-compliance, are excluded from the Government's Regulatory Burden Measurement framework.

Costs

The regulatory costs of imposing Government Assistance would vary widely depending on the scope of the request (whether it be an information gathering request, an action direction or an intervention direction) and the individual circumstances of the entity subject to the assistance. There is a minor risk that Government intervention leads to adverse, unintended consequences as a result of Government not understanding a critical infrastructure asset's control systems. To mitigate this risk, only suitably qualified cyber specialists will be engaged and ongoing consultation will be maintained between Government and the critical infrastructure entity to ensure that any actions are informed by specialist advice from the entity.
Furthermore, extensive consultation will be conducted with the affected entity prior to any Government action, providing further safeguards against damage occurring to an asset as a result of Government Assistance measures. There are also potential moral hazards that may arise from the use of the Government Assistance measures where Government steps in to provide assistance during a cyber-security incident. For example, entities may engage in riskier behaviour and may not address cyber security vulnerabilities or implement response plans to cyber security incidents if they believe that the Government may step in and assist, thereby removing the burden and responsibility from industry and placing the onus on Government. The risk of moral hazard can be reduced through extensive industry-Government engagement where Government reiterates that these powers are intended purely as a last resort, only for use in extreme circumstances. The mandatory requirement for critical infrastructure assets to also implement risk management programs, and the associated penalties for non-compliance, will also ensure that critical infrastructure assets are proactively protecting themselves against potentially significant cyber incidents.

Benefits

The Government remains committed, first and foremost, to working in partnership with states, territories and industry, who own, operate and regulate our critical infrastructure, to collaboratively resolve incidents when they do occur and mitigate their impacts. However, noting the importance of the services being provided by these assets and the Government's ultimate responsibility for protecting Australia's national interests, circumstances may arise which require Government intervention. In such circumstances, it is crucial that the Government has last resort powers to resolve the incident or mitigate the risk.


Introducing the Government Assistance measure will ensure the Government has the necessary powers to address cyber risks to critical infrastructure where these cannot, or will not, be managed by the entity affected. Without this power, the Government would only be able to request assistance from critical infrastructure owners to mitigate cyber risks, and rely on mutual interest to ensure the cyber risk is addressed. This measure will also provide critical infrastructure assets with timely support from Government where needed. Without this measure, entities may be hesitant to accept voluntary assistance from Government without a clear directive to do so. Where an entity is subject to a cyber-attack there is often a need to respond in a timely manner, as any delay can increase the consequences exponentially.

4.2.4. Expansion of Ministerial Direction

The regulatory costs of imposing a Ministerial direction would vary widely depending on the scope of the direction and the individual circumstances of the entity subject to the direction. In assessing the expected costs to industry as a result of the expansion of the Ministerial Directions powers, we have applied the same methodology as that used in the SoCI 2018 Regulation Impact Statement. While the Ministerial Directions powers will be expanded to all new critical infrastructure sectors, it is not expected that the costs would deviate significantly from the original sector cost estimates provided in the SoCI 2018 Regulatory Impact Statement. In the SoCI 2018 Regulatory Impact Statement, four scenarios were modelled for the original sectors captured under SoCI (electricity generation, electricity transmission/distribution, gas processing/storage, gas transmission/distribution, ports and water), with breakdowns provided across small, medium and large organisations. Note: this Regulation Impact Assessment costs three of these scenarios, given one of the scenarios previously costed is no longer relevant.
Costs

Scenario 1 - Direction requiring a business to limit any offshore access to its industrial control systems unless approved by Government.
a. Assuming the Direction power will be used once every three years (frequency of 3.33 across the 10 year costing timeframe), the annual compliance burden for this scenario is estimated at $4,999 on average per sector.
b. The annual cost of a single occurrence of the ministerial direction power over a ten year period, averaged for each sector, is estimated at $86,875 for a small business, $81,353 for a medium business and $77,672 for a large business.

Scenario 2 - A direction preventing a business from outsourcing the operations of its core network to certain low-cost, low-quality providers.
a. Assuming the Direction power will be used once every three years (frequency of 3.33 across the 10 year costing timeframe), the annual compliance burden for this scenario is estimated at $280,741 on average per sector.
b. The annual cost of a single occurrence of the ministerial direction power over a ten year period, averaged for each sector, is estimated at $1,385,499 for a small business, $4,020,916 for a medium business and $6,656,332 for a large business.

Scenario 3 - A direction preventing a business from sourcing core operational systems technology from certain low-cost, low-quality providers.
a. Assuming the Direction power will be used once every three years (frequency of 3.33 across the 10 year costing timeframe), the annual compliance burden for this scenario is estimated at $279,541 on average per sector.


b. The annual cost of a single occurrence of the ministerial direction power over a ten year period, averaged for each sector, is estimated at $1,419,972 for a small business, $3,514,742 for a medium business and $7,096,694 for a large business.

Note: the ministerial directions power has not been used since its introduction in 2018. As such, (b) the annual cost of a single occurrence of the ministerial direction power over a ten year period for each sector and business size category is illustrative only. Assuming a ministerial direction is used (a) once every 3 years is considered more realistic and subsequently more representative of the likely costs to industry.

Cost assumptions:
• The following method was used to calculate the annual cost of complying with the register for an average entity. This method is in line with Office of Best Practice Regulation guidance.
o Regulatory burden = (time required to report * hourly cost ($41.74) * wage multiplier (1.75)) * (times performed annually * number of staff)
o Where relevant, the time required to report has been informed by a complexity multiplier, and/or a SCADA expertise multiplier and/or an industry multiplier to account for different levels of complexity across sectors. The averages have been used to inform costs.
• The sectors (electricity generation, electricity transmission/distribution, gas processing/storage, gas transmission/distribution, ports and water) that were costed in the SoCI 2018 Explanatory Memorandum provide a suitable analogue for all critical infrastructure sectors.
• Independent compliance audits, staff training, procurement related to SCADA systems or new communications infrastructure providers, costs of breaking existing contracts, and software updates and maintenance have been considered in costings.

a. Ministerial direction is used every 3 years
• The ministerial directions power will be used once every three years (resulting in a frequency of 3.33 across the 10 year costing timeframe).
• Each of the three scenarios is assigned an equal probability of occurring (33% each).
• Within each of the three scenarios, the 33% probability is split between small, medium and large entity types.
• A medium or large sized entity is twice as likely to be affected by a Ministerial Direction compared to a small sized entity.

b. Ministerial direction for each sector and business size once every 10 years
• The costs for small, medium and large businesses have been determined using the modelling work undertaken in the 2018 SoCI Regulation Impact Statement and averaging the costs of all sectors for a small, medium or large business.

The Minister's use of the directions power may change foreign investors' perceptions of sovereign risk in Australia if it is considered that the directions power is being abused. This would have a significant impact on the Australian economy, which is highly dependent on foreign capital to grow the economy, increase productivity and living standards, and create jobs. However, the fact that the Ministerial direction power has been in force for the last two years and has not yet been used should alleviate these concerns.

Benefits

The Ministerial directions power was introduced into the current SoCI to ensure that the Government had the necessary powers to address national security risks to critical infrastructure where they could not be managed through other mechanisms. Since its introduction, there have been no incidents where the Ministerial directions power has been required.


Without this power, the Government would only be able to request assistance from critical infrastructure owners to mitigate risks, and rely on mutual interest to ensure the risk is addressed. The benefit of the directions power lies in instances where assistance is not provided and risks are not mitigated. Subject to the safeguards in issuing a direction, this power allows the Government to ensure that the underlying national security risks are addressed. As critical infrastructure has become increasingly interconnected over recent years, it is important that the Ministerial Direction powers are expanded to include all newly defined critical infrastructure assets.

4.2.5. Voluntary engagement through the Trusted Information Sharing Network (TISN)

Costs

Participation within the TISN will be on a voluntary basis and therefore will not result in a regulatory burden to industry. For those that voluntarily participate, there will likely be a number of events that participants will be invited to join, as well as a number of guidance documents and briefing materials provided to industry.

Benefits

By complementing legislative change with revitalising the TISN and the Critical Infrastructure Resilience Strategy, further cost benefits for industry will be realised. Revitalising the TISN and the Critical Infrastructure Resilience Strategy will help to encourage the successful development and implementation of standards, uplifting the overall security of critical infrastructure. However, as engagement with the network and the strategy will be voluntary, only those businesses that choose to participate will incur costs. Further, businesses are able to choose to participate in some components of the program and not others as best suits them, only incurring costs associated with their chosen components. Participants engaging with the revitalisation of the TISN and the Critical Infrastructure Resilience Strategy will receive a number of benefits.
Through the various components of the program, participants will have access to Government risk information, expertise and advice on the threat environment and managing security risks to their business, targeted threat information and briefings from security agencies, guidance from the Government and fellow industry participants on security practices, and the opportunity to shape the development of industry codes of conduct and standards. Engagement will assist participating owners and operators to make more informed and effective security investment decisions, and assist those operators already subject to existing regulation to meet their obligations. Additionally, active engagement in the TISN will be taken into consideration if and when compliance action is required. All of these will benefit participants by supporting improved security outcomes and more efficient practices and standards.

Financial Support

The Government does not intend to offer financial support to critical infrastructure owners and employees in meeting the proposed reforms. However, the Government will use the refreshed TISN engagement mechanism to provide assistance in the way of education and training for critical infrastructure owners and operators to meet the new standards and reporting requirements. The Government also believes that a wide-reaching uplift in security across critical infrastructure sectors (regardless of regulatory coverage) will provide long term benefits to industry through greater security across their supply chains and greater assurance and clarity around real threats to their assets and appropriate measures to safeguard themselves.

Flow on costs to individuals


Some of the costs experienced by industry through an uplift in all hazards risk management will be passed on to households that consume the critical infrastructure outputs, for example electricity and water. This cost pass-through must be balanced against the resilience benefits for households and businesses, as less significant disruptions will result in greater continuity and resilience of services.

Variability of costs

The costs provided in the Regulation Impact Statement are contingent on a range of variables. These variables include: size and complexity of the entity's operations; which sector/s the entity exists within; entity type; investor and consumer pressure; reputational risk; financial resources; perceived costs and benefits of compliance; understanding of the regulations and level of engagement with the regulations; and the current maturity of an entity and whether they already comply with similar regulations.

Costs to the Government

An engagement focussed, risk based approach to compliance will be taken by Home Affairs, which is anticipated to be the primary regulator for most, if not all, sectors. Co-design of sector specific rules will occur throughout 2021, with the rules being 'switched on' following a designated grace period. Once the Department has gained greater clarity on the number of entities that will have obligations and the type of specific obligations under the PSO after co-design with industry, the Department will be able to provide quantified costs to Government. These will be provided within future RIS(s) and publicly available through future Budget papers. The CIC will focus on education and assistance wherever possible, with enforcement of compliance only being used where absolutely necessary to mitigate risks. To deliver industry engagement, guidance and compliance there will need to be an investment in specialist knowledge and skills to ensure effective consultation across industry and states and territories.
In the development of the costs to Government, the Department will work closely with central agencies to ensure there is broad agreement to the approach being taken.

Benefits
• Safeguards Australia's social and economic stability, defence and national security by increasing critical infrastructure resilience.
• Provides certainty for businesses by setting clear standards for action and creating a level playing field in the Australian market for businesses considered critical infrastructure.
• Aligns with business and community expectations for Government action.
• Drives improved all hazards supply chain management.
• Enables the Government to develop real-time situational awareness from high criticality entities, allowing the Government to respond effectively and efficiently to emergencies.
• Provides business with access to Government risk information, expertise and advice on the threat environment and managing security risks to their business.
• Provides business with guidance from Government and fellow industry participants on security practices.

Costs and Limitations
• The regulatory option may impose significant upfront cost on critical infrastructure assets and Systems of National Significance to comply. This may impact their viability and ability to innovate.
• As a result of increased regulation costs to industry, it is expected that some of the costs will be passed on to consumers through increased bills (e.g. electricity, food costs).
• This option is expected to have the highest cost to Government as a result of the engagement, guidance and compliance measures required by a regulatory approach.
• There is a risk that the regulatory obligations imposed on critical infrastructure assets and Systems of National Significance create unnecessary administrative burden that is not commensurate with the risk.
• PSO:
  Mandatory Cyber Reporting - average annual compliance burden of $242.89 per small entity, $681.19 per medium entity, and $1,119.49 per large entity.
  Register of Critical Infrastructure Assets - average annual compliance burden of $637.81 per entity.
• ECSO:
  Incident response plans - maximum annual compliance burden of $28,091.30 for a single SoNS assuming annual requirements.
  Telemetry - maximum annual compliance burden of $81,250 for a single medium SoNS and $361,250 for a single large SoNS assuming annual requirements.
  Vulnerability assessments - maximum annual compliance burden of $46,875 for a single medium SoNS and $117,375 for a large SoNS assuming annual requirements.
  Cyber Security exercises - maximum annual compliance burden of $30,488 for a single SoNS assuming annual requirements.
• Ministerial Directions:
  Scenario 1 - average annual compliance burden for this scenario is estimated at $4,999 per entity.
  Scenario 2 - average annual compliance burden for this scenario is estimated at $280,741 per entity.
  Scenario 3 - annual compliance burden for this scenario is estimated at $279,541 on average per entity.

4.3. Option Three - No legislative change, revitalising the Trusted Information Sharing Network and the Critical Infrastructure Resilience Strategy

Revitalising the TISN alone could have a number of benefits and may assist critical infrastructure owners and operators in responding more effectively to national security risks without imposing additional compliance costs through new regulation. Promoting voluntary action would allow owners and operators to work collaboratively to design and implement industry-led responses, reducing the need for Government intervention. However, the success of voluntary, non-regulatory measures is contingent on business engagement.
While industry engagement is expected to be positive, it will continue to be piecemeal. The lack of legislative reform diminishes the effectiveness of this program due to the lack of enforcement capabilities. The owners and operators most likely to adopt voluntary principles or utilise guidance material are those already acting to mitigate national security risks. Those deterred by the commercial disincentives are less likely to voluntarily take action. For the TISN to succeed, positive industry engagement is vital. This will result in the successful development and implementation of standards and uplifting of the overall security posture of critical infrastructure. However, without the support of greater enforcement mechanisms and the proposed legislative security regulatory regime, the Government is not confident that real and sustained security


outcomes can be achieved. Without legislative reform, the Government will continue to manage national security risks through the FATA and subsequently not deliver a security uplift for critical infrastructure that is domestically owned and operated. The cost to industry would be dependent on who within industry voluntarily engages with the TISN and voluntarily uplifts their security through non-regulatory versions of the Positive Security Obligations, Enhanced Cyber Security Obligations, and Government Assistance. It is likely that not all entities deemed critical infrastructure would participate and therefore the costs to industry in reality would be significantly lower than the cost of making the obligations regulatory. Similarly, the corresponding benefits would also be significantly lower than under Option Two. An increase in resilience in some critical infrastructure assets would provide greater benefits to the security and resilience of Australia's social and economic stability, defence and national security. However, due to the interconnected nature of critical infrastructure, a broad uplift across sectors is required to substantially improve the resilience of critical infrastructure, and this is unlikely to occur without regulatory obligations.

Benefits
• Owners and operators have the flexibility to address risks to critical infrastructure
• Addresses concerns raised by industry requesting guidance from Government
• Reduced need for the Government to intervene
• No new regulatory compliance costs for business and the Government

Costs and Limitations
• Costs to industry dependent on level of industry engagement
• Success in meeting the Government objectives of the reform is contingent on industry engagement
• Lack of legislative drivers diminishes effectiveness due to lack of enforcement capabilities
• Without regulatory obligations providing clear direction, many businesses will lack a clear mandate to uplift all hazards risk management
• Those not already utilising guidance material are unlikely to voluntarily engage in mitigating identified risks
• Continued overreliance on FATA, impacting Australia's investment reputation
• The gaps between organisations with high security and resilience maturity and those with low maturity will continue to widen

5. FEEDBACK

This section provides an overview of the Government's public consultation process. It explains the purpose and objective of the consultation process and provides detail about the Government's consultation strategy. It also provides a summary of key feedback from consultations, including written submissions.

5.1. Consultation Process - overview

Consultation paper engagement

On 6 August 2020, the Minister for Home Affairs announced a proposal to introduce regulatory reforms to protect critical infrastructure and systems of national significance as a key measure of the Cyber Security Strategy 2020. On 12 August 2020, the Minister for Home Affairs published the Protecting Critical Infrastructure and Systems of National Significance Consultation Paper.


The Consultation Paper outlined a framework of regulatory (Positive Security Obligations, Enhanced Cyber Security Obligations and Government Assistance) and non-regulatory (Enhanced Government-Industry Partnership) proposals to protect Australia's critical infrastructure from all hazards, including dynamic cascading threats enabled by cyber attacks. It sought the views of governments, industry and the community to shape the detail of the legislative reforms and the Government's approach to implementing them on a sectoral basis. The Department received 194 public and confidential (not released on the Department's website) submissions in response to the Consultation Paper, including submissions from all states and territories, as at the close of the submission period on 16 September 2020.

Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020

On 9 November 2020, the Department released the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, accompanied by an Explanatory Document for public consultation. Consultation closed on 27 November 2020, with Home Affairs speaking to over 1,000 individuals on the Exposure Draft Bill and 117 formal submissions being made. Home Affairs undertook an accessible and transparent consultation process, structured to target key stakeholders for bilateral meetings, including businesses, peak bodies and state and territory governments that could be impacted by the proposed regulations. This approach was informed by the first round of public consultation on the Protecting Critical Infrastructure and Systems of National Significance Consultation Paper and through extensive consultation with counterparts across the Australian Government, state and territory governments and industry. Feedback received on the Exposure Draft Bill remained consistent with that received on the Consultation Paper.
Consultation continued to reveal broad in-principle support for the uplift to the security and resilience of critical infrastructure and the need to enhance the Government's security-focused relationship with industry. Industry remains concerned about the Bill's regulatory impost, its possible duplication with existing frameworks, timeframes for implementation, and the extent of the Government's intervention powers. Stakeholders have expressed gratitude for Home Affairs' genuine willingness to engage with entities on the Consultation Paper and Exposure Draft Bill.

Sector-specific surveys

Sector-specific surveys were provided to entities operating within the 11 critical infrastructure sectors specified in the Consultation Paper. Survey questions were designed to better understand industry views of the proposed reforms, as well as develop a clear understanding of each sector and its key cross-sector interdependencies. The survey focused primarily on defining:
• Relevant industry sectors: Banking and Finance; Communications; Data and the Cloud; Defence Industry; Education and Research; Energy; Food and Grocery; Health; Space; Transport; and Water;
• Critical functions: relevant industry sector outputs that directly contribute to Australia's social and economic stability, defence and national security;
• Components: physical facilities, supply chains, information technologies or communications networks required to deliver a critical function; and
• Operational requirements: the systems and/or services an organisation relies upon to ensure its capabilities, technologies, and performance measures effectively deliver Components or Critical Functions (e.g. fuel supply, SCADA software updates).


Survey results have supported the Department in identifying areas of potential duplication and overlap, to avoid unnecessary or disproportionate regulatory burden within critical infrastructure sectors, offsetting potential regulatory costs that may be incurred by industry. Information received will continue to be used to feed into the Department's mapping and identification of Australia's systems of national significance.

Virtual Consultation Town Halls

The second element of consultation in August involved six virtual town halls that were open to all members of the public to comment on the Consultation Paper. Additional town halls were held with the Business Council of Australia and the Australian Banking Association and their members. More than 620 representatives from business, civil society and state and territory governments attended these town halls, as well as 5 attendees from overseas. Another four town halls for the Exposure Draft Bill were held in November 2020 and were open to all members of the public to comment on the Explanatory Document and draft legislation. Approximately 500 people registered for the town halls. An additional town hall was held with members of BSA (The Software Alliance) with over 100 attendees.

Sector-specific workshops

Engagement on the Consultation Paper involved 990 participants in 22 sector-specific workshops across 11 sectors (two workshops per sector). During these two-hour (on average) workshops, participants were encouraged to offer opinions and advice relating to the proposed reforms and their application to their sector. During the workshops, the Department worked through each sector to determine which assets should fall within the purview of the legislative reforms. The Department also sought industry's views during the workshops on existing regulatory frameworks and the costs associated with compliance.
Other engagements

For the Consultation Paper engagement, the workshops were complemented by over 30 bilateral discussions (over 400 individuals) with industry (including peak bodies) and state and territory governments to consider specific issues impacting entities and provide further input on the design of the framework. For consultation on the Exposure Draft Bill, virtual town halls were complemented by bilateral discussions (over 400 individuals) with industry (including peak bodies) and state and territory governments to consider sector-specific issues and seek further input on the design of the framework. These included meetings with, among others, the Business Council of Australia, Council of Financial Regulators, Australian Banking Association, Critical Infrastructure Advisory Committee, Amazon Web Services and the Council of Financial Regulators Cyber Working Group.

Cyber Security Strategy 2020 engagements

Over 1,200 individuals have been engaged through the Department's public engagement efforts to message key elements of the Cyber Security Strategy 2020. This has prominently featured the Protecting Critical Infrastructure and Systems of National Significance package.

Direct engagement with states and territories


The Department has taken an active approach to engaging with state and territory governments on these reforms. Prior to the 12 August launch, the Department arranged a round table with senior level officers from all state and territory First Ministers Offices through the National Coordination Mechanism, outlining the objectives of the proposed reforms and intention to not duplicate or replace existing arrangements in those jurisdictions. States and territories expressed in-principle support for the reforms during this meeting. These points were reiterated in a letter sent by the Minister for Home Affairs to all First Ministers immediately prior to the launch, which emphasised the need for officials to work in partnership to identify Australia's most critical entities and design the detail that sits underneath the features of the new framework, to ensure, wherever possible, that the reforms complement and leverage existing security regulations and initiatives within jurisdictions. Following the launch of the reforms, the Department convened a further meeting with state and territory First Ministers' departments and relevant state and territory agencies. This meeting provided further opportunity for state and territory governments to learn more about the reforms and discuss opportunities to align and integrate with existing regulatory arrangements. These round table discussions have been complemented by a number of bilateral discussions with state and territory agencies on specific aspects of the reforms and the active involvement of states and territories in the sector specific workshops and town halls. During consultation on the Draft Bill, Home Affairs met regularly with state and territory First Ministers' departments, briefed the National Cyber Security Committee and engaged on a bilateral basis with interested state and territory agencies. 
Home Affairs will continue to engage with states and territories, to ensure the views of jurisdictions are considered throughout the reforms' sectoral co- design and implementation phases. 5.2. What the Department heard and how has Government responded? Key findings Virtual consultations and submissions in response to the Consultation Paper and the Exposure Draft of the Bill revealed broad in-principle support for the introduction of the reforms, with certain sectors strongly supporting their inclusion within the proposed coverage of the framework, given their level of criticality and currently limited regulatory environment. Industry concerns primarily centred on the sectoral implementation of the reforms. These included:  The need for true co-design of sector-specific requirements and recognition that voluntary partnerships remain the first preference for resolving incidents.  Reduce regulatory duplication by using existing frameworks where appropriate.  Lack of clarity around the definition of critical infrastructure sectors and assets and systems of national significance.  Unclear and possibly high regulatory impost, as well as possible duplication with existing regulatory frameworks (particularly in sectors with existing, mature security frameworks).  Timeframes for implementing these reforms.  Lack of consultation on an exposure draft of proposed legislative amendments to SoCI.  Extent of the proposed Government Assistance powers.  Costs associated with the reforms. At the core of these reforms will be an enhanced Government-industry relationship, focused on partnerships with industry and outcomes-based compliance mechanisms. In response to industry concerns, the reforms will feature clear coverage, as outlined in primary legislation, with appropriate implementation and co-design timeframes that leverage existing regulations to balance regulatory impost with security outcomes. 
Government Assistance measures will also be limited by robust oversight mechanisms and in order to provide further opportunity to key stakeholders to refine the
legislative reforms, the Department also released and consulted on an exposure draft of the Bill with an accompanying explanatory document.

Supporting the need for reform

Industry, states and territories have expressed broad support for, and understanding of, Government's decision to introduce an enhanced critical infrastructure security regulatory regime. The Department heard that Australia's current critical infrastructure regulatory arrangements need strengthening to build the nation's security posture. The Department worked closely with stakeholders across sectors to determine appropriate thresholds for the reforms' obligations. Submissions showed support for the 11 sectors identified by the Government. A number of organisations self-identified as critical infrastructure assets to be covered by the reforms.

Some stakeholders proposed alternative approaches to building critical infrastructure security and resilience. These included, for example, a vulnerability disclosure scheme; a national critical services overlay network; and the use of environmental surveillance network instrumentation to show changes to risk leading indicators in near real time. However, these suggestions were piecemeal and ultimately aligned with Government's security objectives.

Reduce regulatory duplication with existing regulatory frameworks

Industry and governments remain concerned with the Bill's regulatory burden, and interactions between the measures proposed and existing regulatory frameworks. Some stakeholders have called for obligations across sectors to be harmonised, or for Government to leverage domestic or international standards, to achieve a consistent security uplift.

Home Affairs notes that the Bill embeds the need to reduce regulatory duplication throughout the regime by, for example, requiring the Minister to consult with industry on the introduction of Rules (s 30AL), implementing the Positive Security Obligation on a sectoral basis by 'switching on' obligations (ss 30AB, 30BB, 18A), and exercising Government Assistance measures only where other regulatory measures cannot be used (s 35AB). Home Affairs shares industry's view that the reforms should reduce regulatory duplication and will continue to engage with entities to identify and mitigate areas of duplication.

On Coverage

Some stakeholders called for clarity over the coverage of the reforms. Others stated a preference for greater flexibility, by setting thresholds in delegated legislation. The Department has engaged with participants from each sector to help workshop and design the coverage of each of the reforms' measures. This also included workshopping the definition of critical infrastructure sector and critical infrastructure assets with Commonwealth counterparts, industry and peak bodies to ensure that only those assets that should be captured by the reforms are captured. For example:

• The Department has worked with industry and Commonwealth counterparts to refine the 'critical broadcasting asset' definition. Notably, amendments were made to exclude retransmission assets unless they are prescribed by the rules. This change takes into account concerns that the inclusion of all retransmission assets did not serve the policy intent and would place an unreasonable regulatory burden on their owners and operators.
• The financial services and markets sector sectoral definition, and the sector's critical infrastructure asset definitions, were shaped by input from Commonwealth partners and existing financial regulators. For example, the Department incorporated input on what should be included in the financial services and markets sector definition, and which assets within the sector should be captured as critical infrastructure assets. This also included a shift in terms of
the criticality for financial services and markets sector critical infrastructure assets to be focused on entities rather than their assets.
• The Department worked with industry and Commonwealth counterparts to refine the definition of "critical liquid fuels assets". Originally the definition proposed a legislated volume threshold to capture liquid fuel storage tanks; however, consultation with industry indicated that such a threshold may be difficult to enforce and may cause confusion over who is and is not regulated. Instead, it has been proposed that a broad definition of a liquid fuel storage terminal be included in the legislation, with the Rules to be developed with industry to ensure that the appropriate assets are covered, also allowing flexibility as the industry changes.
• The threshold for a "critical water asset" has not been altered from the original definition currently in SoCI. The idea of using a principles-based test for what is or is not a critical water asset was suggested by industry; however, further discussion with industry and the Commonwealth determined that such a method would not provide industry with enough certainty in the legislation around who is and who is not covered. It was ultimately agreed with industry that retaining the current thresholds was the best course of action.

Leveraging existing regimes and reducing regulatory impost

Stakeholders expressed concern over the regulatory impost of the reforms. Stakeholders emphasised the need to reduce this burden by co-designing the Positive Security Obligations with industry and leveraging existing frameworks. It was noted that smaller critical infrastructure providers would be required to do comparably more to build security and resilience. Some members of industry suggested the Positive Security Obligations remain principles-based to avoid over-regulation. Other stakeholders advocated for a clear set of obligations for industry operators to provide regulatory clarity for operators.

Stakeholders across sectors clearly articulated the need to reduce duplication with existing frameworks. States and territories called for alignment with existing jurisdictional requirements. A number of stakeholders pointed to existing international standards and examples of best practice. Stakeholders agreed that Government will need to work with operators to develop and implement the Positive Security Obligations in a way that reduces their impost. Industry recommended that Government and operators work together to better understand and reduce the economic impacts of the reforms, as critical infrastructure assets would not presently be able to provide cost estimates.

The Department is committed to reducing duplication and unnecessary regulatory impost by identifying potential offsets through the co-design of the risk management program. The Department will work in tandem with industry and existing regulators to develop and implement the Positive Security Obligations. Key to this process will be the identification of sector regulators and existing regulatory standards, guidance or international exemplars that:

• meet the Positive Security Obligation's high-level security outcomes; and
• meet the needs of the sector's operators and regulator.

During this process, the Department will work with entities to conduct economic modelling on a sectoral basis to draw out key risks and impacts, and build this information into the Positive Security Obligation's co-design.

Enhanced Cyber Security Obligations

Through consultation, industry has also clearly articulated that the Enhanced Cyber Security Obligations must be proportionate to entities' cyber risks and consequences. To meet this requirement, only a limited subset of entities are expected to be subject to these obligations.

Coverage will be informed by work being undertaken by the CIC to map critical infrastructure interdependencies, identify the nation's most critical entities, and support the Minister's designation using a methodology tested with industry and government. The methodology considers sectors'
critical functions, the reliance of others on those functions, and the operational features of each sector. This enables the identification of entities that would represent a systemic threat if compromised, due to the significant number of critical functions across sectors directly or indirectly impacted.

Government Assistance

Industry consultation on the Government Assistance measure has revealed cautious support. Industry reiterated the need for appropriate thresholds and oversight, and recognition that voluntary partnerships remain the Government's first preference for resolving incidents. In response to this feedback, it is proposed that the Secretary of Home Affairs, on advice from relevant organisations, will have the power to seek an authorisation from the Minister for Home Affairs to take steps to prevent, mitigate or restore functionality of an asset following a nationally significant cyber incident, if an entity is unable or unwilling to do so. The proposed option will cover any asset within a critical infrastructure sector, to ensure the Government can effectively intervene if there were a nationally significant cyber incident impacting critical infrastructure. This broader scope will ensure the Government can take necessary steps to manage significant risks at appropriate points in the supply chain of critical infrastructure assets.

Co-design and implementation are key

Industry, states and territories expressed strong concern over the short timeframe allocated for consultation on the enhanced legislative framework. Entities are keen to work closely once the co-design process is initiated. In light of the short consultation timeframes, a number of stakeholders across industry, states and territories additionally called for release of an Exposure Draft of the Bill.

The Department has engaged in targeted engagement with sectors to consider the details of the legislative framework, with sectoral co-design of requirements giving effect to the Positive Security Obligations to occur in late 2020 to mid-2021. Prior to introduction of the Bill to Parliament, the Department released an Exposure Draft of the legislative reforms to seek further feedback from operators on thresholds and obligations outlined in the draft Bill.

Building a Government-Industry partnership through ongoing engagement

Stakeholders recognised that key to the required uplift of security and resilience in Australia's critical infrastructure is an enhanced relationship between operators and governments. The Department heard that the Government's non-regulatory engagement with operators needs to be strengthened. Stakeholders advised that the value of the TISN has diminished and that its reinvigoration would require genuine and valuable information exchange, and guidance from Government. Industry noted that expansion of the TISN, in line with the reforms' coverage, will bring additional insights and information sharing to the networks. A number of submissions called for monetary support from Government to assist them to uplift their security and comply with legislative obligations.

The Department is committed to building its voluntary engagement mechanisms, including through the TISN. The Department is exploring a number of measures to improve Government's operator engagement and build a collective understanding of risk within and across sectors, including by: co-designing best practice guidance; providing all-hazard threat assessments; and introducing a two-way industry-government secondment program. This support will assist entities to meet their legislated obligations, as well as building the security and resilience of non-regulated entities.

Through the Cyber Security Strategy 2020, the Department is also building its cyber security industry outreach capability by establishing a permanent presence within the Joint Cyber Security Centres.
Importantly, engagement with industry does not end here. Co-design of the sector-specific approaches is expected to continue into early 2021 to both meet the needs and appropriately lift the capabilities of regulated entities. This includes working closely with entities and regulators to prepare sector-specific guidance and provide a clear understanding of the requirements of the Risk Management Program under the Positive Security Obligations, and of who will be required to report to the Register of Critical Infrastructure and engage in Mandatory Cyber Reporting. This will be influenced heavily by the existing regulations currently experienced by each sector. This will also enable the Government to build on its current partnership with industry to develop a stronger and more collaborative approach to engagement, communication and information sharing.

The role of states and territories

In round tables and in bilateral meetings, state and territory agencies have highlighted the importance of aligning these reforms with existing arrangements in their jurisdictions and working in partnership with the Commonwealth to design and implement these reforms. States and territories have the opportunity to be involved in the co-design of the sector-specific standards, information sharing arrangements and the Government Assistance measures. The Tasmanian Government told the Department, "any powers developed that give the Australian Government the ability to declare a sector specific emergency should only be done in consultation with jurisdictions, and then only by the relevant portfolio/sector minister".

Industry stakeholders also identified that collaboration with states and territories could assist in building security outcomes. Industry advised that, for example, state and local government agreement could be sought to enhance physical security through security perimeters around critical assets.

The Department will continue to work with states and territories throughout the implementation of these reforms to build information sharing capability across jurisdictions and leverage existing security relationships. The Department will continue to work with Commonwealth agencies and states and territories to uplift the security and resilience of Australia's Government and Democracy.

5.3. Risk management program - co-design process to address stakeholder concerns

Partnerships with industry sit at the foundation of these reforms. As such, consultation will not end with the introduction of the enhanced legislative framework. The Government will continue to work with industry and state and territory governments to make sure that existing regulations, frameworks and guidelines are leveraged, and to minimise any duplication, ensuring costs are offset to minimise regulatory burden. Close co-design will be integral to understanding the most effective way to implement the proposed reforms, and to ensure the impost to industry is well understood and addresses any concerns they may have, balanced against Government's policy objectives to uplift critical infrastructure resilience and security against all hazards.

The co-design period will commence in early 2021 and will be phased on a sector-by-sector basis over a period of 18 months. During co-design the Department, Commonwealth and state and territory agencies, sector regulators, and key industry stakeholders will work closely together to develop the sector-specific requirements that underpin the risk management program. It will be important to take this time to ensure these requirements clearly outline expectations, and what would be considered a reasonable and proportionate response to meeting this element of the Positive Security Obligation.

Undertaking a co-design process will ensure the specific requirements:

• recognise and do not duplicate existing regulatory or non-regulatory approaches across sectors
• are principles-based and proportionate to the risk profile of the particular sector, and
• impose the least regulatory burden necessary to achieve the security outcomes.
To offset costs to industry, wherever possible, the Positive Security Obligation provides an on-switch mechanism to activate the elements of the obligations, including the risk management program. This on-switch is intended to prevent duplication where arrangements in sectors already exist which impose equivalent obligations to the risk management program. In these circumstances, the SoCI obligations will remain dormant, with those existing obligations continuing to apply without duplication.

• For example, the security and resilience of critical defence industry assets is currently managed through existing frameworks and obligations under the Defence Industry Security Program (DISP). The DISP is a non-regulatory risk management program run by the Department of Defence (Defence) that strengthens security practices in partnership with industry. Existing defence security mechanisms under the DISP are considered sufficient and, as such, the risk management program is unlikely to be turned on for this class of assets, absent a significant change in the threat environment or in industry practices - ensuring no duplication of regulatory burden for Australia's defence industry.

It is clear the risk management program will have a regulatory impact on industry, while recognising the concurrent benefits to the economy, national security and sovereignty of Australia. The depth and breadth of this economic impact will vary based on the existing maturity within sectors and the scope of the sector-specific rules. To ensure there is a collective understanding across Government and industry of the impact of these reforms and to address any concerns, Home Affairs will procure economic modelling experts to assess the anticipated regulatory impact of uplifting the security and resilience of Australia's critical infrastructure.

This will allow robust economic modelling across the critical infrastructure sectors as part of the development of the sector-specific rules and guidelines to assist in the interpretation of the rules. The economic modelling will form a key aspect of engagement with industry and government during the co-design process and will focus on a number of key elements:

• Provide a breakdown of the administrative compliance costs to industry in meeting the risk management program.
• Provide a breakdown of other substantive costs to industry as a result of the risk management program.
• Develop scenarios to assess the administrative and substantive compliance costs. These scenarios would consider the directions and actions likely to be issued in different situations and the impact of these on owners and operators.
• Outline costs to industry in terms of staffing, skill requirements and time commitments.
• The potential returns on additional investment required to meet the risk management program.
• The savings from a reduced frequency of security incidents, and the costs to owners and operators should no action be taken.

6. WHAT IS THE BEST OPTION FROM THOSE YOU HAVE CONSIDERED?

This Regulation Impact Statement recommends that the Government pursue Option Two through targeted regulatory action involving a Positive Security Obligation, an Enhanced Cyber Security Obligation, Government Assistance and an expanded Ministerial Direction power, which will all be underpinned by an enhanced Government-industry partnership through the TISN. As outlined below, Option Two most effectively responds to the policy problem outlined in section 1. Critical infrastructure is increasingly interconnected and interdependent, and this interconnectivity has created an evolving and increasing set of threats.

Without enforceable safeguards, vulnerabilities can deliberately or inadvertently cause disruption that could result in catastrophic and cascading consequences across Australia's social and economic stability, defence and national security. It is appropriate that the Government takes regulatory action to support the business community to combat this issue.
6.1. Option Two - Legislative change, a compliance and assurance capability

This Regulation Impact Statement assesses that Option Two is likely to deliver the greatest benefit in terms of providing industry with consistent direction, assistance and guidance that will provide an uplift in security across all critical infrastructure, safeguarding Australia's social and economic stability, defence and national security. This will support business to better address the risks to critical infrastructure and assist investors and consumers with their investing decisions and long-term business plans through greater clarification and consolidation of security requirements. The benefits arising from these costs are commensurate with: the Government's objectives for reform; the nature and extent of risks to critical infrastructure; the benefits of the regulation and the creation of a level playing field for industry.

The maximum aggregated annual costs to industry as a result of the Register of Critical Infrastructure Assets and the mandatory cyber reporting are estimated at $2.19 million annually. This cost does not include the Enhanced Cyber Security Obligations or the Ministerial Directions power, as these elements of the reforms do not require ongoing industry obligations but rather are upon request. Consequently, where a request is made, the ECSO and Ministerial Directions are expected to cost industry the following:

• ECSO (applicable only to SoNS):
  Incident response plans - maximum annual compliance burden $28,091.30 for a single SoNS assuming annual requirements.
  Telemetry - maximum annual compliance burden $81,250 for a single medium SoNS and $361,250 for a single large SoNS assuming annual requirements.
  Vulnerability assessments - maximum annual compliance burden $46,875 for a single medium SoNS and $117,375 for a large SoNS assuming annual requirements.
  Cyber Security exercises - maximum annual compliance burden $61,425 for a single SoNS assuming annual requirements.
• Ministerial Directions (applicable to all critical infrastructure sector assets):
  Scenario 1 - annual compliance burden for this scenario is estimated at $4,999 on average per entity assuming the direction power will be used once every three years.
  Scenario 2 - annual compliance burden for this scenario is estimated at $280,741 on average per entity assuming the direction power will be used once every three years.
  Scenario 3 - annual compliance burden for this scenario is estimated at $279,541 on average per entity assuming the direction power will be used once every three years.

However, it is considered that these costs are outweighed by the benefits provided by these reforms through addressing the key aspects of the policy challenge outlined within section 1.

6.1.1. Increase the resilience of Australia's critical infrastructure from all hazards

The reforms will ensure entities take an all-hazards approach when identifying risks that may affect the availability, integrity, reliability and confidentiality of their assets. This will require consideration of both natural and human-induced hazards which pose a material risk. This may include understanding how these risks might accumulate throughout the supply chain, understanding the way systems are interacting, and outlining which of these risks may have a significant consequence to core service provision.
Whilst Option Two will have the highest regulatory impost, these costs must be considered within the broader context of the savings that can be created by increasing critical infrastructure resilience and reducing the likelihood and severity of incidents. It is estimated that cyber security breaches cost the Australian economy approximately $29 billion per year [25], with natural disasters costing more than $13 billion per year and expected to rise to $39 billion per year by 2050 [26]. Even a modest saving as a result of Government and industry investment in these reforms will represent a significant cost saving to industry and Australian consumers.

6.1.2. Protection against physical, cyber, supply chain and personnel domains

It is intended that the risk management programs under the PSO will require entities to take into account material risks, whether natural or human-induced hazards, encouraging a holistic risk management approach in the safeguarding of critical infrastructure. At a minimum, it is proposed that sector-specific rules, to be developed with industry, will require responsible entities to consider and address risks within these four domains. This will enable entities to better prepare for and respond to significant security incidents regardless of source or vector.

6.1.3. Increasing threats, connectivity and complexity of critical infrastructure

The reforms respond to clear concerns raised during public consultations for the Australian Cyber Security Strategy, and consultation held in response to the proposed reforms, around the risks posed by the connectivity and complexity of critical infrastructure. Specifically, stakeholders noted the importance of the Government uplifting security and resilience in critical infrastructure, especially in the face of increasing interconnectivity.

In particular, concentrating critical infrastructure resilience within the Department of Home Affairs through the proposed reforms enables a coordinated, national approach toward the management of critical infrastructure. Currently, the management of critical infrastructure sectors and assets is categorised by sector, or according to state and territory jurisdictions. The envisioned reforms enable the Department of Home Affairs to build awareness and management of issues that cut across critical infrastructure sectors, while recognising relevant regulations that exist in particular sectors or state and territory jurisdictions.

6.1.4. Existing legislative arrangements are insufficient for the current threat environment

If a significant cyber incident on critical infrastructure happened today, there is a risk that the Government may not have the mechanisms to act decisively to support an entity to stop or prevent an attack, nor does industry have obligations to report significant cyber incidents or apply minimum cyber security standards. Key gaps in current legislative arrangements relate to Government lacking the ability to assist assets during exceptional cyber security incidents. The proposed reforms address these issues:

• the Positive Security Obligations, which will set and enforce baseline protections for critical infrastructure assets, implement sector-specific standards and strengthen sectoral regulatory oversight;

[25] Microsoft and Frost and Sullivan, 2018, Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World.
[26] Deloitte Access Economics, 2017, Building resilience to natural disasters in our states and territories, file://din.bcz.gov.au/users/CBR01/JT97ZF/home/Downloads/deloitte-au-economics-building-resilience-natural%20disasters-states-territories-161117.pdf.


 the Enhanced Cyber Security Obligation which will provide a framework for 'incident response plans' setting out response arrangements, build a near real-time threat picture and further strengthen the cyber resilience of systems of national significance; and  the Government Assistance will ensure the Government has the ability to respond in an effective and timely manner to nationally significant cyber security attacks in exceptional circumstances. 6.1.5. The Government currently has limited visibility and power to act Without compulsory requirements around the management of critical infrastructure, the Government will have limited abilities to:  Create an accurate picture of emerging threats (whether cyber or otherwise), and address potential inconsistencies across sectoral approaches to critical infrastructure  Monitor and enforce compliance around the management of security for critical infrastructure, and  Provide assistance to support a responsible entity to stop or prevent a cyber-attack. This gap is addressed through the introduction of the Positive Security Obligation, Enhanced Cyber Security Obligations and Government Assistance measures collectively. These measures will provide both Government and Industry with the necessary tools to identify, deter and mitigate potential security incidents as well as appropriately respond to security incidents that do occur. 6.1.6. Regulation is wanted and needed to drive a wholesale uplift in security and resilience Multiple phases of consultation have shown broad industry support for the Government to proceed with the development and implementation of the regulations and an enhanced collaboration between the Government and industry. 
"Although industry should lead, in the sense that it accepts principal responsibility for its own security, the essential role of Government is to create the environment and the opportunities for consultation, coordination and collaboration in and between all critical infrastructure sectors and beyond, leading to cultural change and to wide acceptance that security, in all its forms, is a plus for business and not a cost to be endured." - CyberOps.27

Without a clear and consistent approach established in regulation it can also be difficult for businesses to justify expenditure on uplifting all hazards security practices, or even to confidently identify which material risks should be prioritised. This will be addressed by the reforms, which establish overarching standards.

6.3 Alternate options

Option 3: Maintain the status quo

This RIS canvasses the impact of maintaining the status quo (section 4). Failing to actively encourage a sustained uplift in critical infrastructure resilience will mean the threats to critical infrastructure will continue, if not intensify. The interconnected nature of our critical infrastructure means that compromise in one essential function can have a domino effect that degrades or disrupts others. Recent events, particularly COVID-19, have demonstrated how threats can have flow on effects across multiple sectors:

• Over the last two years, we have seen several cyber-attacks in Australia that have targeted the Federal Parliamentary Network, airports and universities.

27 CyberOps, Submission provided 24 September 2020, page 12. https://www.homeaffairs.gov.au/reports-and-pubs/files/critical-infrastructure-consultation-submissions/Submission-009-CyberOps.PDF.
• Malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber-attacks on health organisations and medical research facilities.
• Key supply chain businesses transporting groceries and medical supplies have also been targeted.

As discussed within section 3, an operability disruption has been modelled for each critical infrastructure sector to provide an estimate of the cost to the Australian economy. While uncertainty around the likelihood and severity of all hazards makes it almost impossible to know the exact costs of an operability disruption, it is estimated that a 10 per cent operability disruption over one week will cost between $0.06 billion and $3.0 billion depending on the critical infrastructure sector.

Further, extensive consultations with Commonwealth, State and Territory counterparts and industry have highlighted support for reforms. Specifically, industry has recognised the increasing vulnerability of critical infrastructure and the need to implement meaningful safeguards. During consultation Unisys noted that "[t]he opportunity cost of not being cyber resilient must also be considered. For example, in the area of cyber risk management it is important that organisations are able to communicate cyber risk to Boards and Executives. This is one of the key reasons why businesses underinvest in cyber security and addressing this will ultimately lead to better cyber resilience for businesses."28

Option 3: Voluntary obligations

Option three contemplates no legislative change, encouraging critical infrastructure resilience through voluntary engagement through the Trusted Information Sharing Network and publishing additional guidance alongside the updated Critical Infrastructure Resilience Strategy. Industry consultations have highlighted the value of creating uniform, consistent, mandatory standards around the management of critical infrastructure assets.
Risk professionals have argued that without clear mandatory standards, it has been difficult to drive organisational changes that uplift security practices. Without clear risk management standards and the ability to monitor and enforce compliance, Government cannot be adequately assured that appropriate risk mitigation of critical infrastructure is in place. While voluntary obligations will go some way toward addressing the policy problem - for instance encouraging a holistic consideration of material risks that may affect critical infrastructure - implementing the mandatory requirements in Option Two while enlivening mechanisms to enhance partnerships with private industry will provide a greater degree of certainty for industry and assurance to the Government that national security risks to critical infrastructure are being managed.

7. HOW WILL YOU IMPLEMENT AND EVALUATE YOUR CHOSEN OPTION?

This section sets out how the Government proposes to implement and evaluate the proposed regulatory changes.

7.1. Implementation Plan

The Government aims to implement the proposed measures in a way that ensures:
• Relevant entities understand and comply with their obligations,
• Relevant entities, critical infrastructure owners and operators engage with the Government to understand risks and collaborate to drive effective baseline security standards,

28 Unisys, Submission provided 24 September 2020, page 4, https://www.homeaffairs.gov.au/reports-and-pubs/files/critical-infrastructure-consultation-submissions/Submission-011-Unisys.PDF.
• Robust economic modelling is undertaken ahead of sector specific rules being made,
• Appropriate powers to respond in the event of a cyber security incident,
• Relevant entities receive appropriate and consistent direction, assistance and guidance from the Government to comply with the obligations and support an uplift in security posture, and
• National security risks in entities' operations and supply chains are identified, assessed and mitigated.

A timetable for implementation and key tasks is set out below.

Activity | Estimated date
Mapping of critical infrastructure sectors, identification of systems of national significance. | May 2020 - ongoing
Identification of regulators, regulator uplift. | May 2020 - February 2021
Cost benefit analysis | July 2020 - ongoing
Drafting of legislation | August 2020 - November 2020
Introduction of legislation to Parliament, referral to Parliamentary Joint Committee for Intelligence and Security. | December 2020
Legislation considered. | Autumn sitting period 2021
Education and engagement program. | January - July 2021
Co-design of sector specific standards with industry. | January 2021 - ongoing
Economic modelling of sector specific obligations and subsequent RIS/s. | January 2021 - ongoing
Preparation of guidance for industry on compliance with new obligations. | January 2021 - ongoing
Preparation for enforcement of legislated obligations. | Ongoing as Rules are established
Government Assistance and Enhanced Cyber Security Obligations commence. | 1 July 2021
Positive Security Obligations commences. Six month grace period before enforcement of obligations. | Enforcement of PSO commences 1 January 2022
Post-Implementation Review | 2026

7.2. Legislation

To meet the Government's objectives, the Government will develop and introduce into Parliament amendments to SoCI, and associated regimes where necessary, to establish the legal framework for the enhanced critical infrastructure security framework. To assist in the development of the legislative amendments, and support their implementation by industry, the Department will undertake a range of preparatory activities. The Department has worked with key sectors to identify which entities should fall under the purview of amended SoCI and those that are to be declared as systems of national significance. The Government aims to have the amendments developed and introduced to Parliament by the end of 2020.

The Government Assistance powers will commence upon Proclamation. The Enhanced Cyber Security Obligations will also commence upon Proclamation. However, these obligations would not be imposed on any entity until the Minister has designated an asset as a system of national significance. The Positive Security Obligations will commence upon Proclamation. However, these obligations will not be applied to critical infrastructure assets until the sector-specific co-design has been completed and the sector-specific rules have been made. There will be a six month 'grace period' following the introduction of the sector specific rules.

7.3. Establishing regulatory functions

To implement the proposed divested model of security obligations and compliance, the Department will engage with appropriate regulators. Alongside the development, introduction and passage of legislation, the Department has worked with Commonwealth agencies and state and territory governments to identify appropriate regulatory bodies to enforce the proposed security obligations. Where no regulatory body exists or is willing to undertake this role, the Department will be the regulator.
The Department and identified regulators will collaborate on sector specific guidance for entities to assist them to reach compliance with the new security obligations. Guidance may include case studies, clear definitions, frequently asked questions, threat information, risk advice, tips on best practice and additional information about the Government's expectations. The Government will draft this guidance in consultation with industry and sector experts and bodies. This guidance will be made available as soon as practicable after legislation is passed.

Critical Infrastructure Centre (CIC)

To undertake the above activities, the Department will expand the CIC to engage a significant number of staff and contractors with key subject matter and technical expertise, as well as dedicated staff to undertake industry engagement. The Centre will also draw on the expertise of secondees from other Australian Government agencies to ensure that the proposed amendments are developed and implemented through collaboration across the Government. The Australian Signals Directorate's expertise will ensure alignment with the CESAR capability and help entities to meet their Enhanced Cyber Security Obligations.

In meeting their Enhanced Cyber Security Obligations, entities will provide information to the Australian Cyber Security Centre. The Australian Cyber Security Centre will analyse the information provided, determine the need for preparatory assessments and activities and report back to the entity. Where appropriate, the Australian Cyber Security Centre will share near-real time threat information. Entities would be expected to take steps to minimise potential cyber threats as appropriate.


The Australian Cyber Security Centre and CIC will work closely together to determine if Government Assistance is required to prevent, disrupt or respond to an incident identified by the Government or reported by an entity.

The Department will also regulate certain sectors' Positive Security Obligations where no alternative regulator has been identified. The costs of this responsibility will be detailed in future RIS(s) and be available in Budget papers.

Reporting

The Department will report on the implementation of the proposed measures in its annual report to Parliament under section 60 of the Act.

7.4. Challenges / risks to implementation

There are several key risks to the successful implementation of the proposed regulatory changes and enhanced Government-industry engagement: lack of awareness of the new obligations, lack of proper implementation and engagement with regulations by industry, and lack of government capability to enforce compliance.

Awareness

As part of the development of the reforms and proposed legislative changes, the Department has led, and is continuing to lead, detailed stakeholder consultation with critical infrastructure providers across Australia, state and territory governments, and other relevant entities on the proposed legislative reforms. This includes bilateral meetings, industry roundtables and open forums. As a result, it is unlikely any affected entities will be surprised by the proposed legislation or the extent of obligations.

Uptake

For the proposed obligations to be successfully implemented, the Government must ensure that key stakeholders (including critical infrastructure owners and operators, states and territories and international investors) recognise the net benefit associated with this proposal. Strong stakeholder support and engagement is important to maximising implementation of the reforms by industry, and their success in producing real risk outcomes and security uplift.
Industry cooperation with, and the effectiveness of, the Government's emergency step-in powers will also rely on positive and constructive relationships between the Government and industry. Consultations over the last few years have shown broad industry support for the Government to proceed with the development and implementation of the regulations and enhanced Government-industry engagement. This includes strong support from large businesses that would be covered by the proposed regulation.

The Department has engaged widely to ensure industry support for the regulatory changes proposed, and will engage in extensive industry consultation and co-design of security standards, as well as a roadshow (physical or virtual) following passage of legislation to ensure industry buy-in and to provide guidance to assist entities to meet their new obligations. The Department has, and will continue to, work closely across the Government and with industry stakeholders to ensure any new regulatory obligations are not duplicative or overly burdensome for stakeholders.

Government capability

To address this risk, the Department will undertake a significant hiring and training program to ensure officials engaging with industry are knowledgeable security professionals, highly skilled at
identifying vulnerabilities in specific assets and are able to recommend effective mitigations to manage those risks. Enhancing capability at the Government level will also be undertaken to understand and assess compliance with security obligations. The funding in this proposal will support the recruitment of staff with specific expertise including compliance, assurance and data analysis skills as well as contracting private sector technical and cyber security expertise. Staff will be trained to become security experts, highly skilled at identifying vulnerabilities in specific assets and recommending effective mitigations to manage those risks. The staffing levels needed to effectively implement the proposed changes will be provided to the Government for consideration as part of funding proposals for later years. The level of staffing will depend heavily on the outcomes of the co-design with industry early next year.

7.5. Monitoring and evaluation

The effectiveness of the reforms will be assessed on an ongoing basis, including through the annual report to Parliament, Senate Estimates processes and feedback from stakeholders including other Government regulators, business and industry. Mechanisms for review include:

• Reporting: Section 60 of SoCI currently requires an annual report to Parliament on directions made, regulatory action undertaken, information sought and assets declared. These will be expanded to require reporting on the exercise of the proposed new powers under option 2.
• Assurance: there will be a whole of government compliance and assurance capability designed to enhance compliance with existing legislation and to engage with industry on risk. Through this, the Department will routinely evaluate performance of the reforms during and after implementation.
Evidence of adoption of standards and practices by industry will be available to the Department on an ongoing basis as it manages the reporting, information gathering and enforcement of the Positive Security Obligations component of the reforms. Regulators will be responsible for providing assurance to the Government that obligations are being met.
• Engagement: Informal review of implementation and policy effectiveness will be an ongoing part of the Department's engagement with industry through the revitalised TISN program. Industry uptake and engagement with the voluntary assistance program will also provide a key source of data that will inform development of the reforms.
• In the event of a significant cyber security incident involving government intervention, a post-action review will be undertaken to assess the effectiveness of arrangements and make recommendations for future preparedness.

7.6. What will success look like?

If the proposed reforms are successful, the Government, industry and the Australian public will have greater confidence in the resilience of our critical infrastructure providers through a clear uplift in all hazards risk management. The Government and industry will share near real-time threat information to mitigate risks, and have the authorities and capabilities to respond to a significant incident. Importantly for our bilateral relationships, Australia will rely less on foreign investment review frameworks to mitigate risks and support the rules-based order. Economic openness and investment attraction will be maintained and not impede improved risk management.


RIS Attachment 1
Critical Infrastructure Thresholds

Asset: Critical telecommunications asset
(1) critical telecommunications asset means:
  a) a telecommunications network that is:
    a. owned or operated by a carrier; and
    b. used to supply a carriage service; or
  b) a telecommunications network, or any other asset, that is:
    a. owned or operated by a carriage service provider; and
    b. used in connection with the supply of a carriage service.

Asset: Critical broadcasting transmission asset
(1) One or more broadcasting transmission assets are a critical broadcasting asset if:
  a) the broadcasting transmission assets are:
    a. owned or operated by the same entity; and
    b. located on a site, that, in accordance with subsection (2), is a critical transmission site; or
  b) the broadcasting transmission assets are:
    a. owned or operated by the same entity; and
    b. located on at least 50 different sites;
    c. not broadcasting re-transmission assets; or
  c) the broadcasting transmission assets are owned or operated by an entity, that, in accordance with subsection (3), is critical to the transmission of a broadcasting service.

Asset: Critical domain name system
An asset that:
  a) is managed by an entity, that, in accordance with subsection (2), is critical to the administration of an Australian domain name system; and
  b) is used in connection with the administration of an Australian domain name system.
Asset: Critical data storage or processing asset
An asset is a critical data storage or processing asset if:
  a) it is owned or operated by an entity that is a data storage or processing provider; and
  b) it is used wholly or primarily to provide a data storage or processing service that is provided by the entity on a commercial basis to an end-user that is:
    (i) the Commonwealth; or
    (ii) a body corporate established by a law of the Commonwealth; or
    (iii) a State; or
    (iv) a body corporate established by a law of a State; or
    (v) a Territory; or
    (vi) a body corporate established by a law of a Territory; and
  c) the entity knows that the asset is used as described in paragraph (b).

Asset: Critical Defence industry asset
(1) critical defence industry asset means an asset that:
  (a) is being, or will be, supplied by an entity to the Defence Department, or the Australian Defence Force, under a contract; and
  (b) consists of, or enables, a critical defence capability.

Asset: Critical banking asset
(1) An asset is a critical banking asset if it is any of the following assets:
  (a) an asset that:
    (i) is owned or operated by an authorised deposit-taking institution, that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector; and
    (ii) is used in connection with the carrying on of banking business;
  (b) an asset that:
    (i) is owned or operated by a body corporate that is a related body corporate of an authorised deposit-taking institution and that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector; and
    (ii) is used in connection with the carrying on of banking business.
Note: The rules may prescribe that a specified critical banking asset is not a critical infrastructure asset (see section 9).
(2) For the purposes of subparagraph (1)(a)(i), the rules may prescribe:
  (a) specified authorised deposit-taking institutions that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for an authorised deposit-taking institution to be critical to the security and reliability of the financial services and markets sector.
(3) For the purposes of subparagraph (1)(b)(i), the rules may prescribe:
  (a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.

Asset: Critical superannuation asset
(1) An asset is a critical superannuation asset if:
  (a) it is owned or operated by a registrable superannuation entity, that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector; and
  (b) it is used in connection with the operation of a superannuation fund.
Note: The rules may prescribe that a specified critical superannuation asset is not a critical infrastructure asset (see section 9).
(2) For the purposes of paragraph (1)(a), the rules may prescribe:
  (a) specified registrable superannuation entities that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for a registrable superannuation entity to be critical to the security and reliability of the financial services and markets sector.

Asset: Critical insurance asset
(1) An asset is a critical insurance asset if it is any of the following assets:
  (a) an asset that:
    (i) is owned or operated by an entity that carries on insurance business and that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector; and
    (ii) is used in connection with the carrying on of insurance business;
  (b) an asset that:
    (i) is owned or operated by a body corporate that is a related body corporate of an entity that carries on insurance business and that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector; and
    (ii) is used in connection with the carrying on of insurance business;
  (c) an asset that:
    (i) is owned or operated by an entity that carries on life insurance business and that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector; and
    (ii) is used in connection with the carrying on of life insurance business;
  (d) an asset that:
    (i) is owned or operated by a body corporate that is a related body corporate of an entity that carries on life insurance business and that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector; and
    (ii) is used in connection with the carrying on of life insurance business;
  (e) an asset that:
    (i) is owned or operated by an entity that carries on health insurance business and that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector; and
    (ii) is used in connection with the carrying on of health insurance business;
  (f) an asset that:
    (i) is owned or operated by a body corporate that is a related body corporate of an entity that carries on health insurance business and that, in accordance with subsection (7), is critical to the security and reliability of the financial services and markets sector; and
    (ii) is used in connection with the carrying on of health insurance business.
Note: The rules may prescribe that a specified critical insurance asset is not a critical infrastructure asset (see section 9).
(2) For the purposes of subparagraph (1)(a)(i), the rules may prescribe:
  (a) specified entities that are critical to the security and reliability of the financial
services and markets sector; or
  (b) requirements for an entity to be critical to the security and reliability of the financial services and markets sector.
(3) For the purposes of subparagraph (1)(b)(i), the rules may prescribe:
  (a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.
(4) For the purposes of subparagraph (1)(c)(i), the rules may prescribe:
  (a) specified entities that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for an entity to be critical to the security and reliability of the financial services and markets sector.
(5) For the purposes of subparagraph (1)(d)(i), the rules may prescribe:
  (a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.
(6) For the purposes of subparagraph (1)(e)(i), the rules may prescribe:
  (a) specified entities that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for an entity to be critical to the security and reliability of the financial services and markets sector.
(7) For the purposes of subparagraph (1)(f)(i), the rules may prescribe:
  (a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.
Asset: Critical financial market infrastructure asset
(1) An asset is a critical financial market infrastructure asset if it is any of the following assets:
  (a) an asset that:
    (i) is owned or operated by an Australian body corporate that holds an Australian market licence; and
    (ii) is used in connection with the operation of a financial market, that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector;
  (b) an asset that:
    (i) is owned or operated by an associated entity of an Australian body corporate that holds an Australian market licence; and
    (ii) is used in connection with the operation of a financial market, that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector;
  (c) an asset that:
    (i) is owned or operated by an Australian body corporate that holds an Australian CS facility licence; and
    (ii) is used in connection with the operation of a clearing and settlement facility, that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector;
  (d) an asset that:
    (i) is owned or operated by an associated entity of an Australian body corporate that holds an Australian CS facility licence; and
    (ii) is used in connection with the operation of a clearing and settlement facility, that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector;
  (e) an asset that:
    (i) is owned or operated by an Australian body corporate that holds a benchmark administrator licence; and
    (ii) is used in connection with the administration of a significant financial benchmark, that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector;
  (f) an asset that:
    (i) is owned or operated by an associated entity of an Australian body corporate that holds a benchmark administrator licence; and
    (ii) is used in connection with the administration of a significant financial benchmark, that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector;
  (g) an asset that:
    (i) is owned or operated by an Australian body corporate that holds an Australian derivative trade repository licence; and
    (ii) is used in connection with the operation of a derivative trade repository, that, in
accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector;
  (h) an asset that:
    (i) is owned or operated by an associated entity of an Australian body corporate that holds an Australian derivative trade repository licence; and
    (ii) is used in connection with the operation of a derivative trade repository, that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector;
  (i) an asset that is used in connection with the operation of a payment system, that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector.
Note: The rules may prescribe that a specified critical financial market infrastructure asset is not a critical infrastructure asset (see section 9).
(2) For the purposes of paragraphs (1)(a) and (b), the rules may prescribe:
  (a) specified financial markets that are critical to the security and reliability of
the financial services and markets sector; or
  (b) requirements for a financial market to be critical to the security and reliability of the financial services and markets sector.
(3) For the purposes of paragraphs (1)(c) and (d), the rules may prescribe:
  (a) specified clearing and settlement facilities that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for a clearing and settlement facility to be critical to the security and reliability of the financial services and markets sector.
(4) For the purposes of paragraphs (1)(e) and (f), the rules may prescribe:
  (a) specified significant financial benchmarks that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for a significant financial benchmark to be critical to the security and reliability of the financial services and markets sector.
(5) For the purposes of paragraphs (1)(g) and (h), the rules may prescribe:
  (a) specified derivative trade repositories that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for a derivative trade repository to be critical to the security and reliability of the financial services and markets sector.
(6) For the purposes of paragraph (1)(i), the rules may prescribe:
  (a) specified payment systems that are critical to the security and reliability of the financial services and markets sector; or
  (b) requirements for a payment system to be critical to the security and reliability of the financial services and markets sector.
(7) For the purposes of this section, Australian body corporate means a body corporate that is incorporated in Australia.
Asset: Critical food and grocery asset
(1) An asset is a critical food and grocery asset if it is a network that:
  (a) is used for the distribution or supply of:
    (i) food; or
    (ii) groceries; and
  (b) is owned or operated by an entity that is:
    (i) a critical supermarket retailer, in accordance with subsection (2); or
    (ii) a critical food wholesaler, in accordance with subsection (3); or
    (iii) a critical grocery wholesaler, in accordance with subsection (4).
Note: The rules may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset (see section 9).
(2) For the purposes of subparagraph (1)(b)(i), the rules may prescribe:
  (a) specified entities that are critical supermarket retailers; or
  (b) requirements for an entity to be a critical supermarket retailer.
(3) For the purposes of subparagraph (1)(b)(ii), the rules may prescribe:
  (a) specified entities that are critical food wholesalers; or
  (b) requirements for an entity to be a critical food wholesaler.
(4) For the purposes of subparagraph (1)(b)(iii), the rules may prescribe:
  (a) specified entities that are critical grocery wholesalers; or


(b) requirements for an entity to be a critical grocery wholesaler. Critical hospital Critical hospital means a hospital that has a general intensive care unit. Critical education Critical education asset means a university that is owned or operated by an entity that is asset registered in the Australian university category of the National Register of Higher Education Providers. Critical space Bill does not insert a specific definition of a critical space technology asset as entities would technology asset be captured as carriers and carriage service providers under the TSSR. Critical Port An asset is a critical port if it is land that forms part of any of the following security regulated ports: (a) Broome Port; (b) Port Adelaide; (c) Port of Brisbane; (d) Port of Cairns; (e) Port of Christmas Island; (f) Port of Dampier; (g) Port of Darwin; (h) Port of Eden; (i) Port of Fremantle; (j) Port of Geelong; (k) Port of Gladstone; (l) Port of Hay Point; (m) Port of Hobart; (n) Port of Melbourne; (o) Port of Newcastle; (p) Port of Port Botany; (q) Port of Port Hedland; (r) Port of Rockhampton; (s) Port of Sydney Harbour; (t) Port of Townsville; (u) A security regulated port prescribed by the rules for the purposes of this paragraph. Critical Aviation (a) an asset that: Asset (i)is used in connection with the provision of an air service; and (ii)is owned or operated by an aircraft operator; or (b) an asset that: (i)is used in connection with the provision of an air service; and (ii)is owned or operated by a regulated air cargo agent; or (c)an asset that is used by an airport operator in connection with the operation of an airport. (1) Critical Freight (1)An asset is a critical freight infrastructure asset if it is any of the following: Infrastructure Asset (a) a road network that, in accordance with subsection (2), functions as a critical corridor for the transportation of goods between: (i) 2 States; or (ii) a State and a Territory; or (iii) 2 Territories; or


            (iv) 2 regional centres;
        (b) a rail network that, in accordance with subsection (3), functions as a critical corridor for the transportation of goods between:
            (i) 2 States; or
            (ii) a State and a Territory; or
            (iii) 2 Territories; or
            (iv) 2 regional centres;
        (c) an intermodal transfer facility that, in accordance with subsection (4), is critical to the transportation of goods between:
            (i) 2 States; or
            (ii) a State and a Territory; or
            (iii) 2 Territories; or
            (iv) 2 regional centres.
    Note: The rules may prescribe that a specified critical freight infrastructure asset is not a critical infrastructure asset (see section 9).
    (2) For the purposes of paragraph (1)(a), the rules may prescribe:
        (a) specified road networks that function as a critical corridor for the transportation of goods between:
            (i) 2 States; or
            (ii) a State and a Territory; or
            (iii) 2 Territories; or
            (iv) 2 regional centres; or
        (b) requirements for a road network to function as a critical corridor for the transportation of goods between:
            (i) 2 States; or
            (ii) a State and a Territory; or
            (iii) 2 Territories; or
            (iv) 2 regional centres.
    (3) For the purposes of paragraph (1)(b), the rules may prescribe:
        (a) specified rail networks that function as a critical corridor for the transportation of goods between:
            (i) 2 States; or
            (ii) a State and a Territory; or
            (iii) 2 Territories; or
            (iv) 2 regional centres; or
        (b) requirements for a rail network to function as a critical corridor for the transportation of goods between:
            (i) 2 States; or
            (ii) a State and a Territory; or
            (iii) 2 Territories; or
            (iv) 2 regional centres.
    (4) For the purposes of paragraph (1)(c), the rules may prescribe:
        (a) specified intermodal transfer facilities that are critical to the transportation of goods between:
            (i) 2 States; or
            (ii) a State and a Territory; or
            (iii) 2 Territories; or
            (iv) 2 regional centres; or
        (b) requirements for an intermodal transfer facility to be critical to the transportation of goods between:
            (i) 2 States; or
            (ii) a State and a Territory; or
            (iii) 2 Territories; or
            (iv) 2 regional centres.
    (5) For the purposes of this section, road network includes a part of a road network.
    (6) For the purposes of this section, rail network includes a part of a rail network.

Critical Freight Services Asset
    (1) An asset is a critical freight services asset if it is a network that is used by an entity carrying on a business that, in accordance with subsection (2), is critical to the transportation of goods by any or all of the following:
        (a) road;
        (b) rail;
        (c) inland waters;
        (d) sea.
    Note: The rules may prescribe that a specified critical freight services asset is not a critical infrastructure asset (see section 9).
    (2) For the purposes of subsection (1), the rules may prescribe:
        (a) specified businesses that are critical to the transportation of goods by any or all of the following:
            (i) road;
            (ii) rail;
            (iii) inland waters;
            (iv) sea; or
        (b) requirements for a business to be critical to the transportation of goods by any or all of the following:
            (i) road;
            (ii) rail;
            (iii) inland waters;
            (iv) sea.

Critical Public Transport Asset
    Critical public transport asset means a public transport network or system that:
        (a) is managed by a single entity; and
        (b) is capable of handling at least 5 million passenger journeys per month.

Critical electricity asset
    (1) An asset is a critical electricity asset if it is:
        (a) a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers; or
        (b) an electricity generation station that is critical to ensuring the security and reliability of electricity networks or electricity systems in a State or Territory, in accordance with subsection (2).
    (2) For the purposes of paragraph (1)(b), the rules may prescribe requirements for an electricity generation station to be critical to ensuring the security and reliability of electricity networks or electricity systems in a particular State or Territory.

Critical gas asset
    (1) An asset is a critical gas asset if it is any of the following:
        (a) a gas processing facility that has a capacity of at least 300 terajoules per day or any other capacity prescribed by the rules;
        (b) a gas storage facility that has a maximum daily quantity of at least 75 terajoules per day or any other quantity prescribed by the rules;
        (c) a network or system for the distribution of gas to ultimately service at least 100,000 customers or any other number of customers prescribed by the rules;
        (d) a gas transmission pipeline that is critical to ensuring the security and reliability of a gas market, in accordance with subsection (2).
    (2) For the purposes of paragraph (1)(d), the rules may prescribe:
        (a) specified gas transmission pipelines that are critical to ensuring the security and reliability of a gas market; or
        (b) requirements for a gas transmission pipeline to be critical to ensuring the security and reliability of a gas market.

Critical liquid fuel asset
    (1) An asset is a critical liquid fuel asset if it is any of the following:
        (a) a liquid fuel refinery that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (2);
        (b) a liquid fuel pipeline that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (3);
        (c) a liquid fuel storage facility that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (4).
    Note: The rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset (see section 9).
    (2) For the purposes of paragraph (1)(a), the rules may prescribe:
        (a) specified liquid fuel refineries that are critical to ensuring the security and reliability of a liquid fuel market; or
        (b) requirements for a liquid fuel refinery to be critical to ensuring the security and reliability of a liquid fuel market.
    (3) For the purposes of paragraph (1)(b), the rules may prescribe:
        (a) specified liquid fuel pipelines that are critical to ensuring the security and reliability of a liquid fuel market; or
        (b) requirements for a liquid fuel pipeline to be critical to ensuring the security and reliability of a liquid fuel market.
    (4) For the purposes of paragraph (1)(c), the rules may prescribe:
        (a) specified liquid fuel storage facilities that are critical to ensuring the security and reliability of a liquid fuel market; or
        (b) requirements for a liquid fuel storage facility to be critical to ensuring the security and reliability of a liquid fuel market.

Critical energy market operator asset
    Critical energy market operator asset means an asset that:
        (a) is owned or operated by:
            (i) Australian Energy Market Operator Limited (ACN 072 010 327); or
            (ii) Power and Water Corporation; or
            (iii) Regional Power Corporation; or
            (iv) Electricity Networks Corporation; and
        (b) is used in connection with the operation of an energy market or system; and
        (c) is critical to ensuring the security and reliability of an energy market;
    but does not include:
        (d) a critical electricity asset; or
        (e) a critical gas asset; or
        (f) a critical liquid fuel asset.

Critical water asset
    critical water asset means one or more water or sewerage systems or networks that:
        (a) are managed by a single water utility; and
        (b) ultimately deliver services to at least 100,000 water connections or 100,000 sewerage connections.
Attachment C

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Security Legislation Amendment (Critical Infrastructure) Bill 2020

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The Bill proposes amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act), including to:

• Introduce additional critical infrastructure assets, which means that the existing powers under the SOCI Act, and the new powers to be introduced under this Bill, will apply to a broader range of assets. The Bill introduces definitions for the following critical infrastructure sectors and assets:
    o Communication sector: critical telecommunication assets, critical broadcasting assets, broadcasting transmission assets and critical domain name system
    o Data storage or processing sector: critical data storage or processing assets
    o Defence industry sector: critical defence industry assets
    o Financial services and markets sector: critical banking assets, critical superannuation assets, critical insurance assets and critical financial market infrastructure assets
    o Food and grocery sector: critical food and grocery assets
    o Higher education and research sector: critical education assets
    o Health care and medical sector: critical hospitals as critical infrastructure assets
    o Transport sector: critical freight infrastructure assets, critical freight services assets, and critical public transport assets
    o Energy sector: critical liquid fuel assets, and critical energy market operator assets
    o Space technology sector: critical space technology assets

• Introduce two new positive security obligations (PSO) on owners and operators of critical infrastructure assets to consider and mitigate risks to their operation. In addition to the obligations in Part 2 of the current SOCI Act, the Bill will introduce obligations on responsible entities for certain critical infrastructure assets to:
    o Adopt, maintain and comply with an all-hazards critical infrastructure risk management program. To comply with this obligation entities will be required to identify material risks that may affect the availability, integrity, reliability and confidentiality of their asset, irrespective of the source of these risks. Entities will also be required to have appropriate risk mitigations in place to manage those risks.
    o Report cyber security incidents to the Government. This will facilitate an enhanced understanding of cyber security threats to critical infrastructure to better inform both proactive and reactive cyber response options.

• Introduce an enhanced cyber-security obligation (ECSO) on owners and operators of a small subset of nationally significant critical infrastructure assets, declared by the Minister to be Systems of National Significance (SoNS). Under the ECSO, the Secretary of Home Affairs may require the responsible entity for a SoNS to undertake one or more prescribed cyber security activities. These may require the responsible entity for a SoNS to:
    o Develop cyber security incident response plans designed to ensure an entity has established processes and tools to prepare for and respond to cyber security incidents.
    o Undertake cyber security exercises to build cyber preparedness, and test their ability and preparedness to respond appropriately to a cyber security incident, and their ability to mitigate the relevant impacts.
    o Undertake a vulnerability assessment to identify cyber security vulnerabilities.
    o Provide system information to the Australian Signals Directorate (ASD) to build Australia's situational awareness of the cyber threat environment.

• Introduce a regime to support the Government responding to serious cyber security incidents, which would allow the Government, in limited circumstances, to take actions to protect critical infrastructure assets that are subject to serious cyber security incidents.

These amendments will implement an enhanced critical infrastructure security framework which will enhance the security and resilience of critical infrastructure in Australia, build situational awareness and enable the Government to assist industry to effectively prevent, defend against and recover from serious cyber security incidents. This will allow the Government to maintain the continuity of essential services that support Australia's economy, security and sovereignty. By raising security across a broader range of critical infrastructure sectors, the Bill may also broadly support the human rights of persons in Australia by, amongst other things, supporting an adequate standard of living, high standards of health and access to medical services and higher education.

Human rights implications

This Bill broadly supports the following rights:
• The right to an adequate standard of living, including the right to adequate food (Article 11 of the International Covenant on Economic, Social and Cultural Rights (ICESCR)).
• The right to the enjoyment of the highest attainable standard of physical and mental health, including medical service and attention in the event of sickness (Article 12 of ICESCR).

This Bill also engages the following rights:
• The right to a fair and public hearing (Article 14 of the International Covenant on Civil and Political Rights (ICCPR)).
• The right to privacy (Article 17 of the ICCPR).
The right to an adequate standard of living, including the right to adequate food

Article 11 of the ICESCR provides for the right of everyone to an adequate standard of living, including adequate food. It commits States Parties to the Covenant to improve methods of production, conservation and distribution of food. The introduction of critical food and grocery assets recognises the role that these assets play in delivering essential supplies that maintain and sustain life. The regime introduced by the Bill will assist to protect the availability of food throughout Australia, through improving business resilience and protecting the assets should they be subject to a significant cyber attack. This will reduce the likelihood of a disruption to distribution networks and other key operations of Australia's major supermarkets which could impact the availability of critical food and groceries.

The right to physical and mental health

Article 12 of the ICESCR provides for the right of everyone to the enjoyment of the highest attainable standard of physical and mental health, including medical service and medical attention in the event of sickness. Hospitals are crucial to Australia's ability to fulfil this obligation as they provide critical care for patients with a variety of medical, surgical and trauma conditions, and are therefore integral to the sustainment of life. The introduction of critical hospitals as critical infrastructure assets, but also other critical infrastructure assets with a high degree of interdependency with critical hospitals, will assist to protect these important assets, and in turn, the physical and mental health of all persons in Australia. For example, an attack on a critical hospital could pose a risk to life. Similarly, the consequences of a prolonged and widespread failure in the energy sector could cause shortages or destruction of essential medical supplies. Improving business resilience and protecting the asset should it be subject to a significant cyber attack will reduce the likelihood of a disruption to the provision of essential medical services and ensure appropriate services remain available in the event of sickness.

The right to a fair and public hearing

Article 14 of the ICCPR provides for the proper administration of justice by upholding, among other things, the right to a fair and public hearing. These rights include that all persons are equal before courts and tribunals and have a right to a fair and public hearing before a competent, independent and impartial tribunal established by law. Article 14 also includes the right of protection against self-incrimination, stating that no person shall be 'compelled to testify against himself or confess guilt'. Any limitations to the right to a fair and public hearing under Article 14 are permissible if the limitations are reasonable, proportionate and for a legitimate objective.

The right to a fair and public hearing is attached only to individuals, not to businesses. However 'entity' as defined in current section 5 of the SOCI Act includes individuals, as well as body corporates, partnerships and trusts. Whilst the definition of 'entity' under the current SOCI Act includes individuals, it is only in very rare instances (for example, where a critical infrastructure asset is owned or operated by an individual rather than a corporation) that the
measures in the Bill that relate to the right to a fair and public hearing would apply to individuals. In these rare instances, the following measures in the Bill may engage the right to a fair and public hearing and protection against self-incrimination under Article 14 of the ICCPR and will be discussed in greater detail below:
• Critical infrastructure risk management programs to mandate procedural arrangements for entities to address hazards that could impact the availability, integrity, reliability or confidentiality of critical infrastructure assets (new Part 2A of the SOCI Act).
• Enhanced cyber security obligations will ensure assets of the highest criticality to Australia's national interests are in a position to handle cyber security incidents, and will allow the Government access to system information (new Part 2C of the SOCI Act).
• Government assistance measures will permit the Government to provide active assistance as a last resort in response to the most serious and significant of cyber security incidents that are or may impact a critical infrastructure asset and Australia's national interest (new Part 3A of the SOCI Act).
• The existing Ministerial directions power allows the Minister to issue a direction to an owner or operator of a critical infrastructure asset to mitigate risks that are prejudicial to security (current Part 3 of the SOCI Act).
• The existing Secretary's power to obtain information or documents will empower the Secretary to request certain information from reporting entities and operators of critical infrastructure assets (current Part 4 of the SOCI Act).

Critical infrastructure risk management program

To fulfil requirements under the critical infrastructure risk management program, responsible entities will be required to notify of all hazards for which there is a material risk of a relevant impact, and the impact is imminent, occurring or has occurred. Responsible entities will be required to submit an annual report that includes an identification of hazards that had a significant relevant impact on one or more assets and includes a statement that identifies the hazard, evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets and outlines any variations to the program.

In some cases entities may need to reveal that the minimisation procedures they developed under their risk management program were not reasonable. This could lead to self-incrimination. To address this, an immunity provision is included in 30AG(3) of the SOCI Act which prevents the information included in the annual report from being used as evidence against the entity in any civil penalty proceedings under the SOCI Act.

Enhanced cyber security obligations

As part of the enhanced cyber security obligations, the Secretary may require the responsible entity for a SoNS to comply with a requirement to provide periodic reports containing system information (new Section 30DB of the SOCI Act) or event-based reports (new Section 30DC of the SOCI Act) to the Australian Signals Directorate (ASD) if the Secretary believes on reasonable grounds that the entity is capable of doing so. System information is information that relates to the operation of the computer needed to operate a SoNS which may assist with determining whether a power under the new SOCI Act should be exercised in relation to the SoNS. System information does not include personal information within the meaning of the Privacy Act 1988.
In deciding whether to give a system information periodic reporting notice or a system information event-based reporting notice, the Secretary of Home Affairs must consult with the entity prior to issuing the notice and have regard to the costs that are likely to be incurred by the entity in complying with the notice.

If the Secretary of Home Affairs does not believe on reasonable grounds that the entity would be technically capable of preparing reports under new section 30DB or 30DC of the SOCI Act, new section 30DJ provides that the Secretary may require the entity to install and maintain a specified computer program to collect and record the required system information and transmit this to ASD. Such a request may only occur after the Secretary has consulted the entity and considered the cost the entity might incur by complying with the request.

New section 30DG of the SOCI Act provides that an entity is not excused from giving a periodic or event-based report on the ground that the report might tend to incriminate the entity (new subsection (1)). Furthermore, if an individual would otherwise be able to claim the privilege against self-exposure to a penalty in relation to giving a report under new sections 30DB or 30DC, the individual is not excused from giving a report on that ground (new subsection (2)). However, section 30DH provides that the information is not admissible in evidence against the entity, except in relation to compliance with those obligations or otherwise providing false and misleading information to the Government.

Any information that is collected under this power will be protected information under the SOCI Act, and is not intended to be used for a compliance purpose. For example, the report cannot be used in evidence to demonstrate non-compliance with the critical infrastructure risk management program under new Part 2A of the SOCI Act.

New subsection 30DB(4) also ensures that a reporting notice is proportionate and reasonable, balancing the beneficial outcome of the notice with the likely impact and costs to the affected entity when complying with the notice. To support this consideration as well as the determination of whether the entity is technically capable of providing the report, new section 30DD mandates that the Secretary of Home Affairs must consult with the entity prior to issuing the notice.

These obligations are focused on building enhanced partnerships with industry and greater joint situational awareness. ASD will use this information to develop and maintain a near-real time threat picture, positioning it to identify threats early and provide actionable advice to industry to prevent and mitigate threats as they emerge.

Government assistance: Ministerial authorisation relating to serious cyber security incidents

Under new Part 3A of the SOCI Act, the Minister has the power to authorise the Secretary of Home Affairs to issue:
• a direction to an entity requiring them to provide certain information;
• a direction to an entity to take particular measures; or
• a request to the chief executive of ASD to take specified action to respond to the serious cyber security incident.

Any decision made under new Part 3A of the SOCI Act is not a 'decision to which this Act applies'. This means that a decision made under new Part 3A in response to a 'serious cyber security incident' is not subject to judicial review under the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act) and therefore limits an entity's right to a fair and public hearing.
When making a decision under new Part 3A of the SOCI Act, the Minister must be satisfied that there is a material risk that a 'cyber security incident' (as defined by new section 12M) has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice, the social or economic stability of Australia or its people, the defence of Australia or Australia's national security.

Decisions of this nature are likely to be based on sensitive and classified information and deal with the capabilities of intelligence agencies as well as security vulnerabilities. This could include intelligence information and covert investigation methods and procedures, the disclosure of which may impact ongoing investigations, compromise intelligence methodologies or otherwise damage Australia's national security and defence. The same applies equally to decisions of the Secretary and the authorised agency under new Part 3A who operationalise the Ministerial authorisations.

For this reason, it is reasonable to exempt decisions made under new Part 3A of the SOCI Act from review under the ADJR Act, as the public dissemination of the sensitive information and capabilities that may be used to make decisions under new Part 3A would pose a risk to the national security and defence of Australia. However, new Part 3A does not have the effect of entirely excluding judicial review of decisions under Part 3A of the SOCI Act. A person who is the subject of a decision under Part 3A is still entitled to seek judicial review under section 39B of the Judiciary Act 1903 or subsection 75(v) of the Constitution.

Furthermore, this limitation to the right to a fair and public hearing is reasonable, proportionate and for a legitimate objective, as the ministerial authorisation power is only permissible if:
• a cyber security incident has had, is having, or is likely to have a relevant impact on a critical infrastructure asset (new paragraphs 35AB(1)(a)-(b));
• there is a material risk that the incident has seriously prejudiced, is seriously prejudicing or is likely to seriously prejudice the social or economic stability of Australia or its people; the defence of Australia; or Australia's national security (new paragraph 35AB(1)(c));
• no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident (new paragraph 35AB(1)(d));
• the Ministerial authorisation ceases after a maximum period of 20 days (new subsection 35AG(2)), unless the Minister has revoked the authorisation earlier, or where an emergency continues beyond this time period, the Minister makes another authorisation in relation to the particular incident (new subsection 35AG(3));
• the Minister has, before giving a ministerial authorisation, consulted with the specified entity unless the resulting delay would frustrate the effectiveness of the Ministerial authorisation (new section 35AD);
• the specified entity is unwilling or unable to take all reasonable steps to respond to the incident (new paragraph 35AB(7)(a) and paragraphs 35AB(10)(b)-(c)); and
• the specified direction is reasonably necessary for the purposes of responding to the incident (new paragraph 35AB(7)(b) and paragraph 35AB(10)(d)); the specified direction
  is a proportionate response to the incident (new paragraph 35AB(7)(c) and paragraph 35AB(10)(e)); and compliance with the specified direction is technically feasible (new paragraph 35AB(7)(d) and paragraph 35AB(10)(f)).

Directions by the Minister

The current SOCI Act places regulatory obligations on specific entities in the electricity, gas, water and ports sectors. As Government has improved visibility of how interconnected Australia's critical infrastructure is, this has highlighted a need to expand the types of critical infrastructure entities subject to the Act to include critical infrastructure entities in a wider range of sectors. Entities across all critical infrastructure sectors are facing increasing threats and require enhanced protections. By broadening the scope of the SOCI Act, the Minister's existing powers to issue directions to reporting entities or operators of critical infrastructure assets to do, or refrain from doing, an act or thing (Part 3, Division 2 of the SOCI Act) are expanded to a larger number of entities.

The human rights implications of the Minister's directions powers are outlined in the Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017. This outlines that the right to a fair trial is supported through the legislated safeguards which apply prior to the Minister issuing a direction and the availability of appropriate review mechanisms. The changes in the Bill do not alter this position.

Gathering and using information powers

By broadening the scope of the SOCI Act, the Secretary's powers to obtain information or documents from entities, even if it exposed an individual or a body corporate to criminal or civil liability (Part 4, Division 2 of the current SOCI Act), are expanded to a larger number of entities. The additional critical infrastructure assets to be included in the SOCI Act are assets that have been determined to be fundamental to the Australian economy, security and sovereignty.

The human rights implications of the powers relating to information gathering and use are outlined in the Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017. This outlines that the right to a fair trial is supported through the broad protections for individuals against criminal or civil proceedings if the information is self-incriminating. The changes in the Bill do not alter this position.

Right to privacy

Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy. Interferences with privacy may be permissible provided that they are authorised by law and are not arbitrary. For an interference with the right to privacy not to be arbitrary, the interference must be for a reason consistent with the provisions, aims and objectives of the ICCPR and be reasonable in the particular circumstances.[29] The United Nations Human Rights Committee has interpreted 'reasonableness' in this context to mean that 'any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case'. The term unlawful means that no interference can take place except as authorised under domestic law.

[29] Toonen v Australia, Communication No. 488/1992, U.N. Doc CCPR/C/50/D/488/1992 (1994) at 8.3.
Article 17 of the ICCPR does not set out the reasons for which the guarantees in it may be limited. However, limitations contained in other articles, for example, those which are necessary in a democratic society in the interests of national security, public order, the protection of public health or the protection of the rights and freedoms of others, may be considered legitimate objectives in appropriate circumstances in respect of the prohibition on interference with privacy.

Article 17 of the ICCPR only applies to interference with the privacy of individuals. Whilst the definition of 'entity' under the current SOCI Act includes individuals, it is highly unlikely that the measures in the Bill would apply to individuals. The exception to this is the requirement for the provision of information on the board members of an entity under the Register of Critical Infrastructure Assets. The responsible entity for a critical infrastructure asset will be an individual (e.g. in the water sector) in a very small number of cases. The vast majority of critical infrastructure assets are managed by corporations, to which the right to privacy does not apply.

Where the responsible entity for a critical infrastructure asset is an individual, the following measures in the Bill may engage the right to privacy under Article 17 of the ICCPR:

• Government assistance: Ministerial authorisation relating to cyber security incidents (new Part 3A, Division 2 of the SOCI Act);
• the increased coverage of the existing obligation of a reporting entity for a critical infrastructure asset to give information and notify of events for the Register of Critical Infrastructure Assets (Part 2, Division 2 of the current SOCI Act); and
• the increased coverage of the existing Secretary's powers to obtain information or documents (Part 4, Division 2 of the current SOCI Act).

Government assistance: Ministerial authorisation relating to cyber security incidents

To prevent or mitigate a serious cyber security incident that has had, is having, or is likely to have a relevant impact on a critical infrastructure asset (new section 35AB(1)), the Minister has the power to authorise the Secretary of Home Affairs to use:

• Information gathering direction power (new sections 35AB(2)(a) or (b) and 35AK), that is, to direct an entity to provide information that may assist with determining whether a power under the Act should be exercised in relation to an incident and the asset;
• Action direction power (new sections 35AB(2)(c) or (d) and 35AQ), that is, to direct an entity to do, or refrain from doing, a specified act or thing within the period specified in the direction;
• Intervention direction power, that is, to request that the chief executive of ASD take direct action (new sections 35AB(e) or (f) and 35AX).

For a request that is in force under new section 35X, an ASD staff member may require an entity to provide the staff member with access to premises or electronic networks, and provide them with specified information or assistance. This does not apply to premises that are used solely or primarily as a residence.

This is a permissible limitation to the right to privacy, as prior to making the authorisation the Minister must be satisfied that:

• A cyber-security incident has occurred, is occurring or is imminent (new section 35AB(1)(a)).
• The incident has had, is having, or is likely to have a relevant impact on a critical infrastructure asset (new section 35AB(1)(b)). New subsection 8G(2) provides the definition of a relevant impact in this context, which includes an impact on the availability, integrity, reliability or confidentiality of the asset. Therefore, this power can only be used to protect Australia's critical infrastructure assets.
• There is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice the social or economic stability of Australia or its people, the defence of Australia, or Australia's national security (new section 35AB(1)(c)). This requirement ensures that the regime can only be used in the most serious of circumstances where Australia's national interests are being seriously prejudiced. In such circumstances, the Government's responsibility to protect Australia's national interests is engaged.
• The action would be a technically feasible, proportionate (considering the impact of compliance with the request and the consequences of compliance) and reasonably necessary response to the incident, and the relevant entity is unwilling or unable to take all reasonable steps to respond to the incident (new subsections 35AB(7) and 35AB(10)).
• For intervention requests, the Minister has obtained the agreement of the Prime Minister and the Defence Minister before giving the Ministerial authorisation (new section 35AB).

Entities will continue to be primarily responsible for managing cyber security risks through their critical infrastructure risk management programs under the PSO (Part 2A) and, for SoNS, through incident response planning obligations (new section 30CD), cyber security exercises (new section 30CM) and enhanced situational awareness through vulnerability assessments (new section 30CU) under the ECSO.

In the vast majority of cyber security incidents, industry should and will respond to cyber security incidents, with the support of Government where necessary. However, in exceptional circumstances, the enhanced framework will provide the Government with the power to take appropriate steps to prevent and address immediate and serious cyber security incidents that threaten serious harm to Australia's interests, mitigate the impacts of such incidents on critical infrastructure, and restore the functioning of those assets.

Register of Critical Infrastructure Assets - obligations to give information and notify of events

Whilst the collection of personal information will be rare, Part 2 of the current SOCI Act requires the responsible entity for a critical infrastructure asset to provide the Secretary of Home Affairs with certain operational information in relation to the asset, and interest and control information in relation to the entity and the asset. Through the inclusion of additional critical infrastructure assets in Part 1, Division 2, section 9 of the current SOCI Act, the Register obligations will be able to be extended in their current form to these additional assets. Under the requirements in the Register, which will result in the incidental collection of personal information, the limitation to the right to privacy in Article 17 of the ICCPR is outlined in the Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017. This outlines that the Government has taken sufficient steps to ensure that the limitations on the right to privacy are no more restrictive than necessary, as the use and disclosure of information on the Register is restricted to purposes authorised under the SOCI Act. The changes in the Bill do not alter this position.

Secretary's powers to obtain information or documents

By broadening the assets regarded as critical infrastructure assets under the SOCI Act, the Secretary's powers to obtain information or documents from entities (Division 2 of the SOCI Act) are expanded to a larger number of entities. Section 37(1) of the current SOCI Act empowers the Secretary to request certain information from reporting entities and operators of critical infrastructure assets. The Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017 outlines why the Secretary's information gathering power is a permissible limitation to the right to privacy, including because the information gathering power is limited to obtaining information or documents that are directly relevant to the purposes of the legislation, as stated in the objects of the Act, as well as the functions, duties, powers and purposes prescribed in the Act. The changes in the Bill do not alter this position.

Conclusion

The Bill is compatible with human rights because it will promote rights and, to the extent that the Bill limits rights, those limitations are reasonable, necessary and proportionate to the objective of reducing national security risks from foreign involvement in critical infrastructure.