Commonwealth of Australia Explanatory Memoranda



SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE) BILL 2021

                             2019-2020-2021




    THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA


                    HOUSE OF REPRESENTATIVES




SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE)
                        BILL 2020




        SUPPLEMENTARY EXPLANATORY MEMORANDUM



         (Circulated by authority of the Minister for Home Affairs,
                       the Hon Karen Andrews MP)


AMENDMENTS TO THE SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE) BILL 2020

OUTLINE

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia's critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver.

The purpose of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) is to amend the Security of Critical Infrastructure Act 2018 (the Act) to introduce an enhanced regulatory framework, building on existing requirements under the Act. The Bill gives effect to this framework by introducing:

• government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia's critical infrastructure assets;
• additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;
• enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and
• additional critical infrastructure assets, which means that the existing powers under the Act, and the new powers to be introduced under this Bill, will apply to a broader range of assets.

Overview of the Government Amendments

The amendments address a number of recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 of 29 September 2021 (the PJCIS report).
The amendments would:

(a) omit the following proposed new Parts of the Act, and related provisions:
    (i) proposed new Part 2A of the Act - critical infrastructure risk management programs;
    (ii) proposed new Part 2C of the Act - enhanced cyber security obligations;
    (iii) proposed new Part 6A of the Act - declaration of systems of national significance;
(b) amend the proposed regime requiring the mandatory reporting of a cyber security incident by an entity to a relevant Commonwealth body to allow for the written report to be made within 84 hours (instead of 48 hours) of an oral report being made, and to empower a relevant Commonwealth body to exempt an entity from the requirement to provide a written report;
(c) require the Secretary to give a written report to the PJCIS about a cyber security incident in relation to which directions or requests in relation to government assistance measures are given or made under sections 35AK, 35AQ or 35AX. The report must describe each of the directions or requests made in relation to the incident;
(d) allow the PJCIS to conduct a review of the operation, effectiveness and implications of the security of critical infrastructure legislative framework in the Act, to begin not more than three years from when the Bill receives the Royal Assent;
(e) require any draft rules relating to the mandatory reporting obligations to be provided directly to any entities which would reasonably be impacted by the draft rules, and include an obligation that the Minister must formally respond to any submissions made by responsible entities;
(f) insert a definition of significant impact;
(g) in relation to a Ministerial authorisation under new section 35AD, if consultation is required, inform relevant entities in writing and invite the entities to make a submission within 24 hours after receiving the draft authorisation;
(h) include an example of where a person is not entitled to cause access, modification or impairment of computer data or a computer program, being that if a person (including an employee or agent of a responsible entity) exceeds their authority, then this will amount to such unauthorised access, modification or impairment for the purposes of the Act.

These amendments respond to the urgent recommendations in the PJCIS report. These Government amendments represent the first and most urgent amendments to deal with post-cyber incident responses and reporting.
Preventative measures and the design of the Risk Management Programs, Systems of National Significance and Enhanced Cyber Security Obligations will be proposed in a separate Bill that the Government intends to bring back to the Parliament for consideration at a later date.

FINANCIAL IMPACT STATEMENT

The amendments have no financial impact.

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

A Statement of Compatibility with Human Rights has been completed in relation to the amendments proposed to the Bill and assessed the amendments to be compatible with Australia's human rights obligations. A copy of the Statement of Compatibility with Human Rights is at Attachment A.


AMENDMENTS TO THE SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE) BILL 2020

NOTES ON AMENDMENTS

Amendment (1) - Clause 2, page 2 (table item 2), omit the table item, substitute:

1. This amendment amends the commencement provision in table item 2 of subsection 2(1) of the Bill to provide that Schedule 1, Parts 1 and 2, will commence on the day after the Act receives the Royal Assent, rather than by Proclamation.

Amendment (2) - Clause 2, page 2 (table item 3, column headed "Column 2"), omit "2020", substitute "2021"; and
Amendment (59) - Schedule 1, heading to Part 3, page 144 (line 3), omit "2020", substitute "2021"

2. Amendments (2) and (59) are technical amendments to update references to the Federal Circuit and Family Court of Australia Act 2020 to the Federal Circuit and Family Court of Australia Act 2021.

Amendments (3)-(21), (23)-(25), (27)-(37), (46), (48), (50)-(51), (53)-(57)

3. Amendments (3)-(21), (23)-(25), (27)-(37), (46), (48), (50)-(51) and (53)-(57) are technical amendments omitting references to provisions that are related to proposed new Parts of the Act that are being omitted from the Bill (see amendments Nos 39, 45 and 52).

Amendment (22) - Schedule 1, item 16, page 23 (line 23), before "10", insert "sections"; and
Amendment (26) - Schedule 1, item 16, page 23 (line 23), before "10", insert "sections".

4. These are technical amendments to correct a minor error in items 16 and 17 of the Bill. These items should also have omitted the word 'sections' from paragraphs (a) and (b) of the definition of security. Amendments (22) and (26), in conjunction with items 16 and 17, omit the words 'sections 10 and 12' and replace them with the new words set out in amended items 16 and 17.

Amendment (38) - Schedule 1, item 32, page 54 (after line 15), after subsection 12N(1), insert:

5. This amendment adds a new subsection 12N(1A) to insert an example of a situation where a person is not entitled to cause access, modification or impairment of computer data or a computer program, as set out in subsection 12N(1). Section 12N sets out the meaning of unauthorised access, modification or impairment for the purposes of the Act.

6. The example is a person who is an employee or agent of the responsible entity for an asset who would exceed their authority as an employee or agent in causing such access, modification or impairment in relation to the asset (i.e. an 'insider').

7. The purpose of this amendment is to implement Recommendation 1 of the PJCIS report, as described at dot point 1 of paragraph 3.18.


Amendment (39) - Schedule 1, item 39, page 57 (line 9) to page 66 (line 15), omit Part 2A.

8. This amendment omits Part 2A from the Bill. Part 2A relates to critical infrastructure risk management programs.

9. The purpose of this amendment is to implement Recommendation 1 of the PJCIS report that the Bill be split into two Bills.

10. Recommendation 7 of the PJCIS report was that the remaining non-urgent elements of the Bill (including Part 2A) not recommended for inclusion in Bill One be deferred and amended into a separate Bill.

Amendment (40) - Schedule 1, item 39, page 67 (after line 23), at the end of subsection 30BBA(2), add:

11. This amendment adds a new paragraph 30BBA(2)(d) in relation to consultation on rules made for section 30BB. Section 30BB provides that the notification requirements in Part 2B of the Act apply to a critical infrastructure asset if (amongst other things) the asset is specified in the rules. Part 2B of the Act sets out the reporting requirements in relation to cyber security incidents that impact on critical infrastructure assets, and section 30BBA sets out the consultation requirements for rules made for the purposes of section 30BB.

12. The amendment provides that where the Minister is aware that an entity is responsible for an asset that is specified, or proposed to be specified, in rules for section 30BB, the Minister must give the entity a written copy of the proposed rules. If the entity provides a submission to the Minister within the 28 day period set out in paragraph 30BBA(2)(a), the Minister must provide the entity with a written response to the submission.

13. The purpose of this amendment is to implement Recommendation 1 of the PJCIS report, as described at dot point 2 of paragraph 3.18.

Amendment (41) - Schedule 1, item 39, page 68 (line 23), omit "48", substitute "84".

14. The amendment amends paragraph 30BC(3)(b) of the Bill. Section 30BC provides for notification of a cyber security incident that has had, or is having, a significant impact on the availability of the asset, in relation to entities specified in rules made under section 30BB.

15. The amendment provides that an entity must provide the written report referred to in the provision to the relevant Commonwealth body within 84 hours (rather than 48 hours) after an oral report was made in relation to a cyber security incident that is having a significant impact on the availability of the asset.

16. The purpose of this amendment is to implement dot point one of recommendation 2 of the PJCIS report.

Amendment (42) - Schedule 1, item 39, page 68 (after line 27), at the end of section 30BC, add:

17. The amendment adds new subsections 30BC(5) and (6). Section 30BC provides for notification of critical cyber security incidents in relation to entities specified in rules made under section 30BB.


18. Subsection 30BC(5) provides that the head of the Commonwealth body (however that head is described) may exempt an entity from the requirement to provide a written report referred to in subsection 30BC(3). This may occur, as an example, because of an agreement made between the Commonwealth body and the entity about the matter.

19. Subsection 30BC(6) provides that an exemption under subsection 30BC(5) is not a legislative instrument. Exempting an entity from the obligation to provide a written report under subsection 30BC(3) is beneficial to the entity. The exemption will provide the entity with assurance that it will not later be required to provide a written report.

20. Under subsections 30BC(7) and (8), the head of the Commonwealth body may delegate their power to:
• an SES employee or acting SES employee in the Commonwealth body; or
• a person who holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.

21. The delegation power is necessary as a Commonwealth body may frequently be required to provide the exemptions set out in subsection 30BC(5). The SES level (or equivalent) is considered a sufficiently senior level to exercise the power.

22. The purpose of this amendment is to implement dot point two of recommendation 2 of the PJCIS report.

Amendment (43) - Schedule 1, item 39, page 69 (after line 28), at the end of section 30BD, add:

23. The amendment adds new subsections 30BD(5) and (6). Section 30BD provides for notification of cyber security incidents (other than critical incidents) in relation to entities specified in rules made under section 30BB.

24. The amendment provides that the head of the Commonwealth body (however that head is described) may exempt an entity from the requirement to provide a written report referred to in subsection 30BD(3). This may occur, as an example, because of an agreement made between the Commonwealth body and the entity about the matter.

25. Subsection 30BD(6) provides that an exemption under subsection 30BD(5) is not a legislative instrument. Exempting an entity from the obligation to provide a written report under subsection 30BD(3) is beneficial to the entity. The exemption will provide the entity with assurance that it will not later be required to provide a written report.

26. Under subsections 30BD(7) and (8), the head of the Commonwealth body may delegate their power to:
• an SES employee or acting SES employee in the Commonwealth body; or
• a person who holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.

27. The delegation power is necessary as a Commonwealth body may frequently be required to provide the exemptions set out in subsection 30BD(5). The SES level (or equivalent) is considered a sufficiently senior level to exercise the power.


28. The purpose of this amendment is to implement dot point two of recommendation 2 of the PJCIS report.

Amendment (44) - Schedule 1, item 39, page 70 (after line 4), after section 30BE, insert:

29. This amendment adds a new section 30BEA to define when a cyber security incident is having a 'significant impact' and must therefore be reported under section 30BC. The incident will have a 'significant impact' if:
(a) the incident has materially disrupted the availability of essential goods or services provided using the asset; or
(b) any of the circumstances specified in the rules exist in relation to the incident.

30. In assessing whether an incident is a critical cyber security incident, a responsible entity should consider the services being provided by the asset, the impact of a disruption to essential services, and the nature and extent of the cyber security incident.

31. A significant impact on the availability of an asset is a material disruption to the essential services provided by that asset. An impact on other functions, for example certain corporate systems, which does not affect the provision of essential services would not meet this threshold. The intention of providing a threshold for 'significant impact' is to capture more specific and extreme circumstances than what is captured by 'relevant impact' as defined under proposed new section 8G. The significant impact threshold is limited to circumstances which impact the asset's availability (compare with relevant impact, which relates to availability, integrity, reliability and confidentiality). Accordingly, this threshold will be met in circumstances in which a critical infrastructure asset's essential services have been materially disrupted.

32. For example, a cyber security incident which affects the availability of a critical clearing and settlement facility for a very brief period may materially disrupt its essential services, which is likely to result in significant economic repercussions. In contrast, an incident that affects the availability of a critical education asset for the same period of time may have a substantially lower economic material impact on the services provided by that asset. Both assets' essential services are disrupted; however, due to the time sensitive nature of the services provided by a critical clearing and settlement facility, a relatively short disruption will clearly have a significant impact that may be considered 'material'. Accordingly, responsible entities will need to consider the risk of cascading impacts of any disruption to determine when to report a cyber security incident.

33. This amendment also adds a new section 30BEB in relation to rules made under new paragraph 30BEA(b). In summary, section 30BEB requires the Minister to consult entities about proposed rules under section 30BEA that affect the entity. The Minister will be required to provide 28 days for consultation and provide a written response to any submission from the affected entity made within that time period.

34. The purpose of this amendment is to implement Recommendation 1 of the PJCIS report, as described at dot point 4 of paragraph 3.18.


Amendment (45) - Schedule 1, item 39, page 70 (line 17) to page 95 (line 3), omit Part 2C:

35. This amendment omits Part 2C from the Bill. Part 2C relates to enhanced cyber security obligations.

36. The purpose of this amendment is to implement Recommendation 1 of the PJCIS report that the Bill be split into two Bills.

37. Recommendation 7 of the PJCIS report was that the remaining non-urgent elements of the Bill (including Part 2C) not recommended for inclusion in Bill One be deferred and amended into a separate Bill.

Amendment (47) - Schedule 1, item 45, page 103 (after line 16), at the end of section 35AD, add:

38. This amendment adds a new subsection 35AD(3). The amendment will require the Minister, if required to consult under subsection 35AD(1) or (2), to give the entity a copy of the proposed Ministerial authorisation and provide the entity 24 hours to make a submission.

39. If consultation is not required under subsection 35AD(1) or (2), then subsection 35AD(3) does not apply. For example, if consultation is not required under subsection 35AD(1) or (2) because consultation would frustrate the effectiveness of the Ministerial authorisation, compliance with subsection 35AD(3) is not required.

40. The consultation requirement in section 35AD applies in relation to a Ministerial authorisation given under new section 35AB, in relation to the exercise of government assistance powers by the Secretary in relation to a cyber security incident.

41. The purpose of this amendment is to implement Recommendation 1 of the PJCIS report, as described at dot point 5 of paragraph 3.18.

Amendment (49) - Schedule 1, item 45, page 122 (after line 23), at the end of Part 3A, add:

42. This amendment adds a new section 35BK. Subsection 35BK(1) requires the Secretary to give the PJCIS a written report about a cyber security incident in relation to which directions or requests in relation to government assistance measures are given or made under new sections 35AK, 35AQ or 35AX. Subsection 35BK(2) provides that the report must describe each of the directions or requests made in relation to the incident.

43. The Secretary is not required to make a separate written report to the PJCIS in relation to each direction or request, but is required to describe each direction or request in a report relating to each incident.

44. This amendment implements recommendation 4 of the PJCIS report.

Amendment (52) - Schedule 1, item 66, page 135 (line 18) to page 140 (line 8), omit the item:

45. This amendment omits Part 6A from the Bill. Part 6A relates to declaration of systems of national significance by the Minister.


46. The purpose of this amendment is to implement Recommendation 1 of the PJCIS report that the Bill be split into two Bills.

47. Recommendation 7 of the PJCIS report was that the remaining non-urgent elements of the Bill (including Part 6A) not recommended for inclusion in Bill One be deferred and amended into a separate Bill.

Amendment (58) - Schedule 1, page 142 (after line 3), after item 70, insert:

48. This amendment adds a new section 60B to provide that the PJCIS may conduct a review of the operation, effectiveness and implications of the Act, including the reformed security of critical infrastructure legislative framework made by the Security Legislation Amendment (Critical Infrastructure) Act 2021. The PJCIS may report its comments and recommendations to each House of the Parliament.

49. The PJCIS must commence the review under this provision before the end of three years after the Security Legislation Amendment (Critical Infrastructure) Act 2021 receives the Royal Assent.

50. The purpose of this amendment is to implement recommendation 14 of the PJCIS report.


Attachment A

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020

These amendments are compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia's critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver.

The purpose of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) is to amend the Security of Critical Infrastructure Act 2018 (the Act) to introduce an enhanced regulatory framework, building on existing requirements under the Act. The Bill gives effect to this framework by introducing:

• government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia's critical infrastructure assets;
• additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;
• enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and
• additional critical infrastructure assets, which means that the existing powers under the Act, and the new powers to be introduced under this Bill, will apply to a broader range of assets.
Overview of the Government Amendments

The amendments address a number of recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 of 29 September 2021 (the PJCIS report).

The amendments would:

(a) omit the following proposed new Parts of the Act, and related provisions:
    (i) proposed new Part 2A of the Act - critical infrastructure risk management programs;
    (ii) proposed new Part 2C of the Act - enhanced cyber security obligations;
    (iii) proposed new Part 6A of the Act - declaration of systems of national significance;
(b) amend the proposed regime requiring the mandatory reporting of a cyber security incident by an entity to a relevant Commonwealth body to allow for the written report to be made within 84 hours (instead of 48 hours) of an oral report being made, and to empower a relevant Commonwealth body to exempt an entity from the requirement to provide a written report;
(c) require the Secretary to give a written report to the PJCIS about a cyber security incident in relation to which directions or requests in relation to government assistance measures are given or made under sections 35AK, 35AQ or 35AX. The report must describe each of the directions or requests made in relation to the incident;
(d) allow the PJCIS to conduct a review of the operation, effectiveness and implications of the security of critical infrastructure legislative framework in the Act, to begin not more than three years from when the Bill receives Royal Assent;
(e) require any draft rules relating to the mandatory reporting obligations to be provided directly to any entities which would reasonably be impacted by the draft rules, and include an obligation that the Minister must formally respond to any submissions made by responsible entities;
(f) insert a definition of significant impact;
(g) in relation to a Ministerial authorisation under new section 35AD, if consultation is required, inform relevant entities in writing and invite the entities to make a submission within 24 hours after receiving the draft authorisation;
(h) include an example of where a person is not entitled to cause access, modification or impairment of computer data or a computer program, being that if a person (including an employee or agent of a responsible entity) exceeds their authority, then this will amount to such unauthorised access, modification or impairment for the purposes of the Act.

Human rights implications

The human rights impacts of the Bill were outlined in the Statement of Compatibility with Human Rights that accompanied the Bill as introduced on 10 December 2020. As such, this Statement of Compatibility only addresses the specific Government amendments to the Bill. The limited scope of those amendments does not engage any of the applicable rights or freedoms.

Conclusion

The amendments are compatible with human rights as they do not raise any human rights issues.

