2019-2020-2021
THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA
SENATE
SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE) BILL 2021
REVISED EXPLANATORY MEMORANDUM
(Circulated by authority of the Minister for Home Affairs, the Honourable Karen Andrews MP)
THIS MEMORANDUM TAKES ACCOUNT OF AMENDMENTS MADE BY THE HOUSE OF REPRESENTATIVES TO THE BILL AS INTRODUCED

Security Legislation Amendment (Critical Infrastructure) Bill 2021

OUTLINE

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia's critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver.

Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption and result in cascading consequences across our economy, security and sovereignty.

Threats ranging from natural hazards (including weather events) to human-induced threats (including interference, cyber attacks, espionage, chemical or oil spills, and trusted insiders) all have the potential to significantly disrupt critical infrastructure. Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, and the impacts of COVID-19, illustrate that threats to the operation of Australia's critical infrastructure assets continue to be significant. Further, the interconnected nature of our critical infrastructure means that compromise of one essential function can have a domino effect that degrades or disrupts others.
The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty, as well as the Australian way of life, causing:
• shortages or destruction of essential medical supplies;
• instability in the supply of food and groceries;
• impacts to water supply and sanitation;
• impacts to telecommunications networks that are dependent on electricity;
• the inability of Australians to communicate easily with family and loved ones;
• disruptions to transport, traffic management systems and fuel;
• reduced services or shutdown of the banking, finance and retail sectors; and
• the inability for businesses and governments to function.

While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune:
• over the last three years, we have seen several cyber attacks in Australia that have targeted the Federal Parliamentary Network;
• malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber attacks on health organisations and medical research facilities; and
• key supply chain businesses transporting groceries and medical supplies have also been targeted.

Accordingly, Government will introduce an enhanced regulatory framework, building on existing requirements under the SOCI Act. The Security Legislation Amendment (Critical Infrastructure) Bill 2021 gives effect to this framework by introducing:
• mandatory cyber incident reporting; and
• government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia's critical infrastructure assets.

These changes will be underpinned by enhancements to Government's existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy and an expanded Trusted Information Sharing Network. This will include a range of activities that will improve our collective understanding of risk within and across sectors.

The enhanced framework will uplift security in all critical infrastructure sectors. When combined with better identification and sharing of threats, this framework will ensure that Australia's critical infrastructure assets are more resilient and secure.

This framework will apply to owners and operators of critical infrastructure regardless of ownership arrangements. This creates an even playing field for owners and operators of critical infrastructure and maintains Australia's existing open investment settings, ensuring that businesses that apply security measures are not at a commercial disadvantage.
The Australian Government's Critical Infrastructure Resilience Strategy currently defines critical infrastructure as: 'those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defence and ensure national security.'

In the context of this, the SOCI Act currently places regulatory obligations on specific entities in the electricity, gas, water and maritime ports sectors. However, as the security landscape evolves, so must our approach to managing risk across all critical infrastructure sectors. As such, the amendments in this Bill will enhance the obligations in the SOCI Act, and expand its coverage to the following sectors: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage.

The reforms

The Commonwealth needs to establish a clear, effective, consistent and proportionate approach to ensuring the resilience of Australia's critical infrastructure. The amendments to the SOCI Act will drive the uplift of the security of Australia's critical infrastructure. The Bill will ensure Government has the necessary powers to provide direct assistance to industry in the event of a serious cyber security incident.

Positive Security Obligations

The additional positive security obligations will build on the existing obligations in the SOCI Act to embed preparation, prevention and mitigation activities into the business-as-usual operation of critical infrastructure assets, ensuring that the resilience of essential services is strengthened. It will also provide greater situational awareness of threats to critical infrastructure assets.

The positive security obligations involve two aspects:
• mandatory reporting of serious cyber security incidents to the Australian Signals Directorate (in the Australian Cyber Security Centre, or ACSC); and
• where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.

Importantly, each aspect of the positive security obligations will only apply once a rule is made in relation to that aspect for a critical infrastructure asset or class of critical infrastructure assets. The rules will prescribe which aspects are 'switched on' for a critical infrastructure asset or class of critical infrastructure assets.

Responsible entities of specified critical infrastructure assets will be required to report cyber security incidents to the relevant Commonwealth body.
Collecting this information will support the development of an aggregated threat picture to inform both proactive and reactive cyber response options, from providing immediate assistance to working with industry to uplift broader security standards.

Part 2 of the current SOCI Act requires assets covered by the Act to provide ownership and operational information to the Secretary of Home Affairs for the Register of Critical Infrastructure Assets (the Register). The Bill will extend this requirement to the expanded class of critical infrastructure assets where they are 'switched on' in the rules, to develop and maintain a comprehensive picture of national security risks and apply mitigations where necessary.
Government Assistance

This Bill introduces a Government Assistance regime to respond to serious cyber security incidents that applies to all critical infrastructure sector assets. Government recognises that industry should, and in most cases will, respond to the vast majority of cyber security incidents, with the support of Government where necessary. However, Government maintains ultimate responsibility for protecting Australia's national interests. As a last resort, the Bill provides for Government assistance to protect assets immediately prior to, during or following a significant cyber attack.

Detailed notes on the clauses of the Bill are included at Attachment A.

FINANCIAL IMPACT STATEMENT

The measures in the Bill have no financial impact.

REGULATION IMPACT STATEMENT

A detailed Regulation Impact Statement to assess the high level regulatory impact to industry of uplifting the security and resilience of Australia's critical infrastructure assets was included in the Explanatory Memorandum for the Bill as introduced in the House of Representatives.

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

A Statement of Compatibility with Human Rights has been completed in relation to the Bill. It has been assessed that the amendments are compatible with Australia's human rights obligations. A copy of the Statement of Compatibility with Human Rights is at Attachment B.
COMMON ABBREVIATIONS AND ACRONYMS

Abbreviation or acronym -- Meaning
AAT -- Administrative Appeals Tribunal
Acts Interpretation Act -- Acts Interpretation Act 1901
ACMA -- Australian Media and Communications Authority
ACSC -- Australian Cyber Security Centre
ADJR Act -- Administrative Decisions (Judicial Review) Act 1977
AEMO -- Australian Energy Market Operator
APRA -- Australian Prudential Regulation Authority
ASA -- Australian Shareholders' Association
ASD -- Australian Signals Directorate
ASIC -- Australian Securities and Investments Commission
ASIO -- Australian Security Intelligence Organisation
ASIO Act -- Australian Security Intelligence Organisation Act 1979
ATSA -- Aviation Transport Security Act 2004
AusCheck Act -- AusCheck Act 2007
Corporations Act -- Corporations Act 2001
Courts Act -- Federal Court and Family Court of Australia Act 2021
Criminal Code -- Criminal Code Act 1995
DISP -- Defence Industry Security Program
Department -- Department of Home Affairs
FATA -- Foreign Acquisitions and Takeovers Act 1975
FIRB -- Foreign Investment Review Board
IGIS -- Inspector General of Intelligence and Security
Intelligence Services Act -- Intelligence Services Act 2001
Legislation Act -- Legislation Act 2003
MTOFSA -- Maritime Transport and Offshore Facilities Security Act 2003
MW -- Megawatts
NEM -- National Energy Market
NSI Act -- National Security Information (Criminal and Civil Proceedings) Act 2004
PJCIS -- Parliamentary Joint Committee on Intelligence and Security
Privacy Act -- Privacy Act 1988
PSPF -- Protective Security Policy Framework
RBA -- Reserve Bank of Australia
Regulatory Powers Act -- Regulatory Powers (Standard Provisions) Act 2014
Secretary -- Secretary of the Department of Home Affairs
SOCI Act -- Security of Critical Infrastructure Act 2018
SCADA -- Supervisory Control and Data Acquisition
Telecommunications Act -- Telecommunications Act 1997
TEQSA -- Tertiary Education Quality and Standards Agency
TIA Act -- Telecommunications (Interception and Access) Act 1979
TSSR -- Telecommunications sector security reforms contained in the Telecommunications and Other Legislation Amendment Act 2017
Attachment A

Security Legislation Amendment (Critical Infrastructure) Bill 2021

NOTES ON CLAUSES

Section 1 Short title

1. Section 1 of the Bill provides that the short title of the Act is the Security Legislation Amendment (Critical Infrastructure) Act 2021.

Section 2 Commencement

2. Section 2 of the Bill sets out the times at which the Act commences once passed by the Parliament.

3. Subsection (1) provides that each provision of the Bill specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. The table provides that:
• sections 1 to 3 of the Bill and anything not otherwise covered by the table commence the day the Act receives the Royal Assent (item 1)
• Parts 1 and 2 of Schedule 1 to the Bill commence on the day after the Bill receives the Royal Assent (item 2)
• Part 3 of Schedule 1 to the Bill commences the later of immediately after table item 2, and the commencement of the Federal Court and Family Court of Australia Act 2021 (the Courts Act) (item 3). This item also provides that, if the Courts Act never commences, then the amendments in Part 3 of Schedule 1 never occur
• Part 4 of Schedule 1 to the Bill commences the later of immediately after table item 2 and the commencement of the National Emergency Declaration Act 2020 (the NED Act) (item 4). This item also provides that, if the NED Act never commences, then the amendments in Part 4 of Schedule 1 never occur, and
• Schedule 2 to the Bill commences the day after the Bill receives the Royal Assent (item 5).

4. Subsection (2) provides that any information in column 3 of the table is not part of the Bill. Information may be inserted in this column, or information in it may be edited, in any published version of this Bill.
Section 3 Schedules

5. Section 3 of the Bill provides that legislation that is specified in a Schedule to the Bill is amended or repealed as set out in the applicable items in the Schedule concerned. In addition, this clause provides that any other item in a Schedule to this Act has effect according to its terms.

6. There are two Schedules to the Bill. Part 1 of Schedule 1 to the Bill will make amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) to:
• insert new Part 2B, which will require that specified critical infrastructure assets report cyber security incidents
• insert new Part 3A, which outlines a number of government assistance measures that may be exercised in the most serious and significant of cyber security incidents
• include additional measures concerning annual reporting, disclosure and use of protected information etc., and
• outline relevant definitions that are required to support these amendments.

7. Part 1 of Schedule 1 also makes amendments to the Administrative Decisions (Judicial Review) Act 1977 (the ADJR Act) to exclude certain decisions made under the SOCI Act from judicial review under that Act.

8. Parts 2 and 3 of Schedule 1 to the Bill provide for the application of amendments in Part 1 of Schedule 1, and for the making of contingent amendments related to the proposed amalgamation of the Federal Circuit Court and Family Court of Australia.

9. Schedule 2 to the Bill will amend the Criminal Code to provide for an immunity to apply in relation to the Australian Signals Directorate (ASD) for conduct occurring, or reasonably believed to occur, outside of Australia.

Schedule 1--Security of critical infrastructure

Part 1--General amendments

Administrative Decisions (Judicial Review) Act 1977

Item 1 Before paragraph (da) of Schedule 1

10. Item 1 of Schedule 1 to the Bill inserts new paragraph (dae) into Schedule 1 to the ADJR Act, to provide that any decision made under new Part 3A of the SOCI Act is not a 'decision to which this Act applies'. This means that a decision made under new Part 3A in response to a 'serious cyber security incident' is not subject to judicial review under the ADJR Act (see further explanation regarding new Part 3A below).
11. The Administrative Review Council (ARC), in their 2012 report Federal Judicial Review in Australia, identified a number of reasons that may justify an exemption from review under the ADJR Act. National security considerations were one such reason identified by the ARC as justifying excluding ADJR Act review, particularly where sensitive information is involved which may be publicly disseminated through judicial proceedings.

12. When making a decision under new Part 3A of the SOCI Act, the Minister must be satisfied that there is a material risk that a 'cyber security incident' (as defined by new section 12M, see item 7 of Schedule 1 below) has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice, the social or economic stability of Australia or its people, the defence of Australia or national security. Decisions of this nature are likely to be based on sensitive and classified information and deal with the capabilities of intelligence agencies as well as security vulnerabilities. This could include intelligence information and covert investigation methods and procedures, the disclosure of which may impact ongoing investigations, compromise intelligence methodologies or otherwise damage Australia's national security and defence. The same applies equally to decisions of the Secretary and the authorised agency under new Part 3A who operationalise the Ministerial authorisations.

13. For this reason, it is reasonable to exempt decisions made under new Part 3A of the SOCI Act from review under the ADJR Act, as the public dissemination of the sensitive information and capabilities that may be used to make decisions under new Part 3A would pose a risk to national security and the defence of Australia.

14. Similar to decisions made under the Foreign Acquisitions and Takeovers Act 1975, which are exempt from review under the ADJR Act (see paragraph (h) of Schedule 1 to that Act), decisions made under Part 3A are also likely to deal with classified and commercially confidential material that is relevant to the operation of assets critical to Australia's economy. This further supports the need for the exemption, noting the potential impact to the economy if the confidentiality of this information was compromised.

15. Owners and operators of critical infrastructure assets may be reluctant or unwilling to disclose such information to government for the purpose of Part 3A, despite the penalties that such non-compliance could attract, if there is potential for this information to be disclosed publicly in court proceedings under the ADJR Act. This could delay or seriously inhibit the Minister, Secretary or authorised agency from making decisions under new Part 3A to protect assets critical to the Australian economy from imminent or realised threats.

16. Furthermore, Part 3A is designed to be used in emergency circumstances where it is necessary for the Government to respond rapidly to the most serious cyber security incidents that are affecting critical infrastructure assets. Any unnecessary delays in the use of these mechanisms may prejudice the national interest, noting the complex nature of such serious cyber security incidents, and the importance of critical infrastructure assets to Australia's social and economic stability, defence and national security. An exemption from review under the ADJR Act ensures the mechanisms in new Part 3A can be deployed as required and without delay.
17. Whilst decisions under new Part 3A will be exempt from review under the ADJR Act, there are certain safeguards and limitations included in the Bill to ensure that any decisions made under the Part are appropriate. In particular, the Minister can only make an authorisation for the exercise of powers where the Minister is satisfied that:
• a cyber security incident has occurred, is occurring or is imminent (paragraph 35AB(1)(a))
• the incident has had, is having, or is likely to have, a 'relevant impact' (as defined in new section 8G) on a critical infrastructure asset (paragraph 35AB(1)(b))
• there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice the social or economic stability of Australia or its people, defence or national security (paragraph 35AB(1)(c)), and
• no other regulatory system could be used to provide a practical and effective response to the incident (paragraph 35AB(1)(d)).

18. Further, consultation requirements are built into each stage of the regime to ensure any concerns of the entity are considered, and that any decisions are informed.

19. Importantly, the Inspector-General of Intelligence and Security will oversee the activities of the authorised agency under the Part. The Commonwealth Ombudsman also maintains jurisdiction in relation to any of the Secretary's activities under new Part 3A.

20. It is noted that the amendment does not have the effect of entirely excluding judicial review of decisions under Part 3A of the SOCI Act. A person who is the subject of a decision under Part 3A is still entitled to seek judicial review under section 39B of the Judiciary Act 1903 or subsection 75(v) of the Constitution.

Security of Critical Infrastructure Act 2018

Item 4 Section 3

21. Item 4 of Schedule 1 to the Bill amends the objects provision of the SOCI Act (section 3), to omit the words 'to national security'.

22. This amendment reflects the additional and broader purpose of the SOCI Act (as a result of amendments in this Bill), which is to manage the threats posed by, and the impacts of, a variety of hazards, including those that are human-induced and naturally occurring, in relation to critical infrastructure assets and systems of national significance.

Item 5 At the end of section 3

23. Section 3 of the SOCI Act currently outlines the original intent of the SOCI Act, which was to provide a regulatory framework to manage risks to national security relating to Australia's critical infrastructure. The national security risks of particular focus were sabotage, espionage and coercion.
24. As a result of the evolved security environment, amendments are required to the SOCI Act, and in turn, the intent and purpose of the SOCI Act has been augmented to reflect these amendments.

25. Item 5 of Schedule 1 to the Bill inserts paragraph (e) into section 3 of the SOCI Act, which describes how the purpose of the SOCI Act is carried out. Paragraph (e) provides that the object of the SOCI Act is carried out by providing a regime for the Commonwealth to respond to serious cyber security incidents, which is a reference to new Part 3A of the SOCI Act.

Item 6 Section 4

26. Item 6 repeals and substitutes section 4 of the SOCI Act, which contains the simplified outline of the Act. The simplified outline is designed to assist the reader of the legislation in understanding the structure and content of the SOCI Act.

Section 4 Simplified outline of this Act

27. New section 4 of the SOCI Act outlines that the Act, as amended by the Bill, creates a framework for managing risks relating to critical infrastructure, based on elements including:
• a private register of information in relation to assets that are critical infrastructure assets
• requiring a responsible entity for an asset to notify Government about cyber security incidents
• requiring certain entities relating to a critical infrastructure asset to provide information in relation to an asset and to notify of certain events
• allowing the Minister to require an entity to do or refrain from doing certain things if the Minister is satisfied that there is a risk that the act or omission would be prejudicial to security
• allowing the Secretary to require certain entities to provide certain information or documents
• setting up a regime for the Commonwealth to respond to serious cyber security incidents, and
• allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.

28. The third paragraph notes that certain information in relation to this Act is protected information and that the use and disclosure of this information is restricted.
29. The fourth paragraph notes that the civil penalty provisions in this Act may be enforced using civil penalty orders, injunctions or infringement notices, and that enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. It also notes that the Regulatory Powers Act is applied for these purposes. The paragraph also notes that some provisions of the Act are subject to monitoring and investigation under the Regulatory Powers Act and that certain provisions of the Act can be enforced by criminal proceedings.

30. The fifth paragraph notes that the Minister may privately declare an asset to be a critical infrastructure asset. The final paragraph notes that the Secretary must give the Minister reports on the operation of the Act that are to be presented to Parliament.

Item 7 Section 5

31. Item 7 of Schedule 1 to the Bill provides a number of definitions for terms that facilitate the amendments to the SOCI Act being made by the Bill. A number of terms are defined by reference to other Acts; for example, the term aircraft operator has the same meaning as it does in the Aviation Transport Security Act 2004 (ATSA). For terms defined in this manner it is intended that the term in the SOCI Act has the meaning as it appears in the Acts referred to from time to time.

32. In this explanatory memorandum those terms have been described according to how they are defined in the respective Acts at the time of the introduction of the Bill.

access

33. In relation to a computer program, means the execution of the computer program. The purpose of this definition is to differentiate between instances in the Bill where access has its ordinary meaning, and instances where its use relates to accessing a computer program that is installed on a computer.

access to computer data

34. This definition has been separated into three paragraphs, reflecting the different methods by which data may be regarded as being accessed depending on how it is held. Paragraph (a) provides that access to computer data means, in a case where the computer data is held in a computer, the display of the data by the computer or any other output of the data from the computer.

35. Paragraph (b) defines access to computer data to also mean, in the case where the computer data is held in a computer, the copying or moving of the data to any other location in the computer, another computer or a data storage device. Paragraph (c) also defines access to computer data as meaning, in the case where the computer data is held in a storage device, the copying or moving of the data to a computer or to another data storage device.
aircraft operator

36. This term has the same meaning as in the ATSA. At the time of the introduction of the Bill, section 9 of the ATSA provides that aircraft operator means a person who conducts, or offers to conduct, an air service. This term is used in the definition of 'critical aviation asset'. At the time of the introduction of the Bill, in the ATSA, air service means a service of providing air transportation of people or goods, or both people and goods.

airport

37. Has the same meaning as in the ATSA. At the time of the introduction of the Bill, subsection 28(1) of the ATSA provides that an 'airport' is an area of land or water (including any buildings, installations or equipment situated in the area) intended for use either wholly or partly in connection with the arrival, departure or movement of aircraft. It also includes any area that is controlled by the airport operator that is contiguous with such an area of land or water. This term is used in the definition of 'critical aviation asset'.

airport operator

38. Has the same meaning as in the ATSA. At the time of the introduction of the Bill, section 9 of the ATSA provides that 'airport operator' means the operator of an airport. This term is used in the definition of 'critical aviation asset'.

air service

39. Has the same meaning as in the ATSA. At the time of the introduction of the Bill, section 9 of the ATSA provides that 'air service' means a service of providing air transportation of people or goods, or both people and goods. This term is used in the definition of 'critical aviation asset'.

approved staff member of the authorised agency

40. This term has the meaning given in new section 35BJ of the SOCI Act.

ASD

41. This term is defined to mean the Australian Signals Directorate.

asset

42. The definition of 'asset' is non-exhaustive and is intended to clarify the types of physical and electronic things that can be considered to be an 'asset'. This is particularly relevant for the definition of 'critical infrastructure asset' at section 9 of the SOCI Act (see items 22-29 of Schedule 1 to the Bill, below). The term 'asset' is also used in the definition of 'critical infrastructure sector asset' at new section 8E of the Bill.

43. The use of 'asset', including in the definition of 'critical infrastructure asset' and 'critical infrastructure sector asset', may refer to individual components of infrastructure or a collection of components of infrastructure which, while individually could be regarded as assets, as a collection interact to provide, or support the provision of, a service or thing.

associated entity

44. This term has the same meaning as in the Corporations Act. At the time of introduction of the Bill, section 50AAA of that Act provides that an entity is an 'associated entity' of another entity (the principal) if any of the criteria listed in subsections 50AAA(2)-(7) are satisfied. Some examples of the criteria are that:
• the associate and the principal are related bodies corporate
• the principal controls the associate, or
• the associate controls the principal and the operations, resources and affairs of the principal are material to the associate.

associated transmission facility

45. The definition captures those pieces of equipment or other things that are required to operate a radiocommunications transmitter. 'Associated transmission facilities' form part of a 'broadcasting transmission asset', which is used in the definition of 'critical broadcasting asset' at new section 12E of the Bill.

AusCheck scheme

46. Has the same meaning as in the AusCheck Act. At the time of the introduction of the Bill, section 8 of the AusCheck Act states that regulations may provide for the establishment of an AusCheck scheme which relates to the conduct and coordination of background checks.

Australia

47. When used in a geographical sense, includes the external Territories.

Australian CS facility licence

48. Has the same meaning as in Chapter 7 of the Corporations Act 2001 (the Corporations Act), which at the time of the introduction of the Bill means a licence under section 824B of that Act which authorises a person to operate a clearing and settlement facility. This term is used in the definition of 'critical financial market infrastructure asset' at section 12 of the Bill.

Australian derivative trade repository licence

49. Has the same meaning as in Chapter 7 of the Corporations Act. This term is relied upon for the meaning of 'critical financial market infrastructure asset' at new section 12D of the SOCI Act.
Australian market licence 50. Has the same meaning as in Chapter 7 of the Corporations Act, which at the time of the introduction of the Bill is defined as being a licence applied for under section 795B of that Act. This term is relied upon in the definition of 'critical financial market infrastructure asset' at new section 12D of the SOCI Act. authorised agency 51. Authorised agency means ASD. This term is particularly relevant to new Division 5 of Part 3A of the SOCI Act--the serious cyber incident response powers which are part of the government assistance measures. authorised deposit-taking institution 52. Has the same meaning as in the Banking Act 1959 (the Banking Act), which at the time of introduction of the Bill means a body corporate in relation to which an authority under subsection 9(3) of that Act is in force. This term is relied upon in the definition of 'critical banking asset' at new section 12G of the SOCI Act. background check 53. Has the same meaning as in the AusCheck Act. Section 5 of the AusCheck Act, at the time of introduction of the Bill, provides that a background check in relation to an individual is an assessment of information relating to one or more of the following: • the individual's criminal history • in certain circumstances, whether the individual has been charged with a serious offence or whether a charge for a serious offence has been resolved in relation to the individual • matters relevant to a security assessment of the individual as defined in the ASIO Act • the individual's citizenship status, residency status or the individual's right to work in Australia, including whether the person is an Australian citizen, a permanent resident or an unlawful non-citizen, and • the identity of the individual. banking business 54. Has the same meaning as in the Banking Act. 
At the time of introduction of the Bill the term is defined as:
• a business that consists of banking within the meaning of paragraph 51(xiii) of the Constitution, or
• a business that is carried on by a corporation to which paragraph 51(xx) of the Constitution applies and that consists of both taking money on deposit (otherwise than as a part payment for goods or services) and making advances of money, or other financial activities prescribed by regulations made under the Banking Act for the purposes of the definition.
55. This term is relied upon in the definition of 'critical banking asset' in new section 12G of the SOCI Act.

benchmark administrator licence
56. Has the same meaning as in the Corporations Act. At the time of introduction of the Bill a 'benchmark administrator licence' is defined as a licence granted under section 908BC of the Corporations Act. This term is relied upon in the definition of 'critical financial market infrastructure asset' in new section 12D of the SOCI Act.

broadcasting re-transmission asset
57. This term means a radiocommunications transmitter, a broadcasting transmission tower, or an associated transmission facility (as these terms are defined respectively in the SOCI Act), that is used in connection with the transmission of a service to which, as a result of section 212 of the Broadcasting Services Act 1992 (the Broadcasting Services Act), the regulatory regime established by that Act does not apply.

broadcasting service
58. Has the same meaning as in the Broadcasting Services Act, which at the time of introduction of the Bill means a service that delivers television programs or radio programs to persons having equipment appropriate for receiving that service, whether the delivery uses the radiofrequency spectrum, cable, optical fibre, satellite or any other means or a combination of those means, but does not include:
• a service (including a teletext service) that provides no more than data, or no more than text (with or without associated still images); or
• a service that makes programs available on demand on a point-to-point basis, including a dial-up service; or
• a service, or a class of services, that the Minister determines, under subsection 6(2) of that Act, not to fall within this definition.
59. 'Broadcasting service' is used in the context of defining the 'communications sector'.
broadcasting transmission asset
60. The definition identifies the individual assets or components (paragraphs (a)-(c)) that are used, or capable of being used, for the transmission of a national broadcasting service, a commercial radio broadcasting service or a commercial television broadcasting service.

broadcasting transmission tower
61. The term has the same meaning as in the Broadcasting Services Act. At the time of the introduction of the Bill item 2 of Schedule 4 to that Act defines a 'broadcasting transmission tower' as being a tower, pole, mast or a similar structure that is used to supply:
• a broadcasting service by means of radiocommunications using the broadcasting services bands, or
• a datacasting service provided under, and in accordance with the conditions of, a datacasting licence.

business critical data
62. The definition of 'business critical data' outlines the categories of data that are of most significance to the operation and security of 'critical infrastructure assets', or otherwise represent a potential security vulnerability. This includes bulk holdings of personal information, within the meaning of the Privacy Act 1988 (the Privacy Act) (paragraph (a)), including sensitive data. This definition largely aligns with the existing reporting requirements for data arrangements under section 5 of the current Security of Critical Infrastructure Rules 2018 (the SOCI Rules) and paragraph 7(1)(f) of the SOCI Act.
63. The purpose of this definition is to limit the application of new subsection 12F(2) of the SOCI Act so that 'critical data storage or processing assets' are those assets owned or operated by a 'data storage or processing provider', and used to store or process 'business critical data' that relates to another asset captured as a 'critical infrastructure asset'.

carriage service
64. Has the same meaning as in the Telecommunications Act 1997 (the Telecommunications Act), which at the time of introduction of the Bill means a service for carrying communications by means of guided and/or unguided electromagnetic energy. This term is used in the definition of 'critical telecommunications asset', and in the definition of the 'communications sector'.

carriage service provider
65. Has the same meaning as in section 87 of the Telecommunications Act. The term is used in the definition of 'critical telecommunications asset'.
carrier
66. Has the same meaning as in the Telecommunications Act, which at the time of introduction of the Bill means the holder of a carrier licence. Carrier licence is defined at section 56 of the Telecommunications Act. This term is used in the definition of 'critical telecommunications asset'.

chief executive of the authorised agency
67. This term is defined to mean the Director-General of the Australian Signals Directorate.

clearing and settlement facility
68. Has the same meaning as in Chapter 7 of the Corporations Act. At the time of introduction of the Bill section 768A of the Corporations Act defined the term as meaning a facility that provides a regular mechanism for the parties to transactions relating to financial products to meet obligations to each other that arise from entering into the transactions and are of a kind prescribed by regulations made under the Corporations Act for the purposes of that paragraph (paragraph 768A(1)(b) of the Corporations Act).
69. This term is relied upon for the meaning of 'critical financial market infrastructure asset' at new section 12D of the SOCI Act, and is used in the definition of 'financial services and markets sector'.

commercial radio broadcasting service
70. Has the same meaning as in the Broadcasting Services Act. At the time of introduction of the Bill the term was defined as meaning a commercial broadcasting service that provides radio programs.

commercial television broadcasting service
71. Has the same meaning as in the Broadcasting Services Act, which at the time of introduction of the Bill means a commercial broadcasting service that provides television programs.

communications sector
72. Means the sector of the Australian economy that involves supplying a carriage service, providing a broadcasting service, owning or operating assets that are used in connection with the supply of a carriage service, owning or operating assets that are used in connection with the transmission of a broadcasting service, or administering an Australian domain name system.
73. The communications sector is a critical enabler of economic and social activity. Communications have always been necessary to 'doing business' and the functioning of society. Many industries rely heavily on the sector and would see the ongoing and safe operation of their industry significantly compromised without it. The Internet enables Australians to communicate (for example, via over-the-top communications providers) and access essential services (for example, Telehealth services, which proved critical during the COVID-19 pandemic), and has helped industry access and compete in overseas markets.
74. As noted by the Australian Competition & Consumer Commission in its Final report on the Communications Sector Market Study released in April 2018, the communications sector is subject to rapid changes in technology, product innovation and consumer preferences as well as major structural changes. For example, the greater availability of high-speed broadband and changing business models within the communications sector have resulted in broadcasters and carriers alike looking to cross-platform delivery as a business necessity. As such, the definition is intended to be flexible so that it continues to be relevant as the sector evolves.
75. An 'Australian domain name system' means any country code Top Level Domain managed within Australia and its external territories (such as Norfolk Island) and generic Top Level Domains.

computer
76. The meaning of 'computer' is intended to capture all or parts of an individual computer, a collection of computers that form a network or system, or any combination of these. A 'computer' has the capability to store or process data, or be used to monitor, control or do anything else that is connected to the functioning of an asset. For example, a Supervisory Control and Data Acquisition (SCADA) system is considered to be a 'computer'.

computer data
77. Means any data held in a computer or a data storage device, irrespective of the form in which that data exists.

computer device
78. Means a device connected to a computer. 'Computer devices' include any hardware that is designed, or has the capability, to be connected to and enable the use or functioning of a computer. Examples of things that are a 'computer device' are monitors, keyboards, computer storage devices and other devices that receive communications from the computer.

connected
79. Means connection otherwise than by means of physical contact, for example, a connection by means of radiocommunication.
constable
80. Has the same meaning as in the Crimes Act 1914 (the Crimes Act), which at the time of introduction of the Bill means a member or special member of the Australian Federal Police or a member of the police force or police service of a State or Territory.

credit facility
81. Has the meaning given by regulations made for the purposes of paragraph 12BAA(7)(k) of the Australian Securities and Investments Commission Act 2001.

credit facility business
82. Means a business that offers, or provides services in relation to, a credit facility.

critical aviation asset
83. A 'critical aviation asset' is defined as:
• an asset that is used in connection with the provision of an air service and is owned or operated by an aircraft operator
• an asset that is used in connection with the provision of an air service and is owned or operated by a regulated air cargo agent, or
• an asset that is used by an airport operator in connection with the operation of an airport.
84. The aviation industry provides the only rapid global network for the transportation of goods and people, making it essential for global business. The industry generates economic growth through the creation of jobs locally as well as the facilitation of international trade and tourism. The geographic expansiveness of Australia also makes it crucial to the domestic economy as well as supporting dispersed populations. The aviation industry is dependent on distributed architectures for delivery of efficient services, including distributed networks and interdependent physical and cyberspace functions, which presents complex security challenges. Breaches can have dire consequences, ranging from privacy breaches and the theft of trade secrets to risk to life.
85. The aviation industry already has robust security frameworks in place, in the ATSA. Comprehensive reforms to this regime are anticipated to be progressed after the passage of this Bill. This will ensure that key assets regulated by this regime would similarly implement the positive security obligations, including in relation to the significant threat posed by cyber and systems attacks. The Department will work closely with industry to coordinate the implementation of these reforms across the aviation industry. It is however crucial to ensure the sector is captured by the framework in the amended SOCI Act to ensure that further enhancements and protective measures are available.
86. The note to the definition explains that under section 9 of the SOCI Act the rules may prescribe that a specified 'critical aviation asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical banking asset
87. This term is defined in new section 12G of the SOCI Act. The note to the definition explains that under section 9 of the SOCI Act the rules may prescribe that a specified 'critical banking asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical broadcasting asset
88. This term is defined in new section 12E of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical broadcasting asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical data storage or processing asset
89. This term will be defined in new section 12F of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical data storage or processing asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical defence capability
90. A critical defence capability is one which provides for the ability to shape Australia's strategic environment, deter actions against Australia's interests, and respond with credible military force when required to protect Australia's national security and national interests. This is a non-exhaustive definition, as what is a critical defence capability will shift to reflect the changing risks to Australia's national security and defence environment.
91. The term 'critical defence capability' includes materiel, technology, a platform, a network, a system and a service, that is required in connection with either the defence of Australia or with national security. Broadly, this may include things that:
• support operational requirements to respond to an existing and imminent threat;
• provide support to, prepare for, and sustain additional government-directed operations;
• maintain high-readiness contingency forces;
• conduct government directed regional engagement;
• maintain and sustain Defence capability for force generation, including training, medical, health and welfare; and
• deliver business continuity for Defence and defence industry.

critical defence industry asset
92. A 'critical defence industry asset' is an asset that is being, or will be, supplied by an entity to the Defence Department, or the Australian Defence Force, under a contract and consists of, or enables, a critical defence capability.
93. The reference to 'will be' in the definition is intended to capture assets for which there is a contract in place but the supply has not yet commenced.
94. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical defence industry asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.
95. These assets are key enablers of Defence capability. They provide the ability to shape Australia's strategic environment, deter actions against Australia's interests, and respond with credible military force when required to protect Australia's national security and national interests. This definition includes only those goods and services that are provided directly to Defence to meet a critical capability need, as well as critical components to those goods, technologies and services. This definition is intended to exclude those industry entities that could be considered key enablers of Defence capability but would be captured under other sectors in the Bill (e.g. electricity or water).
96. The definition of critical defence industry asset is intended to be a sub-set of the 'critical military-related goods, services and technologies' identified in the context of the proposed reforms to the Foreign Acquisitions and Takeovers Regulations 2015; noting reforms to Australia's foreign investment review framework are still subject to Parliamentary consideration.
97. While assets that fall within this definition may be subject to each of the positive security obligations, it is proposed that the Department of Defence will continue to manage security practices through its pre-existing DISP framework.

critical domain name system
98. This term is defined in new section 12KA of the SOCI Act.

critical education asset
99. This term is defined as meaning a university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers. The National Register of Higher Education Providers is administered by the Tertiary Education Quality and Standards Agency (TEQSA) and is accessible on its website.
100. Australian universities contribute strongly to Australia's economy. For example, a 2018 report by London Economics found that Group of Eight universities, which comprise Australia's leading research-intensive universities, had an economic impact on the Australian economy of some $66.4 billion each year. Universities are also responsible for a significant portion of critical research and innovation activities in Australia. Universities Australia estimates that Australian universities undertook 34 per cent of Australia's total research and development, and more than 70 per cent of public sector research, in 2017-18. This research and innovation underpins a wide range of aspects of Australia's society, economy and defence.
101. Australian universities are likely to continue to be a key contributor to research and innovation activities as they are required to undertake research, and offer Masters and Doctoral research degrees, in at least three broad fields, as a condition of registration with the Tertiary Education Quality and Standards Agency. Accordingly, maintaining the security and stability of critical education assets is key to continued prosperity in Australia.
102. The definition of critical education asset refers to an institution that is owned or operated by an Australian university rather than to particular aspects of the institution that are owned or operated. This reflects the complex, interconnected and multi-functional nature of universities. However, should obligations under Part 2A of the Bill be applied to critical education assets, the Department will work closely with responsible entities to ensure that any requirements are reasonable and proportionate in relation to the various components of the institution, such as physical and electronic assets (campuses, research labs, and computing infrastructure and networks), while not unduly impacting non-critical aspects of a university such as recreational facilities.
103. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical education asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical energy market operator asset
104. This term is defined as an asset that is owned or operated by Australian Energy Market Operator Limited (ACN 072010327), or Power and Water Corporation, or Regional Power Corporation, or Electricity Networks Corporation, that is:
• used in connection with the operation of an energy market or system (paragraph (b)), and
• critical to ensuring the security and reliability of an energy market (paragraph (c)).
105. However, a 'critical energy market operator asset' does not include a 'critical electricity asset', a 'critical gas asset' or a 'critical liquid fuel asset' (see paragraphs (d), (e) and (f)).
106. Energy market operators play a crucial role in ensuring the safe and reliable provision of energy, which supports the broader functioning of society, the economy, national security and defence of Australia. A disruption to these critical assets could have significant and widespread impacts on communities, businesses and national security capabilities. Specifically, electricity and gas market operators play an essential role in ensuring electricity and gas systems operate safely and reliably, and allow for the trading of energy commodities that are ultimately sold to customers.
107. In this context, an asset that is owned or operated by an energy market operator will be critical to ensuring the security and reliability of an energy market if the asset is essential to the market operator undertaking its statutory functions, for example managing market trading and ensuring the security and reliability of the physical infrastructure. Although Western Power's primary function is as a transmission and distribution network operator, it has been included within the definition of a critical energy market operator as it undertakes market operator functions.
108. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical energy market operator asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical financial market infrastructure asset
109. This term is defined in new section 12D of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical financial market infrastructure asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical food and grocery asset
110. This term is defined in new section 12K of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical food and grocery asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical freight infrastructure asset
111. This term is defined in new section 12B of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical freight infrastructure asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical freight services asset
112. This term is defined in new section 12C of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical freight services asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical hospital
113. A 'critical hospital' means a hospital that has a general intensive care unit. These assets are critical as they have the ability to provide specialised treatment to patients who are acutely unwell and require critical care, have multi-disciplinary medical professionals and the necessary equipment to provide critical care for patients with a variety of medical, surgical and trauma conditions. These hospitals are therefore integral to the sustainment of life in Australia.
114. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical hospital' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical infrastructure sector
115. This term is defined in new section 8D of the SOCI Act.

critical infrastructure sector asset
116. This term is defined in new subsection 8E(1) of the SOCI Act.

critical insurance asset
117. This term is defined in new section 12H of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical insurance asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.
critical liquid fuel asset
118. This term is defined in new section 12A of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical liquid fuel asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.
critical public transport asset
119. The term is defined as a public transport network or system that is both managed by a single entity and capable of handling at least five million passenger journeys per month. However, the definition provides that it does not include a critical aviation asset.
120. Such assets play a vital role in enhancing economic productivity and the national economy by facilitating the efficient movement of people around Australia's cities. Australia's cities are growing rapidly and the movement of people is increasingly important to facilitating our prosperity. In our five largest cities (Adelaide, Brisbane, Melbourne, Perth and Sydney), close to half of the population live in the outer suburbs and have a high reliance on functioning and regular public transport networks.1 Further, these assets are critical to supporting the functioning of Australian society and culture by facilitating efficient freedom of movement.
121. Unfortunately, international events have shown that this criticality can also make these large and connected public transport networks prime targets for terrorist activities or other unlawful acts. This is particularly due to their accessibility and the large numbers of people being concentrated together at peak and predictable times. Some public transport providers also hold large data sets relating to their customers, including billing information and their public transport usage, which also need to be appropriately protected.
122. A public transport network or system may comprise multiple modes of transport, such as buses, trams and trains, which are managed by a single entity. The requirement for the critical public transport asset to be capable of handling at least five million passenger journeys a month focuses the definition on those networks and systems that service major population hubs and whose disruption would cause significant economic impact and social disconnection.
123. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical public transport asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical superannuation asset
124. This term is defined in new section 12J of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical superannuation asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

1 Infrastructure Australia, Outer Urban Public Transport 2018, page 4.
critical telecommunications asset 125. A 'critical telecommunications asset' means: • a telecommunications network that is owned or operated by a carrier and used to supply a carriage service, or • a telecommunications network or any other asset that is owned or operated by a carriage service provider an used in connection with the supply of a carriage service. 126. The definition mirrors the assets currently regulated under the Telecommunications and Other Legislation Amendment Act 2017, also known as the Telecommunications Sector Security Reforms. The definition covers the networks that carry voice and data between users across Australia and overseas and includes wires, fibre, towers, sensors, satellites, radio spectrum and physical infrastructure such as cable landing stations. 127. The security of telecommunications infrastructure significantly affects the social and economic well-being of the nation. Government and business are increasingly storing and communicating large amounts of information on and across telecommunications networks and facilities. They are crucial to a functioning society and economy and by their nature, telecommunications networks and facilities hold sensitive information. For example, lawful interception systems and customer billing and management systems which, if unlawfully accessed, can reveal sensitive law enforcement operations or the location of persons. Therefore, in addition to being a critical facilitator of so many aspects of society, these assets also present a rich intelligence target for those who wish to harm Australian interests. Telecommunications networks are also vital to the delivery and support of other critical infrastructure and services such as power, water and health. For these reasons, the telecommunications networks of carriers and carriage service providers are attractive targets for espionage, sabotage and foreign interference activity by state and non-state actors. 128. 
The definition does not include 'Over-the-Top' applications or services which operate over the top of this infrastructure. Over-the-Top refers to applications and services which are accessible over the internet, without any direct influence or control from network operators or internet service providers. These may include communications services such as voice and messaging (e.g. Skype), content streaming (e.g. Netflix) or cloud-based storage (e.g. Dropbox). 129. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified 'critical telecommunications asset' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact. 130. For the positive security obligations to apply to a 'critical telecommunication asset' a rule must be made by the Minister to turn the obligations on. While the telecommunications sector has robust security frameworks in place in the Telecommunications Act 1997, including obligations under TSSR in Part 14 of that Act, reforms to the TSSR regime will be 28
considered in 2021 and onwards. These will be informed by the Parliamentary Joint Committee on Intelligence and Security's 'Review of Part 14 of the Telecommunications Act 1997', and through consultation with industry. 131. Noting the importance of 'critical telecommunications assets' to the economic and social stability of Australia, we consider it timely to ensure that cyber and asset register reporting information is gathered from telecommunications assets to ensure that Government has a comprehensive picture of the threat environment facing all of Australia's critical infrastructure. We acknowledge the outcomes of the Parliamentary Joint Committee on Intelligence and Security's review into the Telecommunications Sector Security Reforms are outstanding and will review the arrangements for 'critical telecommunications assets' after the Committee hands down its review.. Furthermore, retaining the definition of 'critical telecommunications' at this stage will clarify, for example, the telecommunications assets on which there must be a relevant impact to trigger the powers in Part 3A--Responding to serious cyber security incidents. cyber security incident 132. This term is defined in new section 12M of the SOCI Act. data 133. 'Data' is defined in a non-exhaustive manner to include information in any form. data storage 134. 'Data storage' is defined as data storage that involves information technology, and includes data held in all forms on computer hardware and software systems . For avoidance of doubt, the definition expressly provides that data back-up is included within the definition. data storage device 135. Means a thing (for example, a disk or file server) containing (whether temporarily or permanently), or designed to contain (whether temporarily or permanently), data for use by a computer. data storage or processing provider 136. Means an entity that provides a data storage or processing service. data storage or processing sector 137. 
This term is defined to mean the sector of the Australian economy that involves providing data storage or processing services. These services are critical to maintaining the supply and availability of data and cloud services in Australia which are increasingly relied upon by, and facilitate the effective functioning of, government and industry.
138. New high-speed networks are enabling an exponential growth in services including the Internet of Things and cloud technology. In 2019, Deloitte reported that the adoption of cloud services by businesses in Australia has resulted in a cumulative productivity benefit to the economy of $9.4 billion over the previous 5 years, with 42% of businesses in Australia using paid cloud services. 139. Industries that have the highest adoption rates of cloud services include information, media and telecommunications (64% of businesses in the industry), mining (53%), healthcare and social assistance (45%) and retail trade (42%). 140. While the adoption of data storage and cloud services offers numerous economic and social benefits, it also introduces new risks for data security as businesses and governments aim to address challenges such as skill shortages in IT and cybersecurity, compatibility of new technologies with legacy systems and the cost associated with maintaining IT infrastructure. More than ever, commercially sensitive and personal data is being uploaded and processed online. This presents an attractive target for malicious actors. 141. As companies rely on third party providers for data storage and processing services for operational needs, these services have become vital for business continuity. The demand for data storage services, including Disaster Recovery as a Service, is expected to increase to address the risk of data centre outages. data storage or processing service 142. Means either a service that enables end-users to store or back up data, or a data processing service. Defence Department 143. Means the Department of State that deals with defence and that is administered by the Defence Minister. defence industry sector 144. The 'defence industry sector' means the sector of the Australian economy that involves the provision of critical defence capabilities.
The definition is intended to cover entities that provide or support, whether directly or indirectly through supply chain arrangements, a critical capability which enables the Defence Department's or the Australian Defence Force's (collectively referred to as Defence) ability to shape Australia's strategic environment, deter actions against Australia's interests, and respond with credible military force when required to protect Australia's national security and national interests. This includes entities that supply essential goods, technologies and services to Defence to meet a critical defence capability need, and entities that provide critical components to such a critical capability. Many different entities may play a role in the creation and supply of a critical defence capability.
145. Further, the defence industry sector includes those suppliers or producers of goods, technology and services that: • Defence needs to ensure ongoing access to, due to the highly essential nature of the goods, technology or services to Defence's capability advantage; or • Defence needs to limit others' access to, due to the highly sensitive nature of the goods, technology or services and their potential impact on Defence's interests. 146. A strong defence industry sector is essential to delivering Australia's modernised defence capabilities. The demand will increase for this sector to build and maintain fleets of new ships, submarines, armoured vehicles, infrastructure and facilities, and contribute to intelligence, surveillance and reconnaissance, cyber and other electronic and information based capabilities. Australian design, construction, integration, sustainment, services and support capabilities will be critical to meeting that demand. Defence Minister 147. The 'Defence Minister' is the Minister administering section 1 of the Defence Act 1903. derivative trade repository 148. This term is defined by reference to Chapter 7 of the Corporations Act. That Act defines a 'derivative trade repository' as a facility to which information about derivative transactions, or about positions relating to derivative transactions, can be reported (whether or not other information or data can also be reported to the facility). Electricity Networks Corporation 149. This term is defined to be the Electricity Networks Corporation established under section 4 of the Electricity Corporations Act 2005 (WA). electronic communication 150. This term is defined to be a communication of information in any form by means of guided or unguided electromagnetic energy. energy sector 151.
The 'energy sector' is the sector of the Australian economy that involves one of the following: • the production, transmission, distribution or supply of electricity • the production, processing, transmission, distribution or supply of gas, or • the production, processing, transmission, distribution or supply of liquid fuel.
152. This sector is crucial to ensuring the ongoing and reliable supply of energy in Australia, and in turn, facilitates the operation of society, the economy and the defence of Australia. If the energy sector were impacted by a significant disruption it would lead to cascading consequences across all sectors, significantly impacting Australia's security and economy. The energy sector provides essential services to almost all people and businesses across the Australian economy. 153. The consequences of a prolonged and widespread failure in the energy sector could have significant implications across the economy, such as shortages or destruction of essential medical supplies or the inability for businesses and governments to function. Any number of these situations would be catastrophic to Australia's economy, security and sovereignty, as well as the Australian way of life. 154. The definition is intended to be flexible so that it continues to be relevant as business models and technologies for the supply of electricity, gas and liquid fuels change over time. For example, technological advances, including advanced metering technologies, battery storage and virtual power plants, are transforming the Australian electricity industry. 155. For example, the sector might encompass electricity generators, gas and electricity transmission and distribution networks, gas processing and storage assets, liquid fuel refineries, transmission and storage assets and energy market operators. However, it does not capture energy consumers. engage in conduct 156. 'Engage in conduct' is defined as doing an act or thing or omitting to perform an act or thing. financial benchmark 157. 'Financial benchmark' is defined by reference to Part 7.5B of the Corporations Act.
At the time of the introduction of the Bill, the Corporations Act definition of 'financial benchmark' in section 908AB provides that it is a price, estimate, rate, index or value that: • is made available to users • is calculated periodically from one or more transactions, instruments, currencies, prices, estimates, rates, indices, values, financial products, bank accepted bills or negotiable certificates of deposit, or other interests or goods (whether tangible or intangible), and • is referenced or otherwise used for purposes that include one or more of the following: calculating the interest, or other amounts, payable under financial products, bank accepted bills or negotiable certificates of deposit; calculating the price at which a financial product, bank accepted bill or negotiable certificate of deposit may be traded, redeemed or dealt in; calculating the value of a financial product, bank accepted bill or negotiable certificate of deposit; or measuring the
performance of a financial product, bank accepted bill or negotiable certificate of deposit. financial market 158. This term is defined by reference to Chapter 7 of the Corporations Act. At the time of the introduction of the Bill, section 767A of the Corporations Act defines a 'financial market' as a facility through which: • offers to acquire or dispose of financial products are regularly made or accepted, or • offers or invitations are regularly made to acquire or dispose of financial products that are intended to result or may reasonably be expected to result in the making of offers to acquire or dispose of financial products or the acceptance of such offers. 159. Subsection 767A(2) of the Corporations Act also provides circumstances that are not financial markets. financial services and markets sector 160. This term is defined to be a sector of the Australian economy that involves any of the following: • carrying on a banking business • operating a superannuation fund • carrying on an insurance business • carrying on a life insurance business • carrying on a health insurance business • operating a financial market • operating a clearing and settlement facility • operating a derivative trade repository • administering a financial benchmark • operating a payment system • carrying on a financial services business, or • carrying on a credit facility business. 161. This is intended to be an expansive and broad definition that includes not only each of the above types of businesses, but other entities that support each of the above outcomes.
162. The financial services and markets sector is a key driver of Australia's economy and is important to the prosperity of the Australian population. In 2019-20 Financial and Insurance Services was the industry that contributed the second largest share to current price gross value add (8.9 per cent)2. 163. The sector also plays a critical role in the accumulation of capital, investment and commerce, and the production of goods and services. The existence of robust financial markets and services facilitates the international flow of funds between countries and tends to lower search and transaction costs in the economy. Highly developed financial markets make Australia one of the major centres of capital markets activity in Asia. 164. The accelerating rate of technological change and increasing penetration of mobile devices, combined with shifting customer preferences, will have dramatic implications for the ways in which financial services are structured, delivered and consumed. This trend is evident in Australia and is perhaps even more apparent in other countries in the Asia-Pacific region. 165. The prevalence of, and dependence on, advanced technologies, and the importance of financial services and markets to the Australian economy, mean that this sector will continue to be a target for malicious actors. Consistent with this, the Boston Consulting Group concluded in its report 'Global Wealth 2019: Reigniting Radical Growth'3 that financial firms are 300 times more likely than other institutions to experience cyber attacks. financial services business 166. This term is defined by reference to Chapter 7 of the Corporations Act where the term 'financial services business', at the time of introduction of the Bill, is defined as meaning a business of providing financial services. food 167. Means food that is fit for human consumption. food and grocery sector 168.
The 'food and grocery sector' means the sector of the Australian economy that involves manufacturing, processing, packaging, distributing or supplying food or groceries on a commercial basis. Primary production and agriculture are not intended to be captured within the food and grocery sector definition. 169. The definition recognises that reliable and secure access to food and groceries is a key component of the sustainment of life for all Australians. As such, the definition captures those entities that are integral to the supply chain of food and groceries in Australia. While supermarkets are often the most visible point for consumers within the supply chain when it comes to purchasing food and groceries, numerous suppliers and components are required throughout each part of the large and diverse supply chain in order for food and groceries to make it onto supermarket shelves.
2 Australian Bureau of Statistics, Australian National Accounts, catalogue number 5217.0. Accessed on 1 December 2020 at https://www.abs.gov.au/statistics/economy/national-accounts/australian-system-national-accounts/latest-release.
3 Boston Consulting Group, Global Wealth 2019: Reigniting Radical Growth, 2019, Page 22.
gas 170. This term is defined to be a substance that: • is in a gaseous state at standard temperature and pressure, and • consists of naturally occurring hydrocarbons and non-hydrocarbons, the principal constituent of which is methane, and • is suitable for consumption. general intensive care unit 171. Means an area within a hospital that is equipped and staffed so that it is capable of providing to a patient mechanical ventilation for a period of several days, and invasive cardiovascular monitoring, has admission and discharge policies in operation, and is supported by: • during normal working hours--at least one specialist, or consultant physician, in the specialty of intensive care, who is immediately available, and exclusively rostered, to that area; and • at all times--at least one medical practitioner who is present in the hospital and immediately available to that area; and • at least 18 hours each day--at least one nurse. government business enterprise 172. This term is defined by reference to the Public Governance, Performance and Accountability Act 2013 (the PGPA Act). Section 8 of the PGPA Act, at the time of introduction of the Bill, defines 'government business enterprise' as meaning a Commonwealth entity or Commonwealth company that is prescribed by rules made under that Act. health care 173.
A non-exhaustive definition of 'health care' is provided which includes a range of medical and allied health care services such as services provided by individuals who practice in any of the following professions and occupations: dental (including the profession of a dentist, dental therapist, dental hygienist, dental prosthetist and oral health therapist), medical, medical radiation practice, nursing, midwifery, occupational therapy, optometry, pharmacy, physiotherapy, podiatry, psychology, or a profession or occupation specified in Ministerial rules made under section 61 of the SOCI Act. The definition also includes treatment and maintenance as a patient in a hospital. health care and medical sector 174. The 'health care and medical sector' is the sector of the Australian economy that is involved in the provision of health care such as public health and preventive services, primary health care, emergency health services, hospital-based treatment, e-health services, pharmaceutical services, rehabilitation and palliative care, and diagnostic and imaging services. The definition also captures the production, distribution and supply of medical supplies which includes products that support the provision of health care services (for example, personal protective equipment and diagnostic equipment), pharmaceutical products and medicines, pacemakers and prosthetics. 175. The Australian health care and medical system is one of the best in the world and provides quality, safe and affordable health care for all Australians. It is a key reason why Australians enjoy one of the longest life expectancies in the world. Its criticality was also apparent and tested during COVID-19, where it played a central role in saving a number of lives and providing continued care to the most vulnerable members of the public. 176. Malicious actors have been known to exploit these dependencies, and the mass of sensitive information held, for profit. Evidence suggests that cyber security incidents are a significant area of concern for the health care and medical sector. According to the Office of the Australian Information Commissioner, the health sector has remained among the top reporting sectors for data breaches since January 2018.
In 2019, the Victorian health sector was subject to a ransomware attack, and advanced persistent threats have been witnessed targeting Australian health sector organisations and medical research facilities. 177. International experience also highlights the dire consequences that could occur as a result of a cyber security incident impacting the health care and medical sector. In 2017, WannaCry ransomware infected over 300,000 computers and impacted organisations in 150 countries. Among them, several health organisations were affected, such as the United Kingdom National Health Service, which had to cancel surgeries and divert ambulances. More recently, in September 2020, hackers disabled computer systems at Düsseldorf University Hospital in Germany, which led to the death of a patient after an ambulance had to be diverted. 178. Importantly, the definition of the sector has been developed to be intentionally broad in order to capture advances in health care and medicine in the future. However, the definition is not intended to capture the provision of services that are cosmetic rather than, for example, therapeutic or diagnostic.
health insurance business 179. This term is defined by reference to the Private Health Insurance Act 2007 (the Private Health Insurance Act), which at the time of introduction of the Bill, defines 'health insurance business' as the business of undertaking liability by way of insurance or an employee health benefits scheme that relates in a particular way to hospital treatment or general treatment. higher education and research sector 180. The 'higher education and research sector' means the sector of the Australian economy that involves being a higher education provider, or undertaking a program of research that is supported financially (wholly or in part) by the Commonwealth, or is relevant to a critical infrastructure sector other than the higher education and research sector itself. 181. This definition captures institutions that contribute significantly to the Australian economy, competitiveness, skilled workforce, and Australia's global standing both as quality providers of education and as cutting-edge research institutions. For example, this could include institutions that carry out medical research or institutions that own large-scale infrastructure that is essential to Australia's national interest. This definition does not capture the services provided by early learning centres, primary and secondary schools. 182. While higher education providers account for a large portion of research activities in Australia, private institutions may also conduct nationally significant research and development. These institutions are only caught within the definition of the sector to the extent that they receive financial assistance from the Australian Government, or relate to another critical infrastructure sector. 
For example, entities that have received financial assistance from the Australian Research Council or the National Health and Medical Research Council, and research activities that are relevant to the space or health sector, fall within the higher education and research sector. higher education provider 183. This term is defined by reference to the Tertiary Education Quality and Standards Agency Act 2011. At the time of introduction of the Bill section 5 of that Act defines 'higher education provider' to mean: • a constitutional corporation that offers or confers a regulated higher education award • a corporation that offers or confers a regulated higher education award and is established by or under a law of the Commonwealth or a Territory, or • a person who offers or confers a regulated higher education award for the completion of a course of study provided wholly or partly in a Territory.
hospital 184. This term is defined by reference to the Private Health Insurance Act. At the time of introduction of the Bill subsection 121-5(5) of that Act provides that a 'hospital' is a facility for which a declaration under subsection 121-5(6) of the Private Health Insurance Act is in force. Subsection 121-5(6) of the Private Health Insurance Act provides that the Minister may declare that a facility is a 'hospital'. IGIS official 185. 'IGIS official' means the Inspector-General of Intelligence and Security, or any other person covered by subsection 32(1) of the Inspector-General of Intelligence and Security Act 1986 (the IGIS Act). impairment of electronic communication to or from a computer 186. This term is defined non-exhaustively to include the prevention of any such communication, and the impairment of any such communication on an electronic link or network used by the computer, but does not include a mere interception of any such communication. For example, this would include an action that disabled the ability for a computer to connect with the internet, irrespective of whether that action involved accessing the computer itself. inland waters 187. This term means waters within Australia other than waters of the sea. insurance business 188. This term is defined by reference to the Insurance Act 1973 (the Insurance Act). At the time of introduction of the Bill section 3 of the Insurance Act defines the term 'insurance business' as meaning the business of undertaking liability, by way of insurance (including reinsurance), in respect of any loss or damage, including liability to pay damages or compensation, contingent upon the happening of a specified event, and includes any business incidental to insurance business as so defined. The definition then lists a number of things that are not an 'insurance business'. internet carriage service 189. This term means a listed carriage service that enables end-users to access the internet. life insurance business 190.
This term is defined by reference to the Life Insurance Act 1995. At the time of introduction of the Bill the term was defined as meaning a business that consists of any or all of the following: • the issuing of life policies,
• the issuing of sinking fund policies • the undertaking of liability under life policies • the undertaking of liability under sinking fund policies. 191. The definition also includes any business related to the above businesses and provides for what is not a 'life insurance business'. liquid fuel 192. This term has the same meaning as in the Liquid Fuel Emergency Act 1984. At the time of introduction of the Bill, section 3 of that Act defined the term as meaning liquid petroleum, a liquid petroleum product, a liquid petrochemical, methanol or ethanol. This includes crude oil and condensate, as well as refined products such as petrol, diesel and jet fuels, and biodiesel. listed carriage service 193. This term has the same meaning as in the Telecommunications Act. At the time of introduction of the Bill 'listed carriage service' is defined in that Act to be: • a carriage service between a point in Australia and one or more other points in Australia, • a carriage service between a point and one or more other points, where the first-mentioned point is in Australia and at least one of the other points is outside Australia, • a carriage service between a point and one or more other points, where the first-mentioned point is outside Australia and at least one of the other points is in Australia. 194. The definition in section 16 of the Telecommunications Act also clarifies what a 'point' is for the purposes of that definition. local hospital network 195. This term has the same meaning as in the National Health Reform Act 2011. At the time of the introduction of the Bill section 5 of that Act defined 'local hospital network' as meaning an organisation that is a local hospital network (however described) for the purposes of the National Health Reform Agreement. managed service provider 196. This term, when used in relation to an asset, means an entity that: • manages the asset or part of the asset,
• manages an aspect of the asset or a part of the asset, • manages an aspect of the operation of the asset or part of the asset. 197. For example, an operator of a critical infrastructure asset may outsource responsibility for maintaining its information technology infrastructure to a separate legal entity through a contractual service-level agreement. As a result, the managed service provider has effective control of, and responsibility for, the information technology of the critical infrastructure asset. medical supplies 198. This term is defined non-exhaustively and includes goods for therapeutic use and other things that are specified in the rules made under this Act. Ministerial authorisation 199. This term means an authorisation under new section 35AB of the SOCI Act. modification 200. 'Modification' is defined in reference to two scenarios. In respect of computer data it means either the alteration or removal of the data or an addition to the data. In respect of a computer program it means the alteration or removal of the program or an addition to the program. national broadcasting service 201. This term has the same meaning as in the Broadcasting Services Act. At the time of introduction of the Bill the definition in section 13 of that Act provided that national broadcasting services are: • broadcasting services provided by the Australian Broadcasting Corporation in accordance with section 6 of the Australian Broadcasting Corporation Act 1983, or • broadcasting services provided by the Special Broadcasting Service Corporation in accordance with section 6 of the Special Broadcasting Service Act 1991, or • broadcasting services provided under the Parliamentary Proceedings Broadcasting Act 1946. 202. Section 13 of the Broadcasting Services Act further provides what is not included in the definition. National Register of Higher Education Providers 203.
Means the register that is established and maintained under section 198 of the Tertiary Education Quality and Standards Agency Act 2011.
notification provision 204. Notification provisions are those provisions listed in paragraphs (a) to (q) in this definition. Ombudsman official 205. Means the Ombudsman, a Deputy Commonwealth Ombudsman or a person who is a member of the staff referred to in subsection 31(1) of the Ombudsman Act 1976. Item 8 Section 5 (paragraph (b) of the definition of operator) 206. Item 8 of Schedule 1 to the Bill repeals and replaces paragraph (b) of the definition of 'operator' in section 5 of the SOCI Act. New paragraph (b) defines operator to mean, for a critical infrastructure asset other than a critical port, an entity that operates the asset or part of the asset. Item 9 Section 5 207. Item 9 of Schedule 1 to the Bill inserts a definition of 'payment system' into section 5 of the SOCI Act. payment system 208. 'Payment system' has the same meaning as in the Payment Systems (Regulation) Act 1988. At the time of the introduction of the Bill section 7 of that Act defined payment system as a funds transfer system that facilitates the circulation of money, and includes any instruments and procedures that relate to that system. Item 10 Section 5 209. Item 10 of Schedule 1 to the Bill inserts a definition of 'Power and Water Corporation' into section 5 of the SOCI Act. Power and Water Corporation 210. Means the Power and Water Corporation that is established under section 4 of the Power and Water Corporation Act 1987 (NT). Item 11 Section 5 (after paragraph (b) of the definition of protected information) 211. Item 11 of Schedule 1 to the Bill expands the definition of 'protected information' in section 5 of the SOCI Act to include information that relates to new provisions being inserted into the SOCI Act under the Bill, which may contain commercially sensitive information, reveal security vulnerabilities or otherwise be sensitive such that its disclosure needs to be managed.
212. The additional types of documents or information that will be 'protected information' under the Bill include information that: • records or is the fact that the Minister has given a Ministerial authorisation or revoked a Ministerial authorisation (paragraph (bb)) • is, or is included in, a report under section 30BC or 30BD (paragraph (be)) • is, or is included in, a report in compliance with a system information periodic or event-based reporting notice (paragraph (bi)) • records or is the fact that the Secretary has given a direction under section 35AK or revoked such a direction (paragraph (bj)) • records or is the fact that the Secretary has given a direction under section 35AQ or revoked such a direction (paragraph (bk)), or • records or is the fact that the Secretary has given a request under section 35AX or revoked such a request (paragraph (bl)). 213. Importantly, there are a number of circumstances where the use or disclosure of protected information is authorised, or where exceptions to the prohibition apply (see Division 3 of Part 4 of the SOCI Act). Notably, the offence in section 45, which prohibits an entity from using or disclosing protected information, does not apply if the entity is the entity to which the protected information relates, or that entity consents to such disclosure or use (see subsection 46(4) of the SOCI Act). This recognises that the entity is well placed to manage the sensitivities associated with the information so far as it relates to its asset and may need to disclose the information to meet its obligations under the Act, or otherwise effectively operate the asset. Item 12 Section 5 (paragraph (c) of the definition of protected information) 214. Paragraph (c) of the definition of 'protected information' in section 5 of the SOCI Act currently provides that information is 'protected information' if it is a document or information to which paragraphs (a) or (b) applies.
Item 12 of Schedule 1 to the Bill amends paragraph (c) to make reference to the different types of information that are 'protected information' in new paragraphs (ba) to (bh) of the definition, as outlined in Item 11 above. Item 13 Section 5 215. Item 13 of Schedule 1 to the Bill inserts further definitions into the SOCI Act that are required as a result of the amendments being made by the Bill.
radiocommunications transmitter 216. Has the same meaning as in the Radiocommunications Act 1992 (the Radiocommunications Act). At the time of the introduction of the Bill subsection 7(2) of that Act defines 'radiocommunications transmitter' as: • a transmitter designed or intended for use for the purpose of radiocommunications • anything (other than a line within the meaning of the Telecommunications Act) designed or intended to be ancillary to, or associated with, such a transmitter for the purposes of that use, or • anything (whether artificial or natural) that is designed or intended for use for the purpose of radiocommunication by means of the reflection of radio emissions and that the Australian Communications and Media Authority determines in writing to be a radiocommunications transmitter for the purposes of the Radiocommunications Act. regional centre 217. This term means a city, or a town, that has a population of 10,000 or more people. Regional Power Corporation 218. This term means the Regional Power Corporation established by section 4 of the Electricity Corporations Act 2005 (WA). registrable superannuation entity 219. This term has the same meaning as in the Superannuation Industry (Supervision) Act 1993. At the time of introduction of the Bill section 10 of that Act defined 'registrable superannuation entity' as meaning a regulated superannuation fund, an approved deposit fund or a pooled superannuation trust, but does not include a self-managed superannuation fund. regulated air cargo agent 220. This term has the same meaning as in the ATSA. At the time of the introduction of the Bill, the ATSA defined the term to mean a person designated as a regulated air cargo agent in accordance with regulations made under section 44C of the ATSA. related body corporate 221. This term has the same meaning as in the Corporations Act.
At the time of introduction of the Bill, a 'related body corporate' was defined in that Act to mean, in relation to a body corporate, a body corporate that is related to the first-mentioned body by virtue of section 50 of the Corporations Act. 43
relevant Commonwealth regulator

222. This term means either a Department that is specified in the rules made by the Minister under section 61 of the SOCI Act or a body that is established by a law of the Commonwealth and specified in the rules.

relevant entity

223. A 'relevant entity', in relation to an asset, means an entity that is the responsible entity for the asset, or is a direct interest holder in relation to the asset, or is an operator of the asset, or is a managed service provider for the asset. 'Operator' is used in this context consistently with the definition in section 5, to include an entity that operates the asset or part of the asset.

relevant impact

224. This term is defined in new section 8G of the SOCI Act.

Item 14 Section 5 (definition of relevant industry)

225. Item 14 of Schedule 1 to the Bill repeals the definition of 'relevant industry', as this has been replaced in the Bill by the concept of 'critical infrastructure sector' as defined in new section 8D of the SOCI Act (see Item 21 of Schedule 1 to the Bill, below).

Item 15 Section 5 (definition of responsible entity)

226. Item 15 of Schedule 1 to the Bill repeals the definition of 'responsible entity' in section 5 of the SOCI Act and replaces it with a definition which refers to new section 12L, where the term will now be defined (see further at Item 32 of Schedule 1 to the Bill, below).

Item 16 Section 5 (paragraph (a) of the definition of security)

227. Item 16 of Schedule 1 to the Bill amends paragraph (a) of the definition of 'security' to provide that 'security' has the meaning given by the ASIO Act, except in the definition of critical energy market operator asset and sections 10, 12, 12A, 12D, 12G, 12H, 12J, 12M and 12N, where 'security' has its ordinary meaning and is not necessarily limited to national security.

Item 17 Section 5 (paragraph (b) of the definition of security)

228. Item 17 of Schedule 1 to the Bill amends paragraph (b) of the definition of 'security' to provide that 'security' has the meaning given by the ASIO Act, except in the definition of critical energy market operator asset and sections 10, 12, 12A, 12D, 12G, 12H, 12J, 12M and 12N, where 'security' has its ordinary meaning and is not necessarily limited to national security.
Item 18 Section 5

229. Item 18 of Schedule 1 to the Bill inserts further definitions into the SOCI Act that are required as a result of the amendments being made by the Bill.

significant financial benchmark

230. This term has the same meaning as in the Corporations Act. At the time of introduction of the Bill, section 908AC of the Corporations Act provides that a 'significant financial benchmark' is a financial benchmark declared under subsection 908AC(2) of the Act. That subsection provides that ASIC may, by legislative instrument, declare a financial benchmark to be a 'significant financial benchmark' if satisfied of the criteria in paragraphs 908(2)(a)-(2)(c) of the Corporations Act.

space technology sector

231. The 'space technology sector' is the sector of the Australian economy that involves the commercial provision of space-related services. The space technology sector touches every aspect of the Australian economy and is heavily relied on by other critical infrastructure for their daily functioning. For example, space-based technology provides essential data in support of other services such as weather forecasting, emergency management, communications and online banking. This dependence poses a serious security dilemma, as incidents can have far-reaching and potentially catastrophic consequences for other critical infrastructure sectors such as communications, banking and transport.

232. The definition is intended to capture the assets that provide the services, as well as those that support them.
The note to the definition provides the following non-exhaustive examples of what may be regarded as space-related services, noting that it is a dynamic and evolving sector of the economy:
• position, navigation and timing services in relation to space objects,
• space situation awareness services,
• space weather monitoring and forecasting,
• communications, tracking, telemetry and control in relation to space objects,
• remote sensing earth observations from space, or
• facilitating access to space.

233. These examples align with the National Civil Space Priority Areas outlined in the Department of Industry, Science, Energy and Resources' Australian Civil Space Strategy 2019-2028. The space technology sector is a rapidly evolving sector, with new space-related services and new methods of utilising space technology constantly being developed. In Australia, the space technology sector is growing strongly and is expected to grow at an annualised 7.1 per cent over the five years through 2023-24.

staff member

234. In relation to the authorised agency, means a staff member of the Australian Signals Directorate (within the meaning of the Intelligence Services Act).

technical assistance notice

235. This term has the same meaning as in Part 15 of the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a notice that has been issued under section 317L of the Telecommunications Act.

technical assistance request

236. This term has the same meaning as in Part 15 of the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a request made under paragraph 317G(1)(a) of the Telecommunications Act.

technical capability notice

237. This term has the same meaning as in Part 15 of the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a notice given under section 317T of the Telecommunications Act.

telecommunications network

238. This term has the same meaning as in the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a system, or series of systems, that carries, or is capable of carrying, communications by means of guided and/or unguided electromagnetic energy.

therapeutic use

239. This term has the same meaning as in the Therapeutic Goods Act 1989. At the time of the introduction of the Bill, the term was defined in that Act as meaning use in, or in connection with:
• preventing, diagnosing, curing or alleviating a disease, ailment, defect or injury in persons,
• influencing, inhibiting or modifying a physiological process in persons,
• testing the susceptibility of persons to a disease or ailment,
• influencing, controlling or preventing conception in persons,
• testing for pregnancy in persons, or
• the replacement or modification of parts of the anatomy in persons.

transport sector

240. The 'transport sector' means the sector of the Australian economy that involves:
• owning or operating assets that are used in connection with the transport of goods or passengers on a commercial basis, or
• the transport of goods or passengers on a commercial basis.

241. The definition recognises the important role that the sector plays in the economy by facilitating the movement of goods and people across Australia, as well as the assets that support that movement. The geographic spread of Australia's population, coupled with economic reliance on goods that are produced in remote areas, means that the reliable and efficient transport of goods, such as food, and passengers is essential to the functioning of the economy and social cohesion. For instance, the transport of essential food and groceries into remote areas of the Northern Territory relies on the availability of long combination vehicles or 'road trains' (as they are commonly referred to).

242. The intent of extending the definition to capture entities that own or operate assets used in connection with the transport of goods and passengers on a commercial basis is to capture those enabling assets that, if disrupted, would undermine the operation of Australia's transport capability. For example, the definition is intended to capture logistics services without which freight operations could not function. In another example, transport is often reliant on intermodal facilities that provide for the efficient transfer of goods and people from one mode of transport to another.

unauthorised access, modification or impairment

243. This term has the meaning given by new section 12N of the SOCI Act.

water and sewerage sector

244.
The 'water and sewerage sector' means the sector of the Australian economy that involves either operating water or sewerage systems or networks, or manufacturing or supplying goods, or providing services, for use in connection with the operation of water or sewerage systems or networks.

245. This definition is intended to capture wastewater, potable water, raw water and recycled water, and encompasses desalination plants, water utilities and bulk water providers. The definition also captures the supply chains that support these services, such as the manufacturers and suppliers of chemicals used in the treatment of water.

246. This sector is critical to the continued supply of clear and safe water for all Australians and to the functioning of other critical infrastructure. Water and sewerage are essential to socio-economic development, healthy ecosystems and to human survival itself. Combined, they are vital to reducing the burden of disease and improving the health, welfare and productivity of the Australian population. Water is a finite and irreplaceable resource that must be protected.

247. International examples have shown that these services can be the target of malicious actors who intend to cause serious harm to populations. For example, Israel's National Cyber Directorate received reports about attempted cyber attacks in April 2020 and June 2020 on its water infrastructure. If successful, the attack would have led to the increased chlorination of treated water, causing the poisoning of the local population served by the affected treatment facility.

Item 19 Section 5 (definition of water utility)

248. Item 19 of Schedule 1 to the Bill will insert the words 'or sewerage services, or both.' at the end of the definition of 'water utility'. This is intended to provide consistency with the breadth of the water and sewerage sector as well as the existing definition of critical water asset in section 5 of the SOCI Act.

Item 20 At the end of section 6

249. Item 20 of Schedule 1 to the Bill inserts new subsections (5) and (6) into section 6 of the SOCI Act, which outlines the meaning of 'interest and control information'.

250. Subsection 6(5) provides that, if the 'first entity' (i.e. the entity operating an asset) is the Governor-General, the Prime Minister or a Minister, and is a direct interest holder in relation to an asset because of paragraph 8(1)(b) of the SOCI Act, the first entity is not required to provide any interest or control information.

251. The note to subsection 6(5) reminds the reader that the term Minister is defined in section 2B of the Acts Interpretation Act 1901 (Acts Interpretation Act).

252.
As provided at item 26, the broader range of assets that are intended to be captured as critical infrastructure assets may include Commonwealth government business enterprises. In light of this, subsection 6(5) ensures these individuals, who would otherwise be required to provide interest or control information as a result of the office they hold, are not required to report information for the register.

253. However, subsection 6(6) clarifies that subsection 6(5) does not affect the obligation of the Commonwealth to provide interest and control information in relation to the asset if the Commonwealth is also a direct interest holder in relation to the asset because of paragraph 8(1)(a) or (b) of the SOCI Act.

254. This means that if the Commonwealth identifies as a direct interest holder for an asset, then the Commonwealth is required to provide interest and control information. The practical effect of this provision is that the Commonwealth department or agency responsible for the asset will provide interest and control information in relation to that asset on the register of critical infrastructure assets.

Item 21 After section 8C

255. Item 21 of Schedule 1 to the Bill inserts new sections 8D, 8E, 8F and 8G into the SOCI Act.

Section 8D Meaning of critical infrastructure sector

256. New section 8D of the SOCI Act lists each of the following sectors of the Australian economy as a 'critical infrastructure sector':
• the communications sector (paragraph (a))
• the data storage or processing sector (paragraph (b))
• the financial services and markets sector (paragraph (c))
• the water and sewerage sector (paragraph (d))
• the energy sector (paragraph (e))
• the health care and medical sector (paragraph (f))
• the higher education and research sector (paragraph (g))
• the food and grocery sector (paragraph (h))
• the transport sector (paragraph (i))
• the space technology sector (paragraph (j)), and
• the defence industry sector (paragraph (k)).

257. The definitions for each separate sector are included in section 5, by operation of the Bill.

258. This definition, in combination with the amendments to sections 9 and 51 of the SOCI Act, serves to limit the sectors from which the Minister may prescribe or declare additional critical infrastructure assets. The definition is also used in the definition of critical infrastructure sector assets (defined in new section 8E of the SOCI Act).

Section 8E Meaning of critical infrastructure sector asset

259. New section 8E of the SOCI Act provides that an asset is a 'critical infrastructure sector asset' if it relates to a 'critical infrastructure sector' as defined in new section 8D, above. In addition, certain assets are deemed to be critical infrastructure sector assets as
outlined in subsections (2)-(11). These deeming provisions are not intended to limit the interpretation of a critical infrastructure sector asset, but rather clarify that particular critical infrastructure assets relate to certain critical infrastructure sectors.

260. Section 8E is used to limit the assets to which the serious cyber incident response powers at new Part 3A may apply.

261. While the serious cyber incident response powers are focused on protecting critical infrastructure assets, the high level of interdependencies across the Australian economy and through supply chains means that actions in relation to an asset in a sector identified in new section 8D may be required to respond to a serious cyber security incident.

Subsections 8E(2)-(11)--Deeming--when asset relates to a sector

262. Subsection (2) provides that, for the purposes of the SOCI Act, each of the following assets (each of which is defined) is taken to relate to the communications sector:
• a critical telecommunications asset (paragraph (a))
• a critical broadcasting asset (paragraph (b)), and
• a critical domain name system (paragraph (c)).

263. Subsection (3) provides that, for the purpose of the SOCI Act, a critical data storage or processing asset is taken to relate to the data storage or processing sector.

264. Subsection (4) provides that each of the following assets (each of which is separately defined) is taken to relate to the financial services and markets sector:
• a critical banking asset (paragraph (a))
• a critical superannuation asset (paragraph (b))
• a critical insurance asset (paragraph (c)), and
• a critical financial market infrastructure asset (paragraph (d)).

265. Subsection (5) provides that, for the purpose of the SOCI Act, a critical water asset is taken to relate to the water and sewerage sector.

266. Subsection (6) provides that each of the following assets (each of which is separately defined) is taken to relate to the energy sector:
• a critical electricity asset (paragraph (a))
• a critical gas asset (paragraph (b))
• a critical energy market operator asset (paragraph (c)), and
• a critical liquid fuel asset (paragraph (d)).

267. Subsection (7) provides that, for the purposes of the SOCI Act, a critical hospital is taken to relate to the health care and medical sector. Subsection (8) provides that a critical education asset is taken to relate to the higher education and research sector. Subsection (9) provides that a critical food and grocery asset is taken to relate to the food and grocery sector.

268. Subsection (10) provides that the following assets (each of which is a term defined separately) relate to the transport sector:
• a critical port (paragraph (a))
• a critical freight infrastructure asset (paragraph (b))
• a critical freight services asset (paragraph (c))
• a critical public transport asset (paragraph (d)), and
• a critical aviation asset (paragraph (e)).

269. Subsection (11) provides that a critical defence industry asset is taken to relate to the defence industry sector.

Section 8F Critical infrastructure sector for a critical infrastructure asset

270. New section 8F of the SOCI Act clarifies that, for the purposes of the SOCI Act, the critical infrastructure sector for a critical infrastructure asset is the critical infrastructure sector to which the asset relates.

Section 8G Meaning of relevant impact

271. New section 8G of the SOCI Act defines the term 'relevant impact' in relation to a hazard on a critical infrastructure asset, or in relation to a cyber security incident on a critical infrastructure asset.

272. This term is used in several places in the SOCI Act to refer to the types of impacts on an asset that are the focus of the obligations. For example, an impact on customer service or the quality of the service being provided will not necessarily be regarded as a relevant impact unless it also impacts the availability, integrity, reliability or confidentiality of information about the asset.
This term is intended to focus the obligations under the SOCI Act on only those impacts that affect the security of critical infrastructure assets and, therefore, Australia's social and economic stability, national security and defence.

273. The relevant impact may be direct or indirect. This is intended to focus the definition on the result of the hazard or cyber security incident rather than its source, emphasising the all-hazards approach being taken under the Bill.
274. Subsection (1) provides that the relevant impact of a hazard on a critical infrastructure asset is the impact (whether direct or indirect) of the hazard on:
• the availability of the asset (paragraph (a))
• the integrity of the asset (paragraph (b))
• the reliability of the asset (paragraph (c)), or
• the confidentiality of information about the asset, information stored in the asset and computer data (paragraph (d)).

275. For instance, the relevant impact of a hazard on a critical infrastructure asset in the energy sector could be an extreme weather event (e.g. heatwave, severe storm) creating a blackout across a metropolitan area. This amounts to a 'relevant impact' because the availability of the critical electricity asset has been compromised, such that a significant population does not have access to power, or the supply is unreliable. This would lead to considerable disruption to interconnected networks that rely on electricity, impacting their integrity, reliability and availability, potentially resulting in:
• reduced services or shutdown of the banking, finance and retail sectors,
• impacts to clean water supply, and
• disruptions to the transport sector, traffic management systems and availability of fuel.

276. The relevant impact of an unauthorised access to the systems of a data centre could directly result in a compromise to the confidentiality of the information held in that data centre, resulting in an impact on businesses' ability to trust in the integrity of the data held in that facility.

277. It is important to note that a relevant impact must be more serious than a reduction in the quality of service being provided.

278. Subsection (2) provides that the relevant impact of a cyber security incident on a critical infrastructure asset is the impact (whether direct or indirect) of the cyber security incident on:
• the availability of the asset (paragraph (a))
• the integrity of the asset (paragraph (b))
• the reliability of the asset (paragraph (c)), or
• the confidentiality of information about the asset, information stored in the asset and computer data (paragraph (d)).
Item 22 Paragraphs 9(1)(a), (b), (c) and (d)

279. Section 9(1) of the SOCI Act defines the term 'critical infrastructure asset' through the list in paragraphs (1)(a) to (f). Item 22 of Schedule 1 to the Bill repeals paragraphs (1)(a) to (d), and inserts paragraphs (1)(a) to (dr), which provide for the inclusion of the additional 18 classes of critical infrastructure assets introduced through the Bill.

280. Building on the existing definition in the SOCI Act, definitions of additional critical infrastructure assets within the eleven critical infrastructure sectors will be introduced while retaining the Minister for Home Affairs' existing ability to prescribe or declare additional assets, noting the amendments to paragraph 9(3)(b).

281. Critical infrastructure assets across each sector have been identified through an assessment of criticality to the social or economic stability of Australia or its people, the defence of Australia, or national security. In particular, considerations include, but are not limited to, whether, if destroyed, degraded, or rendered unavailable, there would be a significant detrimental impact on:
• maintaining basic living standards for the Australian population - this includes those essential services and other services without which the safety, health or welfare of the Australian community or a large section of the community would be endangered or seriously prejudiced;
• industries, commercial entities and financial institutions that underpin Australia's wealth and prosperity;
• the security of large or sensitive data holdings which, if undermined, could lead to the theft of personal or commercially sensitive information, intellectual property or trade secrets, and national security and defence capabilities.

Item 23 At the end of subsection 9(1)

282. Item 23 of Schedule 1 to the Bill will insert a note at the end of subsection 9(1) directing the reader to see subsection 13(3) of the Legislation Act 2003 (Legislation Act) with regard to prescription by class. Subsection 13(3) of the Legislation Act provides that if enabling legislation, such as this Act, confers on a person the power to make a legislative instrument that specifies or declares or prescribes a matter, or does anything in relation to a matter, then in exercising the power, the person may identify the matter by referring to a class or classes of matters.

Item 24 Paragraphs 9(2)(a), (b), (c) and (d)

283. Under subsection 9(2) of the SOCI Act, the rules made by the Minister under section 61 may prescribe that a specific asset is not a critical infrastructure asset. Item 24 of Schedule 1 to the Bill reflects the same changes made under item 22, in that it repeals paragraphs (a) to (d) and replaces them with the new paragraphs (a) to (v), creating a list of twenty-two classes of critical infrastructure assets from which the rules may prescribe a specific asset as not being a critical infrastructure asset.

Item 25 At the end of subsection 9(2)

284. Item 25 of Schedule 1 to the Bill will insert a note at the end of subsection 9(2) directing the reader to see subsection 13(3) of the Legislation Act with regard to prescription by class. Subsection 13(3) of the Legislation Act provides that if enabling legislation, such as this Act, confers on a person the power to make a legislative instrument that specifies or declares or prescribes a matter, or does anything in relation to a matter, then in exercising the power, the person may identify the matter by referring to a class or classes of matters.

Item 26 After subsection 9(2)

285. Item 26 of Schedule 1 to the Bill inserts new subsections 9(2A) and (2B) after the existing subsection 9(2).

286. New subsection (2A) applies where an asset is owned by the Commonwealth or a body corporate established by a law of the Commonwealth. When this subsection applies, the asset concerned will not be a critical infrastructure asset unless:
• the asset is declared under section 51 of the SOCI Act to be a critical infrastructure asset (paragraph (c)), or
• the asset is prescribed by the rules for the purposes of paragraph 9(1)(f) (paragraph (d)).

287. The Government acknowledges the criticality of, and the need to safeguard and protect, assets, networks and infrastructure that are necessary for the effective operation of government and democratic institutions. This is critical to maintaining trust and confidence in government and democratic institutions, and the effective functioning of government services.

288. However, the measures and powers in this Bill will not apply to all Commonwealth assets, because these assets are already subject to existing frameworks that are designed to maintain security and resilience.
The Commonwealth is also in a position to provide active assistance should these assets be subject to a serious cyber incident.

289. Commonwealth assets are subject to the Protective Security Policy Framework (PSPF), which requires government departments and agencies to implement certain security measures in relation to four key areas:
• Governance: to manage security risks and support a positive security culture
• Personnel: to ensure employees and contractors are suitable to access Government resources, and meet appropriate standards of integrity and honesty
• Information: to maintain confidentiality, integrity and availability of official information
• Physical: to provide a safe and secure physical environment for people, information and assets.

290. The PSPF is supported by other government initiatives that are designed to maintain information security standards.
• The Information Security Registered Assessors Program (IRAP), which is an Australian Signals Directorate initiative to provide high-quality information and communications technology security assessment services to government.
• The Australasian Information Security Evaluation Program (AISEP) evaluates and certifies products to provide a level of assurance in their security functionality in order to protect systems and information against cyber threats. These evaluation activities are certified by the Australasian Certification Authority (ACA).
• The Australian Government Information Security Manual outlines a cybersecurity framework that organisations can apply, using their risk management framework, to protect their systems and information from cyber threats.
• The Strategies to Mitigate Cyber Security Incidents is a prioritised list of mitigation strategies to assist organisations in protecting their systems against a range of adversaries.

291. Furthermore, the Government has announced a package of work to strengthen the defences of Commonwealth public sector networks as part of Australia's Cyber Security Strategy 2020. The first priority of this work is to centralise the management and operations of the large number of networks run by Australian Government agencies, including considering secure hubs. Centralisation reduces the number of targets available to hostile actors such as nation states or state-sponsored adversaries, allowing the Australian Government to focus its cyber security investment on a smaller number of more secure networks. A centralised model will be designed to promote innovation and agility while still achieving economies of scale.
292. The centralisation of cyber security systems across government will be complemented by the work of government agencies to strengthen cyber security and implement the ACSC's Essential Eight strategies to mitigate cyber security incidents. This work will be informed and supported by the ACSC's ongoing cyber security advice and assistance. This approach to the uplift of government systems will be designed to reduce the risk of compromise, and prevent the common techniques used by malicious cyber actors to compromise systems. Australian government agencies will also put a renewed focus on policies and procedures to manage cyber security risks. Standard cyber security clauses will be included in Australian Government IT contracts.
293. However, as provided at new paragraph 9(2A)(b), this exemption for Commonwealth assets does not extend to those assets owned by a Commonwealth body corporate that is a government business enterprise. This is because government business enterprises are in essence commercial entities. Accordingly, and generally speaking, Government has limited control over the daily operations of these entities, and the manner in which they provide services may be regarded as more closely resembling private sector entities. NBN Co Limited and the Australian Postal Corporation are examples of government business enterprises.

294. However, new paragraphs 9(2A)(c)-(d) provide a mechanism by which Commonwealth assets may be prescribed or declared to be critical infrastructure assets in the future, should there be a change in circumstances and the existing security treatments no longer be regarded as appropriate.

295. New subsection (2B) provides that an asset is not a critical infrastructure asset, if, or to the extent to which, that asset is located outside of Australia. In effect, the various definitions of critical infrastructure assets will be limited to the aspects of the assets that are located in Australia permanently, or from time to time (for example, in the case of an airplane). It is notable that 'Australia', as defined under section 5 of this Act, includes the external territories.

Item 27 Paragraph 9(3)(b)

296. Under paragraph 9(1)(f) of the SOCI Act, an asset prescribed in the rules for the purposes of the paragraph will be a critical infrastructure asset. Paragraph 9(3)(b) currently provides that the Minister, amongst other things, must not prescribe an asset for the purposes of paragraph 9(1)(f) unless the Minister is satisfied that there is a risk, in relation to the asset, that may be prejudicial to security.

297. Item 27 of Schedule 1 to the Bill repeals and replaces paragraph 9(3)(b) of the SOCI Act to provide that the Minister must be satisfied that the asset relates to a critical infrastructure sector before prescribing the asset as a critical infrastructure asset under paragraph 9(1)(f).

298. The repealed provision is no longer appropriate in light of the new obligations being introduced by the Bill, which focus on identifying critical infrastructure assets and ensuring they are resilient. The criticality of the assets, and the essential role they play in Australia, must be the exclusive focus when identifying the assets on which the SOCI Act is focused. Further, the amendment reflects the reality that there is some security risk associated with all critical infrastructure assets, limiting the utility of this criterion.

299. In its place, new paragraph 9(3)(b) limits the scope of assets that the Minister may prescribe as critical to those that relate to a critical infrastructure sector. This will ensure that assets cannot be prescribed economy-wide, but rather must be from a sector of the economy that is regarded as critical.
Item 28 Subparagraph 9(4)(a)(i) 300. Subparagraph 9(4)(a)(i) of the SOCI Act provides that the Minister must not prescribe an asset under paragraph 9(1)(f) unless the Minister has first consulted the First Minister of the State or Territory in which the asset is located. Item 28 of Schedule 1 to the Bill amends subparagraph to refer to the State or Territory in which the asset is wholly or partly located. This is intended to reflect the national, or cross-jurisdictional, footprint of some critical infrastructure assets. Item 29 Subparagraph 9(4)(a)(ii) 301. Item 29 of Schedule 1 to the Bill omits the words 'industry for the asset' and substitutes the words 'critical infrastructure sector' in subparagraph 9(4)(a)(ii) of the SOCI Act. This is to reflect the introduction of the concept of a 'critical infrastructure sector' in new section 8D, as outlined above. Item 30 Paragraph 10(1)(a) 302. Section 10 of the SOCI Act defines the term 'critical electricity asset'. One of the current criteria for being a 'critical electricity asset' is that the asset is a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers. 303. Item 30 of Schedule 1 to the Bill inserts the words 'or any other number of customers prescribed by the rules' at the end of paragraph 10(1)(a) which will allow the Minister, through rules made under section 61 of the SOCI Act, to change the number of customers that qualifies an asset to be a 'critical electricity asset'. 304. Electricity is fundamental to every facet of Australian society, underpinning just about everything in the digital age. The Bill draws on the existing definition in the SOCI Act and provides for the option to extend its application to a broader set of assets in recognition that the prolonged disruption to Australia's electricity networks would have a significant impact on communities, businesses and national security capabilities. 
This change is intended to future-proof the framework.

Item 31 Paragraph 12(1)(b)

305. Section 12 of the SOCI Act defines the term 'critical gas asset'. Paragraph 12(1)(b) currently provides that a 'critical gas asset' includes a gas storage facility that has a maximum daily quantity of at least 75 terajoules per day or any other quantity prescribed by the rules.

306. Item 31 of Schedule 1 to the Bill repeals paragraph 12(1)(b) of the SOCI Act, and substitutes that a 'critical gas facility' is a gas storage facility that has a maximum daily withdrawal capacity of at least 75 terajoules per day or any other maximum daily withdrawal capacity prescribed by the rules.
307. This is not intended to be a change in policy, but rather to clarify the application of the paragraph to more accurately reflect the terminology used in the sector.

Item 32 After section 12

308. This item inserts new sections 12A, 12B, 12C, 12D, 12E, 12F, 12G, 12H, 12J, 12K, 12L, 12M, 12N and 12P into the SOCI Act, which outline further definitions required in relation to the amendments being made by the Bill.

Section 12A Meaning of critical liquid fuel asset

309. New section 12A of the SOCI Act outlines a definition of 'critical liquid fuel asset'. Subsection (1) provides that a critical liquid fuel asset is any of the following:
• a liquid fuel refinery that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (2) (paragraph (a))
• a liquid fuel pipeline that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (3) (paragraph (b)), or
• a liquid fuel storage facility that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (4) (paragraph (c)).

310. The definition recognises the role that these assets play in delivering critical services that are essential to energy security and relied on to support the economy. A prolonged disruption to Australia's liquid fuel supply would have a significant impact on communities, businesses and national security capabilities. For example, liquid fuel underpins every aspect of our daily life, from our groceries to our commute to work and our emergency services. The then Commonwealth Department of the Environment and Energy, in an interim report released in April 2019, reported that on average each Australian uses nearly three times more energy from liquid fuel than they do electricity. The liquid fuel market also powers machinery on which other sectors rely, such as transport or space technology.
This definition captures the assets needed to refine liquid fuel to be suitable for consumption, the pipelines required to distribute the fuel, and facilities used to store it to ensure it is accessible at key locations.

311. A note to subsection (1) reminds the reader that under section 9 the rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset.

312. Subsection (2) provides that rules made under paragraph (1)(a) may prescribe specified liquid fuel refineries that are critical to ensuring the security and reliability of a liquid fuel market (paragraph (a)), or requirements for a liquid fuel refinery to be critical to ensuring the security and reliability of a liquid fuel market (paragraph (b)). The rules are expected to prescribe, initially, the major Australian crude oil refineries (Corio in Geelong, Victoria and Lytton in Queensland). These refineries play a major part in Australia's fuel supply chain, with Australian refineries providing for approximately 50 per cent of Australia's transport fuel needs.
313. Subsection (3) provides that rules made under paragraph (1)(b) may prescribe specified liquid fuel pipelines that are critical to ensuring the security and reliability of a liquid fuel market (paragraph (a)), or requirements for a liquid fuel pipeline to be critical to ensuring the security and reliability of a liquid fuel market (paragraph (b)). The rules are expected initially to prescribe the distribution pipelines that are critical for inter-city distribution and for movement from refineries and ports to terminals.

314. Subsection (4) provides that rules made under paragraph (1)(c) may prescribe specified liquid fuel storage facilities that are critical to ensuring the security and reliability of a liquid fuel market (paragraph (a)), or requirements for a liquid fuel storage facility to be critical to ensuring the security and reliability of a liquid fuel market (paragraph (b)). The rules are expected to initially prescribe a 50 megalitre storage threshold, capturing assets across all states and territories, except Tasmania and the Australian Capital Territory. These storage facilities are critical to building resilience to supply disruptions, thereby protecting consumers and the economy from fuel shortages.

315. Rules made under these subsections will ensure that only those liquid fuel assets that are critical to Australia at any point in time fall within the definition of critical liquid fuel asset. This flexibility is necessary to ensure the definition can be reasonably adapted to adjust to changes in the liquid fuel market and interdependencies with that market.

Section 12B Meaning of critical freight infrastructure asset

316. New section 12B of the SOCI Act provides the definition of 'critical freight infrastructure asset'.
Subsection (1) provides that an asset is a critical freight infrastructure asset if it is any of the following:
• a road network that, in accordance with subsection (2), functions as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a))
• a rail network that, in accordance with subsection (3), functions as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)), or
• an intermodal transfer facility that, in accordance with subsection (4), is critical to the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (c)).

317. The freight industry is an essential component of the national economy. These assets play an important role in ensuring capital cities and population centres can access critical products (such as medical supplies and food and groceries) as well as facilitating businesses that rely on land-based supply chains. An efficient intermodal facility is an important component of the overall effectiveness of regional transport services and plays a crucial role in road-to-road and road-to-rail interchange activities. Facilities improve the predictability of pick-up and delivery times and address congestion on city roads. For example, large vehicles will service manufacturing through to distribution between urban centres, whilst smaller distribution trucks will operate in and out of the cities. The criticality of these networks and facilities became all the more apparent during the COVID-19 outbreaks, where demand increased for critical supplies across States, Territories and regional centres.

318. A note to subsection (1) reminds the reader that under section 9 the rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset.

319. Subsection (2) provides that the rules may prescribe, for the purpose of paragraph (1)(a), specified road networks that function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a)), or requirements for a road network to function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)).

320. Subsection (3) provides that the rules may prescribe, for the purpose of paragraph (1)(b), specified rail networks that function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a)), or requirements for a rail network to function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)).

321. Subsection (4) provides that the rules may prescribe, for the purpose of paragraph (1)(c), specified intermodal transfer facilities that are critical to the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a)), or requirements for an intermodal transfer facility to be critical to the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)).

322. Considerations when determining criticality under subsections 12B(2), (3) and (4) may include:
• the volume of freight the network or facility enables to be transported;
• the value of the commodities the network or facility enables;
• the frequency of heavy vehicles utilising the network or facility;
• whether the network or facility enables the transport of specific commodities of high economic significance for the region; or
• whether any alternative transport routes are available should the network or facility become unavailable.

323. Major road and rail assets are vital in responding to and mitigating the impacts of natural disasters. The criticality of these assets is amplified if there is a lack of redundancy, as inconvenience gives way to a threat to national interests. For example, the 2009 floods in Queensland's north and north-west temporarily closed the Bruce Highway and limited the availability of food and supplies to the region.

324. Similarly, intermodal terminals play a significant role in facilitating the consolidation, storage and transfer of freight between rail and road at the beginning and end of each rail journey. Intermodal terminals provide connectivity to ports, regional networks and other capital cities and regional centres and are central to the stability and security of road and rail infrastructure. These facilities are also useful in enabling redundancies by allowing goods to be transferred between modes of transport should one be compromised.

325. The Department will work closely with the freight industry and State and Territory Governments to identify which road networks, rail networks or intermodal transfer facilities function as critical corridors.

Section 12C Meaning of critical freight services asset

326. New section 12C of the SOCI Act provides the definition of 'critical freight services asset'. Subsection (1) provides that an asset is a critical freight services asset if it is a network that is used by an entity carrying on a business that, in accordance with subsection (2), is critical to the transportation of goods by road, rail, inland waters or sea.

327. The note to subsection (1) reminds the reader that under section 9 the rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset.

328. Subsection (2) provides that the rules may prescribe, for the purpose of subsection (1), specified businesses that are critical to the transportation of goods by road, rail, inland waters or sea (paragraph (a)), or requirements for a business to be critical to the transportation of goods by road, rail, inland waters or sea (paragraph (b)).

329. Critical freight services assets are critical to Australia's trade and commerce, and social stability, as they are responsible for the logistics and movement of valuable goods and products across the country. These assets assist businesses to transport products to consumers, and ensure communities can access critical supplies, including food and groceries. The COVID-19 pandemic and recent natural disasters have highlighted the importance of freight services, and the assets they rely on, in transporting personal protective equipment, medical supplies, food and groceries, and other critical supplies across Australia.

330. The Department will work closely with the freight industry and State and Territory Governments to identify critical freight services. The factors the Minister may consider when making rules may include:
• the relevant business' market share
• the volume, value and criticality of goods transported. For example, whether the business is responsible for the transport of niche goods that enable the delivery of critical services (for instance medical supplies that enable intensive care units to remain operational, or vaccines), and
• whether any redundancies exist if that freight service is rendered unavailable.

Section 12D Meaning of critical financial market infrastructure asset

331. New section 12D of the SOCI Act provides the definition of 'critical financial market infrastructure asset'. These assets are critical to the functioning, security and stability of financial services and markets.

332. A significant disruption to financial market infrastructure assets would have a detrimental impact in terms of public trust, financial stability and market integrity and efficiency. The reasons for this include their central and enabling position within the financial system and the inability of participating financial institutions and, in most cases, ultimately also consumers and businesses, to leverage substitute services.

333. Financial market infrastructures licensed in Australia support transactions in securities with a total annual value of $16 trillion and derivatives with a total annual value of $150 trillion. These markets turn over value equivalent to Australia's annual GDP every three business days.[4]

334. Subsection (1) provides that a critical financial market infrastructure asset is any of the following assets:
• an asset that is owned or operated by an Australian body corporate that holds an Australian market licence and is used in connection with the operation of a financial market that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (2) (paragraph (a))
• an asset that is owned or operated by an associated entity of an Australian body corporate that holds an Australian market licence and is used in connection with the operation of a financial market that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (2) (paragraph (b))
• an asset that is owned or operated by an Australian body corporate that holds an Australian CS facility licence and is used in connection with the operation of a clearing and settlement facility that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (3) (paragraph (c))
• an asset that is owned or operated by an associated entity of an Australian body corporate that holds an Australian CS facility licence and is used in connection with the operation of a clearing and settlement facility that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (3) (paragraph (d))
• an asset that is owned or operated by an Australian body corporate that holds a benchmark administrator licence and is used in connection with the administration of a significant financial benchmark that is critical to the security and reliability of the financial services and markets sector, in accordance with subsection (4) (paragraph (e))
• an asset that is owned or operated by an associated entity of an Australian body corporate that holds a benchmark administrator licence and is used in connection with the administration of a significant financial benchmark that is critical to the security and reliability of the financial services and markets sector, in accordance with subsection (4) (paragraph (f))
• an asset that is owned or operated by an Australian body corporate that holds an Australian derivative trade repository licence and is used in connection with the operation of a derivative trade repository that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector (paragraph (g))
• an asset that is owned or operated by an associated entity of an Australian body corporate that holds an Australian derivative trade repository licence and is critical to the operation of a derivative trade repository in accordance with subsection (5) (paragraph (h)), or
• an asset that is used in connection with the operation of a payment system that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector (paragraph (i)).

[4] Council of Financial Regulators, 'Financial Market Infrastructure Regulatory Reforms', November 2019, accessed on 2 December 2020 at <https://www.cfr.gov.au/publications/consultations/2019/consultation-on-financial-market-infrastructure-regulatory-reforms/pdf/fmi-consultation-nov-2019.pdf>

335. Subsection (2) provides that for the purpose of paragraphs (1)(a) and (1)(b) the rules may prescribe specified financial markets that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a financial market to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

336. Consistent with advice from existing financial regulators, the rules may prescribe, for example, a threshold that captures a narrower cohort of the Domestic (subsection 795B(1)) Tier 1 market licensees, and may be determined by a turnover metric.

337. Financial markets are used by participants to either raise funds (e.g. by issuing securities) or invest savings (by buying securities and other financial assets). The stability and operational efficiency of Australia's financial markets is of critical importance to business confidence and the Australian economy. The importance of financial markets is evident from the value of financial transactions. For example, the Australian equity market daily average turnover for the June 2020 quarter was $9 billion, up from a daily average of $6.82 billion in the June 2019 quarter.[5]

338. Subsection (3) provides that for the purpose of paragraphs (1)(c) and (1)(d) the rules may prescribe specified clearing and settlement facilities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a clearing and settlement facility to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

339. Requirements for a clearing and settlement facility to be critical to the security and reliability of the financial services and markets sector may include, but not be limited to, the following criteria:
• the size of the facility in Australia
• the availability of substitutes for the facility's services in Australia
• the nature and complexity of the products cleared or settled by the facility, or
• the degree of interconnectedness with other parts of the Australian financial system.

340. Reliable and timely clearing, transfer of ownership and settlement arrangements are essential to the efficient and effective operation of financial markets. A rigorous and reliable clearing and settlement infrastructure allows market participants to undertake bond market transactions without undue risk from default, market, systemic or other broader risks. Accordingly, the effectiveness of such systems significantly affects the development of secondary market activity.

341. Subsection (4) provides that for the purpose of paragraphs (1)(e) and (1)(f) the rules may prescribe specified significant financial benchmarks that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a significant financial benchmark to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

342. Significant financial benchmarks are of critical importance to a wide range of users in financial markets and throughout the broader economy. Benchmarks affect the pricing of key financial products such as credit facilities offered by financial institutions, corporate debt securities, exchange-traded funds, foreign exchange and interest rate derivatives, commodity derivatives, equity and bond index futures and other investments and risk management products. They also drive or influence asset allocation decisions within investment portfolios.

[5] Australian Securities & Investments Commission, Equity market data for quarter ending June 2020, accessed on 1 December 2020 at: https://www.rba.gov.au/payments-and-infrastructure/payments-system.html
343. If the availability or integrity of a significant financial benchmark is disrupted, this could lead to financial contagion or systemic instability, and impact on both retail and wholesale investors.

344. Subsection (5) provides that for the purpose of paragraphs (1)(g) and (1)(h) the rules may prescribe specified derivative trade repositories that are critical to the security or reliability of the financial services and markets sector (paragraph (a)), or requirements for a derivative trade repository to be critical to the operation of the financial services and markets sector (paragraph (b)).

345. A derivative trade repository is a facility to which information about derivative transactions, or about positions relating to derivative transactions, can be reported. They act as a centralised registry that maintains an electronic database of records of transactions. Derivative trade repositories are a core component of the infrastructure supporting derivatives markets. A derivative trade repository may be part of a network linking various entities (e.g. clearing and settlement facilities, dealers or financial custodians), and therefore a disruption in a derivative trade repository could risk spreading to linked entities and having cascading impacts across the economy.

346. Derivative trade repositories have emerged as a relatively new type of financial market infrastructure and have recently grown in importance, particularly in light of the Group of Twenty commitments reached at the summit in Pittsburgh in 2009 in relation to the necessity of substantial reforms to practices in over-the-counter derivatives markets.

347. Whilst there is currently no domestically incorporated derivative trade repository that is licensed in Australia, the intention of including derivative trade repositories is to future-proof the regime should there emerge a domestic derivative trade repository, noting it would potentially play a critical role in the financial system.

348. Subsection (6) provides that for the purpose of paragraph (1)(i) the rules may prescribe specified payment systems that are critical to the operation of the financial services and markets sector (paragraph (a)), or requirements for a payment system to be critical to the operation of the financial services and markets sector (paragraph (b)).

349. Requirements which, if present in a payment system, mean that such a payment system is critical to ensuring the security and reliability of the financial services and markets sector may include, but not be limited to:
• a minimum aggregate value and/or volume of Australian dollar payments processed through the system over a specified period;
• the time-criticality of the payments processed;
• a minimum average value of the payments processed through the system over a specified period;
• the provision of important payment services for which there are few or no close substitutes;
• the system being used to settle payments that effect settlement in one or more financial market infrastructures; or
• other factors indicating that the system has the potential to trigger or transmit systemic disruption, or, if unavailable, result in significant disruption to economic activity.

350. Payment systems refer to arrangements which allow consumers, businesses and other organisations to transfer funds, usually held in an account at a financial institution, to one another. Australian payment systems contribute to the smooth functioning of the economy. Financial transactions are now more than ever before facilitated by the internet and mobile-based technologies. Non-cash payments account for most of the value of payments in the Australian economy. On average, in 2019 non-cash payments worth around $255 billion were made each business day, equivalent to around 13 per cent of annual GDP.[6]

351. Consumers and businesses are heavily dependent on the continued functioning and security of infrastructure and assets that are used to operate these payment systems.

352. The development of any rules under this section will involve close consultation with industry and existing Commonwealth financial regulators.

353. Subsection (7) provides that, for the purposes of section 12D, 'Australian body corporate' means a body corporate that is incorporated in Australia.

Section 12E Meaning of critical broadcasting asset

354. New section 12E of the SOCI Act provides the definition of 'critical broadcasting asset'.
Subsection (1) provides that one or more broadcasting transmission assets are a 'critical broadcasting asset' if:
• the broadcasting transmission assets are owned or operated by the same entity and located on a site that, in accordance with subsection (2), is a critical transmission site (paragraph (a))
• the broadcasting transmission assets are owned or operated by the same entity, located on at least 50 different sites and not broadcasting re-transmission assets (paragraph (b)), or
• the broadcasting transmission assets are owned or operated by an entity that, in accordance with subsection (3), is critical to the transmission of a broadcasting service (paragraph (c)).

[6] Reserve Bank of Australia, Payments System, accessed on 1 December at https://www.rba.gov.au/payments-and-infrastructure/payments-system.html
355. Broadcast media play an important role in emergencies, both in disseminating and collecting information about an incident. While there is no legislative requirement for broadcasters to undertake the role of disseminating emergency warnings to communities, the Commonwealth, States and Territories have established working relationships with broadcasters to ensure emergency information is disseminated effectively in a crisis. However, the ability for national and commercial broadcasters to deliver emergency messages is dependent on the resilience and security of transmission and distribution infrastructure.

356. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical broadcasting asset is not a critical infrastructure asset.

357. Subsection (2) provides that, for the purposes of paragraph (1)(a), the rules may prescribe specified sites as being critical transmission sites (paragraph (a)), or requirements for sites to be critical transmission sites (paragraph (b)). For example, the rules may prescribe a particular transmission site that services a key population centre with no alternative sites, meaning that any disruption to that site could cause significant difficulties in an emergency.

358. The Department will work closely with industry and State and Territory Governments to determine whether rules will need to be made to capture particular critical transmission sites that do not meet the 50-site threshold.

359. Paragraph (1)(b) provides that a network of broadcasting transmission assets across 50 different sites is critical, as this represents an extensive network of transmission infrastructure that is relied upon by key broadcasters to service significant population areas in Australia. The services that are provided by networks captured by this limb of the definition are crucial to ensuring key broadcasters are able to service the community during emergency circumstances.

360. However, assets that are used exclusively for re-transmission purposes are not within the scope of the test at subsection (b). Re-transmission sites include broadcasting transmission assets that are used in connection with the re-transmission of a service to which, as a result of section 212 of the Broadcasting Services Act, the regulatory regime under that Act does not apply.

361. This reflects that re-transmission sites do not themselves form a critical network for the transmission of radio and television. Instead, re-transmission sites play a support role and are designed to address gaps in a transmission network. As a result, only certain re-transmission sites are critical to facilitating the services offered by broadcasters.

362. That is why paragraph (2)(a) provides scope for the Minister to prescribe broadcasting transmission assets (including re-transmission sites) located on a critical transmission site to be critical broadcasting assets. In determining whether a certain transmission site is a critical broadcasting asset, the Minister will consider factors such as its geographic location, redundancies in relation to alternative transmission sites, and the size of the population serviced by the asset.
363. Paragraph (c) provides that a critical broadcasting asset may also be one or more broadcasting transmission assets if those assets are owned or operated by an entity that, in accordance with subsection (3), is critical to the transmission of a broadcasting service. For the purposes of this paragraph, the rules may prescribe specified entities that are critical to the transmission of a broadcasting service, or requirements for an entity to be critical to the transmission of a broadcasting service.

Section 12F Meaning of critical data storage or processing asset

364. New section 12F of the SOCI Act provides the definition of 'critical data storage or processing asset'. Demand for data and cloud services has significantly increased as more business is conducted online. This means that data and cloud services have become an important component for day-to-day business operations.

365. The definition encompasses those assets that are critical to maintaining the commercial supply and availability of data and cloud services located in Australia. The definition is intended to capture the physical infrastructure or computing platforms used primarily to provide data storage or processing services on a commercial basis. This includes enterprise data centres, managed services data centres, colocation data centres and cloud data centres. The definition is aimed at data storage companies or cloud computing companies that provide data storage or processing as their primary business offering to the critical infrastructure asset, whether that be through infrastructure as a service (IaaS) or platform as a service (PaaS). Software as a service (SaaS) providers may also be captured by the critical data storage or processing asset definition, where the software is relied on to store or process a Government agency's data or a critical infrastructure asset's business critical data as the primary function of the service.

366. The definition does not cover instances where data storage or processing is secondary to, an enabler for, or simply a by-product of, the primary service being offered - for example, accounting services. In a scenario where a business has shared business critical data with a SaaS provider, but only for the purposes of the SaaS provider providing its primary service (such as running the business' payroll), the SaaS provider is not to be considered a critical infrastructure asset.

367. Subsection (1) provides that an asset is a critical data storage or processing asset if all of the following apply:
• the asset is owned or operated by an entity that is a data storage or processing provider (paragraph (a))
• the asset is used wholly or primarily to provide a data storage or processing service that is provided by the entity on a commercial basis to one of the government bodies listed in subparagraphs (i)-(vi) (paragraph (b)), and
• the entity knows that the asset is used as described in paragraph (b).
368. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset.

369. Data centres and cloud providers that are custodians of Government data are critical due to the sensitive nature of the Government information that they store or process. Under the Protective Security Policy Framework, the Australian Government is required to safeguard official information and mitigate the risks of cyber attacks. This is because it is likely that a compromise of Government data may lead to the disclosure of highly sensitive information relevant to the operation of the nation, risk foreign relations with key international partners and undermine economic prosperity and social stability. State and Territory Governments also hold sensitive data that is critical to the operation of services and other aspects in their jurisdictions.

370. Subsection (2) also provides that an asset is a critical data storage or processing asset if all of the following apply:
• the asset is owned or operated by an entity that is a data storage or processing provider (paragraph (a))
• the asset is used wholly or primarily to provide a data storage or processing service that is provided by the entity on a commercial basis to another critical infrastructure asset and relates to business critical data (paragraph (b)), and
• the entity knows that the asset is used as described in paragraph (b) (paragraph (c)).

371. A note to subsection (2) reminds the reader that the rules, made under section 9, may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset.

372. Data centres and cloud providers captured by this limb of the definition are critical by virtue of the fact that they handle business critical data for other critical infrastructure assets.
Business critical data includes bulk holdings of personal information, and information that is crucial to the continued operation and functioning of assets that directly contribute to maintaining Australia's economic and social stability. Should this data, or the provision of services in relation to it, be impacted, the confidentiality and reliability of the critical infrastructure asset is likely to be affected, including, potentially, the provision of essential services.

373. A data storage or processing provider may not always know if they are providing services relating to business critical data of a critical infrastructure asset. For example, data privacy practices typically mean that third party providers do not have visibility over what type of data is being stored or processed through their facilities. In response to these circumstances, the asset will only become a critical data storage or processing asset where the
responsible entity knows that it is storing or processing business critical data of a critical infrastructure asset.

374. In support of this requirement, subsection (3) applies if an entity (the first entity) is the responsible entity for a critical infrastructure asset (paragraph (a)), and the first entity becomes aware that a data storage or processing service is provided by another entity on a commercial basis to the first entity and relates to business critical data (paragraph (b)).

375. For example, this obligation applies when the responsible entity of a critical banking asset becomes aware that a data storage or processing service is managing its business critical data on a commercial basis. This is likely to be at the point of services commencing following the entering of a contractual arrangement. The responsible entity must then take all reasonable steps to inform the relevant data storage or processing service of these circumstances as soon as practicable after becoming so aware.

376. If subsection (3) applies, the first entity must:
• take reasonable steps to inform the other entity that the first entity has become aware that the data storage or processing service is provided by the other entity on a commercial basis, and relates to business critical data (paragraph (c)), and
• do so as soon as practicable after becoming aware (paragraph (d)).

377. Commonwealth, State and Territory Governments will not be required to notify data and cloud service providers that they are critical data storage and processing assets. In these circumstances, it is expected that the relevant data or cloud service provider will be aware that they provide services to a Government client.

378. Breach of subsection (3) is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the infringement.
It is designed to deter non-compliance and to ensure that owners or operators of data storage or processing providers can be notified as soon as practicable that their asset is a critical data storage or processing asset, noting the importance of the service they are providing. The penalty for this notification requirement is commensurate with the penalty for failing to notify of events in relation to the Register of Critical Infrastructure Assets.

Section 12G Meaning of critical banking asset

379. New section 12G of the SOCI Act provides the definition of 'critical banking asset'. This definition recognises the role banking businesses play in the financial system, holding the majority of financial system assets. In addition to retail deposit-taking and lending activities, banks are involved in financial intermediation, including business banking, trading in financial markets, stockbroking and insurance and funds management. A severe compromise of any of Australia's major banks has the potential for significant and lasting economic and security impacts given their high volume of retail customers as well as important government and business customers.
380. Subsection (1) provides that an asset is a critical banking asset if it is any of the assets described in paragraphs (a) or (b). Paragraph (a) describes an asset where the following conditions are satisfied:
• an asset is owned or operated by an authorised deposit-taking institution (subparagraph (i))
• the authorised deposit-taking institution is an authorised deposit-taking institution that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector (subparagraph (ii)), and
• the asset is used in connection with the carrying on of banking business (subparagraph (iii)).

381. Paragraph (b) describes an asset that meets the following conditions:
• the asset is owned or operated by a body corporate that is a related body corporate of an authorised deposit-taking institution (subparagraph (i))
• the body corporate is a body corporate that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector (subparagraph (ii)), and
• the asset is used in connection with the carrying on of banking business (subparagraph (iii)).

382. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical banking asset is not a critical infrastructure asset.

383. Subsection (2) provides that for the purposes of subparagraph (1)(a)(ii), the rules may prescribe specified authorised deposit-taking institutions that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an authorised deposit-taking institution to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

384.
For example, following consultation with industry, the Minister may make rules prescribing particular banks as critical to the financial services and markets sector, or establish threshold attributes in the rules for determining criticality, such as a minimum quantity of assets held for the bank to be regarded as a critical banking asset.

385. Subsection (3) provides that, for the purposes of subparagraph (1)(b)(ii), the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).
Section 12H Meaning of critical insurance asset

386. New section 12H of the SOCI Act provides the definition of 'critical insurance asset'. Insurers play a critical role in the financial system and can act as an important buffer in the Australian economy by softening the potential financial impacts to businesses and individuals as a result of sudden and often uncontrollable shocks. Insurers also play a significant role in assisting communities, industry and the Australian economy to recover from natural disasters and other hazards.

387. Life insurance plays a vital role in Australia's social construct, and will continue to provide necessary financial protection noting Australia's aging population. Life insurers are also significant contributors to Australia's wealth and prosperity. Life insurance acts as a saving mechanism for Australians and allows for significant volumes of long-term funding for financial markets and other sectors in need of investment, contributing to Australia's overall economic growth and stability.

388. Health insurers are not only critical to ensuring Australians can access health services, but they also are important contributors to the country's wealth and prosperity. Private health insurance provides cover for private hospital services and many out-of-hospital health services not covered by Medicare, such as dentistry. According to the Australian Prudential Regulation Authority (APRA), 43.8 per cent of the Australian population had private hospital cover at 30 September 2020, and 53.2 per cent had cover for ancillary services ('extras'), such as dentistry and optometry, as at 30 September 2020.7

389. The critical insurance asset definition recognises the key role that insurers play in the financial system. They act as an important buffer for the Australian economy, softening the financial impact of events on public funds by drawing on private sector funding.
For example, failure in a reinsurer could affect operations across a significant number of Australian insurers.

390. Subsection (1) provides that an asset that meets the criteria outlined in paragraphs (a) to (f) is a 'critical insurance asset'. Paragraph (a) outlines the following criteria:
• the asset is owned or operated by an entity that carries on insurance business
• the entity is an entity that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

7 APRA, Quarterly private health insurance statistics, September 2020. Accessed on 1 December 2020 at https://www.apra.gov.au/sites/default/files/2020-11/Quarterly%20private%20health%20insurance%20statistics%20highlights%20September%202020_0.pdf

391. Paragraph (b) outlines the following criteria:
• the asset is owned or operated by a body corporate that is a related body corporate
of an entity that is carrying on insurance business
• the body corporate is a body corporate that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

392. Paragraph (c) outlines the following criteria:
• the asset is owned or operated by an entity that carries on life insurance business
• the entity is an entity that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

393. Paragraph (d) outlines the following criteria:
• the asset is owned or operated by a body corporate that is a related body corporate of an entity that is carrying on life insurance business, and is critical to the carrying on of life insurance business
• the body corporate is a body corporate that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

394. Paragraph (e) outlines the following criteria:
• the asset is owned or operated by an entity that carries on health insurance business
• the entity is an entity that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.

395.
Paragraph (f) outlines the following criteria:
• the asset is owned or operated by a body corporate that is a related body corporate of an entity that is carrying on health insurance business
• the entity is an entity that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector, and
• the asset is used in connection with the carrying on of insurance business.
396. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical insurance asset is not a critical infrastructure asset.

397. Subsection (2) provides that for the purposes of subparagraph (1)(a)(i) the rules may prescribe specified entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

398. Subsection (3) provides that for the purposes of subparagraph (1)(b)(ii) the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

399. Subsection (4) provides that for the purposes of subparagraph (1)(c)(ii) the rules may prescribe specified entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

400. Subsection (5) provides that for the purposes of subparagraph (1)(d)(ii) the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

401.
Subsection (6) provides that for the purposes of subparagraph (1)(e)(ii) the rules may prescribe specified entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

402. Subsection (7) provides that for the purposes of subparagraph (1)(f)(ii) the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

403. The rules will be used to identify those insurance assets that are critical. This may include prescribing that an insurer with assets over a certain monetary threshold would be regarded as critical, as its market share would mean that events impacting the assets would have cascading effects across the economy.

Section 12J Meaning of critical superannuation asset

404. New section 12J of the SOCI Act provides the definition of 'critical superannuation asset'. Superannuation represents the largest financial asset for the majority of Australian households. Superannuation savings are the basis for the retirement incomes of millions of Australians. More than 60 per cent of Australians directly contribute to superannuation, with
a substantial proportion of that investment used to finance the development of Australian industry.8 The long-term financial prosperity of Australian retirees is intricately linked to the financial health of the Australian economy.

405. Subsection (1) provides that an asset is a 'critical superannuation asset' if it is owned or operated by a registrable superannuation entity that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector (paragraph (a)) and is used in connection with the operation of a superannuation fund (paragraph (b)). This is not intended to cover self-managed superannuation funds.

406. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical superannuation asset is not a critical infrastructure asset.

407. Subsection (2) provides that for the purpose of paragraph (1)(a) the rules may prescribe registrable superannuation entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a registrable superannuation entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

408. The rules will be used to identify those superannuation assets that are critical. This may include prescribing as critical those registrable superannuation entities with assets over a certain monetary threshold, as their market share would mean that events impacting the assets would have cascading effects across the population and economy.

Section 12K Meaning of critical food and grocery asset

409. New section 12K of the SOCI Act provides the definition of 'critical food and grocery asset'. The COVID-19 pandemic has placed food and grocery distribution and supply under significant pressure, revealing both the criticality and vulnerability of these networks.
The last six months in particular have highlighted how disruptions to distribution networks and other key operations of Australia's major supermarkets can seriously impact the availability of food and groceries to the community.

410. Other parts of the sector (for example food manufacturing or packaging) are not considered critical food and grocery assets as they are often disaggregated and, if disrupted, are less likely to have a severe and widespread impact on the availability of food and groceries.

411. Subsection (1) provides that an asset is a critical food and grocery asset if it is a network that is used for the distribution or supply of food or groceries (paragraph (a)), and is owned or operated by an entity that is declared by the rules to be a critical supermarket retailer, critical food wholesaler or critical grocery wholesaler (paragraph (b)).

412. A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset.

8 Infrastructure Partnerships Australia, 'The Role of Superannuation in Building Australia's Future' (2017).
413. Subsections (2)-(4) provide that the rules may prescribe specified entities that are critical supermarket retailers, critical food wholesalers, or critical grocery wholesalers, or alternatively requirements for an entity to be a critical supermarket retailer, critical food wholesaler or critical grocery wholesaler.

414. Following further consultation with industry, the Minister may declare a supermarket retailer, food wholesaler or grocery wholesaler to be critical in the rules through prescribing a specific entity or identifying a qualitative or quantitative threshold for criticality. This is likely to cover the existing significant supermarket retailers.

Section 12KA Meaning of critical domain name system

415. New section 12KA of the SOCI Act will provide the definition of 'critical domain name system'. The domain name system underpins the operation of the internet. The domain name system is the global database that translates website names into computer-readable internet protocol (IP) addresses. For example, '.au' is Australia's country code domain. The .au namespace plays an important role in supporting the digital economy, with over 3.2 million domain names registered as at August 2020. With the online environment becoming increasingly enmeshed with everyday life, a disruption to a critical domain name system could have significant cascading implications for Australian businesses, government and the community. Malicious or criminal exploitation of the domain name system can compromise users' ability to conduct business or navigate the internet, or compromise their data.

416. This term means a system that is managed by an entity that, in accordance with subsection (2), is critical to the administration of an Australian domain name system and is used in connection with the administration of an Australian domain name system.
An 'Australian domain name system' means a country code Top Level Domain or a generic Top Level Domain where the administrator of that domain name system is resident in Australia.

417. The note below subsection (1) explains that under section 9 of this Act the rules may prescribe that a specified 'critical domain name system' is not a 'critical infrastructure asset'. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

418. Subsection (2) provides that the rules may prescribe, for the purposes of subsection (1), specified entities that are critical to the administration of an Australian domain name system, or requirements for an entity to be critical to the administration of an Australian domain name system. It is likely that .au Domain Administration Ltd (auDA) will be specified under subsection (2) as the entity responsible for the .au domain name.

Section 12L Meaning of responsible entity

419. New section 12L of the SOCI Act will provide the definition for 'responsible entity'. The definition has been separated into twenty five subsections representing the twenty two classes of assets listed in the definition of critical infrastructure asset (see subsection 9(1)), as well as assets that are prescribed under paragraph 9(1)(f) or assets that are declared under section 51 by the Minister.
420. Responsible entities are those entities with ultimate operational responsibility for the asset. These entities have effective control or authority over the operations and functioning of the asset as a whole (even if they do not have direct control over a particular part of the asset), and are in a position to engage the services of contractors and other operators. Given this, these entities are best placed to fulfil the obligations (should they be activated and apply) under existing Part 2 of the SOCI Act, and new Part 2B of this Bill. Further, due to their ultimate responsibility for the asset, the responsible entity will also serve as the key contact point for consultation in relation to rules that may impact the asset.

421. Importantly, section 12L provides the Minister with the ability to make rules to override the responsible entity for a specific category of critical infrastructure asset identified in this section, and prescribe another entity to be the responsible entity. The purpose of this rule making power is to provide adequate flexibility to ensure the obligations and measures under this Bill continue to apply to the most appropriate entity.

Subsection 12L(1)--Critical telecommunications asset

422. Subsection (1) provides that the responsible entity for a critical telecommunications asset is:
• if the critical telecommunications asset is owned or operated by a carrier--the carrier (subparagraph (a)(i))
• if the critical telecommunications asset is owned or operated by a carriage service provider--the carriage service provider (subparagraph (a)(ii)), or
• another entity if prescribed by the rules (paragraph (b)).

423. These entities have been identified as responsible entities for critical telecommunications assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(2)--Critical broadcasting asset

424.
Subsection (2) provides that the responsible entity for a critical broadcasting asset is:
• the entity referred to in either subparagraph 12E(1)(a)(i), (b)(i) or (1)(c), whichever is applicable (paragraph (a)), or
• another entity if prescribed by the rules (paragraph (b)).

425. This means that the responsible entity for a critical broadcasting asset is the entity that:
• owns or operates broadcasting transmission assets that are located on a site that is a critical transmission site (subparagraph 12E(1)(a)(i)). The rules will prescribe either specified sites or requirements for sites to be critical
• owns or operates broadcasting transmission assets located on at least 50 different sites (subparagraph 12E(1)(b)(i)), or
• has been prescribed in the rules as critical to the transmission of a broadcasting service.

426. These entities have been identified as responsible entities for critical broadcasting assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(3)--Critical domain name system

427. Subsection (3) provides that the responsible entity for a critical domain name system is:
• an entity referred to in paragraph 12KA(1)(a) (paragraph (a)), or
• another entity if prescribed by the rules (paragraph (b)).

428. This means that the responsible entity for a critical domain name system is an entity that has been specified under subsection 12KA(2). As outlined above for section 12KA, auDA will likely be the entity referred to in paragraph 12KA(1)(a) and therefore would be the responsible entity. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(4)--Critical data storage or processing asset

429. Subsection (4) provides that the responsible entity for a critical data storage or processing asset is the entity referred to in paragraph 12F(1)(a) or 12F(2)(a) (paragraphs (a) and (b)), or another entity that has been prescribed by the rules to be the responsible entity (paragraph (c)).

430.
These entities (essentially the owner or operator of the asset) have been identified as responsible entities for critical data storage or processing assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(5)--Critical banking asset

431. Subsection (5) provides that the responsible entity for a critical banking asset is the authorised deposit-taking institution referred to in paragraph 12G(1)(a), the body corporate referred to in paragraph 12G(1)(b) (paragraphs (a) and (b)), or an entity that has been prescribed by the rules to be the responsible entity (paragraph (c)).
432. These entities have been identified as responsible entities for critical banking assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(6)--Critical superannuation asset

433. Subsection (6) provides that the responsible entity for a critical superannuation asset is the registrable superannuation entity referred to in subsection 12J(1) (paragraph (a)) or an entity that has been prescribed by the rules to be the responsible entity (paragraph (b)).

434. These entities have been identified as responsible entities for critical superannuation assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(7)--Critical insurance asset

435. Subsection (7) provides that the responsible entity for a critical insurance asset is:
• if the asset is covered by paragraph 12H(1)(a)--the entity that carries on insurance business referred to in subparagraph 12H(1)(a)(i) (paragraph (a))
• if the asset is covered by paragraph 12H(1)(b)--the body corporate that is a related body corporate of an entity that carries on insurance business referred to in subparagraph 12H(1)(b)(i) (paragraph (b))
• if the asset is covered by paragraph 12H(1)(c)--the entity that carries on life insurance business referred to in subparagraph 12H(1)(c)(i) (paragraph (c))
• if the asset is covered by paragraph 12H(1)(d)--the body corporate that is a related body corporate of an entity that carries on life insurance business referred to in subparagraph 12H(1)(d)(i) (paragraph (d))
• if the asset is covered by paragraph 12H(1)(e)--the entity that carries on health insurance business referred to in subparagraph 12H(1)(e)(i) (paragraph (e))
• if the asset is covered by paragraph 12H(1)(f)--the body corporate that is a related
body corporate of an entity that carries on health insurance business referred to in subparagraph 12H(1)(f)(i) (paragraph (f)), or
• any other entity prescribed by the rules (paragraph (g)).

436. These entities have been identified as responsible entities for each category of critical insurance assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.
Subsection 12L(8)--Critical financial market infrastructure asset

437. Subsection (8) provides that the responsible entity for a critical financial market infrastructure asset is:
• if the asset is covered by paragraph 12D(1)(a)--the body corporate that holds an Australian market licence referred to in subparagraph 12D(1)(a)(i) (paragraph (a))
• if the asset is covered by paragraph 12D(1)(b)--the associated entity of an Australian body corporate that holds an Australian market licence as mentioned in subparagraph 12D(1)(b)(i) (paragraph (b))
• if the asset is covered by paragraph 12D(1)(c)--the body corporate that holds an Australian CS facility licence referred to in subparagraph 12D(1)(c)(i) (paragraph (c))
• if the asset is covered by paragraph 12D(1)(d)--the associated entity of an Australian body corporate that holds an Australian CS facility licence as mentioned in subparagraph 12D(1)(d)(i) (paragraph (d))
• if the asset is covered by paragraph 12D(1)(e)--the body corporate that holds a benchmark administrator licence referred to in subparagraph 12D(1)(e)(i) (paragraph (e))
• if the asset is covered by paragraph 12D(1)(f)--the associated entity of a body corporate that holds a benchmark administrator licence as mentioned in subparagraph 12D(1)(f)(i) (paragraph (f))
• if the asset is covered by paragraph 12D(1)(g)--the body corporate that holds an Australian derivative trade repository licence referred to in subparagraph 12D(1)(g)(i) (paragraph (g))
• if the asset is covered by paragraph 12D(1)(h)--the associated entity of a body corporate that holds an Australian derivative trade repository licence as mentioned in subparagraph 12D(1)(h)(i) (paragraph (h))
• if the asset is covered by paragraph 12D(1)(i)--the entity that is used in connection with the operation of a payment system prescribed by the rules (paragraph (i)), or
• another entity if prescribed by the rules (paragraph (j)).

438.
These entities have been identified as responsible entities for each category of critical financial market infrastructure assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on. 80
Subsection 12L(9)--Critical water asset

439. Subsection (9) provides that the responsible entity for a critical water asset is the water utility that holds the licence, approval or authorisation to provide the service to be delivered by the asset (paragraph (a)), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

440. This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical water assets.

Subsection 12L(10)--Critical electricity asset

441. Subsection (10) provides that the responsible entity for a critical electricity asset is the entity that holds the licence, approval or authorisation to operate the asset to provide the service to be delivered by the asset, or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

442. This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical electricity assets.

Subsection 12L(11)--Critical gas asset

443. Subsection (11) provides that the responsible entity for a critical gas asset is the entity that holds the licence, approval or authorisation to operate the asset to provide the service to be delivered by the asset, or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

444. This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical gas assets.

Subsection 12L(12)--Critical energy market operator asset

445. Subsection (12) provides that the responsible entity for a critical energy market operator asset is:
• if the asset is used by Australian Energy Market Operator Limited (ACN 072 010 327)--that company (paragraph (a))
• if the asset is used by Power and Water Corporation--that corporation (paragraph (b))
• if the asset is used by Regional Power Corporation--that corporation (paragraph (c))
• if the asset is used by Electricity Networks Corporation--that corporation (paragraph (d)), or
• if another entity is prescribed by the rules, that entity (paragraph (e)).
446. These entities have been identified as responsible entities for each critical energy market operator asset as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(13)--Critical liquid fuel asset

447. Subsection (13) provides that the responsible entity for a critical liquid fuel asset is:
• for a liquid fuel refinery, the entity that operates that refinery (paragraph (a))
• for a liquid fuel pipeline, the entity that operates that pipeline (paragraph (b))
• for a liquid fuel storage facility, the entity that operates that facility (paragraph (c)), or
• if another entity is prescribed in the rules, that entity (paragraph (d)).

448. These entities have been identified as responsible entities for each category of critical liquid fuel assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(14)--Critical hospital asset

449. Subsection (14) provides that the responsible entity for a critical hospital is:
• if it is a public hospital, the local hospital network that operates the hospital (paragraph (a))
• if it is a private hospital, the entity that holds the licence, authorisation or approval to operate the hospital (paragraph (b)), or
• if another entity is prescribed by the rules, that entity (paragraph (c)).

450. These entities have been identified as responsible entities for critical hospital assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(15)--Critical education asset

451. Subsection (15) provides that the responsible entity for a critical education asset is the university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers, or another entity that has been prescribed by the rules to be the responsible entity (paragraph (b)).
452. These entities have been identified as responsible entities for critical education assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(16)--Critical food and grocery asset

453. Subsection (16) provides that the responsible entity for a critical food and grocery asset is the entity referred to in paragraph 12K(1)(b), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

454. This means that the responsible entity for a critical food and grocery asset is the critical supermarket retailer, critical food wholesaler or critical grocery wholesaler that has been specified in the rules.

455. These entities have been identified as responsible entities for each category of critical food and grocery assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(17)--Critical port

456. Subsection (17) provides that the responsible entity for a critical port is the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003 (MTOFSA)), unless another entity has been prescribed by the rules to be the responsible entity for the port (paragraph (b)).

457. This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical electricity assets.

Subsection 12L(18)--Critical freight infrastructure asset

458. Subsection (18) provides that the responsible entity for a critical freight infrastructure asset is:
• if the Commonwealth is responsible for the management of the asset, the Commonwealth (paragraph (a))
• if the State is responsible for the management of the asset, the State (paragraph (b))
• if a Territory is responsible for the management of the asset, that Territory (paragraph (c))
• if a body is established by a law (Commonwealth, State or Territory) and that body is responsible for the management of the asset, then that body (paragraph (d))
• if none of paragraphs (a)-(d) apply, then the entity prescribed by the rules (paragraph (e)), or
• if another entity is prescribed by the rules in relation to the asset, then that entity (paragraph (f)).

459. These entities have been identified as responsible entities for each category of critical freight infrastructure assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(19)--Critical freight services asset

460. Subsection (19) provides that the responsible entity for a critical freight services asset is the entity referred to in subsection 12C(1), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

461. This means the responsible entity for a critical freight services asset is the entity that uses a network that is critical to the transportation of goods.

462. These entities have been identified as responsible entities for critical freight services assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(20)--Critical public transport asset

463. Subsection (20) provides that the responsible entity for a critical public transport asset is the entity managing a public transport network or system referred to in paragraph (a) of the definition (in section 5 of the SOCI Act) of critical public transport asset, or another entity prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

464. These entities have been identified as responsible entities for critical public transport assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.
Subsection 12L(21)--Critical aviation asset

465. Subsection (21) provides that the responsible entity for a critical aviation asset is:
• if the asset is used in connection with the provision of an air service, and is owned or operated by an aircraft operator, the aircraft operator (paragraph (a))
• if the asset is used in connection with the provision of an air service and owned or operated by a regulated air cargo agent, the regulated air cargo agent (paragraph (b))
• if the asset is used by an airport operator in connection with the operation of an airport, the airport operator (paragraph (c)), or
• if another entity is prescribed by the rules in relation to the asset, that entity (paragraph (d)).

466. These entities have been identified as responsible entities for each category of critical aviation assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(22)--Critical defence industry asset

467. Subsection (22) provides that the responsible entity for a critical defence asset is the entity that is supplying or will supply that asset to the Defence Department, or the Australian Defence Force under a contract, as referred to in paragraph (a) of the definition of critical defence asset (see section 5), or another entity that is prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

468. These entities have been identified as responsible entities for critical defence industry assets as they are ultimately responsible for the asset's continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(23)--Assets prescribed by the rules

469. Subsection (23) provides that the responsible entity for an asset that has been prescribed as a critical infrastructure asset under paragraph 9(1)(f) is the entity that is listed in the rules.

Subsection 12L(24)--Assets declared to be a critical infrastructure asset

470. Subsection (24) provides that the responsible entity for an asset that has been declared as a critical infrastructure asset by the Minister under section 51 is the entity listed in the declaration. It is noted that subsection 51(2) requires that a declaration under section 51 specifies who the responsible entity for the asset is.

Section 12M Meaning of cyber security incident

471. New section 12M of the SOCI Act defines the term 'cyber security incident'.
Under the amendments made by the Bill, there will be obligations for certain critical infrastructure assets and systems of national significance in relation to such incidents. Cyber security incidents will also be central to the operation of the powers outlined in new Part 3A.

472. This section provides that a cyber security incident is one or more acts, events or circumstances involving any of the following:
• unauthorised access to computer data or a computer program (paragraph (a))
• unauthorised modification of computer data or a computer program (paragraph (b)),
• unauthorised impairment of electronic communication to or from a computer (paragraph (c)), or
• unauthorised impairment of the availability, reliability, security or operation of a computer, computer data or a computer program (paragraph (d)).

473. Some common examples of a cyber security incident include:
• Malware - Any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including computer viruses, worms, trojan horses, ransomware, spyware, adware, and others.
• Phishing - Fraudulent attempts to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising communications (through emails and other formats) as trustworthy.
• Denial of service - This form of attack is where a perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
• Cross-site scripting - This is where an attacker injects malicious scripts into otherwise benign and trusted websites. The victim's web browser executes those scripts thinking they are legitimate, allowing the attacker to bypass the victim's access controls.

Section 12N Meaning of unauthorised access, modification or impairment

474. New section 12N of the SOCI Act will provide the definition for 'unauthorised access, modification or impairment'.
Under subsection (1) of this definition, the following conduct is unauthorised if the person is not entitled to cause that access, modification or impairment:
• access to computer data or a computer program (paragraph (a))
• modification of computer data or a computer program (paragraph (b))
• impairment of electronic communications to or from a computer (paragraph (c)), or
• the impairment of the availability, reliability, security or operation of a computer, computer data or a computer program (paragraph (d)).
475. For the conduct to be unauthorised, it must have occurred without authority, irrespective of whether that authority is drawn from, for example, legislation or contractual arrangements.

476. Subsection (1A) provides an example of a situation where a person is not entitled to cause access, modification or impairment of computer data or a computer program, as set out in subsection 12N(1).

477. The example is a person who is an employee or agent of the responsible entity for an asset who would exceed their authority as an employee or agent in causing such access, modification or impairment in relation to the asset (i.e. an 'insider').

478. Subsection (2) provides that it is immaterial if the person can be identified or not.

Subsection (3) provides circumstances in which a person is entitled to cause the access, modification or impairment. Paragraph (3)(b) provides that if the person does so under the following circumstances, they were entitled to do so:
• under a warrant issued under a law of the Commonwealth, a State or a Territory (subparagraph (i))
• under an emergency authorisation given to the person under Part 3 of the Surveillance Devices Act 2004 or under a law of a State or Territory that makes provision to similar effect (subparagraph (ii))
• under a tracking device authorisation given to the person under section 39 of the Surveillance Devices Act 2004 (subparagraph (iii))
• in accordance with a technical assistance request (subparagraph (iv))
• in compliance with a technical assistance notice (subparagraph (v)), or
• in compliance with a technical capability notice (subparagraph (vi)).

Section 12P Examples of responding to a cyber security incident

479. New section 12P of the SOCI Act illustrates types of actions that may be regarded as responses to a cyber security incident.
This is particularly relevant for new Part 3A as the Minister in certain circumstances must be satisfied that the responsible entity is unwilling or unable to take all reasonable steps to respond to the incident.

480. This section of the SOCI Act provides the following as examples of responding to a cyber security incident:
• if the incident is imminent--preventing the incident (paragraph (a))
• mitigating a relevant impact of the incident on a critical infrastructure asset or a critical infrastructure sector asset (paragraph (b)), or
• if a critical infrastructure asset or a critical infrastructure sector asset has been, or is being, affected by the incident--restoring the functionality of the asset (paragraph (c)).

481. Due to rapid technological change, it is not possible to foresee all possible ways that a system may be compromised or exploited, or the actions that would be required to respond to the incident. In particular, the methods of compromise and the required responses will change over time alongside technology. Therefore, a non-prescriptive approach has been taken in relation to defining what a response to a cyber security incident would involve. Further, it is important to recognise that a response will be proportionate to the nature of the incident and the system that will be, is being, or has been, impacted, as well as to the capabilities of the entity responsible for protecting the system.

Item 33 Paragraph 13(1)(b)

482. Subsection 13(1) provides that the SOCI Act applies to the types of entities listed in the paragraphs to the subsection. Paragraph 13(1)(b) currently provides that the SOCI Act applies to an entity 'that is a reporting entity for' or an operator of one of the assets listed in the subparagraphs.

483. Item 33 of Schedule 1 to the Bill will repeal 'that is a reporting entity for' and replace it with 'so far as the entity is the responsible entity for, a reporting entity for, a relevant entity for'. This is to reflect the various classes of entities identified in the Act.

Item 34 At the end of paragraph 13(1)(b)

484. Item 34 of Schedule 1 to the Bill adds subparagraphs (iv), (v), (vi), (vii) and (viii) to the end of paragraph 13(1)(b).
Those subparagraphs provide the following further characteristics of assets to which the SOCI Act applies:
• used in the course of, or in relation to, banking to which paragraph 51(xiii) of the Constitution applies (subparagraph (iv))
• used in the course of, or in relation to, insurance to which paragraph 51(xiv) of the Constitution applies (subparagraph (v))
• used to supply a carriage service (subparagraph (vi))
• used in connection with the provision of a broadcasting service (subparagraph (vii)), or
• used to administer a domain name system (subparagraph (viii)).

485. These amendments reflect the additional classes of critical infrastructure assets that have been added to the Act.
Item 35 Subsection 13(2)

486. Subsection 13(2) of the SOCI Act currently provides that Division 3 of Part 4 of the SOCI Act, relating to the use and disclosure of protected information, also applies to any other entity. Item 35 of Schedule 1 to the Bill amends subsection 13(2) of the SOCI Act to also provide that section 60AA of this Act also applies to any other entity.

Item 36 Division 1 of Part 2 (heading)

487. Item 36 of Schedule 1 to the Bill will change the heading of Division 1 of Part 2 from 'Simplified outline of this Part' to 'Introduction'.

Item 37 At the end of section 18

488. Item 37 of Schedule 1 to the Bill inserts a note to section 18 that indicates that the reader should also consider section 18A when considering the simplified outline in that section.

Item 38 At the end of Division 1 of Part 2

489. Item 38 of Schedule 1 to the Bill inserts new section 18A of the SOCI Act, to provide for the application of Part 2.

Section 18A Application of this Part

490. New section 18A of the SOCI Act provides for the application of Part 2. Subsection (1) outlines that subject to subsection (3) (as outlined in subsection (2)), Part 2 applies to a critical infrastructure asset if any of the following apply:
• the asset is specified in the rules (paragraph (1)(a))
• the asset is the subject of a declaration under section 51, and the declaration determines that this Part applies to the asset (paragraph (1)(b)), or
• immediately before the commencement of section 18A, in accordance with item 2 of the Bill, the asset was a critical infrastructure asset (within the meaning of the Act prior to these amendments commencing) (paragraph (1)(c)).

491. Paragraph 1(a) effectively works as an 'on switch' through which the Minister can ensure that this particular aspect of the positive security obligations only applies in appropriate situations.
For example, the Minister may choose not to apply Part 2 to a class of critical infrastructure assets, if the information that would be provided under the obligations is already available to government through other means and therefore the desired security objectives are being achieved. Importantly, this will be used to avoid duplicate reporting to Government and thus reduce regulatory burden.
492. Paragraph 1(b) replicates the intent of paragraph 1(a) for assets declared to be critical infrastructure assets under existing section 51 of the SOCI Act, noting the private nature of those declarations due to the associated security vulnerabilities. Paragraph 18A(b)(ii) requires that a declaration made under existing section 51 must specify if the obligations under Part 2A are 'activated' and apply to the declared asset. This ensures responsible entities of assets declared under section 51 are aware of their obligations under Part 2 (should they be activated) without disclosing the identity of these sensitive assets.

493. Section 1(c) also provides a transitional provision to ensure the obligations in Part 2 will continue to apply, uninterrupted, in relation to those critical infrastructure assets that had existing obligations under the Part immediately prior to the commencement of section 18A.

494. In addition to the power to make this instrument under section 30AB, subsection 33(3) of the Acts Interpretation Act provides that where an Act confers a power to make, grant or issue any instrument of a legislative or administrative character (including rules, regulations or by-laws), the power shall be construed as including a power exercisable in the like manner and subject to the like conditions (if any) to repeal, rescind, revoke, amend, or vary any such instrument.

495. A note to subsection (1) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

496. This note has been included to clarify that the Minister has the discretion to specify in rules that Part 2 applies to:
• all critical infrastructure assets,
• a category of critical infrastructure assets such as critical broadcasting assets,
• a subset of assets within a category of critical infrastructure assets, such as liquid fuel pipelines that are critical liquid fuel assets, or
• a specific asset that is a critical infrastructure asset.

497. Subsection (3) outlines that the rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period beginning when the asset became a critical infrastructure asset (paragraph (a)) and ending at a time ascertained in accordance with the rules (paragraph (b)). This is intended to provide the ability to offer a delayed commencement or 'grace period' in the future when an entity becomes a critical infrastructure asset to which the Part applies, allowing them a reasonable period to adjust their business.
Section 18AA Consultation--rules

498. New section 18AA of the SOCI Act sets out consultation requirements in relation to rules made for the purposes of section 18A, providing that a responsible entity for a critical infrastructure asset must comply with the requirement to adopt and maintain a critical infrastructure risk management program.

Subsection 18AA(1)--Scope

499. Subsection (1) provides that section 18AA applies to rules made for the purposes of section 18A of the SOCI Act.

Subsection 18AA(2)--Consultation

500. Subsection (2) provides that, before making or amending rules for the purposes of section 18A, the Minister must do all of the following:
• cause to be published on the Department's website a notice setting out the draft rules or amendments and inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days of publication of the notice (paragraph (a))
• give a copy of the notice to each First Minister (paragraph (b)), and
• consider any submissions received under paragraph (a) (paragraph (c)).

501. This consultation requirement will ensure that the Part is only activated in appropriate circumstances and allow entities an opportunity to provide the Government with submissions on any delay in the commencement of the Part necessary to allow them to adjust their businesses without undue burden.

Item 39 After Part 2

502. Item 39 inserts new Part 2B (notification of cyber security incidents) into the SOCI Act.

Part 2B--Notification of cyber security incidents

503. Industry has emphasised the need for Government and industry to be both providers and consumers of cyber intelligence to inform how networks can be best secured and how cyber resilience can be uplifted. In response to this, notification of cyber security incidents will play a central role in coordinating and delivering an enhanced picture of cyber situational awareness, supported by the provision of cyber information by industry.

504. The objective of this is to facilitate the development of an aggregated threat picture and comprehensive understanding of cyber security risks to critical infrastructure in a way that is mutually beneficial to Government and industry. Through greater awareness, the Government can better see malicious trends and campaigns which would not be apparent to an individual victim of an attack. In return, the Government will share actionable, anonymised information back out to industry to assist responsible entities in improving cyber resilience in relation to their assets or response to particular incidents.

505. This obligation will not override or displace any other legislative obligations the entity may have in relation to reporting security incidents, for example, the notifiable data breach scheme under the Privacy Act. However, in determining whether to apply this Part to an asset, the consultation process will provide a mechanism to consider any interactions and ensure that the obligations are only applied where the required security objectives are not being met.

Section 30BA Simplified outline of this Part

506. New section 30BA of the SOCI Act is a simplified outline of Part 2B, which is intended to aid the reader of the legislation in understanding the operation of this Part. Under Part 2B, responsible entities for certain critical infrastructure assets will be required to notify government about the occurrence of cyber security incidents. This is one element of the positive security obligations for critical infrastructure assets--the other being maintaining the register of critical infrastructure assets (existing Part 2 of the SOCI Act).

Section 30BB Application of this Part

507. New section 30BB of the SOCI Act provides that the mandatory notification requirements in Part 2B apply to a critical infrastructure asset if:
• the asset is specified in rules made by the Minister under section 61 of the SOCI Act (paragraph (a)), or
• the asset is subject to a declaration under section 51 (which enables the Minister to make a private declaration that an asset is a critical infrastructure asset) and the declaration under section 51 determines that Part 2B applies to the asset (paragraph (b)).

508. This effectively works as an 'on switch' through which the Minister can ensure that this particular aspect of the positive security obligations only applies in appropriate situations.

509. Similar to new section 18A of the SOCI Act, this section allows for a nuanced, sector-specific or asset-specific approach to be taken on the application of this obligation in new Part 2B. In determining whether to make rules to apply the obligations under Part 2B to certain critical infrastructure assets, the Minister is likely to consider the appropriateness of any existing arrangements or requirements for responsible entities of those assets to report to Government or regulators the occurrence of a cyber security incident or incidents, or other arrangements to provide the required visibility of the threat environment. If existing arrangements are deemed to be appropriate and effective, the Minister is unlikely to activate the reporting requirements in relation to the relevant critical infrastructure assets.
510. A note to this section indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

511. This note has been included to clarify that the Minister has the discretion to specify in rules that Part 2B applies to:
• all critical infrastructure assets,
• a category of critical infrastructure assets such as critical broadcasting assets,
• a subset of assets within a category of critical infrastructure assets, such as liquid fuel pipelines that are critical liquid fuel assets, or
• a specific asset that is a critical infrastructure asset.

512. Subsection (3) outlines that the rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period beginning when the asset became a critical infrastructure asset (paragraph (a)) and ending at a time ascertained in accordance with the rules (paragraph (b)). This is intended to provide the ability to offer a delayed commencement or 'grace period' in the future when an entity becomes a critical infrastructure asset to which the Part applies, allowing them a reasonable period to adjust their business.

513. Recommendation 3 of the PJCIS's Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 of 29 September 2021 was that the rules for Part 2B of the Act be incorporated into the explanatory memorandum for Bill One.

514. Accordingly, it is intended that the initial rules under section 30BB of the Act will specify that Part 2B of the Act applies to the following critical infrastructure assets:
• critical food and grocery asset
• critical hospital
• critical education asset
• critical energy market operator asset
• critical port
• critical freight infrastructure asset
• critical freight services asset
• critical public transport asset
• critical electricity asset
• critical gas asset
• critical liquid fuel asset
• critical telecommunications asset
• critical water asset.

Section 30BBA Consultation--rules

515. New section 30BBA of the SOCI Act sets out consultation requirements in relation to rules made for the purposes of section 30BB, providing that a responsible entity for a critical infrastructure asset must comply with the requirement to report cyber security incidents.

Subsection 30BBA(1)--Scope

516. Subsection (1) provides that section 30BBA applies to rules made for the purposes of section 30BB of the SOCI Act.

Subsection 30BBA(2)--Consultation

517. Subsection (2) provides that, before making or amending rules for the purposes of section 30BB, the Minister must do all of the following:
• cause to be published on the Department's website a notice setting out the draft rules or amendments and inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days of publication of the notice (paragraph (a))
• give a copy of the notice to each First Minister (paragraph (b)), and
• consider any submissions received under paragraph (a) (paragraph (c)).

518. Paragraph 30BBA(2)(d) also provides that where the Minister is aware that an entity is responsible for an asset that is specified, or proposed to be specified, in rules for section 30BB, the Minister must give the entity a written copy of the proposed rules. If the entity provides a submission to the Minister within the 28 day period set out in paragraph 30BBA(2)(a), the Minister must provide the entity with a written response to the submission.

519. This consultation requirement will ensure that the Part is only activated in appropriate circumstances and allow entities an opportunity to provide the Government with submissions on any delay in the commencement of the Part necessary to allow them to adjust their businesses without undue burden.
Section 30BC Notification of critical cyber security incidents

520. New section 30BC of the SOCI Act introduces an obligation for responsible entities of critical infrastructure assets captured by section 30BB to report a critical cyber security incident to a relevant Commonwealth regulator.

521. Under subsection (1), if an entity is a responsible entity for a critical infrastructure asset captured by section 30BB and the entity becomes aware that a cyber security incident is occurring, or has occurred, and the incident has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset, the entity must:
• give the relevant Commonwealth body (as defined in section 30BF) a report that is about the incident and includes such information, if any, as is prescribed by the rules (paragraph (c)), and
• do so as soon as practicable, and in any event within 12 hours, after the entity becomes aware that the above circumstances exist (paragraph (d)).

522. A cyber security incident is defined in section 12M as one or more acts, events or circumstances involving unauthorised access, modification or impairment of computer data, a computer program or a computer.

523. Section 30BEA defines 'significant impact'. It is a higher threshold than the 'relevant impact' (see subsection 8G(2)) threshold required for reporting of cyber security incidents under section 30BD.

524. Awareness, for the purposes of this reporting obligation, relates to a Responsible Entity having knowledge of a cyber security incident. Whether or not a Responsible Entity is 'aware' is a question of fact.
Examples of when a Responsible Entity is aware of a cyber security incident include:
• where an employee observes a ransomware lock screen on a responsible entity's computer system
• where an employee observes, in real-time or a history of, unauthorised access to the responsible entity's computer system, or
• where an employee observes an incident or experiences an issue on a computer system and through business as usual processes is expected to seek assistance from the responsible entity's internal IT support or Chief Information Security Officer (CISO). In this scenario, the entity 'becomes aware' for the purpose of the reporting obligation once the entity's internal IT support or CISO confirms the incident is a cyber security incident.

525. Determining whether an incident is having a significant impact on the availability of the asset will be a matter of judgment for the responsible entity. The services being provided by the asset, together with the nature and extent of the cyber security incident, will determine the significance of the incident and whether it meets the threshold of being a critical cyber security incident. For example, a cyber security incident which affects the availability of a critical clearing and settlement facility for a very brief period may have significant economic repercussions, while an incident that affects the availability of a critical education asset for the same period of time may have a substantially lower impact.

526. It is not intended that day-to-day incidents, such as the receipt of a single scam email which is easily recognised and addressed through standard security practices without impacting the asset's operations, are required to be reported under this section, as they would not meet the level of significance required. The impact to be considered under this obligation is limited to the impact on the availability of the asset, and therefore incidents which impact confidentiality and integrity, which may nevertheless be serious, do not need to be reported within 12 hours (these may be captured, however, under the obligation in relation to reporting other cyber security incidents under section 30BD). The Department will provide further guidance and support to industry to assist with identifying what is a significant impact for the purpose of this section in different sectoral contexts.

527. The investigation of a system outage may take time to finalise before it can be determined whether the outage is a result of a 'cyber security incident' as defined by new section 12M of the SOCI Act. Similarly, determining the significance of the impact of the incident may equally take time. In light of this, paragraph (1)(d) means that the obligation to report within 12 hours is only enlivened when the responsible entity becomes aware that the incident meets the above criteria. In practice, the obligation requires the notification of Government to be one of the first steps in the business' incident response plan.

528. The 12 hour time frame for reporting is considered reasonable and proportionate due to the significance of the impact on the critical asset, and the potential for that impact to affect the provision of essential services and have cascading impacts across the economy or the sector. The Government will use the information provided in these reports to proactively engage with the affected entities and provide any support or guidance necessary to respond to the incident. The Government may also proactively engage with affected sectors more broadly, while protecting the information of the reporting entity, if it determines that other entities have been, or will be, subject to the same attack, to provide appropriate assistance and guidance as required.

529. Alternatively, and subject to additional thresholds being satisfied, consideration may be given as to whether the serious cyber incident response powers in Part 3A are required to effectively and appropriately respond to the incident.

530. Further, the requirement for the entity to be aware an incident is a 'cyber security incident' before the obligation is enlivened provides further support for the reasonableness and proportionality of the timeframe.

531. Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure Government is able to engage with the affected entity and provide support or guidance as soon as practicable.

Subsections 30BC(2)-(8)--Form of report etc.

532. Subsection (2) outlines that a report given under subsection (1) may be given orally or in writing.

533. Subsection (3) provides that, if a report is given orally, then the entity must:
• make a written record of the report in the 'approved form' (subparagraph (a)(i)), being the form approved by the Secretary for the purpose of this subparagraph, which will be publicly available on the Department's website (www.cicentre.gov.au)
• give a copy of the written record of the report to the relevant Commonwealth body (subparagraph (a)(ii)), and
• do so within 84 hours of giving the oral report (paragraph (b)).

534. Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure a written record of the incident is provided to the relevant Commonwealth body as soon as possible.

535. Subsection (4) provides that, if a report is given in writing, the responsible entity must ensure that the report is in the 'approved form' (being the form approved by the Secretary for the purpose of this subsection). This approved form will be made publicly available.

536. Breach of this obligation is also subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure information provided to the relevant Commonwealth body is done so uniformly.

537. Subsection 30BC(5) provides that the head of a Commonwealth body (however that head is described) may exempt an entity from the requirement to provide a written report referred to in subsection 30BC(3). An example of a head of a Commonwealth body is the Director-General of ASD.
The exemption may be provided, as an example, because of an agreement made between the Commonwealth body and the entity about the matter.

538. Subsection 30BC(6) provides that an exemption under subsection 30BC(5) is not a legislative instrument. Exempting an entity from the obligation to provide a written report under section 30BC(3) is beneficial to the entity. The exemption will provide the entity with assurance that they will not later be required to provide a written report.
539. Under subsections 30BC(7) and (8), the head of the Commonwealth body may delegate their power to:
• an SES employee or acting SES employee in the Commonwealth body; or
• a person who holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.

540. The delegation power is necessary as a Commonwealth body may frequently be required to provide the exemptions set out in subsection 30BC(5). The SES level (or equivalent) is considered a sufficiently senior level to exercise the power.

Section 30BD Notification of other cyber security incidents

541. New section 30BD of the SOCI Act introduces an obligation for responsible entities for critical infrastructure assets captured by section 30BB to report a cyber security incident to the relevant Commonwealth body in certain circumstances.

542. Under subsection (1), if an entity is a responsible entity for a critical infrastructure asset captured by section 30BB and the entity becomes aware that a cyber security incident is occurring, has occurred, or is imminent and the incident has had, is having, or is likely to have, a relevant impact (whether direct or indirect) on the asset, the entity must:
• give the relevant Commonwealth body (as defined in section 30BF) a report that is about the incident and includes such information, if any, as is prescribed by the rules (paragraph (c)), and
• do so as soon as practicable, and in any event within 72 hours, after the entity becomes aware that the above circumstances exist (paragraph (d)).

543. A relevant impact in this context is defined in new subsection 8G(2) of the SOCI Act to mean an impact on the availability, integrity, reliability or confidentiality of the asset.

544. Awareness, for the purposes of this reporting obligation, relates to a Responsible Entity having knowledge of a cyber security incident. Whether or not a Responsible Entity is 'aware' is a question of fact.
Examples of when a Responsible Entity is aware of a cyber security incident include:
• where an employee observes a ransomware lock screen on a responsible entity's computer system
• where an employee observes, in real-time or a history of, unauthorised access to the responsible entity's computer system, or
• where an employee observes an incident or experiences an issue on a computer system and through business as usual processes is expected to seek assistance from the responsible entity's internal IT support or Chief Information Security Officer (CISO). In this scenario, the entity 'becomes aware' for the purpose of the reporting obligation once the entity's internal IT support or CISO confirms the incident is a cyber security incident.

545. This obligation differs from that outlined at section 30BC in the following key ways:
• section 30BC is concerned with cyber security incidents that have occurred or are occurring, while section 30BD is concerned with cyber security incidents that have occurred, are occurring, or will occur imminently, and
• section 30BC is focused on significant impact on availability of the asset, while section 30BD is focused on any relevant impact.
If an incident has been reported under section 30BC, it does not need to be reported again under section 30BD.

546. The concept of an imminent cyber security incident seeks to capture situations where, for example, a malicious actor is attempting to exploit a known vulnerability. An example of such a situation is where malicious actors are actively exploiting a specific vulnerability on a system, and that vulnerability has not been patched on the entity's system.

547. The impact of these events is not as significant, relatively, and therefore a longer time period is provided for the report to be made (72 hours for section 30BD reports, compared to 12 hours for section 30BC reports). However, it is nevertheless important that these incidents are reported as they may, for example:
• indicate preparatory actions by a malicious actor ahead of further actions which could have a potentially catastrophic impact on the availability of the asset and the essential services it provides, as well as cascading impacts throughout the economy,
• involve persistent targeting or attempted access to a network where the entity believes a compromise is imminent, or
• involve a compromise of sensitive commercial or personal information.

548. Similarly to section 30BC, this section recognises that an investigation into an event may take time to finalise before it can be determined that its source was a cyber security incident as opposed to, for example, a mechanical failure. In light of this, paragraph (1)(d) means that the obligation to report within 72 hours is only enlivened when the responsible entity becomes aware that the incident meets the above criteria. In practice, the obligation requires the notification of Government to be one of the first steps in the business's incident response plan.

549. In light of the above factors, this reporting timeframe is considered reasonable and proportionate. It should also be noted that it aligns with the timeframes for other security reporting obligations such as the European Union's General Data Protection Regulation (GDPR) and the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234. Article 33 of the former imposes on an entity an obligation to notify the relevant supervisory authority of a personal data breach no later than 72 hours. Under the latter, an APRA-regulated entity must notify APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident if certain conditions have been met.

Subsections 30BD(2)-(8)--Form of report etc.

550. Subsection (2) outlines that a report given under subsection (1) may be given orally or in writing.

551. Subsection (3) provides that, if the report is given orally, then the entity must:
• make a written record of the report in the approved form (subparagraph (a)(i)),
• give a copy of the written record of the report to the relevant Commonwealth body (subparagraph (a)(ii)), and
• do so within 48 hours of giving the oral report (paragraph (b)).

552. Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure a written record of the incident is provided to the relevant Commonwealth body without delay.

553. Subsection (4) provides that, if a report is given in writing, the responsible entity must ensure that the report is in the approved form (being the form approved by the Secretary for the purpose of subparagraph (3)(a)(i)). The approved form will be publicly available on the Department's website (www.cicentre.gov.au).

554. Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance to ensure information provided to the relevant Commonwealth body is done so with the requisite detail to make the report effective.

555. Subsection (5) provides that the head of a Commonwealth body (however that head is described) may exempt an entity from the requirement to provide a written report referred to in subsection 30BC(3).
An example of the head of a Commonwealth body is the Director-General of ASD. The exemption may be provided, for example, because of an agreement made between the Commonwealth body and the entity about the matter.

556. Subsection (6) provides that an exemption under subsection (5) is not a legislative instrument. Exempting an entity from the obligation to provide a written report under subsection (3) is beneficial to the entity. The exemption will provide the entity with assurance that they will not later be required to provide a written report.

557. Under subsections (7) and (8), the head of the Commonwealth body may delegate their power to:
• an SES employee or acting SES employee in the Commonwealth body; or
• a person who holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.

558. The delegation power is necessary as a Commonwealth body may frequently be required to provide the exemptions set out in subsection 30BD(5). The SES level (or equivalent) is considered a sufficiently senior level to exercise the power.

Section 30BE Liability

559. New section 30BE of the SOCI Act excludes responsible entities, and their employees etc., from liability when acting in good faith in relation to the obligations to report cyber security incidents as set out in Part 2B.

560. Subsection (1) provides that an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with new sections 30BC or 30BD of the SOCI Act.

561. Subsection (2) provides that an officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).

562. This provision is intended to protect entities from incurring liabilities, such as confidentiality requirements that may exist in contracts with their customers, when complying with these obligations.

Section 30BEA Significant impact

563. Section 30BEA sets out when a cyber security incident is having a 'significant impact' and must therefore be reported under section 30BC. The incident will have a 'significant impact' if:
• the incident has materially disrupted the availability of essential goods or services provided using the asset; or
• any of the circumstances specified in the rules exist in relation to the incident.

564. In assessing whether an incident is a critical cyber security incident, a responsible entity should consider the services being provided by the asset, the impact of a disruption to essential services and the nature and extent of the cyber security incident.

565. A significant impact on the availability of an asset is a material disruption to the essential services provided by that asset. An impact on other functions, for example, certain corporate systems, which do not impact the provision of essential services would not meet this threshold. The intention of providing a threshold for 'significant impact' is to capture more specific and extreme circumstances than what is captured by 'relevant impact' as defined under proposed new section 8G. The significant impact threshold is limited to circumstances which impact the asset's availability (compare with relevant impact, which relates to availability, integrity, reliability and confidentiality). Accordingly, this threshold will be met in circumstances in which a critical infrastructure asset's essential services have been materially disrupted.

566. For example, a cyber security incident which affects the availability of a critical clearing and settlement facility for a very brief period may materially disrupt its essential services, which is likely to result in significant economic repercussions. In contrast, an incident that affects the availability of a critical education asset for the same period of time may have a substantially lower economic material impact on the services provided by that asset. Both assets' essential services are disrupted; however, due to the time sensitive nature of the services provided by a critical clearing and settlement facility, a relatively short disruption will clearly have a significant impact that may be considered 'material'. Accordingly, responsible entities will need to consider the risk of cascading impacts of any disruption to determine when to report a cyber security incident.

Section 30BEB Consultation--rules

567. New section 30BEB relates to rules made under new paragraph 30BEA(b). In summary, section 30BEB requires the Minister to consult entities about proposed rules under section 30BEA that affect the entity. The Minister will be required to provide 28 days for consultation and provide a written response to any submission from the affected entity made within that time period.

Section 30BF Relevant Commonwealth body

568. New section 30BF of the SOCI Act defines the term 'relevant Commonwealth body' for the purpose of Part 2B to be:
• a Department that is specified in Ministerial rules made under section 61 (paragraph (a))
• a body that is established under a law of the Commonwealth and is specified in Ministerial rules (paragraph (b)), or
• if neither paragraph (a) nor (b) applies, ASD (paragraph (c)).

569. This means that, absent any specific Department or Commonwealth body being prescribed in rules under section 61 of the SOCI Act, the relevant Commonwealth body to whom reports are to be made is ASD. Although ASD will be the relevant Commonwealth body to whom reports are made, ASD will not perform a regulatory or compliance role. Cyber incident reports made to ASD will only be used to inform an enhanced cyber threat picture and develop appropriate mitigations and advice.

Item 40 Paragraph 32(4)(c)

570. Under existing section 32 of the SOCI Act, the Minister can give an entity that is a responsible entity for, or operator of, a critical infrastructure asset a written direction requiring the entity to do, or refrain from doing, a specified act or thing within the period specified in the direction (see subsection (2) in particular). Subsection 32(4) outlines matters to which the Minister must have regard before issuing a direction under subsection (2).

571. Item 40 of Schedule 1 to the Bill omits the words 'industry for the critical infrastructure asset' from paragraph 32(4)(c) of the SOCI Act and substitutes the words 'critical infrastructure sector'. The result is that the Minister is now required to have regard to the potential consequences that the direction may have on competition in the relevant 'critical infrastructure sector' as defined in new section 8D of the SOCI Act (see item 21 of Schedule 1 above). This reflects the change in terminology used in the SOCI Act, with the concept of relevant industry being replaced with critical infrastructure sector.

Item 41 At the end of section 32

572. Item 41 of Schedule 1 to the Bill inserts a new subsection (6) at the end of section 32 of the SOCI Act. That subsection provides that section 32 does not, by implication, limit a power conferred by another provision of the SOCI Act. This reflects the addition of other powers, including direction powers, into the SOCI Act and the intention for these amendments to not limit the operation of this existing power.

Item 42 Subparagraph 33(1)(a)(i)

573. Section 33 of the SOCI Act requires the Minister, before giving a direction under subsection 32(2), to consult with certain persons including the First Minister of the State, the Australian Capital Territory or the Northern Territory in which the relevant critical infrastructure asset is located.

574. Item 42 of Schedule 1 to the Bill inserts the words 'wholly or partly' in front of the word 'located' in subparagraph 33(1)(a)(i) of the SOCI Act.
This clarifies that, in circumstances where a critical infrastructure asset has physical locations in different States and Territories, the Minister is required to consult with all relevant First Ministers before issuing a subsection 32(2) direction, noting that this may involve consultation with multiple First Ministers.

Item 43 Subparagraph 33(1)(a)(ii)

575. Item 43 of Schedule 1 to the Bill omits the words 'industry for the critical infrastructure asset' from subparagraph 33(1)(a)(ii) of the SOCI Act and substitutes the words 'critical infrastructure sector'. This drafting aligns with the amendments made to paragraph 32(4)(c) of the SOCI Act (see Item 40 of Schedule 1 to the Bill above).

576. This amendment means that the Minister must consult with each Minister of the State, the Australian Capital Territory, or the Northern Territory, who has responsibility for the regulation or oversight of the relevant critical infrastructure sector in the State or Territory. This reflects the change in terminology used in the SOCI Act, with the concept of relevant industry being replaced with critical infrastructure sector.
Item 44 At the end of Part 3

577. Item 44 of Schedule 1 to the Bill inserts new section 35AAB into Part 3 of the SOCI Act.

Section 35AAB Liability

578. New section 35AAB of the SOCI Act limits the liability of an entity and its officers, employees or agents in relation to acts or omissions done in compliance with a direction made by the Minister under subsection 32(2).

579. Subsection (1) provides that an entity, being a responsible entity for a critical infrastructure asset that has been given a Ministerial direction under subsection 32(2), is not liable to an action or other proceeding for damages for or in relation to an act or omission done or omitted in good faith in compliance with a direction under subsection 32(2).

580. Subsection (2) provides that an officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).

581. A direction made under section 32 may require an entity, or its officers, employees or agents, to do or stop doing certain things in order to address a security risk. Compliance with this power may result in the entity being liable. For example, a direction requiring an entity to cease using the services of a certain provider may result in them breaching contractual obligations with that provider. This provision will ensure that the entity, or its staff, will not be liable when acting in compliance with a lawful direction from the Minister.

Item 45 After Part 3

582. Item 45 of Schedule 1 to the Bill inserts new Part 3A (responding to critical cyber security incidents) into the SOCI Act.
The government assistance powers conferred by Part 3A, exercisable under a Ministerial authorisation granted under Division 2, include powers to:
• gather information from an entity that may assist with determining whether a power under the SOCI Act should be exercised (Division 3)
• direct that an entity do, or refrain from doing, a specified act or thing (Division 4), and
• request that an authorised agency (i.e. ASD) intervene with an entity's operations (Division 5).

583. Existing Part 2 and new Part 2B of the SOCI Act, discussed above, impose obligations on industry to manage risks associated with the operation of critical infrastructure assets. As critical infrastructure assets are increasingly reliant on, and connected via, electronic systems, cyber security vulnerabilities are a matter of increasing and fundamental concern. As malicious actors are exploiting these vulnerabilities on an ever more frequent basis, including in relation to critical infrastructure assets, enhanced powers must be available. Where serious risks do eventuate which affect the ability of the asset to deliver essential services and prejudice Australia's national interests, effective mechanisms are required to resolve the incident. Globally, we have recently witnessed a number of cyber security incidents in relation to critical infrastructure assets that have had significant direct and indirect consequences. The impacts of these cyber incidents have ranged from large scale financial losses to loss of life.

Ukraine power outages, 2015

The 23 December 2015 Ukrainian power outages highlighted the impacts of cyber attacks on critical infrastructure. The attack involved sophisticated malicious actors taking command and control of the Supervisory Control and Data Acquisition (SCADA) systems of three energy distributors, resulting in 30 substations being switched off. The attack disabled or destroyed other digital infrastructure and wiped data from the companies' networks. An employee reportedly watched on helplessly as the malicious actor took substations offline. Concurrently, a call centre that provided up to date information to consumers about the blackout became inoperable due to a denial-of-service attack. While less than 1 per cent of the country's daily consumption of energy was disrupted, the attack left over 225,000 Ukrainians, in the middle of winter, without power for several hours. Two months after the attack, some control centres were still not fully operational, with manual procedures required. However, the potential for far greater consequences remains. Cyber attacks can destroy physical components. With the capability and intent, an attack on the energy sector could result in impacts that are significantly more difficult to repair.
WannaCry, 2017

In 2017, a large-scale ransomware campaign, commonly called WannaCry, affected some 230,000 individuals and over 300,000 computer systems in 150 countries. The incident resulted in an estimated USD$4 billion in financial losses globally. WannaCry targeted vulnerabilities in Microsoft Windows software, impacting communications, financial, transport and healthcare services. This included the United Kingdom's National Health Service, which was forced to turn away non-critical patients and cancel around 20,000 appointments.

Hospital attacks, 2020

Since the COVID-19 pandemic began, hospitals have come under increasing strain due to malicious cyber incidents, particularly ransomware attacks. The March 2020 ransomware attack on Brno University Hospital, one of Czechia's largest COVID-19 testing laboratories, saw the forced shut down of its entire information technology network. In September 2020, Dusseldorf University Hospital suffered a ransomware attack that brought down its computer systems. As a result, an individual being transported to the hospital by ambulance was re-routed to another hospital 30 kilometres away and passed away en route.

584. The Government remains committed, first and foremost, to working in partnership with states, territories and industry, who own, operate and regulate our critical infrastructure, to collaboratively resolve incidents when they do occur and mitigate their impacts. Collaborative resolution will always remain the most effective method of resolving an incident and the Government's first preference. However, noting the importance of the services being provided by these assets and the Government's ultimate responsibility for protecting Australia's national interests, circumstances may arise which require Government intervention. In such emergency circumstances, it is crucial that the Government has last resort powers to respond to the incident or mitigate the risk.

585. Part 3 of the SOCI Act currently provides the Minister for Home Affairs with the power to issue a direction to a reporting entity or operator to require them to take action to mitigate risks that are prejudicial to security. However, as critical infrastructure assets have become increasingly reliant on cyber infrastructure, and noting the rapidly evolving cyber threat environment we currently face, an additional emergency regime is required to address the risk of a particularly serious cyber attack which seriously prejudices Australia's national interests. Without such powers, a single cyber attack could have cascading catastrophic, life threatening consequences.

586. Consultations have revealed a strong community expectation that, in emergency circumstances and as a matter of last resort, the Government will use its significant technical expertise in cyber-defence to protect Australia's national interests and restore the functioning of essential services.
However, consultations also highlighted that these powers must be used only in the most exceptional circumstances. The framework in Part 3A, as discussed below, is subject to a range of stringent safeguards and limitations to ensure that it is only used in the most serious circumstances, in an appropriate manner, and firmly limited to responding to the cyber security incident.

Division 1--Simplified outline of this Part

Section 35AA Simplified outline of this Part

587. New section 35AA of the SOCI Act sets out a simplified outline of Part 3A. The Part provides the Government with certain limited powers to respond to serious cyber security incidents that are impacting critical infrastructure assets.

Division 2--Ministerial authorisation relating to cyber security incident

Section 35AB Ministerial authorisation

588. New section 35AB of the SOCI Act sets out the circumstances in which the Minister may give an authorisation for the Secretary to exercise the government assistance powers under Part 3A in relation to a 'cyber security incident'. 'Cyber security incident' is newly defined in section 12M of the SOCI Act (see Item 32 of Schedule 1 to the Bill above) and includes acts, events or circumstances involving:
• unauthorised access to computer data or a computer program (paragraph (a)),
• unauthorised modification of computer data or a computer program (paragraph (b)),
• unauthorised impairment of electronic communications to or from a computer (paragraph (c)), and
• unauthorised impairment of the availability, reliability, security or operation of a computer, computer data or a computer program (paragraph (d)).

Subsection 35AB(1)--Scope

589. Subsection 35AB(1) creates a high threshold for when a ministerial authorisation can be made under subsection 35AB(2), and ensures that the powers in Part 3A are only used in emergency circumstances, as a last resort and when it is in the national interest. In practice, subsection 35AB(1) ensures that the Secretary will only be authorised by the Minister to use the powers in Part 3A in exceptionally rare or emergency circumstances.

590. Subsection (1) provides that section 35AB applies where the Minister is satisfied of all of the following matters:
• a cyber security incident has occurred, is occurring or is imminent (paragraph (a)),
• the incident has had, is having or is likely to have a relevant impact on a critical infrastructure asset, known as the 'primary asset' (paragraph (b)),
• there is a material risk that the incident has seriously prejudiced, is seriously prejudicing or is likely to seriously prejudice the social or economic stability of Australia or its people, the defence of Australia or national security (including security and international relations) (paragraph (c)), and
• no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident (paragraph (d)).

591. Each of these factors is discussed in turn below.
Paragraph 35AB(1)(a)--A cyber security incident has occurred, is occurring or is imminent

592. Firstly, the Minister must be satisfied that a cyber security incident has occurred, is occurring, or is imminent. 'Cyber security incident' is defined at new section 12M and, broadly speaking, means one or more acts, events or circumstances involving unauthorised access to, modification of, or impairment of computer data, a computer program or a computer.
593. This limits the focus of Part 3A to responding to cyber security incidents. As critical infrastructure assets are increasingly reliant on, and connected via, electronic systems, cyber security vulnerabilities are a matter of increasing and fundamental concern. The Government has particular expertise in responding to cyber threats that may not be available in the private sector.

594. Paragraph (1)(a) also relates to cyber security incidents that have occurred, are occurring or are imminent. A cyber security incident may come with warning or suddenly, and be rapid or prolonged, but nevertheless catastrophic in its impact. This temporal scope is necessary to ensure that the Government may, where all the other criteria are met, provide an effective response as the circumstances require (examples below).
• There may be a credible threat, evidenced by positioning and potentially attacks on related infrastructure, that a malicious actor is about to launch a cyber attack. Therefore it is vital that the Government, when aware an attack is imminent, can if necessary take action to bolster defences in relation to the critical infrastructure asset in order to attempt to prevent the incident, and its consequential impact, from eventuating.
• An attack may occur unexpectedly and action is required to mitigate the impact, including by limiting the extent of compromise. This may include taking steps to prevent further compromise within a network or to segregate systems to limit further damage.
• Where a cyber security incident has occurred, its impact may be significant and sustained. Even after the compromise has been addressed, significant work may be required to restore the functioning of the asset to enable it to recommence providing essential services.

Paragraph 35AB(1)(b)--The cyber security incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset

595. Secondly, the Minister must be satisfied that the cyber security incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset. The exclusive objective of this regime is to defend critical infrastructure assets, in light of their criticality to the social or economic stability of Australia or its people, the defence of Australia, or national security. That is to say, this is not intended to be a regime that can be used to defend assets economy-wide. While cyber security incidents can have significant and costly impacts on assets which are not critical, the ability for the Government to step in is exclusively reserved for critical infrastructure assets given the essential services they provide to the nation. Nevertheless, the Government is committed to working collaboratively with those other entities through other non-regulatory mechanisms to improve cyber resilience and response capabilities.

596. Section 8G provides the definition of a relevant impact in this context, which includes an impact on the availability, integrity, reliability or confidentiality of the asset. The use of 'relevant impact' in paragraph (1)(b) means that a ministerial authorisation cannot be made if the impact, or the likely impact, of the cyber security incident is not sufficiently serious; an impact on the profitability of an asset alone, for example, would not meet this threshold. Rather, the regime is focused on impacts that undermine the intended operation or functioning of a critical infrastructure asset, or put at risk the asset's networks and sensitive information holdings.

597. A relevant impact may occur directly or indirectly. That is to say, a cyber security incident can have a relevant impact on a critical infrastructure asset even if, for example, the incident does not involve a direct compromise of the critical infrastructure asset's systems. This reflects that, due to the complex and extensive interdependencies of critical infrastructure assets, a cyber security incident can significantly impede or compromise the functioning of an asset by targeting a crucial dependency in its supply chain, rendering the primary asset inoperable. Therefore, a Ministerial authorisation may be made in relation to critical infrastructure sector assets, meaning assets that relate to a critical infrastructure sector.

Paragraph 35AB(1)(c)--Material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice

598. Thirdly, the Minister must be satisfied that there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice:
• the social or economic stability of Australia or its people; or
• the defence of Australia; or
• national security.

599. This criterion is important in establishing that the event must be of significant seriousness, that is, that Australia's national interests are at risk. The executive arm of government is best placed to make this assessment, as it requires consideration of a wide range of varying factors on a case-by-case basis.
In particular, this assessment is likely to rely on intelligence about the potential cascading impact of the incident.

600. 'Seriously prejudiced' has its ordinary meaning. In the context of new paragraph 35A(1)(c), the use of 'seriously prejudiced' is designed to ensure that a ministerial authorisation is not made unless the Minister is satisfied that the impact, or likely impact, of the cyber security incident on a critical infrastructure asset can reasonably be considered capable of causing significant damage or harm to Australian interests. To clarify, the Minister may be satisfied that an incident meets this criterion even if it is not impacting on all jurisdictions. Instead, the focus of this provision is on the impact to Australia's various national interests, recognising that an impact on, for example, a particular part of the economy may be nationally significant.
Paragraph 35AB(1)(d)--There is no existing regulatory system that could be used to provide a practical and effective response to the incident

601. Finally, the Minister must be satisfied that there is no existing regulatory system of the Commonwealth, a State or a Territory that could be used to provide a practical and effective response to the incident. This requirement is intended to cement this power as one of last resort, acknowledging the various regulatory regimes that exist across governments which may be utilised to manage risks. However, where those risks exceed the capacity of those systems, this regime will offer an effective and practical response. This ensures that, wherever possible and appropriate, consideration is given to whether existing regimes, which are potentially less invasive or which are designed specifically to address risks associated with particular assets, could be relied upon to effectively respond to the incident.

602. The Minister can be satisfied of this even if those other systems, if any, have not been attempted, so long as the Minister considers that if they were used, they would not provide a practical and effective response. This is to ensure that futile steps are not required to be taken and shown to fail in time-critical situations before an effective response can be initiated. In satisfying themselves of this requirement, the Minister is likely to consult with relevant Commonwealth, State and Territory Ministers, as well as regulators, including any relevant Commonwealth regulator designated under the amended SOCI Act. This may also include receiving referrals for action when an event has escalated beyond their abilities.

Hypothetical scenario: A large energy provider has been the subject of a cyber security incident which impacts its ability to provide electricity to residents of the east coast of Australia.
As a result, large population hubs are without electricity and there are cascading impacts to other critical infrastructure assets, such as outages to critical telecommunications assets and critical hospitals, causing widespread economic and social disruption. The Commonwealth has consulted with the relevant State regulator, who has advised that they do not have the powers to effectively respond to the incident and has requested that the Commonwealth provide assistance.

Subsections 35AB(2)-(4)--Ministerial authorisation

603. When satisfied of the factors in subsection (1), subsection (2) provides that the Minister may, on application by the Secretary, do any or all of the following things:
• authorise the Secretary to give directions to a specified entity under section 35AK (information gathering directions) that relate to the incident and the 'primary asset' or a specified critical infrastructure sector asset (paragraphs (a) and (b)),
• authorise the Secretary to give directions to a specified entity under section 35AQ (action directions) that relate to the incident and the primary asset or a specified critical infrastructure sector asset (paragraphs (c) and (d)), or
• authorise the Secretary to give a specified request under section 35AX (intervention request) that relates to the incident and the primary asset or a specified critical infrastructure sector asset (paragraphs (e) and (f)).

604. Subsection (3) provides that an authorisation made by the Minister under subsection (2) is to be known as a 'Ministerial authorisation'.

605. These various forms of Ministerial authorisation must relate to the cyber security incident, and be made in relation to the primary asset or a specified critical infrastructure sector asset. While in most circumstances the primary asset will be the focus of the Ministerial authorisation, in some circumstances a Ministerial authorisation may be required in relation to a critical infrastructure sector asset.

606. This reflects that, due to the complex and extensive interdependencies of critical infrastructure assets, a cyber security incident can significantly impede or compromise the functioning of an asset by targeting a crucial dependency in its supply chain, rendering the primary asset inoperable. As a result, it may be necessary for defensive action to be taken in relation to an asset other than the critical infrastructure asset itself, although the action must be focused on the protection and restitution of the critical infrastructure asset. This will ensure that the necessary intervention can be made at the most appropriate and effective place within the ecosystem of the critical infrastructure asset. However, the Ministerial authorisation must be made in relation to a critical infrastructure sector asset, limiting the operation of the regime to the critical infrastructure sectors.

607. For example, the Minister may authorise the Secretary to give directions to a specified entity in relation to a specified critical infrastructure sector asset that provides information technology services to a critical infrastructure asset. This may be necessary to better understand the operation of the critical infrastructure asset and inform the Government's understanding of the nature and extent of a cyber compromise. Similarly, a critical infrastructure sector asset may be used as a vector or platform for an attack on a critical infrastructure asset due to connectivity between the respective assets' systems. Therefore an effective response to the incident may need to be made in relation to the critical infrastructure sector asset to assist in mitigating the impacts on the critical infrastructure sector asset.

608. Further, Ministerial authorisations under paragraphs (c)-(d) must specify the direction or request that is being authorised. The Secretary, when taking steps in response to the authorisation, does not have discretion to expand the scope of actions that can be directed or requested. The significance of Ministerial authorisations made under those paragraphs makes it appropriate for their scope to be determined by the Minister.

609. Subsection (4) provides that subsection 33(3AB) of the Acts Interpretation Act, which relevantly provides that a Ministerial authorisation under subsection (2) could be made with respect to a class of assets or cyber security incidents, does not apply. This is appropriate and necessary to include given the serious and invasive nature of the government assistance powers that can be exercised as a result of a Ministerial authorisation, with the effect being that the Minister will need to consider the unique circumstances of each entity to which the authorisation will apply.

Subsections 35AB(5)-(6)--Information gathering directions

610. The first type of Ministerial authorisation that can be made relates to the gathering of information. An effective and appropriate response to a serious cyber security incident requires a strong understanding of the nature and extent of the incident, as well as a strong understanding of the circumstances of the asset, including its cyber maturity, its vulnerabilities and its interdependencies. This information will inform any decisions in relation to further Ministerial authorisations, and be important in ensuring that those Ministerial authorisations are reasonably necessary and proportionate.

611. Subsection (5) provides that a Ministerial authorisation under paragraph (2)(a) or (b), enabling the Secretary to give directions under section 35AK, is generally applicable to the incident and the asset concerned, and is to be made without reference to any specific directions.

612. Under subsection (6), the Minister must not give a Ministerial authorisation under paragraph (2)(a) or (b) unless the Minister is satisfied that the directions under section 35AK that could be authorised by the Ministerial authorisation are likely to facilitate a practical and effective response to the incident.

613. These subsections provide that the Minister may authorise the Secretary to utilise information gathering directions (when the factors outlined in section 35AK are met) if doing so is likely to facilitate a practical and effective response to the incident.
For example, the Minister may consider that the use of the powers in section 35AK is necessary to facilitate a practical and effective response to the incident where the Minister is aware of the severity of the incident but is unsure as to what actions are needed to respond.

614. In comparison to Ministerial authorisations made under paragraphs (2)(c)-(f), the authorisation will not specify the precise content of the direction or directions that can be made by the Secretary. While this provides the Secretary with a degree of discretion in developing information gathering directions, that discretion is limited by section 35AK to ensure that the power is only used in an appropriate way. Further, it is noted that this information gathering power can be used in relation to critical infrastructure sector assets, whereas the Secretary's existing information gathering powers provided in existing section 37 of the SOCI Act are limited to critical infrastructure assets. This broader scope is warranted as the interdependencies between critical infrastructure assets and other assets across the critical infrastructure sectors may mean that information necessary to guide an effective response is held by an entity related to another asset which relates to the critical infrastructure sector.
Hypothetical scenario: A key supplier of logistical services to a critical freight service asset is subject to a cyber security incident which results in the critical freight service asset being unable to distribute medical supplies nationally. While the responsible entity for the critical freight service asset is cooperating with government, the Government requires information from the provider of the logistical services to determine the full extent of the compromise and develop an appropriate response. The Minister for Home Affairs authorises the Secretary of Home Affairs to issue information gathering directions to the supplier, as the entity responsible for the critical infrastructure sector asset, to provide the necessary information. This information is used to jointly develop with the responsible entity an appropriate response to mitigate the impacts of the incident on the critical freight service asset.

Subsections 35AB(7)-(9)--Action directions

615. The second type of Ministerial authorisation that can be made relates to requiring the specified entity to do an act or thing, including an omission. In responding to an incident, the Government acknowledges that an entity's understanding of the systems and operation of the asset means that the entity is best positioned to take the necessary actions to respond to the incident. Therefore, this type of Ministerial authorisation is focused on compelling the entity to take actions, or do things, that are reasonably necessary and proportionate to responding to the incident where the entity is unwilling or unable to respond to the incident.

616. Subsection (7) provides that the Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d), enabling the Secretary to give action directions under section 35AQ, unless the Minister is satisfied of the existence of the circumstances set out in paragraphs (a) to (d).
It should be noted that these criteria are additional to those in subsection (1), of which the Minister must also be satisfied.

617. Firstly, the Minister must be satisfied that the entity is unwilling or unable to take all reasonable steps to respond to the incident (under paragraph (7)(a)). This reflects the Government's continued view that industry are primarily responsible for responding to cyber security incidents and that Government intervention is only to be used in emergencies and as a last resort when industry fail to resolve the incident. The unwillingness of an entity to take all reasonable steps may be driven by various factors, such as profit, reputation, or external influence. However, noting the criticality of the asset and the impact of the incident, as well as the material risk of serious prejudice to Australia's national interest, in these circumstances resolving the incident must take precedence. The inability of an entity to take all reasonable steps may be driven by a technical lack of capacity or capability, or legal constraints such as contractual or legislative requirements relating to continuity of service. Therefore, despite a willingness to resolve the incident, the entity may not be able to do so. For example, an entity may be willing to provide assistance voluntarily but is concerned about incurring liability for disclosing commercially confidential information, and in such circumstances may request that a Ministerial authorisation be made to facilitate them taking the necessary steps to assist in resolving the incident.

618. When considering what reasonable steps to respond to the incident may involve, it is not intended that a different tactical response to that which the Minister would pursue would amount to an unwillingness or inability to take reasonable steps to respond to the incident. The inclusion of the element of reasonableness will require the Minister to consider the various approaches that may be taken to effectively respond to the incident, with steps likely to be considered reasonable if they are capable of effectively and practically resolving the incident. The focus is on ensuring that an adequate response is taken, rather than being prescriptive of the exact response that must be taken.

619. However, it is important to note that certain steps may be regarded as reasonable even if they exceed the capacity or capabilities of the particular entity. Therefore, consideration of whether all reasonable steps are being taken will require consideration of what a reasonable person would expect a business in that position to do or be able to do.

620. Secondly, the Minister must be satisfied that the specified direction is reasonably necessary for the purposes of responding to the incident (under paragraph (7)(b)). This provision appropriately limits the scope of an action direction to ensure it is directly relevant to addressing or responding to the incident. The use of 'reasonably necessary' clarifies that an action direction, and anything that compliance with it would require to be done, must be directly focused on responding to the incident. This is an important safeguard to ensure an action direction cannot be used as a vehicle to require an entity to do, or refrain from doing, an act that goes beyond addressing or responding to the incident.
This reflects that this regime is only to be used to defend critical infrastructure assets from cyber security incidents, and is strictly limited to that purpose. Further, the element of reasonableness will ensure that the required actions are not only necessary but are appropriate in the circumstances.

621. Thirdly, the Minister must be satisfied that the specified direction is a proportionate response to the incident (under paragraph (7)(c)). This provision appropriately limits the scope of an action direction to ensure it is proportionate. While the criteria the Minister must be satisfied of, as set out in subsection (1), highlight that the circumstances in which these powers will be used must be serious, it is equally important that the directions are proportionate in light of all the circumstances. For example, and depending on the particular circumstances, a direction may not be regarded as proportionate if it would result in greater harm to the asset, even if it would practically respond to the incident.

622. In considering proportionality, subsection (8) requires the Minister to have regard to the impact of the direction on the activities carried on by the specified entity and the functioning of the asset concerned, the consequences of compliance with the direction, and any other matters the Minister considers relevant. For example, while taking a computer system offline may be reasonably necessary to mitigate a cyber security incident, if that computer system is necessary for providing life-sustaining equipment, the Minister will need to consider the respective consequences of action and inaction, and whether alternative options are available. Additionally, the Minister may consider the costs for the entity in complying and whether the costs from action would outweigh the costs of inaction, including for the entity and society more broadly. The impact on end-users and customers of the asset may also be a relevant consideration in assessing proportionality.

623. Finally, the Minister must be satisfied that the specified direction is technically feasible (under paragraph (7)(d)). A direction is technically feasible when the direction relates to a course of action that is reasonably possible to execute, or within the existing capability of the relevant entity. A direction is considered not to be technically feasible if there is no technical capability that could be utilised to produce the outcome that is sought. The consultation requirement in section 35AD will be an important mechanism to ensure the Minister has a sound understanding of the entity's technical capabilities and therefore whether this condition is met.

624. Subsection (9) provides further limitations on the scope of what can be authorised by the Minister. A direction must not:
• require the specified entity to permit the authorised agency to do an act or thing that could be the subject of a request under section 35AX (paragraph (a)), or
• require the specified entity to take offensive cyber action against a person who is directly or indirectly responsible for the incident (paragraph (b)).

625. Noting that a Ministerial authorisation in relation to an intervention request is subject to additional safeguards due to the significance of the conduct that may be authorised, paragraph (a) ensures that action directions are not used as a backdoor to compel an entity to permit Government officials access to the asset.
Further, paragraph (b) embeds the defensive nature of the regime, noting that it would not be appropriate to require the entity to take actions against the perpetrator of the attack that are not regarded as defensive. For example, the directions cannot require the entity to 'hack back' or undertake any other actions that may constitute a criminal offence, such as accessing the perpetrator's computer without authority. The focus of these directions is on defending the asset, which may include removing a perpetrator from the asset, but should not extend into actions that would be regarded as offensive. Paragraph (b) does not limit in any way the responsibilities and powers that other agencies, such as the Australian Signals Directorate and Australian Federal Police, have to prevent and disrupt cybercrime under other legislative regimes.
Hypothetical scenario: A critical data storage or processing asset, which hosts sensitive Government information, is subject to a cyber security incident which poses an imminent risk that the confidentiality of the Government information will be compromised. In light of information provided in response to information gathering directions, the Minister for Home Affairs is satisfied that the reconfiguration of the computer network to segregate the compromised computer and prevent the exfiltration of the sensitive Government information is reasonably necessary and proportionate to responding to the incident. Following consultation with the operator of the asset, the Minister for Home Affairs is also satisfied that the entity is unwilling to undertake the required action as it would affect, albeit in a limited way, the provision of services to the data centre's other customers.

Subsections 35AB(10)-(15)--Intervention requests

626. The third type of Ministerial authorisation that can be made relates to intervention requests. Where directing an entity to take specified action would not be practical or effective, it may be necessary for the Government to step in and take the necessary actions to defend the asset. This is a last resort option, within a last resort regime, and will only be used in extraordinary circumstances. However, it must be recognised that in emergencies where Australia's national interests are at risk of serious prejudice and industry is unable to respond, the Government may have unique expertise that could be deployed to prevent an incident, mitigate its impact, or restore the functioning of an asset following an incident. In some circumstances, the cyber capabilities and technical resources of the Australian Signals Directorate will surpass those of industry. Where those circumstances exist, it is reasonable, appropriate and expected that the Government has the powers to respond.
Nevertheless, the significance of these powers necessitates that they are subject to stringent safeguards, limitations and oversight mechanisms to ensure they are only used when absolutely necessary and appropriate.

627. Subsection (10) provides that the Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f), enabling the Secretary to make a request under section 35AQ, unless the Minister is satisfied of the existence of the circumstances set out in paragraphs (a) to (g). It should be noted that these criteria are additional to those in subsection (1), of which the Minister must also be satisfied.

628. Firstly, the Minister must be satisfied that giving a Ministerial authorisation under paragraph (2)(c) or (d) would not amount to a practical and effective response to the incident (under paragraph (10)(a)). Direct Government intervention in relation to assets is appropriately reserved for extraordinary circumstances. To guarantee that this option is only considered as a last resort, the Minister must be satisfied that legally compelling the entity to take the action would not amount to a practical and effective response to the incident. For example, where the Minister has authorised a direction providing that the entity is to take the action and the entity has unreasonably refused to comply with the direction, the Minister may be satisfied that the directions power is not effective. Alternatively, following consultation, the Minister may be aware that the required actions require a level of technical expertise that the entity does not possess, and is not able to acquire, and therefore a Ministerial authorisation for a direction to take the action would not be practical.

629. The Minister is not required to have made an authorisation under paragraph (2)(c) or (d) before the Minister can be satisfied that it would not amount to a practical and effective response to the incident. Noting the time-critical nature of responding to a serious cyber security incident, a requirement to make futile Ministerial authorisations would not be reasonable. Rather, the Minister may, for example, be satisfied of this matter having considered information provided through consultation and information gained through directions issued by the Secretary under section 35K.

630. Secondly, paragraphs (10)(b) and (c) require the Minister to be satisfied that the relevant entity or entities are unwilling or unable to take all reasonable steps to respond to the incident. This provision reflects that there may be multiple relevant entities that have a degree of responsibility for a particular aspect of the asset and may be in a position to take the necessary action. The Minister must be satisfied that none of these entities are willing or able to do so.

631. A relevant entity for an asset is defined in section 5 as an entity that is the responsible entity for the asset, a direct interest holder in relation to the asset, an operator of the asset, or a managed service provider for the asset.

632. This reflects the Government's continued view that industry are primarily responsible for responding to cyber security incidents and that Government intervention is only to be used in emergencies and as a last resort when industry fail to resolve the incident.
The unwillingness of an entity to take all reasonable steps may be driven by various factors, such as profit, reputation, or external influence. However, noting the criticality of the asset and the impact of the incident, as well as the material risk of serious prejudice to Australia's national interest, in these circumstances resolving the incident must take precedence. The inability of an entity to take all reasonable steps may be driven by a technical lack of capacity or capability, or legal constraints such as contractual or legislative requirements relating to continuity of service. Therefore, despite a willingness to resolve the incident, the entity may not be able to do so. For example, an entity may be actively attempting to resolve the incident; however, the advanced nature of the compromise exceeds their technical expertise.

633. When considering what reasonable steps to respond to the incident may involve, it is not intended that a different tactical response to that which the Minister would pursue would amount to an unwillingness or inability to take reasonable steps to respond to the incident. The inclusion of the element of reasonableness will require the Minister to consider the various approaches that may be taken to effectively respond to the incident, with steps likely to be considered reasonable if they are capable of effectively and practically resolving the incident. The focus is on ensuring that an adequate response is taken, rather than being prescriptive of the exact response that must be taken.
634. However, it is important to note that certain steps may be regarded as reasonable even if they exceed the capacity or capabilities of the particular entity. Therefore, consideration of whether all reasonable steps are being taken will require consideration of what a reasonable person would expect a business in that position to do or be able to do.

635. Thirdly, paragraph (10)(d) requires that the Minister be satisfied that the specified request is reasonably necessary for the purposes of responding to the incident. This provision appropriately limits the scope of an action that can be requested to ensure it is directly relevant to addressing or responding to the incident. The use of 'reasonably necessary' clarifies that a request, and anything that compliance with it would require to be done, must be directly focused on responding to the incident. This is an important safeguard to ensure a request, and any action taken in response to that request, cannot be used for any purposes other than responding to the incident. This reflects that this regime is only to be used to defend critical infrastructure assets from cyber security incidents, and is strictly limited to that purpose. Further, the element of reasonableness will ensure that the required actions are not only necessary but are appropriate in the circumstances.

636. Fourthly, paragraph (10)(e) requires that the Minister be satisfied that the specified request is a proportionate response to the incident. This provision appropriately limits the scope of a request, and the actions that may be taken in response to it, to ensure it is proportionate. While the criteria the Minister must be satisfied of, as set out in subsection (1), highlight that the circumstances in which these powers will be used must be serious, it is equally important that the directions are proportionate in light of all the circumstances.
For example, and depending on the particular circumstances, a request may not be regarded as proportionate if the actions that may be taken in response to it would result in greater harm to the asset, even if it would practically respond to the incident.

637. In considering proportionality, subsection (11) requires the Minister to have regard to the impact of compliance with the request on the functioning of the asset concerned, the consequences of compliance with the specified request, and any other matters the Minister considers relevant. For example, while taking a computer system offline may be reasonably necessary to mitigate a cyber security incident, if that computer system is necessary for providing life-sustaining equipment, the Minister will need to consider the respective consequences of action and inaction, and whether alternative options are available. Further, the consequences of the requested actions on the asset itself, its longer-term functioning and associated costs, may also be considered. The impact on end-users and customers of the asset may also be a relevant consideration in considering proportionality. The Minister may also consider the appropriateness of direct Government intervention in relation to a privately owned asset and whether the significance of that step is proportionate in light of the incident and its impacts.

638. Fifthly, paragraph (10)(f) requires that the Minister be satisfied that compliance with the specified request is technically feasible. While the Australian Signals Directorate has extensive and sophisticated capabilities, its resources are not without bounds. Therefore, the Minister must consider whether it would be technically feasible for ASD to undertake the required action. Consultation between the Minister and the Minister for Defence will be important in determining whether the required actions are technically feasible.

639. Finally, paragraph (10)(g) requires that the Minister be satisfied that each of the acts or things specified in the request are acts or things covered by section 35AC. This regime is focused exclusively on cyber security incidents, and founded on the understanding that in some circumstances, the cyber capabilities and resources of the Australian Signals Directorate will surpass those of industry. Reflective of this, the actions requested must be limited to the computer-related actions in which the Australian Signals Directorate has expertise and must not extend more broadly.

640. Subsection (12) provides further limitations on the scope of what can be authorised by the Minister. The Minister must not give a Ministerial authorisation under paragraphs (2)(e) or (f) if compliance with the specified request would involve the authorised agency taking offensive cyber action against a person who is directly or indirectly responsible for the incident. This limitation embeds the defensive nature of the regime, noting that it would not be appropriate to require the entity to take actions against the perpetrator of the attack that are not regarded as defensive. For example, the request cannot require the authorised agency to 'hack back' or undertake any other actions against a perpetrator. The focus of this regime is on defending the asset, which may include removing a perpetrator from the asset, but should not extend into actions that would be regarded as offensive. This subsection does not limit in any way the responsibilities and powers that the ASD may have to prevent and disrupt cybercrime under other legislative regimes.

641. Subsection (13) provides an additional layer of oversight to reflect the significance of these powers.
The Minister must not give a Ministerial authorisation under paragraphs (2)(e) or (f) unless the Minister has obtained the agreement of the Prime Minister and the Defence Minister.

642. The Prime Minister, as leader of the country and chair of the National Security Committee of Cabinet, is well positioned to assess the appropriateness of such an authorisation. The Defence Minister, as the minister responsible for the authorised agency, will ensure that their involvement is appropriate and consistent with other defence priorities and interests. This ensures that an authorisation for an intervention request is subject to a comprehensive triple-lock mechanism, and any action that is intended to be conducted by the authorised agency has been scrutinised by key members of the executive arm of Government. The involvement of the Prime Minister and the Defence Minister will also add additional perspective and balance to the decision-making process to ensure the impact on the entity is appropriate in the circumstances.

643. The agreement required by this subsection may be given orally or in writing (subsection (14)), noting the potential urgency of an effective response. However, subsection (15) provides that, if agreement is given orally by either the Prime Minister or Defence Minister for the purposes of subsection (13), the respective Minister must make a written record of the agreement and give a copy of the written record to the Minister within 48 hours after the agreement is given.
Hypothetical Scenario: During incident response, the authorised agency may require access to various types of data and information, such as system logs and host images, to determine what malicious activity has occurred and what systems have been affected. The authorised agency may also need to install investigation tools, such as host-based sensors or network monitoring capabilities, to analyse the extent of malicious activity and inform effective remediation actions. To remediate the cyber security incident, the authorised agency may need to remove malicious software (e.g. web shells, ransomware, and/or reconnaissance tools), which requires altering/removing data in a computer. The authorised agency may need to conduct these activities on-site with the victim or remotely, where capability exists to do so. The authorised agency may also implement blocking of malicious domains, may disable internet access or may implement other specified mitigations. The authorised agency may also require systems to be patched (altering data) or a change in network configurations, to alter the function of the system, to prevent similar activity. A Ministerial authorisation may be sought for an intervention request relating to each of these specific actions.

Subsection 35AB(16)--Ministerial authorisation is not a legislative instrument

644. Subsection (16) clarifies that a Ministerial authorisation given by the Minister under subsection (2) is not a legislative instrument.
This is reasonable in these circumstances because:

• the public disclosure of an authorisation for an intervention request may not only undermine the ability of the authorised officer to undertake any acts that have been authorised, but may also alert nefarious actors to a potential weakness or vulnerability in a critical infrastructure asset, and

• the authorisation applies the law in a particular circumstance to particular facts, and does not determine or alter the content of the law for the purposes of subsection 8(4) of the Legislation Act.

Subsection 35AB(17)--Other powers not limited

645. Subsection (17) provides that section 35AB does not, by implication, limit a power conferred by another provision of the SOCI Act.

Section 35AC Kinds of acts or things that may be specified in an intervention request

646. New section 35AC of the SOCI Act outlines the kinds of acts or things that a Ministerial authorisation under paragraphs 35AB(2)(e) or (f) may specify in the request to be made by the Secretary under section 35AX for the purposes of paragraph 35AB(10)(g). These conditions serve as another limitation to ensure that the actions are computer-related acts and appropriately targeted at responding to the cyber security incident, and reflect the specialised skills of the authorised agency which in many circumstances surpass those of the private sector.

647. The things covered by section 35AC are:

• accessing or modifying a computer or computer device that is, or is part of, the asset to which the Ministerial authorisation relates (paragraph (a)) - For example, a specified request may be to access a specified computer prior to undertaking an analysis of it (where analysis is also requested).

• undertaking an analysis of a computer, computer program, computer data or a computer device that is, or is part of, the asset (paragraph (b)) - For example, a specified request may be to undertake analysis of network activity through log files or server images to identify malicious software (malware).

• if necessary to undertake the analysis under paragraph (b)--install a computer program on a computer that is, or is part of, the asset (paragraph (c)) - For example, a specified request may be to install a specified computer program to run a vulnerability assessment to identify gaps that require patching.

• access, add, restore, copy, alter or delete data held in a computer or a computer device that is, or is part of, the asset (paragraph (d)) - For example, a specified request may be to identify, access, and delete malware located on a network.

• access, add, restore, copy, alter or delete a computer program that is, or a computer program that is installed on a computer that is, or is part of, the asset (paragraphs (e) and (f)) - For example, a specified request may be to restore a program critical to the asset's operation that was previously deleted as part of a malicious cyber activity.

• alter the functioning of a computer or a computer device that is, or is part of, the asset (paragraph (g)) - For example, a specified request may be to alter the computer's ability to access a computer network, in order to stop it from infecting other computers.

• remove or disconnect, or connect or add, a computer or a computer device to a computer network that is, or is part of, the asset (paragraphs (h) and (i)) - For example, a specified request may be to disconnect an infected Universal Serial Bus (USB) device from a computer to mitigate further spread of malware.

• remove a computer or computer device that is, or is part of, the asset from premises (paragraph (j)) - For example, a specified request may be to physically remove a computer from the premises for further analysis (where analysis is also requested).
Section 35AD Consultation

648. New section 35AD of the SOCI Act outlines consultation requirements that must be completed, subject to listed exceptions, by the Minister before issuing a Ministerial authorisation. This consultation requirement ensures that (wherever possible) affected entities are able to inform Government's use of the powers in Part 3A. The Minister must have regard to any information provided when making a Ministerial authorisation.

649. Subsection (1) provides that, before giving a Ministerial authorisation under paragraphs 35AB(2)(c) or (d) that would enable the Secretary to make an action direction under section 35AQ, the Minister must consult the specified entity unless the delay that would occur in doing so would frustrate the effectiveness of the authorisation.

650. Under subsection (2), before giving an authorisation under paragraphs 35AB(2)(e) or (f) that would enable the Secretary to give an intervention request to the chief executive of the authorised agency, the Minister must:

• if the authorisation is given under paragraph 35AB(2)(e) in relation to a critical infrastructure asset--consult the responsible entity, or entities, for the asset (paragraph (a)), or

• if the authorisation is given under paragraph 35AB(2)(f) in relation to a critical infrastructure sector asset--consult the owner/s or operator/s of the asset that the Minister considers most relevant to the authorisation (paragraph (b)).

651. The Minister is not required to undertake the consultation listed in subsection (2) where the delay that would occur in doing so would frustrate the effectiveness of the authorisation.

652. Subsection 35AD(3) requires the Minister, if required to consult under subsections 35AD(1) or (2), to give the entity a copy of the proposed Ministerial authorisation and provide the entity 24 hours to make a submission.

653. If consultation is not required under subsection 35AD(1) or (2), then subsection 35AD(3) does not apply. For example, if consultation is not required under subsection 35AD(1) or (2) because consultation would frustrate the effectiveness of the Ministerial authorisation, compliance with subsection 35AD(3) is not required.

654. Consultation with affected entities is vital to ensuring the Minister's decisions are informed and appropriate. In particular, this consultation will assist with satisfying the Minister as to whether an entity is unwilling or unable to take all reasonable steps to respond to the incident (see paragraph 35AB(7)(a) and paragraphs 35AB(10)(b)-(c)). It is also important to provide greater information about the circumstances of the incident to determine whether the proposed course of action is reasonably necessary (see paragraph 35AB(7)(b) and paragraph 35AB(10)(d)), proportionate (see paragraph 35AB(7)(c) and paragraph 35AB(10)(e)) and technically feasible (see paragraph 35AB(7)(d) and paragraph 35AB(10)(f)).
655. However, it is equally important to recognise that, due to the emergency nature of the regime, in extreme circumstances compliance with this consultation requirement may impede an effective and timely response to an incident. This is intended to only occur in rare circumstances. For example, the Government may be engaging closely with a particular entity in relation to a cyber security incident involving a particular critical infrastructure asset (Asset 1) and it becomes clear that the malicious actor will imminently gain unauthorised access to another, interconnected, critical infrastructure asset (Asset 2) from the system of Asset 1 and cause catastrophic damage. In such circumstances, the Minister may have sufficient information to determine the particular action that must occur immediately to prevent the compromise but be unable to undertake the required consultation before the actor compromises Asset 2.

656. Where such rare circumstances occur, the Minister will still need to be satisfied of the factors in subsection 35AB(1) as well as subsection 35AB(7) or (10) as relevant. This provides a safeguard by ensuring that the Minister must have sufficient information to form this satisfaction, while allowing for adaptability in the regime. Further, following the making of the authorisation, should the entity bring any concerns to the Minister's attention, subsection 35AH(3) places a duty on the Minister to revoke the authorisation if no longer satisfied of its necessity. Similarly, should the entity raise any concerns with the Secretary which result in the Secretary no longer being satisfied that the Ministerial authorisation is required, subsection 35AH(4) places an obligation on the Secretary to inform the Minister as soon as practicable. This ensures that any consultation that occurs after the Ministerial authorisation is made can be used to inform its continuation or potential revocation.

657. As responsible entities have not been identified in the legislation in relation to critical infrastructure sector assets, due to this being a significantly broader class of assets, the Minister must exercise discretion as to who is the most relevant entity to consult with in relation to the Ministerial authorisation. An owner or operator, or both, may be considered relevant if the Ministerial authorisation will directly affect them or affect an aspect of the asset for which they are responsible. This flexibility will allow for the most appropriate entity or entities to be provided with the opportunity to make representations to the Minister in relation to the proposed authorisation.

Section 35AE Form and notification of Ministerial authorisation

658. New section 35AE of the SOCI Act outlines the permitted forms of a Ministerial authorisation given under subsection 35AB(2), and the requirements to notify relevant entities and other stakeholders about the authorisation being given.

659. Subsection (1) provides that a Ministerial authorisation may be given orally or in writing. However, an authorisation must not be given orally unless the delay that would occur if the authorisation were to be made in writing would frustrate the effectiveness of any directions that may be given under sections 35AK and 35AQ, or any requests that may be given under section 35AX (see subsection (2)).
Subsections 35AE(3)-(5)--Notification of Ministerial authorisations given orally

660. Under subsection (3), if a Ministerial authorisation is given orally, the Minister must make a written record of the authorisation and give a copy of the written record to the Secretary and the IGIS within 48 hours of giving the authorisation. This will ensure there are accurate records of the authorisation. The notification of the IGIS is important to ensure that the Inspector-General has an opportunity to consider whether to exercise any of their oversight powers in relation to the Ministerial authorisation, or actions taken in response to it.

661. Subsection (4) provides that, if a Ministerial authorisation is given orally and relates to a critical infrastructure asset, the Minister must also give a copy of the written record of the authorisation to the responsible entity for the asset within 48 hours of giving the authorisation. In addition, under subsection (5), if a Ministerial authorisation is given orally and relates to a critical infrastructure sector asset that is not a critical infrastructure asset, the Minister must also give a copy of the written record of the authorisation to the most relevant owner/s or operator/s of the asset. These requirements mean that the affected entity is provided with a written copy of the authorisation. This is an important safeguard to ensure the entity has a clear understanding of the extent of the authorisation.

Subsections 35AE(6)-(8)--Notification of Ministerial authorisations given in writing

662. Under subsection (6), if a Ministerial authorisation is given in writing, the Minister must give a copy of the authorisation to the Secretary and the IGIS within 48 hours of giving the authorisation. The notification of the IGIS is important to ensure that the Inspector-General has an opportunity to consider whether to exercise any of their oversight powers in relation to the Ministerial authorisation, or actions taken in response to it.

663. Subsection (7) provides that, if a Ministerial authorisation is given in writing and relates to a critical infrastructure asset, the Minister must also give a copy of the Ministerial authorisation to the responsible entity for the asset within 48 hours of giving the authorisation. In addition, under subsection (8), if a Ministerial authorisation is given in writing and relates to a critical infrastructure sector asset that is not a critical infrastructure asset, the Minister must also give a copy of the Ministerial authorisation to the most relevant owner/s or operator/s of the asset. These requirements mean that the affected entity is provided with a written copy of the authorisation. This is an important safeguard to ensure the entity has a clear understanding of the extent of the authorisation.

Section 35AF Form of application for Ministerial authorisation

664. Subsection 35AB(2) of the SOCI Act (outlined above) provides that the Minister may make a Ministerial authorisation on application by the Secretary. New section 35AF of the SOCI Act outlines requirements for the making of an application by the Secretary for the purpose of subsection 35AB(2).

665. Subsection (1) provides that the Secretary may make the application orally or in writing. Subsection (2) provides that the Secretary must not make an oral request for a Ministerial authorisation unless the delay that would occur, should the application be made in writing, would frustrate the effectiveness of any directions that may be given by the Secretary under sections 35AK or 35AQ, or any requests given under section 35AX.

666. Under subsection (3), if a request for a Ministerial authorisation is made orally, the Secretary is required to make a written record of the application and give a copy of the written record to the Minister within 48 hours of making the application.

667. It is noted that any written request is already required to be given to the Minister under subsection 35AB(2) above.

Section 35AG Duration of Ministerial authorisation

668. New section 35AG of the SOCI Act sets out the duration of a Ministerial authorisation given under subsection 35AB(2).

Subsection 35AG(1)--Scope

669. Subsection (1) provides that section 35AG applies to a Ministerial authorisation given in relation to a cyber security incident and an asset. This is intended to cover all types of Ministerial authorisations that may be given under subsection 35AB(2).

Subsection 35AG(2)--Duration of Ministerial authorisation

670. Subsection (2) provides that, subject to this section, the Ministerial authorisation remains in force for the period specified in the Ministerial authorisation, which must not exceed 20 days. That is, the duration of the Ministerial authorisation is to be included in the authorisation itself and can be for any period up to and including 20 days.

671. Although it is recognised that the comprehensive resolution of a serious cyber security incident is likely to take longer than 20 days, this maximum timeframe is intended to reflect the emergency nature of the intervention. This regime is only intended to be used as a last resort to achieve outcomes that are considered necessary in light of the severity of the impact to the nation and for no longer than strictly necessary.
It is noted that subsection 35AH(3) requires the Minister to revoke an authorisation if satisfied that it is no longer required, further ensuring that the authorisation does not continue for any longer than necessary.

Subsections 35AG(3)-(5)--Fresh Ministerial authorisations

672. Under subsection (3), if a Ministerial authorisation is in force, the SOCI Act does not prevent the Minister from giving a further fresh Ministerial authorisation that is in the same, or substantially the same, terms as the original authorisation and that comes into force immediately after the expiry of the original authorisation.

673. In deciding whether to give a fresh Ministerial authorisation in accordance with subsection (3), in addition to the various factors the Minister must be satisfied of in section 35AB, the Minister must also have regard to the number of occasions on which Ministerial authorisations have been made in relation to the incident and the asset (under subsection (4)). Subsection (5) clarifies that subsection (4) does not, however, limit the matters to which the Minister may have regard in deciding whether to give a fresh Ministerial authorisation.

674. These subsections are intended to allow the Minister, if satisfied that a Ministerial authorisation continues to be required, to make a fresh authorisation. However, in making a further authorisation, the Minister must meet all the requirements that would ordinarily be required in relation to the making of a Ministerial authorisation, in addition to having regard to the extra consideration in subsection (4).

Section 35AH Revocation of Ministerial authorisation

675. New section 35AH of the SOCI Act sets out how a Ministerial authorisation given under subsection 35AB(2) can be revoked.

Subsection 35AH(1)--Scope

676. Subsection (1) provides that section 35AH applies to a Ministerial authorisation that is in force in relation to a cyber security incident and an asset. This is intended to cover all types of Ministerial authorisations that may be given under subsection 35AB(2).

Subsection 35AH(2)--Power to revoke Ministerial authorisation

677. Subsection (2) provides that the Minister may, in writing, revoke a Ministerial authorisation. The revocation must be made in writing, and cannot be done orally.

Subsections 35AH(3)-(4)--Duty to revoke Ministerial authorisation

678. Under subsection (3), if the Minister is satisfied that the Ministerial authorisation is no longer required to respond to the cyber security incident concerned, the Minister must, in writing, revoke the authorisation.

679. Subsection (4) further provides that, if the Secretary is satisfied that the Ministerial authorisation is no longer required to respond to the cyber security incident, the Secretary must notify the Minister that the Secretary is so satisfied, and do so as soon as practicable after the Secretary becomes so satisfied.
This notification will cause the Minister to reconsider the Ministerial authorisation and, if no longer satisfied that it is required, subsection (3) would require it to be revoked.

Subsections 35AH(5)-(7)--Notification of revocation

680. Subsection (5) provides that, if any Ministerial authorisation is revoked, the Minister must give a copy of the revocation to the Secretary, the IGIS and each relevant entity to which the authorisation relates within 48 hours of the revocation.

681. Under subsection (6), if the revocation relates to a critical infrastructure asset, the Minister must also give a copy of the revocation to the responsible entity for the asset. Subsection (7) further provides that, if the revocation relates to a critical infrastructure sector asset that is not a critical infrastructure asset, the Minister must also give a copy of the revocation to the owner or operator of the asset the Minister considers to be most relevant.

Subsection 35AH(8)--Revocation is not a legislative instrument

682. Subsection (8) clarifies that a revocation of a Ministerial authorisation is not a legislative instrument. This is reasonable in these circumstances because:

• the public disclosure of the authorisation may reveal weaknesses or vulnerabilities in critical infrastructure assets that could be exploited by nefarious actors or otherwise cause damage in relation to the asset, and

• the authorisation applies the law in a particular circumstance to particular facts, and does not determine or alter the content of the law for the purposes of subsection 8(4) of the Legislation Act.

Subsection 35AH(9)--Application of Acts Interpretation Act 1901

683. Subsection (9) provides that section 35AH does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act to an instrument made under a provision of the SOCI Act (other than Part 3A).

Section 35AJ Minister to exercise powers personally

684. New section 35AJ of the SOCI Act provides that the power of the Minister under Division 2 of Part 3A (in particular under subsection 35AB(2) to give a Ministerial authorisation) may only be exercised by the Minister personally and cannot be delegated on an implied basis, noting that there is no express provision enabling delegation of the Minister's powers in the SOCI Act or included in the Bill. Given the serious nature of the powers in Part 3A, it is reasonable and appropriate to require these powers to be exercised personally by the elected official with responsibility for ensuring the security of Australia's critical infrastructure.

Division 3--Information gathering directions

685. New Division 3 of Part 3A of the SOCI Act provides for the Secretary, when authorised to do so by the Minister, to give directions to entities to provide information to the Secretary.

Section 35AK Information gathering direction

686. New section 35AK of the SOCI Act sets out when the Secretary may give an information gathering direction.
Subsection 35AK(1)--Scope 687. Subsection (1) provides that section 35AK applies if a Ministerial authorisation has been given under paragraphs 35AB(2)(a) or (b) in relation to a cyber security incident and an asset. Subsections 35AK(2)-(6)--Direction 688. Subsection (2) applies where an entity is a relevant entity for the asset to which the Ministerial authorisation relates and the Secretary has reason to believe that the entity has information that may assist with determining whether a power under this Act should be exercised in relation to the incident and the asset. In these circumstances, the Secretary may direct the entity to: • give any such information to the Secretary (paragraph (c)), and • do so within the period, and in the manner, specified in the direction (paragraph (d)). 689. An effective and appropriate response to a serious cyber security incident requires a strong understanding of the nature and extent of the incident, as well as a strong understanding of the circumstances of the asset including its cyber security maturity, its vulnerabilities and its interdependencies. This information will inform any decisions in relation to further Ministerial authorisations, and be important in ensuring that those Ministerial authorisations are reasonably necessary and proportionate. 690. A direction under subsection (2) may be given under a Ministerial authorisation given under paragraphs 35AB(2)(a) or (b). These types of Ministerial authorisations differ from other types outlined in paragraphs 35AB(2)(c) to (f). In particular, Ministerial authorisations given under paragraphs 35AB(2)(a) and (b) provide a level of discretion to the Secretary to determine the content of the Secretary's directions under subsection (2), as well as allowing multiple directions to be made, subject to the conditions set out in section 35AK. 
By comparison, Ministerial authorisations given under paragraphs 35AB(2)(c) to (f) only permit the Secretary to make directions or requests that are explicitly authorised by the Minister.

691. This flexibility in relation to information gathering directions reflects the fact that the directions that can be made under subsection (2) are less invasive than the types of directions that can be given under the Ministerial authorisations to which paragraphs 35AB(2)(c) to (f) relate, and that information gathering can be an iterative process for which administrative flexibility is required to achieve an effective outcome. The information provided in response to one direction may raise the need for further information to be provided, precipitating a further direction to be given by the Secretary under the same Ministerial authorisation. For example, the information provided may reveal that a particular part of a computer network has been compromised; to assist in determining whether a Ministerial authorisation is required for an action direction, the Secretary may first need to know the purpose and significance of that part of the system and any mitigation measures in place.
692. Under subsection (3), the period specified in the direction under paragraph (2)(d) must end at or before the end of the period for which the Ministerial authorisation is in force, noting that the authorisation can be in force for a specified period not exceeding 20 days (subsection 35AG(2)).

693. Subsections (4) and (5) provide further limitations on the giving of directions under subsection (2). Subsection (4) provides that the Secretary must not give a direction under subsection (2) unless the Secretary is satisfied that the direction is a proportionate means of obtaining the information (paragraph (a)) and that compliance with the direction by the entity is technically feasible (paragraph (b)).

694. The proportionality test at paragraph (4)(a) is intended to ensure the Secretary considers whether the information can be obtained through other, less invasive avenues, and whether the value of the information in assisting with determining whether a power under the Act should be exercised is proportionate to the nature of the request.

695. The requirement for directions to be technically feasible under paragraph (4)(b) is a further limitation on the information gathering directions that can be issued by the Secretary. A direction is technically feasible when it relates to a course of action that is reasonably possible to execute, or within the existing capability of the relevant entity. A direction is not technically feasible if there is no technical capability that could be utilised to produce the outcome that is sought. For example, a direction to produce a data set that does not exist, and cannot technically be generated, would not be regarded as technically feasible.

696. The consultation requirement at subsection (6) ensures that the affected entities are afforded an opportunity to provide meaningful advice and guidance to the Secretary when determining the proportionality and technical feasibility of a direction.
However, this consultation requirement does not apply if the delay that would occur in complying with the requirement would frustrate the effectiveness of the direction.

697. In addition, subsection (5) provides a further limitation on the directions that the Secretary can give under this section to ensure they are reasonable and appropriate. Subsection (5) provides that the Secretary must not give a direction that would require the entity to:
• do an act or thing that would be prohibited by section 7 or 108 of the Telecommunications (Interception and Access) Act 1979 (the TIA Act) (paragraphs (a) and (b)), or
• do an act or thing that would, disregarding the SOCI Act, be prohibited by section 276, 277 or 278 of the Telecommunications Act (paragraph (c)).

698. The TIA Act and the Telecommunications Act, respectively, provide specific protections for telecommunications data, including stored communications and data relating to the provision of carriage services, and for that data only to be accessible where the specific authorisation provisions in those Acts are available. The intention of subsection (5) of this
section is to ensure that a direction given by the Secretary under subsection (2) does not enable the Secretary to collect such telecommunications data. Should this information be required, the dedicated mechanisms provided in the TIA Act and the Telecommunications Act would need to be used. This regime is not to be used as an alternative pathway to access those forms of information.

Subsection 35AK(7)--Other powers not limited

699. Subsection (7) provides that section 35AK does not, by implication, limit a power conferred by another provision of the SOCI Act. This ensures that the other powers in the SOCI Act, such as the Secretary's existing information gathering powers at section 37 of the Act, are not taken to be limited as a result of this power. It is important to note that the Secretary's powers under section 37 are limited to a reporting entity for, or an operator of, a critical infrastructure asset, while a Ministerial authorisation made under paragraph 35AB(2)(b) may extend to a relevant entity for a critical infrastructure sector asset.

Section 35AL Form of direction

700. New section 35AL of the SOCI Act provides that a direction from the Secretary under section 35AK may be given orally or in writing (see subsection (1)). Under subsection (2), the Secretary must not give a direction orally unless the delay that would result from doing so in writing would frustrate the effectiveness of the direction. Under subsection (3), if the Secretary gives a direction orally, the Secretary must make a written record of the direction and give a copy of the written record to the entity to which the direction relates within 48 hours of the direction being given.

Section 35AM Compliance with an information gathering direction

701. New section 35AM of the SOCI Act requires an entity to comply with a direction given to the entity under section 35AK to the extent that the entity is capable of doing so.
That an entity will not be in breach of this obligation if it is not capable of complying is important in order to accommodate, for example, situations where consultation has not been able to occur (see subsection 35AK(6)) and therefore the entity was not able to inform the Secretary that compliance would not be technically feasible.

702. Breach of this obligation is subject to a civil penalty of up to 150 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance with an information gathering direction. This penalty is commensurate with the penalty for non-compliance with an obligation to comply with directions under the ATSA and MTOFSA. The penalty reflects the importance of enabling government to obtain information relevant to the prevention of, mitigation of or restoration from a serious cyber security incident in a timely and effective manner.
Section 35AN Self-incrimination etc.

703. New section 35AN of the SOCI Act provides that:
• an entity is not excused from giving information under section 35AK (as required under section 35AM) on the ground that the information might tend to incriminate the entity (subsection (1)), and
• if an individual would ordinarily be able to claim the privilege against self-exposure to a penalty in relation to giving information under section 35AK, the individual is not excused from giving information under that section on that ground (subsection (2)).

704. A note to subsection (2) indicates that a body corporate is not entitled to claim the privilege against self-exposure to penalty.

705. This provision highlights the importance of the information being sought in providing the necessary understanding to support Government's decisions as to the actions necessary to respond to a serious cyber security incident. The information is not intended to be used for a compliance purpose (as reflected by section 35AP), and it is crucial that timely and accurate information is provided to prevent further prejudice to Australia's national interests.

Section 35AP Admissibility of information etc.

706. New section 35AP of the SOCI Act limits how information given to the Secretary under a section 35AK direction can be admitted into evidence. This provides important protections for the entity, noting that section 35AN abrogates its ordinary rights in relation to self-incrimination and exposure to penalty. Under this section, such information is not admissible in evidence against an entity:
• in criminal proceedings other than proceedings for an offence against section 137.1 or 137.2 of the Criminal Code (which relate to providing false or misleading statements and documents to the Commonwealth) that relates to the SOCI Act (paragraph (c)), and
• in civil proceedings other than proceedings for the recovery of a penalty in relation to a contravention of section 35AM (paragraph (d)).

707.
When read together, sections 35AN and 35AP facilitate open and transparent information gathering to support the operation of the Part in emergencies, while guaranteeing that the information provided by the entity cannot later be admitted as evidence in a proceeding against the entity except in relation to failing to comply with the direction, or doing so in a false or misleading manner.

708. This provision is important to encourage open and accurate reporting, noting the importance of the information being provided; it equally balances the impact of new section 35AN by ensuring that the information provided is not used against the individual as
evidence. This position reflects that this information is not being sought for a compliance purpose but rather to protect critical infrastructure in an emergency.

Division 4--Action directions

709. New Division 4 of Part 3A of the SOCI Act provides for the Secretary, when authorised to do so by the Minister, to give directions to relevant entities to take, or refrain from taking, certain actions in the circumstances outlined below.

Section 35AQ Action direction

710. New section 35AQ of the SOCI Act provides that the Secretary may, pursuant to a Ministerial authorisation, give the relevant entity for a critical infrastructure asset or a critical infrastructure sector asset a direction that directs the entity to do, or refrain from doing, a specified act or thing within the period specified in the direction (see subsection (1)).

711. Under subsection (2), the Secretary must not give a direction under section 35AQ unless the direction:
• is identical to a direction specified in a Ministerial authorisation under paragraph 35AB(2)(c) or (d) (paragraph (a))
• includes a statement to the effect that the direction is authorised by the Ministerial authorisation (paragraph (b)), and
• specifies the date on which the Ministerial authorisation was given (paragraph (c)).

712. The effect of paragraph 35AQ(2)(a) is that the Secretary actions the direction that is authorised by the Minister.

713. A note to subsection (2) reminds the reader that a Ministerial authorisation must not be given unless, amongst other things, the Minister is satisfied that the direction is reasonably necessary for the purposes of responding to a cyber security incident, as outlined under section 35AB above (see paragraph 35AB(7)(b) in particular).

714.
Subsection (3) provides that the period specified in the direction (see subsection (1)) must end at or before the end of the period for which the Ministerial authorisation is in force, noting that the authorisation can be in force for a period no longer than 20 days under subsection 35AG(2). The intention of this provision is to clarify that a direction authorised under a Ministerial authorisation cannot extend beyond the authorisation itself. This reflects that the direction is the operationalising of the authorisation.

715. Subsection (4) provides that a direction under section 35AQ is subject to such conditions, if any, as are specified in the direction. This provides flexibility and ensures any direction can be narrowed to reflect the unique circumstances of the incident.
716. Under subsection (5), the Secretary must not give a direction under section 35AQ that would require an entity to give information to the Secretary. The more appropriate mechanism to require information to be provided is an information gathering direction under Division 3 of Part 3A of the SOCI Act, as outlined above. That mechanism has been designed for that express purpose and has tailored and proportionate safeguards, and therefore should be the mechanism used to gather information should it be required.

Subsection 35AQ(6)--Other powers not limited

717. Subsection (6) provides that section 35AQ does not, by implication, limit a power conferred by another provision of the SOCI Act.

Section 35AR Form of direction

718. New section 35AR of the SOCI Act provides that a direction given by the Secretary under section 35AQ may be given orally or in writing (subsection (1)). Under subsection (2), the Secretary must not, however, give a direction orally unless the delay that would result from doing so in writing would frustrate the effectiveness of the direction. Under subsection (3), if the Secretary gives a direction orally, the Secretary must make a written record of the direction and give a copy of the written record to the entity to which the direction relates within 48 hours of the direction being given.

Section 35AS Revocation of direction

719. New section 35AS of the SOCI Act sets out how a direction given by the Secretary under section 35AQ is revoked.

Subsection 35AS(1)--Scope

720. Subsection (1) provides that section 35AS applies if a direction is in force under section 35AQ in relation to a Ministerial authorisation (given under paragraph 35AB(2)(c) or (d)) and the direction was given to a particular entity.

Subsection 35AS(2)--Power to revoke direction

721. Subsection (2) provides that the Secretary may, by written notice given to the entity, revoke the direction.
This means that the Secretary may elect to revoke the direction should the Secretary consider that it is no longer appropriate (see in particular subsection 35AS(3)).

Subsection 35AS(3)--Duty to revoke direction

722. Under subsection (3), if the Secretary is satisfied that the direction is no longer required to respond to the cyber security incident to which the Ministerial authorisation relates, the Secretary must, by written notice given to the entity, revoke the direction. This is an important safeguard to ensure that the direction is not in place for any longer than strictly necessary. It also ensures that, should continued engagement with the entity reveal new information which changes the need for the direction, or the circumstances themselves
change so as to render the direction no longer necessary, the Secretary has a duty to revoke the direction. For example, if the direction relates to deleting a computer program and, as a result of unauthorised activity, that program has already been deleted, then upon learning of this the Secretary must revoke the direction.

Subsection 35AS(4)--Automatic revocation of direction

723. Subsection (4) provides that, if the Ministerial authorisation ceases to be in force (either by expiration of the duration of the authorisation under subsection 35AG(2) or revocation under section 35AH), the direction is automatically revoked. As the direction is operationalising the authorisation, the termination of the authorisation appropriately triggers the termination of the direction to ensure that no unauthorised action occurs.

Subsection 35AS(5)--Application of Acts Interpretation Act 1901

724. Subsection (5) provides that section 35AS does not, by implication, limit a power conferred by another provision of the SOCI Act.

Section 35AT Compliance with direction

725. New section 35AT of the SOCI Act provides that an entity commits an offence if all of the following apply:
• the entity is given a direction by the Secretary under section 35AQ (paragraph (a))
• the entity engages in conduct after receiving the direction (paragraph (b)), and
• the entity's conduct breaches the direction (paragraph (c)).

726. Subsection (1) provides that the offence does not apply if the entity took all reasonable steps to comply with the direction. This is intended to ensure that the entity is not liable for failing to comply with the direction when compliance is not technically possible, for example due to an unforeseen lack of capability, or due to changing circumstances.
For example, a direction may require the entity to alter the configuration settings of a computer program, but before it can do so the malicious actor renders the computer on which the program sits inaccessible, making compliance impossible. However, this subsection is not intended to provide an avenue to excuse unwillingness to comply with the direction.

727. The penalty for this offence is imprisonment for 2 years or 120 penalty units, or both. If the entity who commits the offence is a corporation, the penalty will be 600 penalty units by application of subsection 4B(3) of the Crimes Act. This penalty is a proportionate response based on the nature of the conduct and is designed to deter non-compliance with an action direction. This penalty is commensurate with the offence of obstruction of Commonwealth public officials at section 149.1 of the Criminal Code. This offence has a similar purpose to section 149.1 of the Criminal Code, and the penalty reflects the
significance of the circumstances that led to the direction being issued, and the potential prejudice to Australia's national interest should it not be complied with.

Section 35AV Directions prevail over inconsistent obligations

728. New section 35AV of the SOCI Act provides that, if an obligation under the SOCI Act is applicable to an entity, the obligation has no effect to the extent to which it is inconsistent with a direction given to the entity by the Secretary under section 35AQ. This provision ensures that any action required under section 35AQ takes precedence over any potentially contradictory requirements under other parts of the SOCI framework. The primacy of the directions reflects that an appropriate response to an emergency may warrant a deviation from the other obligations contained in the Act.

Section 35AW Liability

729. New section 35AW of the SOCI Act provides that:
• an entity is not liable to an action or other proceedings for damages for or in relation to an act done or omitted in good faith in compliance with a direction given under section 35AQ (subsection (1)), and
• an officer, employee or agent of an entity is not liable to an action or other proceedings for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1) (subsection (2)).

730. This ensures that relevant entities, when acting in response to a compulsory legal direction, are not subjected to civil liabilities. The absence of such an immunity would result in the entity being forced to choose between complying with the lawful direction and, for example, its contractual obligations. Noting that the objective of the directions is to respond to a serious cyber security incident that poses a material risk of serious prejudice to Australia's national interests, it is important that there are no barriers to the entity complying with such a direction and that it is not penalised for doing so.
For example, a direction may require the entity, or its representatives, to temporarily disable customers' access to a particular system because that system is being exploited by the malicious actor and needs to be reconfigured to uplift its security. Compliance with such a direction may breach contractual arrangements the entity, or its representatives, have with their customers in relation to continuity of service.

Division 5--Intervention requests

731. New Division 5 of Part 3A of the SOCI Act provides for the Secretary, when authorised to do so by the Minister, to make requests to the chief executive of the authorised agency.
Section 35AX Intervention request

732. New section 35AX of the SOCI Act empowers the Secretary to give the chief executive of the authorised agency a request that the authorised agency do one or more specified acts or things within the period specified in the request (see subsection (1)). The chief executive of the authorised agency is defined in section 5 to mean the Director-General of ASD.

733. Subsection (2) provides that the Secretary must not give a request under subsection (1) unless the request:
• is identical to a request specified in a Ministerial authorisation under paragraph 35AB(2)(e) or (f) (paragraph (a))
• includes a statement to the effect that the request is authorised by the Ministerial authorisation (paragraph (b)), and
• specifies the date on which the Ministerial authorisation was given (paragraph (c)).

734. A note to subsection (2) reminds the reader that a Ministerial authorisation must not be given unless, amongst other things, the Minister is satisfied that the request is reasonably necessary for the purposes of responding to a cyber security incident, as outlined under section 35AB above (see paragraph 35AB(10)(d) in particular).

735. Subsection (3) provides that the period specified in the request (see subsection (1)) must end at or before the end of the period for which the Ministerial authorisation is in force, noting that the authorisation can be in force for a period no longer than 20 days under subsection 35AG(2). The intention of this provision is to clarify that a request authorised under a Ministerial authorisation cannot extend beyond the authorisation itself. This reflects that the request is the operationalising of the authorisation.

736. Subsection (4) provides that a request under section 35AX is subject to such conditions, if any, as are specified in the request. This provides flexibility and ensures any request can be narrowed to reflect the unique circumstances of the incident.

737.
Subsection (5) provides that a request made by the Secretary does not extend to:
• doing an act or thing that would be prohibited by section 7 or 108 of the TIA Act (paragraphs (a) and (b)), or
• doing an act or thing that would, disregarding the SOCI Act, be prohibited by section 276, 277 or 278 of the Telecommunications Act (paragraph (c)).

738. The TIA Act and the Telecommunications Act, respectively, provide specific protections for telecommunications data, including stored communications and data relating to the provision of carriage services, and for that data only to be accessible where the specific
authorisation provisions in those Acts are available. The intention of subsection (5) of this section is to ensure that a request given by the Secretary under subsection (2) does not enable the authorised agency to collect such telecommunications data. Should this information be required, the dedicated mechanisms provided in the TIA Act and the Telecommunications Act would need to be used. This regime is not to be used as an alternative pathway to access those forms of information.

Subsection 35AX(6)--Other powers not limited

739. Subsection (6) provides that section 35AX does not, by implication, limit a power conferred by another provision of the SOCI Act.

Section 35AY Form and notification of request

740. New section 35AY of the SOCI Act provides that a request under section 35AX may be given orally or in writing (see subsection (1)). The Secretary must not, however, give a section 35AX request orally unless the delay that would result from doing so in writing would frustrate the effectiveness of the request (subsection (2)).

Subsections 35AY(3)-(5)--Notification of requests given orally

741. Subsection (3) requires the Secretary, if a request is given orally, to make a written record of the request and give a copy of the written record of the request to the chief executive of the authorised agency within 48 hours of giving the request.

742. If a request is given orally in relation to a critical infrastructure asset, under subsection (4), the Secretary must give a written record of the request to the responsible entity for that asset within 48 hours of giving the request.
Alternatively, under subsection (5), if a request is given orally in relation to a critical infrastructure sector asset that is not a critical infrastructure asset, the Secretary must also give a written record of the request to the owner/s or operator/s of that asset that the Secretary considers to be most relevant to the request. These obligations will ensure that affected entities have sufficient visibility of the exact scope of the request. Should the entity consider that the approved staff member of the authorised agency, when acting in response to the request, exceeds the scope of the request, the entity will be able to make a complaint to the Inspector-General of Intelligence and Security.

Subsections 35AY(6)-(8)--Notification of requests given in writing

743. Subsection (6) requires the Secretary to provide a copy of a written request under section 35AX to the chief executive of the authorised agency within 48 hours of making the request.
744. If a request is given in writing in relation to a critical infrastructure asset, under subsection (7), the Secretary must give a written record of the request to the responsible entity for that asset within 48 hours. In addition, under subsection (8), if a request is given in relation to a critical infrastructure sector asset that is not a critical infrastructure asset, the Secretary must give a written record of the request to the owner/s or operator/s of that asset that the Secretary considers to be most relevant to the request within 48 hours.

Section 35AZ Compliance with request

745. New section 35AZ of the SOCI Act is intended to clarify that the authorised agency is authorised to do an act or thing in compliance with a request under section 35AX (see subsection (1)). This provision clarifies that the authorised agency has lawful authority to do acts or things in compliance with a request.

746. Subsection (2) is a deeming provision, which provides that an act or thing done by the authorised agency in compliance with a request under section 35AX is taken to be done in the performance of the function conferred on the authorised agency by paragraph 7(1)(f) of the Intelligence Services Act, which provides that it is a function of ASD to cooperate with and assist bodies referred to in section 13A in accordance with that section.

747. Section 13A of the Intelligence Services Act provides that an agency governed by the Act may cooperate with and assist the bodies listed in subsection 13A(1) in the performance of their functions, subject to any arrangements made or directions given by the responsible Minister for that agency (paragraph 13A(2)(a)) and upon request from the head of the body (paragraph 13A(2)(b)). Paragraph 13A(1)(c) lists a Commonwealth authority, or a State authority, that is prescribed by the regulations for the purpose of that paragraph as a body that an agency may cooperate with and assist.
It is proposed that the Department of Home Affairs, being the Department administered by the Minister administering the SOCI Act, will be prescribed in regulations on or before the commencement of the Bill, meaning that it is possible for ASD to have the function of cooperating with and assisting the Department of Home Affairs.

748. The effect of subsection (2) is that any activities done by ASD in relation to a request from the Secretary under section 35AX will be within the existing functions of ASD for the purposes of the Intelligence Services Act.

Section 35BA Revocation of request

749. New section 35BA of the SOCI Act sets out the circumstances in which a request under section 35AX is revoked.

Subsection 35BA(1)--Scope

750. Subsection (1) provides that section 35BA applies if a request is in force under section 35AX in relation to a Ministerial authorisation (given under paragraph 35AB(2)(e) or (f)).
Subsection 35BA(2)--Power to revoke request

751. Subsection (2) provides that the Secretary may, by written notice given to the chief executive of the authorised agency, revoke the request.

Subsection 35BA(3)--Duty to revoke request

752. Under subsection (3), if the Secretary is satisfied that the request is no longer required to respond to the cyber security incident to which the Ministerial authorisation relates, the Secretary must, by written notice given to the chief executive of the authorised agency, revoke the request. This is an important safeguard to ensure that the request is not in place for any longer than strictly necessary. It also ensures that, should continued engagement with the entity reveal new information which changes the need for the request, or the circumstances themselves change so as to render the request no longer necessary, the Secretary has a duty to revoke the request. For example, if the entity advises, and the Secretary is satisfied, that the entity has been able to take all reasonably necessary steps to respond to the incident, the Secretary must revoke the request.

Subsection 35BA(4)--Automatic revocation of request

754. Subsection (4) provides that, if the Ministerial authorisation ceases to be in force (either by expiration of the duration of the authorisation under subsection 35AG(2) or revocation under section 35AH), the request is automatically revoked. As the request is operationalising the authorisation, the termination of the authorisation appropriately triggers the termination of the request to ensure that no unauthorised actions occur.

Subsection 35BA(5)--Notification of revocation of request

755.
Under subsection (5), if a request under section 35AX is revoked by the Secretary, the Secretary must give a copy of the revocation to the chief executive of the authorised agency and each relevant entity for the asset as soon as practicable after the revocation.

Subsection 35BA(6)--Application of Acts Interpretation Act 1901

756. Subsection (6) provides that section 35BA does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to provisions of the SOCI Act other than those in Part 3A.

Section 35BB Relevant entity to assist the authorised agency

757. New section 35BB of the SOCI Act makes it a requirement for an entity to assist the authorised agency for the purposes of complying with a request made by the Secretary under section 35AX.
758. Under subsection (1), if a request under section 35AX is in force in relation to a critical infrastructure asset or a critical infrastructure sector asset and the entity is a relevant entity for the asset, then an approved staff member of the authorised agency may require the entity to:
• provide the approved staff member with access to the premises for the purpose of the authorised agency complying with the request (paragraph (c)), or
• provide the authorised agency with specified information or assistance that is reasonably necessary to allow the authorised agency to comply with the request (paragraph (d)).

759. Paragraph (1)(c) is intended to ensure that the cooperation of the entity is sought to facilitate access to the premises as required to comply with the request, for example, prior to any force being used.

760. Paragraph (1)(d) is required to ensure that the authorised agency can obtain any necessary incidental information and assistance to assist it in complying with the request. This is crucial to prevent any unintended consequences that may otherwise occur and which would be contrary to the purpose of the request. In taking the actions set out in the request, the authorised agency may need to seek the assistance of the entity to understand the most effective and appropriate way to, for example, execute a computer program or locate the relevant data. This will protect the entity from unintended consequences or unnecessary actions. The information and assistance that can be requested must be reasonably necessary to comply with the request, ensuring that this obligation is strictly limited to facilitating compliance and cannot be used for any alternative purpose.

761. A note to subsection (1) directs the reader of the legislation to also see section 149.1 of the Criminal Code, which deals with obstructing and hindering Commonwealth public officials, which include approved staff members of the authorised agency.
Failing to comply with a requirement under this section may amount to a criminal offence under that provision of the Criminal Code.

762. Subsection (2) provides that a staff member of the authorised agency cannot require the entity to provide the approved staff member with access to premises under paragraph (1)(c) where the premises are used solely or primarily as a residence. This limitation is intended to ensure no undue invasion of personal privacy. Should these powers be required to be used, the focus is likely to be on the premises of large corporate entities where the relevant asset is located.

763. Subsection (3) provides that an entity must comply with a requirement under subsection (1). Breach of this obligation is subject to a civil penalty of up to 150 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance with a requirement for an entity to assist an authorised agency to do an act or thing in compliance with an intervention request. The penalty reflects the significance of the circumstances that led to the request being made, and the potential
prejudice to Australia's national interest should the entity not provide the necessary incidental assistance to the authorised agency to allow for the request to be complied with.

764. Subsection (4) provides that an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with subsection (1).

765. Subsection (5) provides that an officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (4).

766. These protections ensure that the entity, and its officers, employees or agents, are able to fully cooperate with the approved staff member in responding to the incident.

Section 35BC Constable may assist the authorised agency

767. New section 35BC of the SOCI Act provides that, if an entity refuses or fails to provide a staff member of the authorised agency with access to premises when required to do so under subsection 35BB(1) then:
• the approved staff member may enter the premises for the purpose of the authorised agency complying with the relevant section 35AX request (paragraph (1)(a)), and
• a constable may assist the approved staff member in gaining access to the premises using reasonable force against property (subparagraph (1)(b)(i)) and, if necessary to assist, enter the premises (subparagraph (1)(b)(ii)).

768. Subsection (2) provides that, if an approved staff member of the authorised agency has entered premises for the purpose of complying with a request under section 35AX, a constable may:
• assist the authorised agency in complying with the request by using reasonable force against property located on the premises (paragraph (a)), and
• enter the premises for this purpose (paragraph (b)).

769. Constable is defined to have the same meaning given by the Crimes Act.
This means that a member or special member of the Australian Federal Police, or a member of a police force of a State or Territory, is able to use force to enter premises in limited circumstances, or to assist the authorised agency in complying with the section 35AX request, under these provisions. Constables are trained in the use of force against property and are subject to various oversight regimes; for example, the Australian Federal Police is subject to oversight by the Commonwealth Ombudsman. An entity will be permitted to make a complaint to the Commonwealth Ombudsman in relation to any concerns with the operation of the powers.

770. It is reasonable and proportionate to permit a constable to use force for the express and strictly limited purpose of assisting the authorised agency with fulfilling an intervention
request, noting the likely ramifications to Australia's national interest if the cyber security incident is not addressed. The constable would be permitted to use force against (for example) a locked door to a room that an authorised officer requires access to in order to comply with the request from the Secretary where the relevant entity is refusing to provide the necessary assistance. Read together with section 35BB, the use of force against property is intended to be used as a last resort, when strictly necessary, to implement the request. The significance of this further justifies the need for the Prime Minister and Defence Minister to agree to the giving of a relevant Ministerial authorisation.

771. Nevertheless, section 35BE clarifies that the use of force against a person by a constable or a staff member of the authorised agency is not authorised under this regime. This however would not exclude a police officer using force to arrest a person, under powers derived from other Commonwealth laws, who is obstructing a Commonwealth official in the performance of their functions (an offence under section 149.1 of the Criminal Code).

Section 35BD Removal and return of computers etc.

772. New section 35BD of the SOCI Act sets out obligations on approved staff members of the authorised agency to remove and return computers. This is an important provision in ensuring that the asset, and its components, are reinstated as soon as practicable and to the extent possible to minimise any unnecessary impact of the exercise of the powers.

Subsection 35BD(1)-(2)--Removal of computers etc.

773. The connection of computers or other devices, such as those of the authorised agency, may be necessary to comply with a request under section 35AX, for example to undertake an analysis of a system onsite using specialised software.
Subsection (1) provides that, if the authorised agency adds or connects a computer or device to a computer network and, whilst the relevant section 35AX request is in force, a staff member of the authorised agency forms a reasonable belief that the computer or device is no longer required to comply with the request, then the authorised agency must remove or disconnect the computer or device as soon as practicable. This ensures that the intervention continues for no longer than is strictly necessary to comply with the request.

774. Under subsection (2), the obligation to remove a computer or device as soon as practicable also applies in circumstances where the request under section 35AX ceases to be in force--such as where the request expires or is revoked by the Secretary under section 35BA.

Subsection 35BD(3)-(4)--Return of computers etc.

775. The removal of computers may be necessary to comply with a request under section 35AX, for example, in instances where the authorised agency requires the use of specialised equipment located off-site to undertake the requested analysis.

776. Subsection (3) provides that, if the authorised agency removes a computer or device and, whilst the relevant section 35AX request is in force, an approved staff member of the
authorised agency forms a reasonable belief that the removal of the computer or device is no longer required to comply with the request, then the authorised agency must return the computer or device as soon as practicable. This ensures that the intervention continues for no longer than is strictly necessary to comply with the request.

777. Under subsection (4), the obligation to return a computer or device as soon as practicable also applies in circumstances where the request under section 35AX ceases to be in force--such as where the request expires or is revoked by the Secretary under section 35BA.

Section 35BE Use of force against an individual not authorised

778. New section 35BE outlines that nothing in Division 5 of Part 3A of the SOCI Act (in particular, but not limited to, section 35BC) authorises the use of force against an individual. This is an important clarifying provision to ensure that, despite the importance of the powers being exercised, the use of force against a person is not justified under this regime, noting its focus is on resolving cyber security incidents. This does not limit the use of force against a person being used concurrently when authorised under another law of the Commonwealth.

Section 35BF Liability

779. New section 35BF of the SOCI Act provides that the chief executive of the authorised agency, an approved staff member of the authorised agency or a constable is not liable to an action or other proceeding (whether civil or criminal) for, or in relation to, an act or matter done or omitted to be done in the exercise of any power or authority conferred by Division 5 of Part 3A of the SOCI Act. That is, the agency, staff member or constable is immune from liability when acting with lawful authority, providing the requisite legal certainty for those officers to take the necessary steps to comply with the request and protect Australia's national interests.

780.
This immunity provision is reasonable and proportionate noting the various safeguards in place to ensure that actions or things lawfully authorised to be done or omitted under the Division are strictly limited, justified in the context of the cyber security incident and its impacts, and otherwise appropriate in all the circumstances. Further, the oversight arrangements in place under the respective regimes of the Inspector-General of Intelligence and Security and Commonwealth Ombudsman will ensure any misuse of the powers is identified and addressed.

Section 35BG Evidentiary certificates

781. New section 35BG of the SOCI Act provides that the Inspector-General of Intelligence and Security may issue a written certificate setting out any facts relevant to the question of whether anything done, or omitted to be done, by the authorised agency, or an approved staff member of the authorised agency, was done, or omitted to be done, in the exercise of any power or authority conferred by the Division. For example, the evidentiary certificate may go to whether the execution of a computer program in a particular manner
was in compliance with a request from the Secretary, and therefore authorised to occur. This is likely to rely on a strong understanding of technical matters, in which the Inspector-General of Intelligence and Security is well versed.

782. Subsection (2) provides that a certificate under subsection (1) is admissible in evidence in any proceedings as prima facie evidence of the matters stated in the certificate.

783. Evidentiary certificates are intended to streamline the court process by reducing the need to contact numerous officers and experts to give evidence. Evidentiary certificates also assist with maintaining the confidentiality of the sensitive methodologies and capability of the authorised agency. In this circumstance the matters it can be expected to cover are technical and non-controversial matters.

Section 35BH Chief executive of the authorised agency to report to the Defence Minister and the Minister

784. New section 35BH of the SOCI Act sets out requirements for the chief executive of the authorised agency to report on any activities undertaken under Division 5 of Part 3A of the SOCI Act.

785. This section establishes a requirement for the authorised agency to prepare a post-activity report that is to be provided to the Defence Minister, as Minister responsible for the authorised agency, and the Minister for Home Affairs, as the Minister responsible for the security of critical infrastructure and who authorised the request. This obligation is to ensure the relevant Ministers have visibility of the actions that were taken and how they contributed to an effective response. This will assist the Government in monitoring the use of these powers, but also support future decision making in similar circumstances.

786.
Subsection (1) applies where the Secretary has given a request to the chief executive under section 35AX, that was authorised by a Ministerial authorisation given under paragraphs 35AB(2)(e) or (f), and the authorised agency does one or more acts or things in compliance with the request--as specified in the Ministerial authorisation and listed in section 35AC.

787. If subsection (1) applies, the chief executive of the authorised agency must:
• prepare a written report that sets out details of the acts or things done and explains the extent to which doing those acts or things has amounted to an effective response to the cyber security incident concerned (paragraph (c)), and
• give a copy of the report to the Defence Minister and Minister for Home Affairs (paragraphs (d) and (e)).

788. Subsection (2) requires the chief executive of the authorised agency to comply with the obligations under subsection (1) as soon as practicable after the end of the period specified in the section 35AX request and, in any event, within 3 months after the end of that period. This means that the report described in paragraph (1)(c) must be prepared and given
to the respective Ministers no later than 3 months after the end of the period specified by the Secretary in the section 35AX request.

Section 35BJ Approved staff members of the authorised agency

789. Subsection (1) provides that the chief executive of the authorised agency may, in writing, declare that a specified staff member of the authorised agency is an approved staff member of the authorised agency for the purposes of this Act. Subsection (2) provides that subsection (1) is not a legislative instrument.

Section 35BK Reports to the Parliamentary Joint Committee on Intelligence and Security

790. New section 35BK provides for reports to be made to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) about use made of the powers in Part 3A of the Act.

791. Subsection 35BK(1) requires the Secretary to give the PJCIS a written report about a cyber security incident in relation to which directions or requests in relation to government assistance measures are given or made under new sections 35AK, 35AQ or 35AX. Subsection 35BK(2) provides that the report must describe each of the directions or requests made in relation to the incident.

792. The Secretary is not required to make a separate written report to the PJCIS in relation to each direction or request, but is required to describe each direction or request in a report relating to each incident.

793. However, the Secretary may make more than one report to the PJCIS about a cyber security incident if, for example, the incident is ongoing. This could mean, for example, that an earlier report to the PJCIS describes earlier uses of the Part 3A powers in relation to the incident, while a later report describes later uses of the Part 3A powers in relation to the same incident.

Item 46 Section 36 (paragraph beginning "information")

794. Item 46 of Schedule 1 to the Bill repeals the second paragraph in section 36 of the SOCI Act, which is a simplified outline of Part 4 of that Act.
The paragraph to be repealed currently provides an overview of what is 'protected information'. The amendments will remove the explanation of protected information and will instead, as explained in item 47 below, make reference to the defined term in section 5 of the Act. As a result, the second paragraph of the simplified outline is no longer required.

Item 47 At the end of section 36

795. Item 47 of Schedule 1 to the Bill inserts a note at the end of the simplified outline. The note makes reference to 'protected information' being a term that is defined in section 5 of the Act. This supports the removal of the paragraph in Item 46 as outlined above.
Item 48 Subparagraph 42(2)(a)(viii)

796. Subsection 42(2) of the SOCI Act provides that the Secretary may, in certain circumstances, disclose protected information to the persons listed in that subsection. Subparagraph 42(2)(a)(viii) currently provides that the Secretary may disclose protected information to the Commonwealth Minister who has responsibility for the regulation or oversight of the relevant industry for the critical infrastructure asset to which the protected information relates. The definition of 'relevant industry' is being repealed by the Bill, and replaced by the concept of 'critical infrastructure sector'. Item 48 of Schedule 1 to the Bill makes the amendments necessary to reflect this change in terminology.

Item 49 Paragraph 42(2)(b)

797. Subsection 42(2) of the SOCI Act provides that the Secretary may, in certain circumstances, disclose protected information to the persons listed in that subsection. Paragraph 42(2)(b) currently provides that the Secretary may disclose protected information to the State or Territory Minister who has responsibility for the regulation or oversight of the relevant industry for the critical infrastructure asset to which the protected information relates. The definition of 'relevant industry' is being repealed by the Bill, and replaced by the concept of 'critical infrastructure sector'. Item 49 of Schedule 1 to the Bill makes the amendments necessary to reflect this change in terminology.

Item 50 After section 43

798. Item 50 of Schedule 1 to the Bill inserts new sections 43A, 43B, 43C and 43D into the SOCI Act, which authorise the use and disclosure of 'protected information' to particular specified bodies. The definition of protected information in section 5 has been expanded (as outlined in Item 11 of Schedule 1 to the Bill above) to capture the additional types of sensitive information that may be generated under the SOCI Act.
In light of this expansion, and the related provisions, additional permitted information use and disclosure circumstances are required.

799. Section 43A provides that the Secretary may disclose protected information to an IGIS official for the purposes of exercising powers, or performing duties or functions, as an IGIS official, and make a record of or use protected information for the purpose of that disclosure. This provides an authorisation for the purposes of excluding the application of the offence in section 45 of the SOCI Act.

800. Sections 43B and 43C provide that the Inspector-General of Intelligence and Security and Ombudsman are permitted to share with one another information and documents that are protected information to facilitate their oversight function, particularly in relation to their duties under the SOCI Act. This provides an authorisation for the purposes of excluding the application of the offence in section 45 of the SOCI Act. Importantly, an entity that is subject to a direction, or to whom an intervention request relates, will be permitted to complain to either of these oversight bodies, as relevant.
801. Section 43D allows ASD to use information or documents that are protected information in the performance of its functions as set out in section 7 of the Intelligence Services Act. This authorisation reflects the additional role of ASD in relation to the security of critical infrastructure, including being the recipient agency for reports provided under new Part 2B and Division 5 of Part 2C. These obligations are being introduced to assist in providing ASD with an enhanced awareness of the cyber threat environment, in particular as it relates to critical infrastructure, to allow it to perform its functions, which notably include providing advice and other assistance relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means (paragraph 7(1)(ca) of the Intelligence Services Act).

802. This aligns with the existing use and disclosure regime under the SOCI Act, which currently permits the Secretary of Home Affairs to share protected information with law enforcement and national security agencies and officers of those agencies in circumstances where the information would assist the agency or officer to exercise their powers, functions or duties (as provided at existing subsection 42(2)). The Secretary can also disclose protected information to an enforcement body (within the meaning of the Privacy Act) if the Secretary believes it is reasonably necessary for one or more enforcement related activities (within the meaning of that Act) conducted by or on behalf of the enforcement body (see existing section 43).

Section 43A Authorised disclosure to IGIS official

803. New section 43A of the SOCI Act provides that the Secretary may disclose protected information to an IGIS official for the purposes of exercising powers, or performing duties or functions, as an IGIS official, and make a record of or use protected information for the purpose of that disclosure.

804.
The effect of this section is that the Secretary does not commit the offence in section 45 of the SOCI Act when disclosing information to an IGIS official.

805. A note to the provision clarifies that this section is an authorisation for the purposes of other laws, including the Australian Privacy Principles. Relevantly, Australian Privacy Principle 6.2 provides that the disclosure of personal information is permitted where the disclosure is required or authorised by or under an Australian law.

Section 43B Authorised use and disclosure--Ombudsman official

806. New section 43B of the SOCI Act provides that protected information may be disclosed by an Ombudsman official to an IGIS official for the purpose of the IGIS official exercising their powers or performing their functions or duties as an IGIS official.

807. The effect of this section is that an Ombudsman official does not commit the offence in section 45 of the SOCI Act when disclosing information to an IGIS official.

808. A note to the provision clarifies that this section is an authorisation for the purposes of other laws, including the Australian Privacy Principles. Relevantly, Australian Privacy
Principle 6.2 provides that the disclosure of personal information is permitted where the disclosure is required or authorised by or under an Australian law.

Section 43C Authorised use and disclosure--IGIS official

809. New section 43C of the SOCI Act provides that protected information may be disclosed by an IGIS official to an Ombudsman official for the purpose of the Ombudsman official exercising their powers or performing their functions or duties as an Ombudsman official.

810. The effect of this section is that an IGIS official does not commit the offence in section 45 of the SOCI Act when disclosing information to an Ombudsman official.

811. A note to the provision clarifies that this section is an authorisation for the purposes of other laws, including the Australian Privacy Principles. Relevantly, Australian Privacy Principle 6.2 provides that the disclosure of personal information is permitted where the disclosure is required or authorised by or under an Australian law.

Section 43D Authorised use and disclosure--ASD

812. New section 43D of the SOCI Act provides that the Director-General of ASD or a staff member of ASD may make a record of, use or disclose protected information for the purposes of the performance of the functions of ASD set out in section 7 of the Intelligence Services Act.

813. The effect of this section is that the Director-General, or a staff member, of ASD does not commit the offence in section 45 of the SOCI Act when making a record, using or disclosing protected information in the performance of ASD's functions.

814. A note to the provision clarifies that this section is an authorisation for the purposes of other laws, including the Australian Privacy Principles. Relevantly, Australian Privacy Principle 6.2 provides that the disclosure of personal information is permitted where the disclosure is required or authorised by or under an Australian law.

Item 51 Paragraph 45(1)(a)

815.
Section 45 of the SOCI Act creates an offence for an entity to make a record of, disclose or use protected information without being appropriately authorised or required to do so, noting the sensitivities associated with that information. Paragraph 45(1)(a) currently provides that the offence applies where an entity obtains protected information.

816. Item 51 of Schedule 1 to the Bill amends this paragraph to provide two subparagraphs covering obtaining information (as covered by existing paragraph (a)) and the generation of information for the purposes of complying with the SOCI Act. This additional subparagraph is intended to capture the range of circumstances where, under the amendments made by this Bill, an entity is required to generate certain information that is sensitive and would be regarded as protected information. For example, an entity may be required to generate a vulnerability assessment report under new Division 4 of Part 2C, which following these
amendments, would be protected information and subject to the information use and disclosure provisions contained in Division 3 of Part 4 of the SOCI Act.

817. This amended offence provision should be read together with the various provisions which authorise use and disclosure, or provide exceptions to the offence, which ensure that the entity or other bodies are not impeded in using the protected information for a legitimate purpose or in a manner appropriate in light of the sensitivities associated with the information.

Item 52 Paragraph 45(1)(d)

818. Item 52 of Schedule 1 to the Bill amends paragraph 45(1)(d) of the SOCI Act to provide that an entity that is required under a 'notification provision' to make a record of, disclose or otherwise use protected information will not be committing the section 45 offence. 'Notification provision' is newly defined in section 5 to include the two existing provisions currently captured in paragraph 45(1)(d) (subsections 51(3) and 52(4)) as well as a further 17 specific provisions being inserted by the Bill (see Item 7 of Schedule 1 to the Bill, above) which require the disclosure etc. of protected information.

Item 53 Paragraph 46(1)(a)

819. Section 46 of the SOCI Act lists exceptions to the secrecy offence in section 45. Those exceptions currently include, under paragraph 46(1)(a), where the making of the record, disclosure or use of the record is required or authorised by a law of the Commonwealth, other than Subdivision A or subsections 51(3) or 52(4).

820. Item 53 of Schedule 1 to the Bill amends the de-confliction provision in paragraph 46(1)(a) of the SOCI Act to replace the reference to subsections 51(3) and 52(4) with a reference to 'a notification provision'. As outlined under Item 52 above, this definition includes those subsections as well as a further 17 specific provisions being inserted by the Bill which may require the disclosure etc. of protected information.

Item 54 Subsection 46(3)

821.
Subsection 46(3) of the SOCI Act provides a further exception to the secrecy offence in section 45. Relevantly, under that subsection, section 45 does not apply to an entity when acting in good faith in purported compliance with subsections 51(3) or 52(4). Item 54 of Schedule 1 to the Bill amends subsection 46(3) of the SOCI Act to replace the reference to subsections 51(3) and 52(4) with a reference to 'a notification provision'. As outlined under Item 52 above, this definition includes those subsections as well as a further 17 specific provisions being inserted by the Bill which may require the disclosure etc. of protected information.
Item 54A Section 47

822. Item 54A of Schedule 1 to the Bill omits the words 'Except where it is necessary to do so for the purposes of giving effect to this Act, an entity is not', and substitutes them with '(1) An entity is not (subject to subsection (2))'. This amendment rephrases the section to accommodate item 54B of Schedule 1 to the Bill (discussed below).

Item 54B At the end of section 47

823. Item 54B of Schedule 1 to the Bill adds subsection (2) to section 47, which provides that subsection (1) does not prevent an entity from being required to disclose protected information, or to produce a document containing protected information, if it is necessary to do so for the purposes of giving effect to any of the following:
• the SOCI Act;
• the Inspector-General of Intelligence and Security Act 1986 (IGIS Act), or any other Act that confers functions, powers or duties on the Inspector-General of Intelligence and Security; or
• a legislative instrument made under either the SOCI Act or the IGIS Act.

824. The effect of this amendment is to extend that exception to also apply when it is necessary to disclose or produce protected information for the purposes of the IGIS Act, or any other Act conferring functions, powers or duties on the IGIS, or for the purposes of an instrument made under one of those Acts, or under the SOCI Act.

825. The extension of this exception is intended to ensure that the IGIS is able to compel access to information that may be relevant to an inquiry despite the protection against disclosure provided by section 47.

826. The amendment would clarify that information and records can be shared with IGIS officials for the purpose of the IGIS performing oversight functions. This is necessary to support the IGIS's oversight functions by ensuring they have full access to all relevant information.

Item 55 At the end of section 48

827. Section 48 contains a simplified outline of Part 5 of the SOCI Act.
Item 55 of Schedule 1 to the Bill inserts additional material into the simplified outline to take into account the additional provisions being inserted in Items 56 and 57 of Schedule 1 to the Bill, as outlined below.
Item 56 Subsections 49(2) and (3)

828. The Regulatory Powers Act provides for a standard suite of provisions in relation to monitoring and investigation powers, as well as civil penalties, infringement notices, enforceable undertakings and injunctions.

829. The standard provisions of the Regulatory Powers Act are an accepted baseline of powers required for an effective monitoring, investigation or enforcement regulatory regime, providing adequate safeguards and protecting important common law privileges.

830. Item 56 of Schedule 1 to the Bill repeals and replaces subsections 49(2) and (3) of the SOCI Act, to provide for the effective operation of those Parts of the Regulatory Powers Act that are currently triggered by the SOCI Act, as outlined below.

Subsections 49(2)-(3)--Authorised applicant

831. Subsection 49(2) of the SOCI Act currently provides that, for the purposes of Part 4 of the Regulatory Powers Act and as that Part applies to civil penalty provisions, the 'authorised applicant' is the Minister and the Secretary. New subsection (2) provides that the Secretary and a person appointed under new subsection (3) are an authorised applicant. This allows the enforcement and compliance powers to be vested with another agency or body should they regulate compliance with certain measures under the SOCI Act.

832. The Secretary is empowered, under new subsection (3), to appoint a person to be an authorised applicant where the person is:
• the chief executive officer (however described) of a relevant Commonwealth regulator (paragraph (a))
• an SES, or acting SES, employee of the Department or a relevant Commonwealth regulator (paragraph (b)), or
• a person that holds or is acting in a position within a relevant Commonwealth regulator that is equivalent to, or higher than, an SES employee (paragraph (c)).

833. A note to subsection (3) outlines that the terms 'SES employee' and 'acting SES employee' are defined in section 2B of the Acts Interpretation Act.

834.
This provision will ensure that the Secretary, along with any specified relevant Commonwealth regulator, and officers of an appropriate seniority within their organisations, are empowered to exercise the relevant powers under Part 4 of the Regulatory Powers Act. Most relevantly, this includes applying to a court for an order that a person, who is alleged to have contravened a civil penalty provision, pay the Commonwealth a pecuniary penalty. A body or Department may be prescribed in the rules as a relevant Commonwealth regulator for the purposes of the SOCI Act where, following consultation with the relevant Minister, it has been determined that they are well-positioned to manage the oversight of the regime in
relation to a particular sector. This provision will ensure that such regulators, alongside the Secretary, can effectively fulfil this oversight function. Subsections 49(3A)-(3B)--Authorised person 835. Subsection 49(3) of the SOCI Act currently provides that the Minister and the Secretary are an 'authorised person' for the purposes of Parts 6 and 7 of the Regulatory Powers Act, as those Parts apply to civil penalty provisions. New subsection (3A) provides that the Secretary and a person appointed under new subsection (3B) are an authorised applicant. This allows the enforcement and compliance powers to be vested with another agency or body should they regulate compliance with certain measures under the SOCI Act. 836. The Secretary is empowered, under new subsection (3B), to appoint a person to be an authorised applicant where the person is: • the chief executive officer (however described) of a relevant Commonwealth regulator (paragraph (a)) • an SES, or acting SES, employee of the Department or a relevant Commonwealth regulator (paragraph (b)), or • a person that holds or is acting in a position within a relevant Commonwealth Regulator that is equivalent to, or higher than, an SES employee (paragraph (c)) 837. A note to subsection (3B) outlines that the terms 'SES employee' and 'acting SES employee' are defined in section 2B of the Acts Interpretation Act. Item 57 At the end of Part 5 838. Item 57 of Schedule 1 to the Bill inserts new Divisions 3 and 4 into Part 5 of the SOCI Act, to trigger the exercise of additional powers under the Regulatory Powers Act. Division 3 of Part 5 triggers the monitoring and investigation powers available under Parts 2 and 3 respectively of the Regulatory Powers Act. Division 4 of Part 5 triggers the availability of infringement notices under Part 5 of the Regulatory Powers Act. Division 3--Monitoring and investigation powers Section 49A Monitoring powers 839. 
New section 49A of the SOCI Act will trigger the availability of monitoring powers under Part 2 of the Regulatory Powers Act. Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the provisions of an Act or a legislative instrument have been, or are being, complied with. A simplified outline of that Part can be found in section 6 of the Regulatory Powers Act. 840. Noting the additional obligations being introduced into the SOCI Act, it is important that the Secretary, or any relevant Commonwealth regulator, has appropriate powers to 152
monitor compliance with the regime to ensure its effectiveness in achieving the required security objectives. The triggering of the monitoring powers under the Regulatory Powers Act will give these regulators the accepted baseline of monitoring powers required to effectively fulfil their role. 841. Division 1 of Part 2 of the Regulatory Powers Act contains a number of provisions that need to be addressed in the SOCI Act for the monitoring powers to apply. For example, under subsection 11(1) of the Regulatory Powers Act a person is only an authorised applicant if 'an Act provides that the person is an authorised applicant'. Meaning, that for any person to act as an authorised applicant for the purposes of the monitoring powers set out in the Regulatory Powers Act, the SOCI Act is required to make provision for who is an authorised applicant. Subsection 49A(1)--Provisions subject to monitoring 842. Subsection (1) provides that a provision is subject to the monitoring powers in Part 2 of the Regulatory Powers Act if it is an offence against section 35AT or section 45 of the SOCI Act (paragraph (a)), or if it is a civil penalty provision of the SOCI Act (paragraph (b)). This satisfies the requirement under section 8 of the Regulatory Powers Act that an Act, in this case the SOCI Act, must specifically make a provision subject to the monitoring powers in Part 2 of the Regulatory Powers Act. Subsection 49A(2)--Information subject to monitoring 843. Subsection (2) provides that information given in compliance or purported compliance with this Act is subject to the monitoring powers in Part 2 of the Regulatory Powers Act. This satisfies the requirement under section 9 of the Regulatory Powers Act that an Act, in this case the SOCI Act, must specifically make information subject to the monitoring powers in Part 2 of the Regulatory Powers Act. Subsections 49A(3)-(4)--Authorised applicant 844. 
Subsection (3) provides that a person appointed by the Secretary under subsection (4) is an authorised applicant. Under subsection (4), the Secretary may appoint the following persons by writing to be an authorised applicant under subsection (3): • an SES, or acting SES, employee of the Department or a relevant Commonwealth regulator (paragraph (a)), or • a person that holds or is acting in a position within a relevant Commonwealth Regulator that is equivalent or higher than an SES employee (paragraph (b)). 845. A note to subsection (3) outlines that the terms 'SES employee' and 'acting SES employee' are defined in section 2B of the Acts Interpretation Act. 153
846. Together, subsections (3) and (4) satisfy the requirement in section 11 of the Regulatory Powers Act that an authorised applicant must be identified as such in the relevant Act, in this case the SOCI Act.

Subsections 49A(5)-(6)--Authorised person

847. Subsection (5) provides that a person appointed by the Secretary under subsection (6) is an authorised person. Under subsection (6), the Secretary may appoint the following persons by writing to be an authorised person under subsection (5):
• an APS employee of the Department or a relevant Commonwealth regulator (paragraph (a)), or
• an officer or employee of a relevant Commonwealth regulator (paragraph (b)).

848. Together, subsections (5) and (6) satisfy the requirement in section 12 of the Regulatory Powers Act that an authorised person is a person identified as such in the relevant Act, in this case the SOCI Act.

Subsection 49A(7)--Issuing officer

849. Subsection (7) provides that a magistrate is an issuing officer for the purpose of the monitoring powers under Part 2 of the Regulatory Powers Act. This subsection satisfies the requirement in section 14 of the Regulatory Powers Act that a person or class of persons is only an issuing officer if an Act, in this case the SOCI Act, specifies that they are an issuing officer.

Subsections 49A(8)-(11)--Relevant chief executive

850. Subsection (8) provides that the Secretary is the relevant chief executive in relation to the monitoring powers in Part 2 of the Regulatory Powers Act, for the purpose of section 15 of that Act. Subsection (9) provides that the Secretary may delegate these powers to an SES employee or an acting SES employee. The note to subsection (9) identifies that the terms SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act.

851. Subsection (10) provides that the powers that can be delegated include those under Part 2 of the Regulatory Powers Act (see paragraph (a)) and those that are incidental to the Part 2 powers (see paragraph (b)). Subsection (11) provides that any person exercising powers that have been delegated to them under subsection (9) must do so in accordance with any directions given by the relevant chief executive.

Subsection 49A(12)--Relevant court

852. Subsection (12) is included for the purpose of section 16 of the Regulatory Powers Act, and provides that the Federal Court of Australia, the Federal Circuit Court of Australia and a court of a State or Territory that has jurisdiction in relation to matters arising under the SOCI Act are relevant courts.
Subsection 49A(13)--Premises

853. Subsection (13) provides that, for the purpose of exercising the Part 2 monitoring powers, an authorised person cannot enter premises if the premises are used solely or primarily as a residence.

Subsection 49A(14)--Person assisting

854. Subsection (14) triggers section 23 of the Regulatory Powers Act to provide that an authorised person may be assisted by another person in exercising monitoring powers under Part 2 of the Regulatory Powers Act.

Subsection 49A(15)--External Territories

855. Subsection (15) confirms that the monitoring powers under Part 2 of the Regulatory Powers Act extend to the external Territories. This is necessary to align with the scope of the SOCI Act.

Section 49B Investigation powers

856. New section 49B of the SOCI Act triggers the use of investigation powers under Part 3 of the Regulatory Powers Act. Part 3 of the Regulatory Powers Act creates a framework for gathering material that relates to the contravention of offence provisions and civil penalty provisions. A simplified outline of that Part can be found in section 36 of the Regulatory Powers Act.

857. Noting the additional obligations being introduced into the SOCI Act, it is important that the Secretary, or any relevant Commonwealth regulator, has appropriate powers to investigate possible non-compliance with the regime to ensure its effectiveness in achieving the required security objectives. The triggering of the investigation powers under the Regulatory Powers Act will give these regulators the accepted baseline of investigation powers required to effectively fulfil their role.

Subsection 49B(1)--Provisions subject to investigation

858. Subsection (1) provides that a provision is subject to the investigation powers in Part 3 of the Regulatory Powers Act if it is an offence against section 35AT or section 45 of this Act (paragraph (a)), or if it is a civil penalty provision of this Act (paragraph (b)). This provision satisfies the requirement under section 38 of the Regulatory Powers Act that an Act, in this case the SOCI Act, must specifically make a provision subject to investigation powers.
Subsections 49B(2)-(3)--Authorised applicant

859. Subsection (2) provides that a person appointed under subsection (3) is an authorised applicant in relation to the provisions mentioned in subsection (1). Subsection (3) provides that the Secretary may, by writing, appoint the following as an authorised applicant:
• an SES, or acting SES, employee of the Department or a relevant Commonwealth regulator (paragraph (a)), or
• a person that holds or is acting in a position within a relevant Commonwealth regulator that is equivalent to or higher than an SES employee (paragraph (b)).

860. The note to subsection (3) identifies that the terms SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act. Together, subsections (2) and (3) satisfy the requirement in section 41 of the Regulatory Powers Act that an authorised applicant is identified as such in the relevant Act, in this case the SOCI Act.

Subsections 49B(4)-(5)--Authorised person

861. Subsection (4) provides that a person appointed under subsection (5) is an authorised person in relation to evidentiary material that relates to the provisions mentioned in subsection (1). Subsection (5) provides that the Secretary may, by writing, appoint the following as an authorised person:
• an APS employee of the Department or a relevant Commonwealth regulator (paragraph (a)), or
• an officer or employee of a relevant Commonwealth regulator (paragraph (b)).

862. Together, subsections (4) and (5) satisfy the requirement in section 42 of the Regulatory Powers Act that a person is only an authorised person if the Act, in this case the SOCI Act, provides for them to be an authorised person.

Subsection 49B(6)--Issuing officer

863. Subsection (6) provides that a magistrate is an issuing officer for the purpose of the investigation powers under Part 3 of the Regulatory Powers Act. This subsection satisfies the requirement in section 44 of the Regulatory Powers Act that a person or class of persons is only an issuing officer if the relevant Act, in this case the SOCI Act, identifies them as such.

Subsections 49B(7)-(10)--Relevant chief executive

864. Subsection (7) provides that the Secretary is the relevant chief executive in relation to the investigation powers in Part 3 of the Regulatory Powers Act, for the purpose of section 45 of that Act. Subsection (8) provides that the Secretary may delegate the powers to an SES employee or an acting SES employee. The note to subsection (8) identifies that the terms SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act.

865. Subsection (9) provides that the powers that can be delegated include those under Part 3 of the Regulatory Powers Act (see paragraph (a)) and those that are incidental to the Part 3 powers (paragraph (b)). Subsection (10) provides that any person exercising powers that have been delegated to them under subsection (8) must do so in accordance with any directions given by the relevant chief executive.

Subsection 49B(11)--Relevant court

866. Subsection (11) is included for the purpose of section 46 of the Regulatory Powers Act, and provides that the Federal Court of Australia, the Federal Circuit Court of Australia and a court of a State or Territory that has jurisdiction in relation to matters arising under the SOCI Act are relevant courts.

Subsection 49B(12)--Person assisting

867. Subsection (12) triggers section 53 of the Regulatory Powers Act to provide that an authorised person may be assisted by another person in exercising their powers in relation to the Part 3 investigation powers.

Subsection 49B(13)--External Territories

868. Subsection (13) confirms that the investigation powers under Part 3 of the Regulatory Powers Act extend to the external Territories. This is necessary to align with the scope of the SOCI Act.

Division 4--Infringement notices

Section 49C Infringement notices

869. New section 49C of the SOCI Act triggers the powers in Part 5 of the Regulatory Powers Act. Part 5 of the Regulatory Powers Act creates a framework for the use of infringement notices where an infringement officer reasonably believes that a provision has been contravened. A simplified outline of that Part can be found in section 98 of the Regulatory Powers Act.

870. Noting the importance of a graduated enforcement regime, the triggering of Part 5 of the Regulatory Powers Act provides an important mechanism that can be utilised to address purported instances of non-compliance in a less serious and less resource-intensive way relative to, for example, civil penalty proceedings.

Subsection 49C(1)--Provisions subject to an infringement notice

871. Subsection (1) provides that all civil penalty provisions within the SOCI Act are subject to the Part 5 infringement notices under the Regulatory Powers Act. The note to subsection (1) notes that Part 5 of the Regulatory Powers Act creates a framework for using infringement notices.

872. The provision satisfies the requirement in section 100 of the Regulatory Powers Act that an Act, in this case the SOCI Act, must specifically make a provision subject to an infringement notice under Part 5 of that Act.

Subsections 49C(2)-(3)--Infringement officer

873. Subsection (2) provides that, for the purposes of Part 5 of the Regulatory Powers Act, a person appointed under subsection (3) is an infringement officer in relation to the provisions mentioned in subsection (1). Subsection (3) provides that the Secretary may, by writing, appoint the following persons to be an infringement officer:
• an SES, or acting SES, employee of the Department or a relevant Commonwealth regulator (paragraph (a)), or
• a person that holds or is acting in a position within a relevant Commonwealth regulator that is equivalent to or higher than an SES employee (paragraph (b)).

874. The note to subsection (3) identifies that the terms SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act. Together, subsections (2) and (3) satisfy the requirement in section 101 of the Regulatory Powers Act that a person is an infringement officer if an Act, in this case the SOCI Act, provides that the person is an infringement officer for the purposes of Part 5 of that Act.

Subsections 49C(4)-(6)--Relevant chief executive

875. Subsection (4) provides that the Secretary is the relevant chief executive in relation to infringement notices in Part 5 of the Regulatory Powers Act, for the purpose of section 102 of that Act. Subsection (5) provides that the Secretary may delegate these powers to an SES employee or an acting SES employee. The note to subsection (5) identifies that the terms SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act.

876. Subsection (6) provides that any person exercising powers that have been delegated to them under subsection (4) must do so in accordance with any directions given by the relevant chief executive.

Subsection 49C(7)--External Territories

877. Subsection (7) confirms that infringement notices under Part 5 of the Regulatory Powers Act extend to the external Territories. This is necessary to align with the scope of the SOCI Act.

Item 58 Paragraphs 51(1)(b) and (c)

878. Section 51 of the SOCI Act provides for the Minister to make a private declaration that a particular asset is a critical infrastructure asset, relevantly where the circumstances outlined in paragraphs (1)(a)-(c) apply. Those circumstances currently include where the asset relates to a 'relevant industry' (paragraph (b)) and the Minister is satisfied of certain matters outlined in paragraph (c).

879. Item 58 of Schedule 1 to the Bill repeals paragraphs 51(1)(b) and (c) and replaces them with new provisions, and also inserts a further paragraph (1)(d). Paragraph (1)(b) is updated to reflect that the term 'relevant industry' is being repealed from the SOCI Act, and replaced with the concept of 'critical infrastructure sector' (see further at new section 8D, at Item 21 of Schedule 1 to the Bill above).

880. Paragraph (1)(c) is being redrafted to provide that, before making a private declaration that an asset is a critical infrastructure asset, the Minister must also be satisfied that the asset is critical to one or more of the following:
• the social or economic stability of Australia or its people (subparagraph (i)),
• the defence of Australia (subparagraph (ii)), or
• national security (subparagraph (iii)).

881. This condition mirrors existing paragraph 9(3)(a), which provides that the Minister may prescribe an asset to be a critical infrastructure asset if, amongst other things, it is critical to the above criteria. This is a broadening of the existing subparagraph 51(1)(c)(i), which is limited to national security. This limitation is not considered appropriate given the essential services provided by critical infrastructure assets to the various vital aspects of Australia, being social and economic stability and defence, in addition to national security.

882. New paragraph (1)(d) provides that, in addition to the circumstances outlined in paragraphs (1)(a)-(c), there must also be a risk to one or more of the following if it were publicly known that the asset is a critical infrastructure asset:
• the social or economic stability of Australia or its people (subparagraph (i)),
• the defence of Australia (subparagraph (ii)), or
• national security (subparagraph (iii)).

883. This change aligns with the broadening of the aspects of criticality, and provides that this mechanism for identifying a critical infrastructure asset can be used as an alternative to the rule-making power in subsection 9(3) where a risk would arise if the asset's status as a critical infrastructure asset became known through its public listing.

Item 59 Subsection 51(1) (note 1)

884. Item 59 of Schedule 1 to the Bill repeals the first note from section 51. The note being repealed refers the reader to the definition of 'relevant industry'. This amendment is consequential to the repeal of that term from the SOCI Act.
Item 60 Subsection 51(1) (note 2)

885. Item 60 of Schedule 1 to the Bill amends the second note to make it a reference to a singular note. This amendment is a technical amendment required as a result of Item 59.

Item 61 After subsection 51(2)

886. Item 61 of Schedule 1 to the Bill inserts a new subsection 51(2A) into the SOCI Act. That subsection provides that, when the Minister makes a declaration that an asset is a critical infrastructure asset under subsection (1), the Minister may do all or any of the following:
• determine that Part 2 of the SOCI Act (concerning providing information to the register) applies to the asset (paragraph (a))
• determine that Part 2B of the SOCI Act (concerning mandatory cyber incident reporting) applies to the asset (paragraph (c)).

887. This provision is to operate in a similar way to the 'on switch provisions' (see new sections 18A and 30BB, as described above), but reflects that assets that are privately declared under section 51 cannot be identified in those rules due to risks associated with their status being publicly known.

Item 62 Paragraph 51(3)(b)

888. Item 62 of Schedule 1 to the Bill repeals paragraph 51(3)(b) of the SOCI Act and replaces it with a new paragraph. The current provision requires that, if the Minister makes a declaration under subsection (1), they must notify the First Minister of the State or Territory in which the asset is located.

889. New paragraph 51(3)(b) clarifies this policy to make clear that, where the asset is located in more than one jurisdiction, each First Minister must be notified.

Item 63 Subsection 51(4)

890. Item 63 of Schedule 1 to the Bill repeals subsection 51(4) of the SOCI Act, which is a requirement that a notice made under subsection 51(3) must specify the obligations of the reporting entity under the Act. This provision is no longer required due to the new subsection (2A) inserted by Item 61 of Schedule 1 to the Bill.

Item 64 After section 51

891. Item 64 of Schedule 1 to the Bill inserts new section 51A into the SOCI Act, which includes an express requirement for the Minister to conduct consultation before making a private declaration under section 51. This clarifies that consultation must involve giving the entity a notice setting out the proposed declaration and inviting submissions within a specified time period.
Section 51A Consultation--declaration

892. Subsection (1) provides that, before making a declaration under section 51 that a specified entity is the responsible entity for an asset, the Minister must give the entity a notice that sets out the proposed declaration (paragraph (a)), and invite the entity to make submissions regarding the proposal within 28 days or a shorter specified period (paragraph (b)). The Minister is then required, under subsection (2), to consider any submissions received within the specified period.

893. Subsection (3) provides that the Minister must not specify a shorter period unless they are satisfied that it is necessary due to urgent circumstances. Subsection (4) provides that the notice must set out the reasons for making the declaration unless the Minister is satisfied that doing so would be prejudicial to security.

894. Further, the notice to the entity must set out the reasons for making the declaration unless the Minister is satisfied that doing so would be prejudicial to security. For example, the Minister's consideration of the criticality of the asset to the defence of Australia may rely on sensitive and classified information in relation to critical dependencies of defence capabilities and associated vulnerabilities. However, the Minister should provide the reasons to the greatest extent possible without prejudicing security.

Item 65 Subsection 52(5)

895. Item 65 of Schedule 1 to the Bill repeals subsection 52(5) from the SOCI Act. Section 52 deals with the Secretary being notified of changes to a reporting entity for an asset. A requirement under the section is that the Secretary give the new reporting entity a notice that the asset they are responsible for is a critical infrastructure asset. Subsection 52(5) requires that the notice specifies the obligations of the entity.

Item 67 Subsection 59(1)

896. Subsection 59(1) of the SOCI Act currently provides that the Secretary may delegate any of their 'powers, functions or duties under this Act.' Item 67 of Schedule 1 to the Bill inserts the words '(other than Part 3A)' after 'this Act'. This ensures that any powers, functions or duties of the Secretary under Part 3A, which relates to dealing with a serious cyber security incident, must be exercised personally and cannot be delegated. This limitation on the power to delegate reflects the significance of the powers, functions and duties that the Secretary may have under Part 3A and the appropriateness of these not being exercised by more junior officers.

Item 68 Division 4 of Part 7 (at the end of the heading)

897. Item 68 of Schedule 1 to the Bill is a technical amendment to insert the word 'etc.' at the end of the heading of Division 4 of Part 7, so that it now reads 'Periodic reports, reviews and rules etc.'. This reflects that the Division contains additional content, including new sections 60AA and 60AB (see Item 70 of Schedule 1 to the Bill, below).
Item 69 At the end of subsection 60(2)

898. Under subsection 60(1) of the SOCI Act, the Secretary must give the Minister, for presentation to the Parliament, a report on the operation of the SOCI Act for each financial year. The report under subsection 60(1) must deal with the matters listed in paragraphs (2)(a)-(e).

899. These amendments reflect the expanded scope of the obligations and powers to be introduced into the SOCI Act by this Bill and serve as an important oversight mechanism by providing transparency and accountability to Parliament and the public about the operation of the SOCI Act.

900. Item 69 of Schedule 1 to the Bill inserts the following additional paragraphs into subsection (2), as matters that the Secretary's report to the Minister under subsection (1) must contain:
• the number of cyber security incidents reported during the financial year under section 30BC (paragraph (h))
• the number of cyber security incidents reported during the financial year under section 30BD (paragraph (i))
• the number of Ministerial authorisations given under section 35AB during the financial year (paragraph (n))
• the number of Ministerial authorisations given under paragraph 35AB(2)(a) or (b) during the financial year (paragraph (o))
• the number of Ministerial authorisations given under paragraph 35AB(2)(c) or (d) during the financial year (paragraph (p)), and
• the number of Ministerial authorisations given under paragraph 35AB(2)(e) or (f) during the financial year (paragraph (q)).

Item 70 After section 60

901. Item 70 of Schedule 1 to the Bill inserts new sections 60AA and 60AB into the SOCI Act.

Section 60AA Compensation for acquisition of property

902. New section 60AA of the SOCI Act deals with the acquisition of property (what is known as a 'historic shipwrecks' clause, after the first legislation that introduced this type of provision). Subsection (1) provides that if the operation of the Act would result in an acquisition of property, within the meaning of paragraph 51(xxxi) of the Constitution, otherwise than on just terms, the Commonwealth is liable to pay a reasonable amount of compensation.
903. Subsection (2) provides that if the Commonwealth and the entity do not agree on the amount of compensation, the entity may institute proceedings in either the Federal Court of Australia (paragraph (a)), or in the Supreme Court of a State or Territory (paragraph (b)).

904. While nothing in the Bill is expressly targeted at the acquisition of property, it is recognised that this could occur in extremely rare circumstances incidental to the operation of the powers set out in Part 3A in particular. It is important that the Government can respond effectively to a serious cyber security incident should it be necessary; however, if that requires the acquisition of property, it is important that reasonable compensation is paid.

Section 60AB Service of notices, directions and instruments by electronic means

905. New section 60AB of the SOCI Act provides that paragraphs 91(1)(d) and (2)(d) of the Electronic Transactions Act 1999 (the Electronic Transactions Act) do not apply to a notice, direction or instrument under the SOCI Act, any Ministerial rules made under section 61 of that Act, or the Regulatory Powers Act (so far as that Act relates to the SOCI Act).

906. A note to this section explains that the provisions from the Electronic Transactions Act deal with the consent of the recipient of information to the information being given by way of electronic communication.

907. Noting that the vast majority of responsible entities for critical infrastructure assets are large corporate entities, this provision will allow efficient service through utilising electronic methods where appropriate.

Item 70A After section 60A

908. Item 70A of Schedule 1 to the Bill inserts new section 60B into the SOCI Act.

Section 60B Review of this Act

909. Section 60B provides that the PJCIS may conduct a review of the operation, effectiveness and implications of the Act, including the reformed security of critical infrastructure legislative framework made by the Security Legislation Amendment (Critical Infrastructure) Act 2021. The PJCIS may report its comments and recommendations to each House of the Parliament.

910. To conduct the review under this provision, the PJCIS must commence the review before the end of three years after the Security Legislation Amendment (Critical Infrastructure) Act 2021 receives the Royal Assent.

Part 2--Application provisions

911. Part 2 of Schedule 1 to the Bill deals with the application of amendments to subsections 9(3) and (4) of the SOCI Act (see Items 27, 28 and 29) and to section 51 (see Items 58-63).
Item 71 Application--subsections 9(3) and (4) of the Security of Critical Infrastructure Act 2018

912. Item 71 of Schedule 1 to the Bill provides that the amendments of subsections 9(3) and (4) of the SOCI Act made by Schedule 1 apply in relation to rules made after the commencement of Item 71.

913. This application provision is required to ensure that rules made in relation to assets prior to the commencement of Item 71 continue to have effect despite the changes to section 9. This will allow for continuity in the operation of the SOCI Act.

Item 72 Application--section 51 of the Security of Critical Infrastructure Act 2018

914. Item 72 of Schedule 1 to the Bill provides that the amendments of section 51 of the SOCI Act made by Schedule 1 apply in relation to a declaration made after the commencement of Item 72.

915. This application provision is required to ensure that declarations made in relation to assets prior to the commencement of Item 72 continue to have effect despite the changes to section 51. This will allow for continuity in the operation of the SOCI Act.

Part 3--Amendments contingent on the commencement of the Federal Circuit and Family Court of Australia Act 2021

916. Part 3 of Schedule 1 to the Bill provides for amendments to the SOCI Act that are contingent upon the commencement of the Federal Circuit and Family Court of Australia Act 2021. This Act provides for the amalgamation of the Federal Circuit Court and Family Court of Australia.

Security of Critical Infrastructure Act 2018

Item 73 Paragraphs 49A(12)(b) and 49B(11)(b)

917. Item 73 of Schedule 1 to the Bill provides that, in both paragraphs 49A(12)(b) and 49B(11)(b) (as outlined at Item 57 of Schedule 1, above), the words 'Federal Circuit Court of Australia' are omitted and the words 'Federal Circuit and Family Court of Australia (Division 2)' substituted. This will reflect the change in terminology resulting from the commencement of the Federal Circuit and Family Court of Australia Act 2021.
Part 4--Amendments contingent on the commencement of the National Emergency Declaration Act 2020

918. Part 4 of Schedule 1 to the Bill provides for amendments to the National Emergency Declaration Act 2020 (National Emergency Declaration Act) and the SOCI Act that are contingent upon the commencement of the National Emergency Declaration Act. The National Emergency Declaration Act provides for the declaration of a national emergency by the Governor-General.

National Emergency Declaration Act 2020

Item 74 Section 10 (after paragraph (za) of the definition of national emergency law)

919. Section 10 of the National Emergency Declaration Act provides a number of definitions for the purposes of that Act. The definition of 'national emergency law' provides an authoritative list of the provisions across the statute book that contain powers that may be enlivened, or the operation of which may be modified, while a national emergency declaration is in force. The fact that a provision is listed in the definition of 'national emergency law' is not intended to otherwise affect the interpretation or operation of the provision.

920. Item 74 of Schedule 1 to the Bill will insert an additional paragraph, paragraph (zaa), into the definition of 'national emergency law', which provides that section 35AB of the Security of Critical Infrastructure Act 2018 is a national emergency law for the purposes of the National Emergency Declaration Act.

Security of Critical Infrastructure Act 2018

Item 75 After subsection 35AB(1)

921. Item 75 of Schedule 1 to the Bill will insert an alternative application provision into new section 35AB of the SOCI Act. In particular, new subsection 35AB(1A) will provide that the section applies if the Minister is satisfied, amongst other factors, that the incident relates to an emergency specified in a national emergency declaration (within the meaning of the National Emergency Declaration Act) that is in force.

922. The purpose of this item is to simplify the process for the Minister to authorise the Secretary to exercise powers under Part 3A in relation to a cyber security incident where a national emergency declaration under the National Emergency Declaration Act is in force and the incident relates to the national emergency. The item removes the requirement for the Minister to be satisfied that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice one or more of the matters specified in paragraph 35AB(1)(c), given that the Prime Minister must be satisfied that an emergency has caused, is causing or is likely to cause nationally significant harm before the Governor-General may declare a national emergency.

923. New subsection 35AB(1A) provides that the section also applies if the Minister is satisfied of all of the following:
• a cyber security incident has occurred, is occurring, or is imminent; and
• the incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset (the primary asset); and
• the incident relates to an emergency specified in a national emergency declaration (within the meaning of the National Emergency Declaration Act) that is in force; and
• no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.

Schedule 2--Australian Signals Directorate

924. Schedule 2 to the Bill makes amendments to the Criminal Code to limit liability for certain acts performed by ASD.

925. The purpose of the amendments is to update the existing, limited immunities afforded to staff members and agents of the Australian Signals Directorate to ensure they remain effective in light of technological change. The underlying purpose of the immunities framework is to ensure that staff members and agents of the Australian Signals Directorate are protected from civil and criminal liability for activities done in the proper performance of the Australian Signals Directorate's functions, including activities targeted offshore that are done to protect Australian critical infrastructure. These activities might otherwise be prohibited by Commonwealth, state or territory laws dealing with computer-related acts.

Criminal Code Act 1995

Item 1 Subsection 476.4(2) of the Criminal Code

926. Section 476.4 provides that Part 10.7 of the Criminal Code (which contains offences relating to unauthorised access to, and use of, computers) is not intended to exclude or limit the operation of any other law of the Commonwealth, a State or a Territory (subsection (1)). Subsection (2) of that section then provides that the operation of subsection (1) is subject to section 476.5.
Item 1 of Schedule 2 to the Bill amends subsection 476.4(2) of the Criminal Code to provide that subsection (1) has effect subject to section 476.5 as well as new section 476.6 (see Item 6 of Schedule 2, below).

Item 2 Section 476.5 of the Criminal Code (at the end of the heading)

927. Item 2 of Schedule 2 to the Bill makes a technical amendment to the heading of section 476.5 to insert a reference to 'ASIS and AGO' (the Australian Secret Intelligence Service and the Australian Geospatial-Intelligence Organisation). This reflects the amendments being made to section 476.5 (see Items 3, 4 and 5 of Schedule 2, below), which mean that the section will now only limit liability for certain acts done by ASIS and AGO, with new section 476.6 of the Criminal Code dealing with liability for acts done by ASD.
Item 3 Subsection 476.5(1) of the Criminal Code

928. Item 3 of Schedule 2 to the Bill removes a reference to ASD in subsection 476.5(1) of the Criminal Code, reflecting that this section will no longer relate to the acts of ASD.

Item 4 Subsection 476.5(3) of the Criminal Code

929. Item 4 of Schedule 2 to the Bill removes the definition of 'ASD' from section 476.5 of the Criminal Code, reflecting that this section will no longer relate to the acts of ASD.

Item 5 Subsection 476.5(3) of the Criminal Code (definition of ASD)

930. The current definition of 'staff member' in subsection 476.5(3) of the Criminal Code refers to staff members of ASD. Item 5 of Schedule 2 to the Bill removes the reference to staff members of ASD (see paragraph (b) of the definition), reflecting that this section will no longer relate to the acts of ASD.

Item 6 At the end of Division 476 of the Criminal Code

931. Item 6 of Schedule 2 to the Bill inserts new section 476.6 into the Criminal Code, a new provision dealing solely with the liability of staff members and agents of ASD.

Section 476.6 Liability for certain acts--ASD

932. New section 476.6 of the Criminal Code provides for the limitation of liability of staff members or agents of ASD.

933. Subsection (1) provides that a staff member or agent of ASD is not subject to any civil or criminal liability for engaging in conduct inside or outside Australia if both of the following apply:
• the conduct is engaged in on the reasonable belief that it is likely to cause a computer-related act, event, circumstance or result to take place outside Australia (whether or not it in fact takes place outside Australia) (paragraph (a)), and
• the conduct is engaged in in the proper performance of a function of ASD, as outlined in section 7 of the Intelligence Services Act (paragraph (b)).

934. This largely replicates the limitation on liability in current section 476.5 of the Criminal Code, with the notable exception of the inclusion of the qualification that the conduct is engaged in on the 'reasonable belief that it is likely' to take place outside Australia.

935. This amendment is required in response to changes in technology, in particular the increasing prevalence of online, internet-based communications, which obscure the geographic location of parties to communications. The amendments update the Australian Signals Directorate's immunities to ensure it can continue to operate efficiently in an increasingly challenging online environment, where it is not always possible to reliably determine the geographic location of a device or computer.

936. This challenge is exacerbated for the Australian Signals Directorate where adversaries (including foreign intelligence services and terrorist organisations) undertake cyber activities that harm Australia's critical infrastructure. To effectively perform its functions, and to defend against and respond to serious cyber security incidents, the Australian Signals Directorate may need to engage in computer-related acts offshore, such as affecting the adversary's computer or device. However, where an adversary takes active steps to obfuscate their physical location, or where it is impossible for the Australian Signals Directorate to reliably determine their physical location, it is necessary to protect staff members and agents from liability if they inadvertently affect a computer or device located inside Australia.

937. The amendment will not provide staff members or agents of the Australian Signals Directorate with immunity from liability in circumstances where they know or believe an adversary's computer or device to be located in Australia. Nor will it provide such persons with immunity where their belief that an adversary's computer or device is located outside Australia is not reasonable. Consistent with current subsection 476.5(1), the immunity will continue to apply only where a staff member's or agent's conduct is done in the proper performance of an Australian Signals Directorate function.

938. Subsection (2) provides that a person is not subject to any civil or criminal liability for engaging in conduct inside or outside Australia if all of the following apply:
• the conduct is preparatory to, in support of, or otherwise directly connected with, overseas activities of ASD (paragraph (a))
• the conduct, taken together with a computer-related act, event, circumstance or result that took place, or was intended to take place, outside Australia could amount to an offence but, in the absence of that computer-related act, event, circumstance or result, would not amount to an offence (paragraph (b)), and
• the conduct is engaged in in the proper performance of a function of ASD, as outlined in section 7 of the Intelligence Services Act (paragraph (c)).

939. Subsection (3) restricts the scope of the limitation on liability in subsection (2) by providing that subsection (2) is not intended to permit any conduct in relation to premises, persons, computers, things, or carriage services in Australia, being:
• conduct which ASIO could not engage in without a Minister authorising it by warrant issued under Division 2 of Part III of the ASIO Act or under Part 2-2 of the TIA Act (paragraph (a)), or
• conduct engaged in to obtain information that ASIO could not obtain other than in accordance with Division 3 of Part 4-1 of the TIA Act (paragraph (b)).
940. Subsection (4) provides that subsections (1) and (2) have effect despite anything in a law of the Commonwealth or of a State or Territory, whether passed or made before or after the commencement of this subsection, unless the law expressly provides otherwise. Subsection (5) clarifies that subsection (4) does not affect the operation of subsection (1).

Subsections 476.6(6)-(7)--Certificate

941. Evidentiary certificates are intended to streamline the court process by reducing the need to call numerous officers and experts to give evidence. Evidentiary certificates also assist with maintaining the confidentiality of the sensitive methodologies and capabilities of the authorised agency.

942. Subsection (6) provides that the Inspector-General of Intelligence and Security may give a certificate in writing certifying any fact relevant to the question of whether conduct was engaged in in the proper performance of a function of ASD.

943. Subsection (7) provides that a certificate given under subsection (6) is prima facie evidence of the facts certified in any proceedings, including both court and tribunal proceedings.

Subsections 476.6(8)-(9)--Notice to Inspector-General of Intelligence and Security

944. Subsection (8) applies if all of the following apply:
• a person engages in conduct referred to in subsection (1) or (2) in relation to ASD (paragraph (a))
• the conduct causes material damage, material interference or material obstruction to a computer (within the meaning of section 22 of the ASIO Act) in Australia (paragraph (b)), and
• apart from this section, the person would commit an offence against Part 10.7 of the Criminal Code (paragraph (c)).

945. If subsection (8) applies, the agency head (within the meaning of the Intelligence Services Act) of ASD must, as soon as practicable, give a written notice to the Inspector-General of Intelligence and Security that:
• informs the Inspector-General of Intelligence and Security of the fact (paragraph (d)), and
• provides details about the conduct that caused the damage, interference or obstruction to the computer (paragraph (e)).

946. Subsection (9) provides that section 476.6 of the Criminal Code has effect in addition to, and does not limit, section 14 of the Intelligence Services Act.
947. While this limitation on liability will only apply where the conduct was engaged in on the reasonable belief that it is likely to cause a computer-related act, event, circumstance or result to take place outside Australia, should it later be determined that a computer in Australia was affected, it is important that the Inspector-General of Intelligence and Security is made aware of the matter given its significance. This will allow the Inspector-General of Intelligence and Security, should they wish, to investigate the actions taken to ensure they were lawful.

Subsection 476.6(10)--Definitions

948. Subsection (10) provides the following definitions that apply in section 476.6 of the Criminal Code:
• 'ASD' means the Australian Signals Directorate
• 'civil or criminal liability' means any civil or criminal liability (whether under this Part, under another law or otherwise)
• 'computer-related act, event, circumstance or result' means an act, event, circumstance or result involving: the reliability, security or operation of a computer (paragraph (a)); access to, or modification of, data held in a computer or on a data storage device (paragraph (b)); electronic communication to or from a computer (paragraph (c)); the reliability, security or operation of any data held in or on a computer, computer disk, credit card, or other data storage device (paragraph (d)); possession or control of data held in a computer or on a data storage device (paragraph (e)); or producing, supplying or obtaining data held in a computer or on a data storage device (paragraph (f)), and
• 'staff member', in relation to ASD, means the Director-General of ASD, or a member of the staff of ASD (whether an employee of ASD, a consultant or contractor to ASD, or a person who is made available by another Commonwealth or State authority or other person to perform services for ASD).

Item 7 Application of amendments

949. Item 7 of Schedule 2 to the Bill provides that the amendments to the Criminal Code made by Schedule 2 only apply in relation to conduct engaged in after the commencement of Schedule 2, as outlined in clause 2 of the Bill.
Attachment B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Security Legislation Amendment (Critical Infrastructure) Bill 2021

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The Bill proposes amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act), including to:
• Introduce additional critical infrastructure assets, which means that the existing powers under the SOCI Act, and the new powers to be introduced under this Bill, will apply to a broader range of assets. The Bill introduces definitions for the following critical infrastructure sectors and assets:
  o Communications sector: critical telecommunications assets, critical broadcasting assets, broadcasting transmission assets and critical domain name systems
  o Data storage or processing sector: critical data storage or processing assets
  o Defence industry sector: critical defence industry assets
  o Financial services and markets sector: critical banking assets, critical superannuation assets, critical insurance assets and critical financial market infrastructure assets
  o Food and grocery sector: critical food and grocery assets
  o Higher education and research sector: critical education assets
  o Health care and medical sector: critical hospitals
  o Transport sector: critical freight infrastructure assets, critical freight services assets, and critical public transport assets
  o Energy sector: critical liquid fuel assets and critical energy market operator assets, and
  o Space technology sector: critical space technology assets.
• In addition to the reporting obligations to the Register of Critical Infrastructure Assets in Part 2 of the current SOCI Act, introduce a new positive security obligation (PSO) on owners and operators of critical infrastructure assets to report cyber security incidents to the Government. This will facilitate an enhanced understanding of cyber security threats to critical infrastructure to better inform both proactive and reactive cyber response options.
• Introduce a regime to support the Government in responding to serious cyber security incidents, which would allow the Government, in limited circumstances, to take actions to protect critical infrastructure assets that are subject to serious cyber security incidents.
• Enable the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to conduct a review of the operation, effectiveness and implications of the Bill not less than three years from when the Bill receives Royal Assent.

These amendments will implement an enhanced critical infrastructure security framework that will strengthen the security and resilience of critical infrastructure in Australia, build situational awareness and enable the Government to assist industry to effectively prevent, defend against and recover from serious cyber security incidents. This will allow the Government to maintain the continuity of essential services that support Australia's economy, security and sovereignty.

Human rights implications

This Bill broadly supports the following rights:
• the right to an adequate standard of living, including the right to adequate food, in Article 11 of the International Covenant on Economic, Social and Cultural Rights (ICESCR), and
• the right to the enjoyment of the highest attainable standard of physical and mental health, including medical service and attention in the event of sickness, in Article 12 of the ICESCR.

This Bill also engages the following rights:
• the right to a fair and public hearing in Article 14 of the International Covenant on Civil and Political Rights (ICCPR), and
• the right to privacy in Article 17 of the ICCPR.

The right to an adequate standard of living, including the right to adequate food

Article 11 of the ICESCR provides for the right of everyone to an adequate standard of living, including adequate food. It commits States Parties to the Covenant to improve methods of production, conservation and distribution of food.
The introduction of critical food and grocery assets recognises the role that these assets play in delivering essential supplies that maintain and sustain life. The regime introduced by the Bill will help to protect the availability of food throughout Australia by improving business resilience and protecting the assets should they be subject to a significant cyber attack. This will reduce the likelihood of a disruption to distribution networks and other key operations of Australia's major supermarkets which could affect the availability of critical food and groceries.

The right to physical and mental health

Article 12 of the ICESCR provides for the right of everyone to the enjoyment of the highest attainable standard of physical and mental health, including medical service and medical attention in the event of sickness. Hospitals are crucial to Australia's ability to fulfil this obligation as they provide critical care for patients with a variety of medical, surgical and trauma conditions, and are therefore integral to the sustainment of life.
The introduction of critical hospitals as critical infrastructure assets, as well as other critical infrastructure assets with a high degree of interdependency with critical hospitals, will help to protect these important assets and, in turn, the physical and mental health of all persons in Australia. For example, an attack on a critical hospital could pose a risk to life. Similarly, the consequences of a prolonged and widespread failure in the energy sector could cause shortages or destruction of essential medical supplies. Improving business resilience and protecting the asset should it be subject to a significant cyber attack will reduce the likelihood of a disruption to the provision of essential medical services and ensure appropriate services remain available in the event of sickness.

The right to a fair and public hearing

Article 14 of the ICCPR provides for the proper administration of justice by upholding, among other things, the right to a fair and public hearing. These rights include that all persons are equal before courts and tribunals and have a right to a fair and public hearing before a competent, independent and impartial tribunal established by law. Article 14 also includes the right to protection against self-incrimination, stating that no person shall be 'compelled to testify against himself or to confess guilt'. Any limitations to the right to a fair and public hearing under Article 14 are permissible if the limitations are reasonable, proportionate and for a legitimate objective.

The right to a fair and public hearing attaches only to individuals, not to businesses. However, 'entity' as defined in current section 5 of the SOCI Act includes individuals, as well as bodies corporate, partnerships and trusts. Whilst the definition of 'entity' under the current SOCI Act includes individuals, it is only in very rare instances (for example, where a critical infrastructure asset is owned or operated by an individual rather than a corporation) that the measures in the Bill that relate to the right to a fair and public hearing would apply to individuals. In these rare instances, the following measures in the Bill may engage the right to a fair and public hearing and the protection against self-incrimination under Article 14 of the ICCPR, and are discussed in greater detail below:
• Government assistance measures will permit the Government to provide active assistance as a last resort in response to the most serious and significant cyber security incidents that are impacting, or may impact, a critical infrastructure asset and Australia's national interest (new Part 3A of the SOCI Act).
• The existing Ministerial directions power allows the Minister to issue a direction to an owner or operator of a critical infrastructure asset to mitigate risks that are prejudicial to security (current Part 3 of the SOCI Act).
• The existing Secretary's power to obtain information or documents empowers the Secretary to request certain information from reporting entities and operators of critical infrastructure assets (current Part 4 of the SOCI Act).

Government assistance: Ministerial authorisation relating to serious cyber security incidents

Under new Part 3A of the SOCI Act, the Minister has the power to authorise the Secretary of Home Affairs to issue:
• a direction to an entity requiring them to provide certain information
• a direction to an entity to take particular measures, or
• a request to the chief executive of the Australian Signals Directorate (ASD) to take specified action to respond to the serious cyber security incident.

Any decision made under new Part 3A of the SOCI Act is not a 'decision to which this Act applies'. This means that a decision made under new Part 3A in response to a 'serious cyber security incident' is not subject to judicial review under the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act), which therefore limits an entity's right to a fair and public hearing.

When making a decision under new Part 3A of the SOCI Act, the Minister must be satisfied that there is a material risk that a 'cyber security incident' (as defined by new section 12M) has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice, the social or economic stability of Australia or its people, the defence of Australia or Australia's national security. Decisions of this nature are likely to be based on sensitive and classified information and to deal with the capabilities of intelligence agencies as well as security vulnerabilities. This could include intelligence information and covert investigation methods and procedures, the disclosure of which may impact ongoing investigations, compromise intelligence methodologies or otherwise damage Australia's national security and defence. The same applies equally to decisions of the Secretary and the authorised agency under new Part 3A, who operationalise the Ministerial authorisations. For this reason, it is reasonable to exempt decisions made under new Part 3A of the SOCI Act from review under the ADJR Act, as the public dissemination of the sensitive information and capabilities that may be used to make decisions under new Part 3A would pose a risk to the national security and defence of Australia.
However, new Part 3A does not have the effect of entirely excluding judicial review of decisions under Part 3A of the SOCI Act. A person who is the subject of a decision under Part 3A is still entitled to seek judicial review under section 39B of the Judiciary Act 1903 or section 75(v) of the Constitution.

Furthermore, this limitation on the right to a fair and public hearing is reasonable, proportionate and for a legitimate objective, as the Ministerial authorisation power is only available if:
• a cyber security incident has had, is having, or is likely to have a relevant impact on a critical infrastructure asset (new paragraphs 35AB(1)(a)-(b));
• there is a material risk that the incident has seriously prejudiced, is seriously prejudicing or is likely to seriously prejudice the social or economic stability of Australia or its people; the defence of Australia; or Australia's national security (new paragraph 35AB(1)(c));
• no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident (new paragraph 35AB(1)(d));
• the Ministerial authorisation ceases after a maximum period of 20 days (new subsection 35AG(2)), unless the Minister has revoked the authorisation earlier or, where an emergency continues beyond this period, the Minister makes another authorisation in relation to the particular incident (new subsection 35AG(3));
• the Minister has, before giving a Ministerial authorisation, consulted with the specified entity unless the resulting delay would frustrate the effectiveness of the Ministerial authorisation (new section 35AD);
• the specified entity is unwilling or unable to take all reasonable steps to respond to the incident (new paragraph 35AB(7)(a) and paragraphs 35AB(10)(b)-(c)); and
• the specified direction is reasonably necessary for the purposes of responding to the incident (new paragraph 35AB(7)(b) and paragraph 35AB(10)(d)); the specified direction is a proportionate response to the incident (new paragraph 35AB(7)(c) and paragraph 35AB(10)(e)); and compliance with the specified direction is technically feasible (new paragraph 35AB(7)(d) and paragraph 35AB(10)(f)).

Directions by the Minister

The current SOCI Act places regulatory obligations on specific entities in the electricity, gas, water and ports sectors. As the Government has improved its visibility of how interconnected Australia's critical infrastructure is, this has highlighted a need to expand the types of critical infrastructure entities subject to the Act to include entities in a wider range of sectors. Entities across all critical infrastructure sectors are facing increasing threats and require enhanced protections. By broadening the scope of the SOCI Act, the Minister's existing powers to issue directions to reporting entities or operators of critical infrastructure assets to do, or refrain from doing, an act or thing (Part 3, Division 2 of the SOCI Act) are extended to a larger number of entities. The human rights implications of the Minister's directions powers are outlined in the Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017.
That Statement outlines that the right to a fair trial is supported through the legislated safeguards which apply prior to the Minister issuing a direction and the availability of appropriate review mechanisms. The changes in the Bill do not alter this position.

Gathering and using information powers

By broadening the scope of the SOCI Act, the Secretary's powers to obtain information or documents from entities, even where doing so would expose an individual or a body corporate to criminal or civil liability (Part 4, Division 2 of the current SOCI Act), are extended to a larger number of entities. The additional critical infrastructure assets to be included in the SOCI Act are assets that have been determined to be fundamental to the Australian economy, security and sovereignty. The human rights implications of the powers relating to information gathering and use are outlined in the Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017. That Statement outlines that the right to a fair trial is supported through the broad protections for individuals against criminal or civil proceedings where the information is self-incriminating. The changes in the Bill do not alter this position.

Right to privacy

Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy. Interferences with privacy may be permissible provided that they are authorised by law and are not arbitrary. For an interference with the right to privacy not to be arbitrary, the interference must be for a reason consistent with the provisions, aims and objectives of the ICCPR and be reasonable in the particular circumstances.[9] The United Nations Human Rights Committee has interpreted 'reasonableness' in this context to mean that 'any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case'. The term 'unlawful' means that no interference can take place except as authorised under domestic law.

Article 17 of the ICCPR does not set out the reasons for which the guarantees in it may be limited. However, limitations contained in other articles, for example those which are necessary in a democratic society in the interests of national security, public order, the protection of public health or the protection of the rights and freedoms of others, may be considered legitimate objectives in appropriate circumstances in respect of the prohibition on interference with privacy.

Article 17 of the ICCPR only applies to interference with the privacy of individuals. Whilst the definition of 'entity' under the current SOCI Act includes individuals, it is highly unlikely that the measures in the Bill would apply to individuals. The exception to this is the requirement for the provision of information on the board members of an entity under the Register of Critical Infrastructure Assets. The responsible entity for a critical infrastructure asset will be an individual (e.g. in the water sector) in a very small number of cases. The vast majority of critical infrastructure assets are managed by corporations, to which the right to privacy does not apply.
Where the responsible entity for a critical infrastructure asset is an individual, the following measures in the Bill may engage the right to privacy under Article 17 of the ICCPR:
• Government assistance: Ministerial authorisation relating to cyber security incidents (new Part 3A, Division 2 of the SOCI Act);
• the increased coverage of the existing obligation of a reporting entity for a critical infrastructure asset to give information and notify of events for the Register of Critical Infrastructure Assets (Part 2, Division 2 of the current SOCI Act); and
• the increased coverage of the Secretary's existing powers to obtain information or documents (Part 4, Division 2 of the current SOCI Act).

Government assistance: Ministerial authorisation relating to cyber security incidents

To prevent or mitigate a serious cyber security incident that has had, is having, or is likely to have a relevant impact on a critical infrastructure asset (new subsection 35AB(1)), the Minister has the power to authorise the Secretary of Home Affairs to use:
• the information gathering direction power (new paragraphs 35AB(2)(a) and (b) and section 35AK), that is, to direct an entity to provide information that may assist with determining whether a power under the Act should be exercised in relation to an incident and the asset;
• the action direction power (new paragraphs 35AB(2)(c) and (d) and section 35AQ), that is, to direct an entity to do, or refrain from doing, a specified act or thing within the period specified in the direction;
• the intervention direction power, that is, to request that the chief executive of ASD take direct action (new paragraphs 35AB(2)(e) and (f) and section 35AX). For a request that is in force under new section 35AX, an ASD staff member may require an entity to provide the staff member with access to premises or electronic networks, and to provide them with specified information or assistance. This does not apply to premises that are used solely or primarily as a residence.

[9] Toonen v Australia, Communication No. 488/1992, U.N. Doc CCPR/C/50/D/488/1992 (1994) at 8.3.

This is a permissible limitation on the right to privacy, as prior to making the authorisation the Minister must be satisfied that:
• a cyber security incident has occurred, is occurring or is imminent (new paragraph 35AB(1)(a));
• the incident has had, is having, or is likely to have a relevant impact on a critical infrastructure asset (new paragraph 35AB(1)(b)). New subsection 8G(2) provides the definition of a relevant impact in this context, which includes an impact on the availability, integrity, reliability or confidentiality of the asset. Therefore this power can only be used to protect Australia's critical infrastructure assets;
• there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice the social or economic stability of Australia or its people, the defence of Australia, or Australia's national security (new paragraph 35AB(1)(c)). This requirement ensures that the regime can only be used in the most serious of circumstances, where Australia's national interests are being seriously prejudiced. In such circumstances, the Government's responsibility to protect Australia's national interests is engaged;
• the action would be a technically feasible, proportionate (considering the impact of compliance with the request and the consequences of compliance) and reasonably necessary response to the incident, and the relevant entity is unwilling or unable to take all reasonable steps to respond to the incident (new subsections 35AB(7) and 35AB(10)).
• For intervention requests, that the Minister has obtained the agreement of the Prime Minister and the Defence Minister before giving the Ministerial authorisation (new section 35AB)). In the vast majority of cyber security incidents, industry should and will respond to cyber security incidents, with the support of Government where necessary. However, in exceptional circumstances, the enhanced framework will provide the Government with the power to take appropriate steps to prevent and address immediate and serious cyber security incidents that threaten serious harm to Australia's interests, mitigate the impacts of such incidents on critical infrastructure, and restore the functioning of those assets. Register of Critical Infrastructure Assets - obligations to give information and notify of events Whilst the collection of personal information will be rare, Part 2 of the current SOCI Act requires the responsible entity of critical infrastructure assets to provide the Secretary of Home Affairs with certain operational information in relation to the asset, and interest and control information in relation to the entity and the asset. Through the inclusion of additional critical infrastructure assets in Part 1, Division 2, section 9 of the current SOCI Act, the Register obligations will be able to be extended in their current form to these additional assets. Under the requirements in the Register, which will result in the incidental collection of personal information, the limitation to the right to privacy in Article 17 of the ICCPR are 177
outlined in the Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017. This outlines that the Government has taken sufficient steps to ensure that the limitations on the right to privacy are no more restrictive than necessary as the use and disclosure of information on the Register is restricted to purposes authorised under the SOCI Act. The changes in the Bill do not alter this position. Secretary's powers to obtain information or documents By broadening the assets regarded as critical infrastructure assets under the SOCI Act, the Secretary's powers to obtain information or documents from entities (Division 2 of the SOCI Act) is expanded to a larger number of entities. Subection 37(1) of the current SOCI Act empowers the Secretary to request certain information from reporting entities and operators of critical infrastructure assets. The Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017 outlines why the Secretary's information gathering power is a permissible limitation to the right to privacy, including because the information gathering power is limited to obtaining information or documents that are directly relevant to the purposes of the legislation, as stated in the objects of the Act, as well as the functions, duties, powers and purposes prescribed in the Act. The changes in the Bill do not alter this position. Conclusion The Bill is compatible with human rights because it will promote rights and, to the extent that the Bill limits rights, those limitations are reasonable, necessary and proportionate to the objective of reducing national security risks from foreign involvement in critical infrastructure. 178