The Joint Committee's recommendations for businesses responsible for Australia's critical infrastructure
The Parliamentary Joint Committee on Intelligence and Security (the Joint Committee) has recommended that businesses responsible for Australia's critical infrastructure be subjected to expanded governance assistance measures as a matter of urgency.
If adopted, the recommendations would see the proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Draft Bill) separated into two Bills. The first Bill would implement the Government's expanded powers, while industry consultation continues regarding elements of the second Bill.
- The Joint Committee has tabled an advisory report with 14 recommendations, including, most significantly, that the Draft Bill be split into two amended Bills. The rationale for the split is to allow Parliament to urgently pass a Bill to implement the governance assistance measures (Part 3A and enabling provisions) to address the present threats to Australia's critical infrastructure (Bill One), while consultation may proceed in order to achieve consensus as to the less urgent elements of the regime, which will be set out in the second Bill (Bill Two).
- If passed, Bill One would:
- give the Government 'last resort' powers to direct an entity to gather information or undertake an action (including to require software be installed), and to authorise the Australian Signals Directorate to intervene against cyber attacks;
- introduce the notification of cyber security incidents obligations (with minor amendments to the Bill first released, to extend the timing for written notification from 48 hours to 84 hours, provided an oral notification is given within 12 hours); and
- amend the definitions of the critical infrastructure sectors, relevant critical assets and responsible entities under the Security of Critical Infrastructure Act 2018 (Cth), which would widen the scope of the 'national security business' definition within the Foreign Acquisitions and Takeovers Act 1975 (Cth) and result in more transactions being subject to FIRB approval.
- All other proposed amendments, such as in relation to risk management programs and declarations of systems of national significance, are recommended to be passed in Bill Two, following further consultation with industry on these positive security obligations.
- The Joint Committee is eager to see Bill One pass before the end of the 2021 Parliamentary sitting calendar, the last sitting day of which is 2 December.
On 10 December 2020, the Hon Christian Porter MP, the then Attorney-General, referred the Draft Bill to the Joint Committee for review, and on 21 December 2020, the Joint Committee launched an inquiry and statutory review into the Draft Bill and the Security of Critical Infrastructure Act as a joint inquiry.
Following months of stakeholder engagement and consultation, the Joint Committee, on 29 September 2021, tabled its advisory report on the Draft Bill and the critical infrastructure reforms. It made 14 recommendations, including, most significantly, that the governance assistance measures within Part 3A of the Draft Bill and its associated enabling provisions be separated out of the Draft Bill and passed expeditiously in order to empower government to respond to the present threats to critical infrastructure assets.
Our Insight on the proposed critical infrastructure reforms in November last year provides a recap and detailed summary of the relevant provisions of the Draft Bill.
What would be included in Bill One?
While the Joint Committee has acknowledged the importance of consultative development of the reforms (in particular, referring to the compelling evidence provided by industry in relation to regulatory duplication and the unquantifiable regulatory costs), the Committee expressed significant concern about the inability to reach stakeholder consensus. In light of this stalemate and in the face of looming cyber security threats to Australia's critical infrastructure, the Committee has recommended that the 'last resort' government assistance measures be separated out and passed as soon as practicable.
Bill One would include:
- (Government assistance measures – Part 3A) The Committee considers the proposed government assistance measures to be the most urgent. Under this Part, the Government would be granted three key powers that it can exercise in limited circumstances when a cyber security incident is affecting a critical infrastructure asset:
- it can require disclosure of information that may assist with responding to an incident;
- it can require an entity to do an act or thing in circumstances where the entity is unwilling or unable to resolve the incident itself; and
- it can authorise the Australian Signals Directorate to step in to do one of a list of things where directing the entity to act would not be practical or effective (eg if the entity is unwilling or unable).
These powers can be applied very broadly regarding any 'relevant entity' for a sector asset or a critical infrastructure asset.
- (Notification requirements with relevant rules – Part 2B) The Joint Committee has indicated that the notification of cyber security incidents, which allows the assistance measures under Part 3A to be engaged, will also need to be retained. While it has considered the 12-hour period for oral notification to be reasonable, the Committee has recommended that the written notification period be extended from 48 hours to 84 hours. The Joint Committee has also suggested that entities should be allowed to agree with relevant Commonwealth bodies to provide only oral notifications (removing the requirement for a written notification).
- (Critical infrastructure sector and asset definitions) Given the definitions of sectors and assets are crucial to the operation of the Bill's proposed framework, the Joint Committee recommends that Bill One should identify and define the critical infrastructure sectors and the relevant critical assets that are affected, or will be affected, by the Bill, as well as the responsible entities. If that change is made, it will have a direct impact on the operation of the Foreign Acquisitions and Takeovers Act, as the definition of 'national security business' in that Act includes critical infrastructure assets as defined in the Security of Critical Infrastructure Act. An expansion of the definition of critical infrastructure assets will widen the scope of the national security business definition, and result in more transactions being subject to approval under the Foreign Acquisitions and Takeovers Act.
- (Criminal Code and Intelligence Services Act amendments) The Joint Committee recommends reviewing and amending the provisions that limit liability for Australian Signals Directorate staff when performing actions under the proposed Part 3A provisions. The need for review has been suggested in response to submissions made by the Law Council of Australia that, as currently drafted, the scope of immunity reaches much further than the activities the Australian Signals Directorate would undertake for the purpose of performing its security of critical infrastructure-related responsibilities.
What would be included in Bill Two?
The Joint Committee has recommended that the remaining elements of the Bill be deferred and dealt with in Bill Two. If this recommendation is adopted, the following measures will be deferred and subject to industry consultation before being reintroduced to Parliament.
- (Risk management programs – Part 2A) If passed, Part 2A under the Draft Bill would establish an obligation on responsible entities to adopt and maintain a critical infrastructure risk management program. This positive security obligation is one aspect of the new regime that focuses on physical security, personnel security and supply chain security in addition to cyber security. Each program is to be informed by rules at both a general level (applying to all sectors) and a specific, sector-by-sector level.
- (Declaration of Systems of National Significance along with enhanced security obligations – Parts 2C and 6A) These Parts are intended to apply to the critical infrastructure assets that have been nominated by the Minister as having the highest criticality. Entities responsible for these assets are required to cooperate closely with government on cyber security matters through the 'enhanced cyber security obligations'.
Prepare for the governance assistance measures to commence
The Government had initially planned for the Draft Bill and the Part 3A obligations to commence on 1 July 2021; however, delays in the consultation processes and the outstanding review into the Draft Bill caused this start date to be suspended. Following the release of the Joint Committee's advisory report, we would expect the Government may act swiftly to introduce Bill One into Parliament. Affected entities should therefore be preparing to comply with the new measures imminently. For your business, this may involve implementing contractual pass-throughs to facilitate compliance with the relevant obligations, and uplifts to cyber attack response and recovery playbooks.
Participate in the development of sector-specific rules to further define the scope and content of obligations
If the Joint Committee's recommendations are adopted, we expect industry consultation on the sector-specific rules will continue. We note that the Government has completed its first-phase consultation on the co-design requirements for the electricity, gas, data storage or processing sector, and the water and sewerage sector. From September to December, consultations will take place for the financial services and markets (payment systems) sector and the food and grocery sector. Updates on the consultation process are published on the Department website and CIC website, and we will keep you informed as the regime develops.