Senate

Revised Explanatory Memorandum

(Circulated by authority of the Minister for Home Affairs, the Honourable Karen Andrews MP)

OUTLINE

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia's critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver.

Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption and result in cascading consequences across our economy, security and sovereignty.

Threats ranging from natural hazards (including weather events) to human induced threats (including interference, cyber attacks, espionage, chemical or oil spills, and trusted insiders) all have the potential to significantly disrupt critical infrastructure. Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, and the impacts of COVID-19 illustrate that threats to the operation of Australia's critical infrastructure assets continue to be significant. Further, the interconnected nature of our critical infrastructure means that compromise of one essential function can have a domino effect that degrades or disrupts others.

The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty, as well as the Australian way of life, causing:

•

shortages or destruction of essential medical supplies;

•

instability in the supply of food and groceries;

•

impacts to water supply and sanitation;

•

impacts to telecommunications networks that are dependent on electricity;

•

the inability of Australians to communicate easily with family and loved ones;

•

disruptions to transport, traffic management systems and fuel;

•

reduced services or shutdown of the banking, finance and retail sectors; and

•

the inability for businesses and governments to function.

While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune:

•

over the last three years, we have seen several cyber attacks in Australia that have targeted the Federal Parliamentary Network;

•

malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber attacks on health organisations and medical research facilities; and

•

key supply chain businesses transporting groceries and medical supplies have also been targeted.

Accordingly, Government will introduce an enhanced regulatory framework, building on existing requirements under the SOCI Act. The Security Legislation Amendment (Critical Infrastructure) Bill 2021 gives effect to this framework by introducing:

•

mandatory cyber incident reporting; and

•

government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia's critical infrastructure assets.

These changes will be underpinned by enhancements to Government's existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy and an expanded Trusted Information Sharing Network. This will include a range of activities that will improve our collective understanding of risk within and across sectors.

The enhanced framework will uplift security in all critical infrastructure sectors. When combined with better identification and sharing of threats, this framework will ensure that Australia's critical infrastructure assets are more resilient and secure.

This framework will apply to owners and operators of critical infrastructure regardless of ownership arrangements. This creates an even playing field for owners and operators of critical infrastructure and maintains Australia's existing open investment settings, ensuring that businesses who apply security measures are not at a commercial disadvantage.

The Australian Government's Critical Infrastructure Resilience Strategy currently defines critical infrastructure as:

'those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defence and ensure national security.'

In the context of this, the SOCI Act currently places regulatory obligations on specific entities in the electricity, gas, water and maritime ports sectors. However, as the security landscape evolves, so must our approach to managing risk across all critical infrastructure sectors.

As such, the amendments in this Bill will enhance the obligations in the SOCI Act, and expand its coverage to the following sectors: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage.

The reforms

The Commonwealth needs to establish a clear, effective, consistent and proportionate approach to ensuring the resilience of Australia's critical infrastructure. The amendments to the SOCI Act will drive the uplift of the security of Australia's critical infrastructure.

The Bill will ensure Government has the necessary powers to provide direct assistance to industry in the event of a serious cyber security incident.

Positive Security Obligations

The additional positive security obligations will build on the existing obligations in the SOCI Act to embed preparation, prevention and mitigation activities into the business as usual operating of critical infrastructure assets, ensuring that the resilience of essential services is strengthened. It will also provide greater situational awareness of threats to critical infrastructure assets.

The positive security obligations involve two aspects:

•

mandatory reporting of serious cyber security incidents to the Australian Signals Directorate (in the Australian Cyber Security Centre, or ACSC); and

•

where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.

Importantly, each aspect of the positive security obligations will only apply once a rule is made in relation to that aspect for a critical infrastructure asset or class of critical infrastructure assets. The rules will prescribe which aspects are 'switched on' for a critical infrastructure asset or class of critical infrastructure assets.

Responsible entities of specified critical infrastructure assets will be required to report cyber security incidents to the relevant Commonwealth body. Collecting this information will support the development of an aggregated threat picture to inform both proactive and reactive cyber response options -from providing immediate assistance to working with industry to uplift broader security standards.

Part 2 of the current SOCI Act requires assets covered by the Act to provide ownership and operational information to the Secretary of Home Affairs for the Register of Critical Infrastructure Assets (the Register). The Bill will extend this requirement to the expanded class of critical infrastructure assets where they are 'switched on' in the rules to develop and maintain a comprehensive picture of national security risks, and apply mitigations where necessary.

Government Assistance

This Bill introduces a Government Assistance regime to respond to serious cyber security incidents that applies to all critical infrastructure sector assets. Government recognises that industry should and in most cases, will respond to the vast majority of cyber security incidents, with the support of Government where necessary. However, Government maintains ultimate responsibility for protecting Australia's national interests. As a last resort, the Bill provides for Government assistance to protect assets immediately prior, during or following a significant cyber attack.

Detailed notes on the clauses of the Bill is included at Attachment A .

FINANCIAL IMPACT STATEMENT

The measures in the Bill have no financial impact.

REGULATION IMPACT STATEMENT

A detailed Regulation Impact Statement to assess the high level regulatory impact to industry of uplifting the security and resilience of Australia's critical infrastructure assets was included in the Explanatory Memorandum for the Bill as introduced in the House of Representatives.

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

A Statement of Compatibility with Human Rights has been completed in relation to the Bill. It has been assessed that the amendments are compatible with Australia's human rights obligations. A copy of the Statement of Compatibility with Human Rights is at Attachment B .