Security Legislation Amendment (Critical Infrastructure) Bill 2020: could your organisation be caught?
Jul 2021 | Cyber Risk
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (Bill) aims to protect Australia’s critical infrastructure from cyber security threats and other hazards, building on the pre-existing framework established in the Security of Critical Infrastructure Act 2018 (SOCI Act). The Bill is currently being reviewed, with recent public hearings on 8 and 9 July 2021 highlighting some industries’ concerns.
Significantly, if passed, the Bill allows the federal government to impose obligations on, and interfere with, private and public enterprise. In this article, we focus on the proposed cyber security obligations and corresponding Government powers, but notably the Bill has much broader application.
Purpose of the Bill
The Bill responds to evolving human and natural threats to critical infrastructure in a ‘post COVID-19 world’ and aims to minimise disruption and ‘cascading consequences across our economy, security and sovereignty’.[1]
While Australia has so far avoided any catastrophic cyber attacks, the Bill is said to be part of the federal government’s response in light of recent cyber incidents including:
- repeated cyber attacks on the Federal Parliamentary Network and several Australian universities;
- the targeting of supply chain businesses transporting food and medical supplies;
- ongoing attacks on the health sector and medical research facilities, which are already under increased pressure due to COVID-19. The Office of the Australian Information Commissioner has reported the health sector has experienced a larger number of data breaches than any other sector over the last two years;[2] and
- the disruption caused by COVID-19, in particular to the health sector.
The Bill has three main elements:
- additional obligations for critical infrastructure assets;
- enhanced cyber-security obligations; and
- government assistance for cyber attack response.
We discuss each of these below.
1. Critical infrastructure assets – additional obligations
The Bill imposes various obligations on owners and controllers of ‘Critical Infrastructure’, which is defined in the federal government’s ‘Critical Infrastructure Resilience Strategy’ as:
‘those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security'.
The SOCI Act already applies to electricity, port, water and gas assets. The Bill proposes to extend the scope of ‘Critical Infrastructure’ to include assets that ‘relate’ to the following sectors:
- financial services and markets;
- data storage and processing;
- defence industry;
- higher education and research;
- food and grocery;
- health care and medical;
- space technology;
- transport; and
- water and sewerage.
The Bill also introduces a new category of ‘systems of national significance’, which are ‘the most critical to the security, economy and sovereignty of Australia’, and will have additional obligations including in relation to cyber incidents.
The SOCI Act already requires owners of critical infrastructure assets to:
- register ownership and operational details with the federal government;
- provide requested information; and
- comply with directions ‘when all other mechanisms to mitigate risk have been exhausted’.
The Bill proposes additional positive security obligations for critical infrastructure assets, including strict notification obligations and adopting risk management programs.
Outlined below are the notification requirements in relation to cyber incidents. Notifications are to be directed to the Australian Signals Directorate[3] (ASD) orally or in writing. A civil penalty of up to 50 penalty units may apply if these obligations are not complied with.
Critical cyber security incidents
Significantly, a responsible entity must report a critical cyber security incident within 12 hours of the entity becoming aware that the incident is ‘critical’. While the timeframe is narrow, the time does not start running until an entity is aware that the impact is significant, therefore allowing for some internal investigation to take place. However, it is likely that any prolonged delay will be subject to criticism and risk an entity being issued a civil penalty.
A ‘critical’ cyber security incident is one that has a significant impact on the availability of a critical infrastructure asset. The Bill presently does not provide any criteria for what a ‘significant’ impact is, as the impact of an incident will differ from asset to asset.
The definitions of ‘responsible entity’ are sector specific, but generally refer to the entity with ultimate control of the asset.[4]
Other cyber security incidents
If a cyber security incident is not ‘critical’ but is likely to have a ‘relevant impact’ on a critical infrastructure asset, the responsible entity is required to report the incident within 72 hours of becoming aware of the impact. Again, the timeframe is triggered by awareness.
A ‘relevant impact’ is an impact on the availability, integrity, reliability or confidentiality of the asset (irrespective of the seriousness of that impact). A ‘relevant impact’ is not exhaustively defined and needs to be judged on a case-by-case basis.
2. Enhanced cyber security obligations
The Bill requires the Federal Government and ‘systems of national significance’ to partner to create bespoke cyber security systems. ‘Systems of national significance’ are crucial to the nation, have interdependencies across sectors, and are vulnerable to being disrupted by, and causing disruption to, other critical infrastructure assets and sectors.
The increased obligations include the development of cyber-security incident response plans, participation in cyber-security exercises, vulnerability assessments and remediation, and provision of system information to the ASD.
3. New Part 3A – Government assistance
If a ‘relevant entity’ experiences a ‘cyber security incident’ (or one is imminent or likely to occur), the proposed new pt 3A of the Bill gives the government broad powers to assist the entity to respond to the incident. These powers are only to be exercised in emergency circumstances, as a last resort and when it is in the national interest. Decisions under the new pt 3A will be exempt from review under the Administrative Decisions (Judicial Review) Act 1977.
Who does pt 3A apply to?
To understand the breadth of those powers, and the scope of both public and private organisations which may be affected, it is necessary to understand what a ‘relevant entity’ and a ‘cyber security incident’ is.
Under pt 3A, a ‘relevant entity’ is entitled to federal government assistance and falls into the following categories:
- the responsible entity for an asset (the entity with operational responsibility);
- a direct interest holder in relation to the asset;
- an operator of the asset; or
- a managed service provider for an asset.
Given that a large portion of the industries captured by the Bill’s definition of critical infrastructure operate by way of public-private partnerships, relevant entities may include private companies with government involvement.
The term ‘cyber security incident’ is also defined broadly and includes unauthorised:
- access to computer data or a computer program;
- modification of computer data or a computer program;
- impairment of electronic communication to or from a computer; and
- impairment of the availability, reliability, security or operation of a computer, computer data or a computer program.
This appears to encompass the full gamut of cyber incidents, from a large-scale data breach or ransomware attack to a computer virus. However, as noted above, the powers outlined below may only be exercised in emergency circumstances.
What powers does the federal government have?
If a cyber security incident occurs, the federal government may issue:
- Information gathering directions which require the relevant entity to produce information to the federal government to ensure a detailed understanding of the nature and extent of the incident, as well as its vulnerabilities and interdependencies with other assets. This will assist in establishing what further directions may need to be issued;
- Action directions which allow the federal government to direct an entity to do, or refrain from doing, a specified act or thing; and
- Intervention requests, described as a ‘last resort option within a last resort regime’,[5] which allow the ASD to defend an asset in circumstances where directing an entity to take specified action would not be practical or effective. This recognises that the federal government may have access to unique resources and expertise not otherwise available, possibly enabling the blocking of malicious domains, disabling internet access, and removing or altering stored data.
It is not clear exactly how serious a cyber security incident needs to be before the federal government deems it necessary to issue the directions above.
At the recent public hearings, Google, AWS, Microsoft and Atlassian all asserted that they are best placed to respond to cyber incidents, said they do not anticipate needing government assistance, and objected to the ‘overly broad powers’ the Bill would grant the government. In contrast, representatives of the water, electricity and logistics sectors agreed that government assistance could be valuable, depending on the circumstances.
The Bill proposes broad powers for the federal government, and imposes broad obligations on responsible entities, in an effort to respond to increasing cyber threats.
If the Bill is enacted, it will be crucial for entities to immediately determine whether they are a relevant entity or responsible entity, and, if so, the extent to which the obligations will apply to them and when and how they can be activated.
The provisions in the Bill in its present form are arguably onerous and may have wide ranging impacts on the private contractual arrangements between parties. In light of this, it remains to be seen whether the Bill will tread the fine line between allowing those entities to operate independently, and effectively managing the very real cyber risks those assets face.
[1] Explanatory memorandum of the Bill.
[2] For more information on the prevalence, causes and consequences of cyber attacks in each sector see Katherine Hayes, Greg Stirling and Hayley Nankivell, ‘Human error still causing data breaches’ (2021) <https://www.carternewell.com/page/Publications/2021/human-error-still-causing-data-breaches/>.
[3] Unless another Commonwealth body is prescribed in the rules.
[4] For example, the responsible entity of telecommunications assets is the carrier that holds the carrier licence for the telecommunications network.
[5] Explanatory memorandum of the Bill.