Canberra is proposing to significantly expand its power over critical infrastructure owners and operators in the cause of securing Australia’s networks.
Australia’s Department of Home Affairs has published draft legislation that would significantly expand the government’s ability to oversee and regulate the owners and operators of critical infrastructure and to step in and apparently take over any such networks if deemed necessary. This model of a more interventionist regulatory state regarding cybersecurity could be transplanted to other western democracies, especially in light of ongoing, intensifying use of cyberspace by the Russian Federation, People’s Republic of China, other nations, hackers, and cyber criminals.
In its “Cyber Security Strategy 2020” released earlier this year, the Australian government explained:
The Australian Government will introduce new laws to make sure Australia can recover quickly from a cyber security emergency. This will include providing reasonable and proportionate directions to businesses to minimize the impact of an incident and taking direct action to protect systems during an emergency.
Consequently, the Department of Home Affairs (Home Affairs or Department) has drafted and released for feedback legislation based, in large part, on input from a white paper published over the summer. In its press release, Home Affairs contended “[t]he Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of critical infrastructure and systems of national significance.” Home Affairs stated “[a]s part of the next stage of development of these reforms, we are seeking views on:
- the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill)
- the Bill’s accompanying draft Explanatory Document
- the Exposure Draft of the Intelligence Services Regulations 2020 (the Regulations)
- the Regulations’ accompanying Explanatory Statement.
The Department explained “[t]he Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure…[and] [t]he Regulations support the operation of the Bill’s assistance and cooperation measures.”
Home Affairs wants feedback on these documents by 27 November.
The draft legislation would change how Australia oversees its critical infrastructure, especially the cybersecurity aspects. One major consequence of the draft legislation is that the sectors governed at a higher level of scrutiny would be expanded beyond the energy and maritime sectors to include vast swaths of Australia’s economy. Additionally, some entities and assets would be subject to a heightened level of scrutiny and compliance based on their signal importance to Australia. However, what may be foremost in the minds of owners and operators of critical infrastructure are the provisions allowing Home Affairs to issue orders to do or not do certain things in the event their systems are endangered in such a way that the economic, social, defense, or national security well-being of the country is in danger.
In the Explanatory Document, Home Affairs used an interesting word to characterize the support for “an enhanced regulatory framework for Australia’s critical infrastructure:” “cautious.” This suggests that industry and other stakeholders generally support increasing government regulation of critical infrastructure but signals perhaps muted or coded opposition to the type of muscular regime Home Affairs is floating. Nonetheless, the Department summarized the feedback received during the consultation period:
- the need for genuine co-design of sector-specific requirements and recognition that voluntary partnerships remain the first preference for resolving incidents;
- the need for greater clarity around how critical infrastructure assets and systems of national significance are to be defined;
- concern over the extent of the proposed Government Assistance powers;
- the unclear and possibly high regulatory impost, as well as possible duplication with existing regulatory frameworks (particularly in sectors with existing, mature security frameworks); and
- the risks in pursuing the reforms on an expedited timeframe.
Home Affairs explained the “Government will introduce an enhanced regulatory framework, building on existing requirements under the “Security of Critical Infrastructure Act 2018” (SOCI) Act…[and] [t]he “Security Legislation Amendment (Critical Infrastructure) Bill 2020” gives effect to this framework by introducing:
- a Positive Security Obligation for critical infrastructure, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;
- enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and
- government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia’s critical infrastructure assets.
The Department noted “[t]he Australian Government’s Critical Infrastructure Resilience Strategy currently defines critical infrastructure as:
‘those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.’
As noted, the sectors of Australia’s economy that would receive enhanced regulatory demands are dramatically expanded. Home Affairs stated that
- Within that broad definition of critical infrastructure, the SOCI Act currently places regulatory obligations on specific entities in the electricity, gas, water and maritime ports sectors. However, as the security landscape evolves, so must our approach to managing risk across all critical infrastructure sectors.
- As such, the amendments in this Bill will enhance the obligations in the SOCI Act, and expand its coverage to the following sectors: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage.
Home Affairs provided an overview of the new requirements owners and operators of critical infrastructure in all these sectors would need to meet:
- The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) will introduce an all-hazards Positive Security Obligation for a range of critical infrastructure assets across sectors. This ensures industry is taking the appropriate steps to manage the security and resilience of their assets. The specific matters to be included in a critical infrastructure risk management program will be prescribed in rules, which will be co-designed between industry and government.
- The Bill also recognises those assets that are the most critical to the security, economy and sovereignty of Australia. These ‘systems of national significance’ will bear additional cyber obligations recognising the cyber threat environment we currently face. Finally, while these measures are designed to ensure we do not suffer a catastrophic cyber attack, the Bill will ensure Government has the necessary powers to provide direct assistance to industry in the event of a serious cyber security incident.
On the latter point (i.e., the power of the government to intervene), elsewhere Home Affairs elaborated:
Government recognises that industry should and in most cases, will respond to the vast majority of cyber security incidents, with the support of Government where necessary. However, Government maintains ultimate responsibility for protecting Australia’s national interests. As a last resort, the Bill provides for Government assistance to protect assets during or following a significant cyber attack.
The draft legislative language provides that Home Affairs could direct owners or operators of critical infrastructure to take certain acts or refrain from taking certain acts in the event a cyber incident is occurring, has occurred, or is imminent, will have a “relevant impact” on a critical infrastructure asset, and may, is, or will prejudice the social or economic stability of the country, its defense, or national security. There are limits on this power, but it would represent a sweeping expansion of authority for the Australian government if enacted in the current formulation.
The Department also explained that the legislation would establish new Enhanced Cyber Security Obligations for “systems of national significance” deemed as such by the government. These obligations would be placed on a subset of critical infrastructure owners and operators, those most vital to Australia, and there would be additional requirements and scrutiny, such as direction to undertake certain measures. Home Affairs stated:
- The Enhanced Cyber Security Obligations in the Bill will support a bespoke, outcomes-focused partnership between Government and Australia’s most critical assets – privately declared as ‘systems of national significance’. These obligations will enhance the already mature Government-industry information sharing arrangements to build an aggregated threat picture and comprehensive understanding of cyber security risks to critical infrastructure in a way that is mutually beneficial to Government and industry.
- Systems of national significance are a significantly smaller subset of critical infrastructure assets that, by virtue of their interdependencies across sectors and cascading consequences of disruption to other critical infrastructure assets and critical infrastructure sectors, are crucial to the nation.
- Under the Enhanced Cyber Security Obligations, the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more prescribed cyber security activities. These include the development of cyber security incident response plans, cyber security exercises to build cyber preparedness, vulnerability assessments to identify vulnerabilities for remediation, and provision of system information to build Australia’s situational awareness. The Bill explicitly requires the Secretary of Home Affairs to request the prescribed activity in order to ensure activities have a clear, stated security objective.
- Through consultation in developing this Bill, stakeholders provided support for greater threat information sharing and partnerships with Government. The Enhanced Cyber Security Obligations will support the sharing of near-real time threat information to provide industry with a more mature understanding of emerging cyber security threats, and the capability to reduce the risks of a significant cyber attack against Australia’s most critical assets.
Home Affairs elucidated the proposed “Positive Security Obligation,” the rules the government will “co-design” with industry to ensure “industry is taking the appropriate steps to manage the security and resilience of their assets:”
The Positive Security Obligation will build on the existing obligations in the SOCI Act to embed preparation, prevention and mitigation activities into the business as usual operating of critical infrastructure assets, ensuring that the resilience of essential services is strengthened. It will also provide greater situational awareness of threats to critical infrastructure assets.
The Department stated “[t]he Positive Security Obligation involves three aspects:
- adopting and maintaining an all-hazards critical infrastructure risk management program;
- mandatorily report serious cyber security incidents to the Australian Signals Directorate (ACSC); and
- where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.