Update 30 September 2021
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has come out in support of the passage of urgent reforms – part of a proposed two-step approach to protect Australia’s critical infrastructure from cyber threats.
In its Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 (tabled on 29 September 2021), the Committee recommended that emergency powers be quickly legislated in a standalone bill, with a second, separate bill to be introduced after further consultation.
The PJCIS has made 14 recommendations in relation to the Bill, including proposing a split in the current proposed framework into two amended Bills:
- Bill One for rapid passage – to expand the critical infrastructure sectors covered by the Act, introduce government assistance measures to be used as a last resort in crisis scenarios, as well as mandatory reporting obligations
- Bill Two for further consultation – including declarations of systems of national significance, enhanced cyber-security obligations and positive security obligations which are to be defined in delegated legislation
This recommended two-step approach will enable the quick passage of laws to counter looming threats against Australia’s critical infrastructure.
The approach would also give businesses and government additional time to co-design the most effective regulatory framework to ensure long-term security of critical infrastructure.
Chair of the Committee, Senator James Paterson, said, “The Committee received compelling evidence that the complexity and frequency of cyber-attacks on critical infrastructure is increasing globally.
“Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure.
“However, as the regulatory framework is still undergoing co-design with each of the eleven sectors and will not be finalised until after passage of the bill, many businesses have expressed concern about this uncertainty and asked for the entire bill to be paused in the current economic climate.
“While sympathetic to the concerns of industry leaders, the Committee does not believe that pausing the entire bill is in Australia’s national interests given the immediate cyber threats that our nation faces.
“The Committee’s recommended solution allows for the urgent measures to pass now, to equip the government with the emergency powers it needs while allowing additional time for co-design to overcome the concerns of industry about the regulatory impact.
“The passage of both bills is essential because cyber-security is not just the government’s job. Industry has a role to play too and the second bill which imposes obligations on businesses is an important part of a comprehensive response to the serious challenges we face.”
Update 6 August 2021
The Parliament’s Intelligence and Security Committee held its fourth public hearing on Thursday 29 July 2021 as part of its Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018.
The Committee heard from the Department of Home Affairs and the Australian Signals Directorate (ASD) at a recall hearing to address evidence presented by industry and subject matter experts from previous hearings and in further submissions received to the inquiry.
Senator James Paterson, Chair of the committee, said, ‘The committee has heard from a wide range of independent experts and entities proposed for regulation by the Bill and the existing regime.
“The Committee has heard important evidence, not just on how these laws may impact critical infrastructure service providers and their customers, but also on the scale of the cyber threat from both criminal and state actors.
“Committee members will seek the feedback of the Department and ASD on that evidence to assist us in formulating our report and recommendations.”
A program for the hearing is available here.
Update 9 July 2021
Earlier this week, Ports Australia and its members met with the Aviation and Maritime Division at the Department of Home Affairs for a collaborative discussion on the Critical Infrastructure reforms.
Ports Australia was joined by a range of representatives from supply chain, transport, water and utilities sectors as witnesses at the Thursday 8 July 2021 public hearing , Chaired by Senator James Paterson.
Witnesses shared their perspectives on the Bill’s proposed review and how it can be pragmatically rethought to support how the industries operate, states Ports Australia.
Ports Australia said it is encouraged by consultation with Government, after participating in Parliament’s Intelligence and Security Committee’s latest public hearing on the Critical Infrastructure Bill review, but argue that more is needed for proper co-design of security requirements under the Bill, to better align with the industry.
Ports Australia states that more work is needed to revise the Bill so it recognises the intricacies of ports, like who is responsible for each moving part in their operations, what defines an infrastructure asset as critical and improve co-designing the security requirements for these assets so they align with operations.
At the hearing, Ports Australia’s CEO, Mike Gallacher, said industry will support the government’s work once its current weaknesses are addressed.
To summarise, Ports Australia is calling for:
- Clearer definitions for responsibilities of entities, especially when recognising that it should be port facility operators (stevedores for example) who are critical port assets, NOT the port operator; this also extends to critical infrastructure assets where the definition of responsibilities must be clarified (concerning assets like intermodal terminals)
- The definition of critical infrastructure assets to be clarified so we can identify which assets are captured as critical (intermodal terminals for example)
- Continued industry engagement on the co-design of security requirements which properly align with the processes of supply chain operations
The Parliament’s Intelligence and Security Committee is holding two days of public hearings on Thursday 8 and Friday 9 July, as part of its Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018.
The Committee will hear from a selected range of industry, union and expert representatives that have engaged with the Committee for its review.
Opening statements have been received from some witnesses and can be accessed as supplementary submissions.
Senator James Paterson, Chair of the Committee, said, “It is vital that we hear from the companies and industries affected by the proposed framework under the Bill, to ensure that the serious cyber security risks we face can be met effectively with the lowest possible regulatory burden and cost to consumers.”
Further information on the inquiry can be obtained from the Committee’s website.
More information regarding Submissions can be found here.
This is a developing story, follow Infrastructure for the hearing’s findings.