The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was recently introduced into the Australian Parliament by Home Affairs Minister Peter Dutton. If passed, the legislation would give government agencies the power to defend the networks and systems of critical infrastructure against cyber-attacks, much to the alarm of global tech companies.
The bill would give effect to an “enhanced regulatory framework” for critical infrastructure and systems of national significance, building on the Security of Critical Infrastructure Act 2018 (the SOCI Act). Communications, data storage and processing, and financial services would be added to the electricity, gas, water and port entities currently regulated under the SOCI Act.
The defence industry, higher education and research, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors would also be recognised as critical infrastructure.
Under the proposed legislation, critical infrastructure operators would be subject to a new “all-hazards positive security obligation” requiring companies to hand over ownership and operational information. The bill also includes “enhanced cyber security obligations” for operators of systems of national significance, under which companies could be directed to undertake “prescribed” activities, as well as “last resort” assistance powers that, in “exceptional circumstances”, allow the government to intervene in a cyber-incident deemed serious by the Home Affairs Minister.
Activities could include the development of cyber-security incident response plans, cyber-security exercises, and vulnerability assessments, according to the bill’s explanatory memorandum.
The last-resort powers would allow the Australian Signals Directorate to install programs, “access, add, restore, copy, alter or delete data”, alter the “functioning” of hardware or remove it entirely from the premises. This power has drawn the ire of the tech community, with Microsoft, Amazon Web Services, Telstra, Cisco and Salesforce all having raised concerns about it. Microsoft called for more checks and balances before government intervention is allowed, while Cisco said it remained unclear how targeted intervention could occur for companies that operate across multiple geographies. AWS was similarly worried that the powers “may give government overly broad powers to issue directions or act autonomously”.
Introducing the Bill, Minister Dutton said the laws were needed to respond to increasingly prevalent cyber-attacks, adding: “Critical infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation’s wealth and prosperity, and national security.
“While Australia hasn’t suffered a catastrophic critical-infrastructure attack, we’re not immune. Australia is facing increasing cyber-security threats to essential services, businesses and all levels of government. While owners and operators of critical infrastructure are best placed to deal with such threats, positive change requires a team effort. The government’s last resort powers would only take effect if the entity is unwilling or unable to take responsible steps to resolve the cyber security incident.”
Dutton committed to continue consultations “to ensure the reforms are operationalised in the most appropriate and effective manner” and “impose the least regulatory burden”.
If passed, the enhanced cyber-security obligations, positive security obligations and government assistance powers contained in the legislation would commence on 1 July 2021.