Cth Bill to Enhance Critical Infrastructure Protection Framework
Friday 18 February 2022 @ 3.31 p.m. | Legal Research
On 10 February 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth) (‘the Bill’) was introduced to the House of Representatives by Minister for Home Affairs Karen Andrews ('the Minister').
The Bill has subsequently passed the lower house on 16 February 2022 and is currently awaiting consideration by the Senate. Prior to its introduction, the Department of Home Affairs undertook public consultation and received 70 formal submissions on its Exposure Draft and accompanying explanatory material.
What is critical infrastructure?
The federal and state governments use the definition contained within the Critical Infrastructure Resilience Strategy 2015 which defines critical infrastructure as:
“those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.”
Background of the Bill
On 10 December 2020, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (‘the Critical Infrastructure Bill’) was introduced to enhance the regulatory framework for Australian critical infrastructure assets contained within the Security of Critical Infrastructure Act 2018 (Cth) (‘the SOCI Act’). This Bill was discussed in an earlier Timebase article.
The Critical Infrastructure Bill was then referred to the Parliamentary Joint Committee on Intelligence and Security ('the Joint Committee'). The Committee recommended that the Criitical Infrastructure Bill be split in order to prioritise the most urgent reforms of mandatory cyber incident reporting and government assistance.
The recommendations of the Joint Committee were implemented and the Critical Infrastructure Bill had certain provisions removed prior to receiving assent.
The Bill intends to implement the remaining elements that were removed from the Critical Infrastructure Bill.
According to the Bill's Explanatory Memorandum, the key reforms proposed are:
- "critical infrastructure risk management programs for critical infrastructure assets (proposed Part 2A of the SOCI Act); and
- enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance (proposed Parts 2C and 6A of the SOCI Act)."
Critical Infrastructure Risk Management Program
According to the Explanatory Memorandum, the SOCI Act presently contains two “all-hazards positive security obligations”. These obligations are:
- mandatory cyber incident reporting; and
- critical infrastructure asset register reporting.
The Bill proposes to add a third obligation requiring entities to establish and maintain a critical infrastructure program.
According to the Explanatory Memorandum, a critical infrastructure risk management program would require a responsible entity to:
- "identify hazards for which there is a ‘material risk’ that the hazard impact their business operations;
- minimise the material risks of those hazards occurring; and
- mitigate the impacts of hazards on the operation of their critical infrastructure asset(s). "
Enhanced Cyber Security Obligations
The Bill also identifies a smaller subset of critical infrastructure assets which will be the important to the security, economy and sovereignty of Australia. As explained by the Explanatory Memorandum, the Bill seeks to enable the Minister Affairs to declare such assets as:
“systems of national importance [given] their interdependencies across sectors and consequences of cascading disruption to other critical infrastructure assets and sectors.”
If passed, entities responsible for a system of national importance, may be required to:
- Comply with statutory incident response planning obligations;
- Conduct cyber security exercises;
- Undertake a vulnerability assessment;and
- If a computer is a system of national significance, or is needed to operate a system of national significance, grant the Australian Signals Directorate access to system information.
The Explanatory Memorandum further elaborates that:
“The enhanced cyber security obligations will support the sharing of near-real time threat information to provide industry with a more mature understanding of emerging cyber security threats, and the capability to reduce the risks of a significant cyber attack against Australia’s most critical assets.”
TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products. Nothing on this website should be construed as legal advice and does not substitute for the advice of competent legal counsel.
Sources:
Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth) and explanatory materials available from TimeBase's LawOne website