09 November 2020

SOCI

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) - aka SOCI - is identified as reflecting a commitment to 'protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure'. 

The consultation version of the Explanatory Memo states 

As the threats and risks to Australia’s critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver. 

2. Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption and result in cascading consequences across our economy, security and sovereignty. 

3. Threats ranging from natural hazards (including weather events) to human induced threats (including interference, cyber attacks, espionage, chemical or oil spills, and trusted insiders) all have the potential to significantly disrupt critical infrastructure. Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, natural disasters and the impacts of COVID-19 illustrate that threats to the operation of Australia’s critical infrastructure assets continue to be significant. Further, the interconnected nature of our critical infrastructure means that compromise of one essential function can have a domino effect that degrades or disrupts others. 

4. The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty, as well as the Australian way of life, causing:

  • shortages or destruction of essential medical supplies; 

  • instability in the supply of food and groceries; 

  • impacts to water supply and sanitation; 

  • impacts to telecommunications networks that are dependent on electricity; 

  • the inability of Australians to communicate easily with family and loved ones; 

  • disruptions to transport, traffic management systems and fuel; 

  • reduced services or shutdown of the banking, finance and retail sectors; and 

  • the inability for businesses and governments to function. 

5. While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune:

  • over the last two years, we have seen several cyber attacks in Australia that have targeted the Federal Parliamentary Network, as the transport and education sectors; 

  • malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber attacks on health organisations and medical research facilities; and 

  • key supply chain businesses transporting groceries and medical supplies have also been targeted. 

6. Accordingly, Government will introduce an enhanced regulatory framework, building on existing requirements under the SOCI Act. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 gives effect to this framework by introducing:

  • a Positive Security Obligation for critical infrastructure, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting; 

  • enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and 

  • government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia’s critical infrastructure assets. 

7. These changes will be underpinned by enhancements to Government’s existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy. This will include a range of activities that will improve our collective understanding of risk within and across sectors. 

8. The enhanced framework will uplift security and resilience in all critical infrastructure sectors. When combined with better identification and sharing of threats, this framework will ensure that Australia’s critical infrastructure assets– whether industry or government owned and operated – are more resilient and secure. Government will work in partnership with responsible entities of critical infrastructure assets to ensure the new requirements build on and do not duplicate existing regulatory frameworks. 

9. This framework will apply to owners and operators of critical infrastructure regardless of ownership arrangements. This creates an even playing field for owners and operators of critical infrastructure and maintains Australia’s existing open investment settings, ensuring that businesses who apply security measures are not at a commercial disadvantage. 

10. The Australian Government’s Critical Infrastructure Resilience Strategy currently defines critical infrastructure as: ‘those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.’ 

11. Within that broad definition of critical infrastructure, the SOCI Act currently places regulatory obligations on specific entities in the electricity, gas, water and maritime ports sectors. However, as the security landscape evolves, so must our approach to managing risk across all critical infrastructure sectors. 

12. As such, the amendments in this Bill will enhance the obligations in the SOCI Act, and expand its coverage to the following sectors: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage. ... 

The reforms 

14. The Commonwealth needs to establish a clear, effective, consistent and proportionate approach to ensuring the resilience of Australia’s critical infrastructure. The amendments to the SOCI Act will drive the uplift of the security and resilience of Australia’s critical infrastructure. 

15. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) will introduce an all-hazards Positive Security Obligation for a range of critical infrastructure assets across sectors. This ensures industry is taking the appropriate steps to manage the security and resilience of their assets. The specific matters to be included in a critical infrastructure risk management program will be prescribed in rules, which will be co-designed between industry and government. 

16. The Bill also recognises those assets that are the most critical to the security, economy and sovereignty of Australia. These ‘systems of national significance’ will bear additional cyber obligations recognising the cyber threat environment we currently face. Finally, while these measures are designed to ensure we do not suffer a catastrophic cyber attack, the Bill will ensure Government has the necessary powers to provide direct assistance to industry in the event of a serious cyber security incident. 

Positive Security Obligation 

17. The Positive Security Obligation will build on the existing obligations in the SOCI Act to embed preparation, prevention and mitigation activities into the business as usual operating of critical infrastructure assets, ensuring that the resilience of essential services is strengthened. It will also provide greater situational awareness of threats to critical infrastructure assets. 

18. The Positive Security Obligation involves three aspects:

  • adopting and maintaining an all-hazards critical infrastructure risk management program; 

  • mandatorily report serious cyber security incidents to the Australian Signals Directorate (ACSC); and 

  • where required, providing ownership and operational information to the Register of Critical Infrastructure Assets. 

19. Importantly, each aspect of the Positive Security Obligation will only apply once a rule is made in relation to that aspect for a critical infrastructure asset or class of critical infrastructure assets. The rules will prescribe which aspects are ‘switched on’ for a critical infrastructure asset or class of critical infrastructure assets. 

20. The critical infrastructure risk management program will require responsible entities of critical infrastructure assets to manage and mitigate risks. Responsible entities of critical infrastructure assets will be required to take an all-hazards approach when identifying and understanding those risks – both natural and human induced hazards. 

21. Partnerships with industry sit at the foundation of this measure. Government and industry stakeholders will work together to co-design the sector-specific requirements which will underpin the risk management program obligation. The co-design process will develop a clear set of requirements for each of the regulated sectors, which:

  • recognise and do not duplicate existing regulatory or non-regulatory approaches across sectors; 

  • are principles-based and proportionate to the risk profile of the particular sector; and 

  • impose the least regulatory burden necessary to achieve the security outcomes. 

22. Responsible entities of critical infrastructure assets will be required to report serious cyber security incidents to the relevant Commonwealth body. The objective of this reform is to collect information which will support the development of an aggregated threat picture and comprehensive understanding of cyber security risks to critical infrastructure in a way that is mutually beneficial to Government and industry. This will better inform both proactive and reactive cyber response options – ranging from providing immediate assistance to industry to working with industry to uplift broader security standards. 

23. Part 2 of the current SOCI Act requires assets covered by the Act to provide ownership and operational information to the Secretary of Home Affairs. This information is held on the Register of Critical Infrastructure Assets (the Register). The Bill will extend this requirement to the expanded class of critical infrastructure assets where appropriate (for example, it may not be necessary where information is being collected under an equivalent regime for certain assets). 

24. The increased range of sectors covered by the Register will enable the Government to develop and maintain a comprehensive picture of national security risks, and apply mitigations where necessary. Analysis of the information in the Register will enable the Critical Infrastructure Centre to:

  • assess ultimate ownership, and therefore influence and control over, critical infrastructure assets; 

  • analyse interdependencies among critical infrastructure assets and sectors; and 

  • identify commonalities in services being used by critical infrastructure assets, such as shared IT service providers or shared control systems. 

25. The successful delivery of all aspects of the Positive Security Obligation is predicated on the identification of sector-specific regulators to manage the implementation and compliance of these elements of the reforms. The Department of Home Affairs, or other relevant Commonwealth regulator prescribed in the rules, will be provided with the standard monitoring and investigation powers under the Regulatory Powers (Standard Provisions) Act 2014 to support compliance and enforcement activities. 

26. Regulators will adopt a risk-based approach to developing and enforcing the Positive Security Obligation. Sector regulators will work with entities to ensure the Positive Security Obligation is applied in a proportionate and reasonable manner, taking into account the needs and existing capabilities of each sector. Regulators will have a role in monitoring and enforcing compliance while seeking to minimise the economic and operational impact on businesses. 

Enhanced Cyber Security Obligations for systems of national significance 

27. The Enhanced Cyber Security Obligations in the Bill will support a bespoke, outcomes-focused partnership between Government and Australia’s most critical assets – privately declared as ‘systems of national significance’. These obligations will enhance the already mature Government-industry information sharing arrangements to build an aggregated threat picture and comprehensive understanding of cyber security risks to critical infrastructure in a way that is mutually beneficial to Government and industry. 

28. Systems of national significance are a significantly smaller subset of critical infrastructure assets that, by virtue of their interdependencies across sectors and cascading consequences of disruption to other critical infrastructure assets and critical infrastructure sectors, are crucial to the nation. 

29. Under the Enhanced Cyber Security Obligations, the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more prescribed cyber security activities. These include the development of cyber security incident response plans, cybersecurity exercises to build cyber preparedness, vulnerability assessments to identify vulnerabilities for remediation, and provision of system information to build Australia’s situational awareness. The Bill explicitly requires the Secretary of Home Affairs to request the prescribed activity in order to ensure activities have a clear, stated security objective. 

30. Through consultation in developing this Bill, stakeholders provided support for greater threat information sharing and partnerships with Government. The Enhanced Cyber Security Obligations will support the sharing of near-real time threat information to provide industry with a more mature understanding of emerging cyber security threats, and the capability to reduce the risks of a significant cyber attack against Australia’s most critical assets. 

Government Assistance

31. This Bill introduces a Government Assistance regime to respond to serious cyber security incidents that applies to all critical infrastructure sector assets. Government recognises that industry should and in most cases, will respond to the vast majority of cyber security incidents, with the support of Government where necessary. However, Government maintains ultimate responsibility for protecting Australia’s national interests. As a last resort, the Bill provides for Government assistance to protect assets during or following a significant cyber attack. 

32. During consultation, stakeholders were broadly supportive of the Government actively protecting critical infrastructure in exceptional circumstances, while calling for clearly defined safeguards and oversight mechanisms. The Government Assistance powers in the Bill are clearly defined and are confined, proportionate and appropriate. Further details on the scope of powers and safeguards are outlined in Part 3A of the Bill. 

Consultation 

33. Over a five week period from 12 August 2020, the Department of Home Affairs on behalf of the Australian Government, undertook an extensive consultation process. During this period the Department met with over 2,000 people from over 540 entities across all affected sectors, peak bodies and states and territories, and received 194 submissions. 

34. Consultation revealed cautious support for an enhanced regulatory framework for Australia’s critical infrastructure while noting:

  • the need for genuine co-design of sector-specific requirements and recognition that voluntary partnerships remain the first preference for resolving incidents; 

  • the need for greater clarity around how critical infrastructure assets and systems of national significance are to be defined; 

  • concern over the extent of the proposed Government Assistance powers; 

  • the unclear and possibly high regulatory impost, as well as possible duplication with existing regulatory frameworks (particularly in sectors with existing, mature security frameworks); and 

  • the risks in pursuing the reforms on an expedited timeframe. 

35. Feedback received during consultation has informed the development of an exposure draft Bill. 

36. Further engagement on the exposure draft legislation, coupled with ongoing stakeholder co- design, a continued emphasis on cooperative partnerships and graduated implementation of sector-specific obligations, will minimise regulatory burden, and manage industry and jurisdictions’ concerns. 

Voluntary engagement through the Trusted Information Sharing Network 

37. Increased engagement and education will underpin the success of the regulatory reforms outlined above. The Trusted Information Sharing Network for Critical Infrastructure Resilience was established in 2003 and remains the primary voluntary engagement mechanism for business-government information sharing and resilience building initiatives. However, in recent years industry has sought greater value from this mechanism. 

38. The Government will enhance the existing Trusted Information Sharing Network by co-designing with industry a new fit-for-purpose engagement mechanism that allows for greater cross-sector collaboration in preparing for and responding to the evolving environment. The refreshed engagement mechanism will ensure industry participants can discuss resilience issues which impact Australia’s critical infrastructure which will increase participation by owners and operators of critical infrastructure, supply chain entities and state and territory governments. 

39. The new engagement mechanism will be a channel for developing and communicating critical infrastructure resilience information and a forum to co-design sector-specific obligations and best practice guidance. This approach will encourage all affected responsible entities, large and small, to participate in their design and ensure the resulting obligations provide a level playing field for all participants. The new engagement mechanism will also be used to inform the new Critical Infrastructure Resilience Strategy (due for release in early 2021), capturing lessons learned from crises this year including COVID-19.