29 September 2021

SOCI

The report by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and the operation, effectiveness and implications of the Security of Critical Infrastructure Act 2018 features the following recommendations - 

Recommendation 1   

that the Security Legislation Amendment (Critical Infrastructure) Bill 2020 be split in two, so that the urgent elements of the reforms contained within the government assistance measures in proposed Part 3A, with the definitions and meanings of expanded critical infrastructure sectors and assets, and other enabling provisions contained within proposed amendments to Part 1, Part 2B, Part 4, Part 5 and Schedule 2 of the current Bill, be retained, amended in line with the principles outlined in paragraph 3.18 of this report, and legislated in the shortest time possible (Bill One). 

Recommendation 2   

that proposed Part 2B of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 be retained in Bill One, and that Part be amended to: extend the requirement under proposed section 30BC for formal written notification to be made by an affected entity within 84 hours if an initial oral notification is given when a critical cyber security incident is having a significant impact on the availability of the critical infrastructure asset the entity is responsible for; and that proposed sections 30BC and 30BD be amended to allow for an entity and the relevant Commonwealth body to agree that a written notification is not required for an incident, if upon investigation it is agreed that the incident does not meet the requirement of an incident or does not have the defined impact outcome.

Recommendation 3 

that the rules to be designed for the purposes of amended Part 2B of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 be developed in consultation with relevant entities and incorporated into explanatory material to Bill One. 

Recommendation 4   

that Bill One include a provision that as soon as practicable after a government assistance measure is directed or requested the Parliamentary Joint Committee on Intelligence and Security be notified in writing about the circumstances, actions, status and parties involved in each measure used relative to any cyber security incident. 

Recommendation 5   

that, subject to the amendments outlined above, the resultant Security Legislation Amendment (Critical Infrastructure) Bill (Bill One) be passed. 

Recommendation 6   

that the Cyber and Infrastructure Security Centre within the Department of Home Affairs, be reformed to additionally provide technical support and advice regarding the functions of Bill One. 

Recommendation 7   

that the remaining non-urgent elements of the current Security Legislation Amendment (Critical Infrastructure) Bill 2020 not recommended for inclusion in Bill One, be deferred and amended into a separate Bill (Bill Two) in line with the principles outlined in paragraph 3.49. 

Recommendation 8 

that Bill Two be amended in consultation with key stakeholders, released for feedback and with further consultation on incorporated amendments based on that feedback, prior to being reintroduced to Parliament. Once reintroduced, Bill Two should be referred to the Parliamentary Joint Committee on Intelligence and Security for review, with a concurrent review of the operation to date of the amendments to the Security of Critical Infrastructure Act 2018 resulting from Bill One. 

Recommendation 9   

that any rules to be designed under Bill Two be co-designed, agreed and finalised to the extent possible before the introduction of that Bill and made available as part of the explanatory material for the Bill. 

Recommendation 10   

that proposed Schedule 2 of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 be amended in accordance with the principles outlined in paragraph 3.62 and included as part of Bill One. 

Recommendation 11   

that subsection 13A(2) of the Intelligence Services Act 2001 be amended to restrict cooperation or assistance provided by an agency under that Act to agencies or other bodies by regulation outlined in subsection 13A(1) only to the functions and extent authorised by other Commonwealth legislation. 

Recommendation 12 

that the Government review the risks to democratic institutions, particularly from foreign originated cyber-threats, with a view to developing the most appropriate mechanism to protect them at Federal, State and local levels. 

Recommendation 13 

that the Government review the processes and protocols for classified briefings for the Opposition during caretaker periods in response to serious cyber-incidents, and consider the best practice principles for any public announcement about those incidents. 

Recommendation 14 

that Bill One include a provision that the Parliamentary Joint Committee on Intelligence and Security may conduct a review of the operation, effectiveness and implications of the reformed security of critical infrastructure legislative framework contained within the Security of Critical Infrastructure Act 2018 not less than three years from when that Bill receives Royal Assent.