The ANAO report 'Administration of Critical Infrastructure Protection Policy: Department of Home Affairs' (Auditor-General Report No.38 2021–22) comments
The department’s administration and regulation of critical infrastructure protection policy was partly effective.
The department has partly effective governance arrangements to administer critical infrastructure protection policy. Implementation of critical infrastructure related risk assessments and reporting was not captured in risk documentation. The effectiveness of the department’s stakeholder coordination arrangements is reduced by not having an engagement strategy and providing limited support to other critical infrastructure regulators. The department’s performance framework as it related to critical infrastructure was not adequate, with performance statements, regulatory performance assessment, and use of internal measures to inform policy and regulation requiring improvement.
The department’s administration of compliance activities consistent with critical infrastructure protection requirements is partly effective. The department’s compliance framework does not reflect existing responsibilities or compliance requirements. Compliance activities are not supported by approved procedures or systems controls. The department has not established a risk-based decision framework for achieving compliance outcomes or demonstrating its impact on asset security or resilience. The department does not have a process of effectively reviewing its use of regulation tools, impact on industry or to inform continuous improvement.
Supporting findings
Governance arrangements
10. The department identified key critical infrastructure risks and had appropriate governance arrangements to assess and assign responsibility for these risks. The department’s critical infrastructure risk management does not represent an integrated approach to risk management between its enterprise and operational, legislative and policy functions. Implementation of critical infrastructure related risk assessments and reporting was not captured in risk documentation, which reduces its use to inform business planning, legislative reform, and policy decisions. (See paragraphs 2.3 to 2.23)
11. While the department undertakes coordination activities with key stakeholders, including through some long-established forums, it does not have a documented stakeholder engagement strategy to identify the engagement purpose, means by which engagement occurs or scenarios are managed, or the basis for there being more established information-sharing arrangements with some key stakeholders than with others. (See paragraphs 2.26 to 2.35)
12. The department’s performance framework requires improvement. Critical infrastructure related content in the department’s 2020–21 performance statements is not adequate. The department did not assess its critical infrastructure functions against the Regulator Performance Framework. The department has established internal performance reporting but could improve its use of measures in the Critical Infrastructure Resilience Strategy to inform policy development and regulation. (See paragraphs 2.38 to 2.51)
Compliance activities
13. The department has established a compliance framework comprised of the Critical Infrastructure Resilience Strategy, Compliance Strategy and Administrative Guidelines. This framework would be enhanced by updating documents in the framework to align with and clarify the department’s existing responsibilities and regulatory posture. (See paragraphs 3.2 to 3.7)
14. The majority of policy and procedural documents (15 of 22) to support possible critical infrastructure related compliance activities were drafted, but not finalised and approved, or included in the department’s policy and procedural repository. A lack of procedures, or procedures that remain in draft, increases the risk of inconsistency in administration and decision-making. The department does not have an established process to ensure that appropriately trained officials are engaged in investigations under critical infrastructure regulations. Classified network and critical infrastructure-related system security controls do not meet the requirements to mitigate the risk of unauthorised access. (See paragraphs 3.10 to 3.20)
15. The department’s use of regulatory tools is not always consistent with legislative and procedural requirements, and approved procedures or decision records do not exist for all compliance activities and outcomes. Use of regulatory tools was consistent with the department’s documented regulatory posture. Decisions on whether to escalate to higher tiers of the regulatory compliance model were not supported by approved procedures, processes, or documented analysis of the administrative or financial burden associated with an escalation of compliance activity. (See paragraphs 3.23 to 3.29)
16. The department does not have an established process to obtain assurance of regulatory compliance. This limited the department’s capacity to demonstrate that it has a proportionate and effective approach to resolving non-compliance, or has improved the security or resilience of critical infrastructure assets. (See paragraphs 3.30 to 3.44)
17. The department has not established a process to effectively review regulatory tool use, impacts on industry, or lessons learned to inform continuous improvement. (See paragraphs 3.45 to 3.46)
The Recommendations are
Recommendation no. 1 Paragraph 2.24 Recommendation no. 2 Paragraph 2.36 The Department of Home Affairs ensures that implementation of critical infrastructure related risk assessments and reporting is appropriate to inform policy and regulatory decisions.
Department of Home Affairs response: Agreed. The Department of Home Affairs establish an engagement strategy to document how it will coordinate with stakeholders with shared responsibility for critical infrastructure security and resilience.
Department of Home Affairs response: Agreed. Recommendation no. 3 Paragraph 2.52
Recommendation no. 4 Paragraph 3.8 Recommendation no. 5 Paragraph 3.21 The Department of Home Affairs ensure performance measurement: 1. (a) in its corporate plan is adequate and measurable; 2. (b) aligns with the Regulator Performance Guide; and 3. (c) is used to inform policy and regulatory improvements.
Department of Home Affairs response: Agreed. The Department of Home Affairs revise or replace the Critical Infrastructure Resilience Strategy with documentation that reflects current policy, regulatory responsibilities and posture, and outlines its application by the department in relation to other critical infrastructure asset sector policy leads and regulators.
Department of Home Affairs response: Agreed. The Department of Home Affairs support effective use of the full suite of available critical infrastructure related regulatory tools by having in place procedures that: 1. (a) are finalised, approved and lodged on the internal policy and procedural repository; 2. (b) ensure that trained officials are appropriately engaged in investigations; and 3. (c) align with the Protective Security Policy Framework and Information Security Manual requirements.
Department of Home Affairs response: Agreed. The Department of Home Affairs approve, apply and monitor consistent use of policies, procedures and processes to: 1. (a) trigger, triage and manage escalated use of critical infrastructure compliance powers, including by making better use of its information gathering, and investigatory powers where national security concerns have been identified; and 2. (b) revise its risk approach and implement processes that enable effective assessment, prioritisation and management of non-compliance risks.
Department of Home Affairs response: Agreed.
Recommendation no. 6 Paragraph 3.39 Recommendation no. 7 Paragraph 3.47 The Department of Home Affairs evaluate, monitor, and report on: 1. (a) the extent to which regulatory tools are used to effectively improve security and resilience of critical infrastructure assets to risks; and 2. (b) implementation of actionable items in strategies, reviews and lessons learned for which it is responsible and how they contribute to intended outcomes.
Department of Home Affairs response: Agreed.
For some cyber security students the report's value will be in contextualisation paragraphs such as
1.1 Australian society and its economy are supported by a network of interconnected infrastructure assets across a broad range of industry sectors. The Australian Government defines critical infrastructure as:
those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security.
1.2 Threats such as natural disasters, pandemics, sabotage, and espionage have the potential to significantly disrupt critical infrastructure. Secure and resilient infrastructure ensures continuous access to services that are essential for everyday life, such as food, water, health, energy, communications, transport, and banking. A disruption to any of these critical infrastructure sectors could have serious implications for business, government, and the community.
1.3 The Commonwealth, state and territory governments have different responsibilities for critical infrastructure depending on the sector or nature of the threats being mitigated. Responses to a threat can involve the asset owner and operator, technical and operational lead for that jurisdiction, and emergency services or law enforcement. Coordination among entities is therefore required to prepare and respond to critical infrastructure threats.
1.4 The Department of Home Affairs (the department) is the lead Australian Government agency responsible for the administration of critical infrastructure policy and regulation.
Critical infrastructure policy and regulation
Regulatory options
1.5 Governments may approach regulation through either legislative or non-legislative models. Non-legislative models involve achieving regulatory ends through non-legislative means, such as guidelines on market participants, and can include light touch or principles-based regulation4, self-regulation5 and quasi-regulation. Legislated approaches involve either co-regulation or explicit government regulation, which is used where ‘there is a high perceived risk or public interest and achieving compliance is seen as critically important’.
1.6 Australian Government regulators are empowered by, and subject to, a range of legal and other requirements including the following.
• Legislation that establishes the regulatory powers of an entity, and underpinning policies and relevant directions.
• The Public Governance, Performance and Accountability Act 2013 along with delegated legislation such as the Public Governance, Performance and Accountability Rule 2014, the Commonwealth Procurement Rules, and the Commonwealth Risk Management Policy.
• The Australian Government Regulator Performance Framework — introduced in October 2014 — to encourage regulators to achieve their objectives while minimising their impact on regulated entities. On 1 July 2021, the Regulator Performance Guide replaced the 2014 Framework and included a transition year for regulators to assess their approach to complying with its requirements.
1.7 The Australian Government’s critical infrastructure regime is comprised of a combination of light touch, co-regulation and explicit government regulation.
Overview of the Australian Government critical infrastructure regime
1.8 Terrorist attacks in the United States in 2001, and Indonesia in 2002, were the catalyst for formal engagement between the Commonwealth, state and territory governments, and industry on how to prepare for and respond to threats against critical infrastructure assets. In 2003, the Australian Government established a Trusted Information Sharing Network as the primary engagement mechanism for business and government information sharing, and resilience building initiatives on critical infrastructure.
1.9 Prior to the introduction of critical infrastructure focussed policy and legislation in 201810, national security threats to assets were primarily assessed under the Foreign Investment and Takeovers Act 1975 (FATA). Under the FATA, certain proposed foreign investments, including those related to critical infrastructure assets require approval from the Treasurer. Conditions may be imposed, existing conditions may be varied, or a divestment from an approved investment may be required where a national security risk emerges.
1.10 The Treasury remains the lead entity for assessments under the FATA. The department provides national security advice to support decisions made under the FATA, and may impose and enforce conditions on approved applications. In 2020–21, the department received 943 applications for review from the Treasury, an increase from the 640 received during 2019–20.
1.11 The Australian Government Critical Infrastructure Resilience Strategy was released in May 2015.11 The strategy comprises a policy statement and plan, and sets out the Australian Government’s policy position that:
• critical infrastructure is essential to Australia’s economic and social prosperity; • resilient critical infrastructure plays an essential role in supporting broader community and disaster resilience; • businesses and governments have a shared responsibility for the resilience of critical infrastructure, requiring strong partnerships; and • all states and territories have their own critical infrastructure programs that best fit the operating environments and arrangements in each jurisdiction.
1.12 The policy statement sets out an approach based on non-regulatory business–government partnerships, mature risk management, and effective information sharing. The policy statement required the strategy to be reviewed in 2020.
1.13 The Critical Infrastructure Centre was established in 2017 to coordinate the management of risks to Australia’s critical infrastructure and deliver more coordinated national security assessments to inform foreign investment decisions in significant and complex cases. In December 2017, critical infrastructure policy, regulatory and strategy functions were transferred to the department and the Critical Infrastructure Centre became a division within the department.
Critical infrastructure legislation
1.14 In 2018, legislative coverage of the security of critical infrastructure expanded from the FATA to include:
• the Security of Critical Infrastructure Act 2018 (SoCI Act), which commenced on 11 July 2018; and
• the amendments to Part 14 of the Telecommunications Act 1997, or Telecommunications Sector Security Reforms (TSSR), which commenced on 18 September 2018.
1.15 The legislation in paragraph 1.14 enables the government to obtain information to undertake risk assessments in relation to critical infrastructure, and gives government the power to issue directions to address national security risks if necessary.
Security of Critical Infrastructure Act 2018
1.16 The SoCI Act was introduced to ‘strengthen the Government’s capacity to manage the national security risks of espionage, sabotage and coercion arising from foreign involvement in Australia’s critical infrastructure’. The SoCI Act defines a critical infrastructure asset, and what assets can, and must not be prescribed as being ‘critical’. The SoCI Act has three measures to manage national security risks related to critical infrastructure.
• The Register of Critical Infrastructure Assets (the Register), provides the government visibility of who owns and controls the assets.
• The information gathering power, provides the ability to obtain more detailed information from owners and operators of assets in certain circumstances.
• The Ministerial directions powers, provide the ability to intervene and issue directions in cases where there are significant national security concerns that cannot be addressed through other means.
1.17 In 2020, the Australian Government approved changes to the critical infrastructure regulatory regime on the basis that the SoCI Act did not enable it to impose requirements on entities to protect their assets, and an over-reliance on the FATA to manage risks arising from foreign ownership. In 2020, the department sought public contributions on the design of ‘an enhanced regulatory framework, building on existing requirements under the SoCI Act’.
1.18 In December 2020, the Australian Government introduced a Bill that included amendments to the SoCI Act. These amendments would enact the regulatory framework that was the subject of public consultation. The Bill proposed mandatory incident reporting, an expanded application of the register of critical infrastructure sectors and assets, powers to obtain ownership, operational and risk management information, and powers to respond to serious cyber incidents. The amendments to the SoCI Act were described when they were introduced, as being ‘underpinned by enhancements to Government’s existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy’.
1.19 In December 2020, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) commenced an inquiry into the Bill that would amend the SoCI Act, as well as a statutory review into the Act. In September 2021 the PJCIS published an Advisory Report on the concurrent reviews of the Bill and statutory review of the SoCI Act and made 14 recommendations. Among the recommendations was that the Bill be split in two so that government assistance and an expanded definition of critical infrastructure sectors and assets could be legislated in the shortest time possible.
1.20 An additional $42.4 million over two years from 2021–2221 was included in the 2021–22 Budget for ‘Protecting Critical Infrastructure and Systems of National Significance’.
• In September 2021, the Critical Infrastructure Centre was re-branded as the Cyber and Infrastructure Security Centre.
• In December 2021, amendments to the SoCI Act expanded the asset classes covered from four to 22 across 11 sectors to include: communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage. The department estimated that it would have ten times the number of assets on its Register under the SoCI Act as a result of this change.
• Also in December 2021, the Australian Government commenced consultations on further amendments to the SoCI Act.
• In March 2022, the PJCIS published an Advisory Report on the proposed further amendments to the SoCI Act and made 11 recommendations.
1.21 In March 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 was passed by the Parliament. Details of changes to Australian Government critical infrastructure legislation are in Appendix 3.
Telecommunications Sector Security Reforms
1.22 The TSSR established a regulatory framework ‘to better manage the national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities’. The purpose of the TSSR is to:
• introduce a comprehensive risk-based regulatory framework to better manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities; and
• better protect networks, and the confidential information stored on and carried across them, from unauthorised interference and access.
1.23 The aim of the TSSR is to encourage early engagement on proposed changes to networks and services that could give rise to national security risks, and to facilitate collaboration on the management of those risks. Key elements of the TSSR include:
• a security obligation that requires all carriers, carriage service providers and carriage service intermediaries to do their best to protect networks and facilities from unauthorised access or interference;
• a notification obligation that requires carriers and nominated carriage service providers to notify the Australian Government of planned changes to their networks and services that are likely to have a material adverse effect on their capacity to comply with the security obligation;
• that the Secretary of the department can obtain information and documents for the purpose of assessing carriers and carriage service providers compliance with their security obligations; and
• that the Minister for Home Affairs can direct a carrier, carriage service provider or carriage service intermediary to: − not use or supply carriage services if the Minister considers the use or supply prejudicial to national security; and − do, or not do, a specified thing that is reasonably necessary to protect networks and facilities from national security risks.
1.24 In September 2020, the PJCIS commenced a statutory review of the operation of the TSSR. The PJCIS published its report on the statutory review in February 2022 and made six recommendations. ...
Critical infrastructure security and resilience roles
1.26 The Commonwealth, state and territory governments, and industry, have a shared responsibility to ensure the security and resilience of critical infrastructure, and to prevent, prepare, respond to, and recover from all hazards. Each participant has different roles as shown in Table 1.1.
1.27 The Department, as the lead agency for ensuring the protection of critical infrastructure, must coordinate, complement, and support the programs and activities of all these participants. When the Critical Infrastructure Centre and SoCI Act were established, it was recognised that the Australian Government would have limited powers to implement risk management strategies, and monitor and enforce compliance, and should first leverage existing state and territory regimes to conduct these activities.