Bills Digest No. 29, 2024-25

Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024

Home Affairs

Author

Jonathan Mills



Introductory Info

Date of introduction: 2024-10-09

House introduced in: House of Representatives

Portfolio: Home Affairs

Commencement: Schedules 1 to 4 and 6 commence on the earlier of proclamation or 6 months after Royal Assent. Schedule 5, Parts 1, 2 and 4 commence on the earlier of proclamation or 12 months after Royal Assent. The commencement of Schedule 5, Part 3 is contingent on other commencements:

Purpose of the Bill

The purpose of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (the Bill) is to amend the Security of Critical Infrastructure Act 2018 (the SOCI Act) to implement legislative reforms outlined in Shield 4 of the 2023-2030 Cyber Security Strategy and further detailed in Measures 5 to 9 of the 2023-2030 Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper. These reforms specifically relate to strengthening the security and resilience of critical infrastructure. The Bill also makes consequential and contingent amendments to the Australian Security Intelligence Organisation Act 1979, the Telecommunications Act 1997 and the Telecommunications (Interception and Access) Act 1979.

The Bill is part of the Cyber Security Legislative Package 2024 along with the Cyber Security Bill 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024. The other Bills in the package implement reforms set out in other parts of the Cyber Security Strategy. For more information see the Bills Digest for those Bills.

Structure of the Bill

The Bill consists of six schedules.

Schedule 1 will amend the SOCI Act to clarify that data storage systems that hold business critical data for critical infrastructure assets are part of the critical infrastructure asset. This relates to Measure 5 in the Consultation Paper.

Schedule 2 will amend the SOCI Act to broaden the powers available to manage the consequences of impacts of incidents on critical infrastructure assets.

Schedule 3 will amend the SOCI Act to introduce new definitions relating to protected information to clarify the provisions relating to the use and disclosure of that information.

Schedule 4 will amend the SOCI Act to introduce a directions power to vary a critical infrastructure risk management program where necessary due to a serious deficiency.

Schedule 5 will amend the SOCI Act to introduce provisions relating to security regulation for critical telecommunications assets. The relevant provisions will be taken from the existing Telecommunications Sector Security Reforms in the Telecommunications Act 1997 into the SOCI Act and the obligations and operation clarified. Consequential and contingent amendments will also be made to other legislation to reflect the regulatory changes.

Schedule 6 will amend the SOCI Act to simplify the notification of a declaration of a system of national significance (SoNS) by removing certain obligations relating to direct interest holders.

Background

The SOCI Act is administered by the Cyber and Infrastructure Security Centre within the Department of Home Affairs, along with the Telecommunications Sector Security Reforms to Part 14 of the Telecommunications Act 1997. The SOCI Act came into force in 2018 and sets out the legal obligations that apply to businesses which own, operate, or have direct interests in critical infrastructure assets. It also sets out various relevant functions and responsibilities of government agencies. The SOCI Act applies to critical infrastructure in the following sectors, listed in section 8D:

(a) the communications sector;

(b) the data storage or processing sector;

(c) the financial services and markets sector;

(d) the water and sewerage sector;

(e) the energy sector;

(f) the health care and medical sector;

(g) the higher education and research sector;

(h) the food and grocery sector;

(i) the transport sector;

(j) the space technology sector;

(k) the defence industry sector.

Cybersecurity is a continually evolving area, with changes occurring in both the critical infrastructure environment and the nature of cyber-attacks on that infrastructure. The SOCI Act has been amended several times since its introduction. In the Explanatory Memorandum to the Bill, the Government notes that recent incidents have impacted critical infrastructure and highlighted gaps within the current regulatory framework (at page 2).

In response to the changing cyber environment and related threats, the Government released the 2023-2030 Cyber Security Strategy (the Strategy). The Strategy is organised into 6 ‘shields’ covering different aspects that are important to protecting or strengthening cyber security. ‘Shield 4’ of the Strategy discusses issues and proposed responses to better protect critical infrastructure and relates to the amendments in the Bill.

Following the release of the Strategy, the Government released the 2023-2030 Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper (the Consultation Paper) in December 2023 and accepted submissions until March 2024.

Measures 5 to 9 of the Consultation Paper broadly correspond to the amendments contained in the Bill. The Explanatory Memorandum states that the amendments in the Bill have taken into account feedback received during the consultation process and that further targeted consultation with key stakeholders was undertaken in September 2024 (at pages 3–4).

This Bill, together with the other Bills in the Cyber Security Legislative Package 2024, has been referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry and report. Submissions to the Inquiry are available on the Inquiry website. In his Second Reading Speech the Minister for Cyber Security, Tony Burke, stated that the Government ‘will consider any recommendations’ that the committee makes.

Policy position of non-government parties/independents

At the time of writing no specific comments have been located from other parties or independents relating to this Bill.

In November 2023 the Greens released a statement on the Strategy, primarily focussed on aspects unrelated to those in this Bill, but stating ‘(w)hile the existence of the strategy is positive and fills a serious gap, the failure to learn from global best practice and respond with the urgency required is an expected disappointment.’

The Shadow Minister for Cyber Security, Senator Paterson, stated in March 2024 that he feared the Cyber Security Strategy aspired to do ‘too much, too soon, with too little’. He also said that the reforms—particularly to the SOCI Act—‘are incredibly consequential for how government and industry manage cyber risk, and I know many people in industry are concerned that these reforms have been poorly explained in what has been a rushed consultation process’.

Key issues and provisions

Schedule 1 - definitions of data storage systems

Schedule 1 will amend the SOCI Act to clarify the definitions of data storage systems that hold business critical data. This relates to Measure 5 in the Consultation Paper.

Section 9 of the SOCI Act sets out an extensive list of assets that are critical infrastructure assets, including ‘critical data storage or processing assets’, which are defined at section 12F. Section 9 also provides for rules to be made to prescribe that an asset is or is not a critical infrastructure asset. Items 2 and 3 clarify that ‘data storage systems that store or process business critical data are part of the critical infrastructure asset’ and, in proposed subsection 9(7), set out 4 requirements for data storage systems which, if satisfied, will mean that the data storage system is taken to be part of the critical infrastructure asset.

Where a data storage system is taken to be part of a critical infrastructure asset, various obligations under the SOCI Act will be enlivened. For example, responsible entities will be required to account for the data storage systems when reporting for the Register of Critical Infrastructure Assets, and include the data storage system in their risk management programs and notification obligations (Explanatory Memorandum, p. 9).  

In a submission to the Consultation Paper, the National Australia Bank (NAB) stated (at page 7) that it ‘does not consider the proposed amendments are necessary’ as:

the SOCI Act already captures data storage systems which could cause significant disruption or damage to critical infrastructure. Given the level of generality of the existing definitions, adding additional reference to data storage systems may create further confusion as there may be other specific examples not identified, leading to uncertainty on whether those examples fall within the more general definitions.

Telstra was supportive of the proposed amendments in its submission to the PJCIS Inquiry, in particular the 4 requirements for data storage systems to be considered part of the critical infrastructure asset. The submission states (at page 3) ‘(t)hese are important limitations that prevent capturing systems that have no impact on Australia’s critical infrastructure or national security.’ 

Schedule 2 – powers to manage incident consequences

Schedule 2 will amend the SOCI Act to clarify and broaden the powers available to manage the consequences of impacts of incidents on critical infrastructure assets.

Part 3A of the SOCI Act sets out the ‘regime for the Commonwealth to respond to serious cyber security incidents’ that have impacted a critical infrastructure asset by providing that the Minister may authorise the Secretary to give information‑gathering or action directions to a relevant entity for the asset, or to give an intervention request to the authorised agency (being the Australian Signals Directorate (ASD)).

The amendments in Schedule 2 will expand the scope or flexibility of the powers by applying the Part’s provisions to ‘serious incidents relating to critical infrastructure assets’ in place of the current references to ‘serious cyber security incidents’. Other amendments will make it clear that the relevant provisions can also apply to ‘one or more relevant impacts on one or more critical infrastructure assets’ and that the directions may relate to ‘one or more relevant entities’. Section 8G of the SOCI Act provides that a relevant impact is an impact on the availability, integrity, and reliability of the asset, and the impact on the confidentiality of information about the asset, information stored in the asset and, if the asset is computer data, the computer data. The relevant impact may be direct or indirect.

The Explanatory Memorandum notes, at page 11, that these amendments will allow the provisions and responses of the SOCI Act to apply to non-cyber incidents which nevertheless impact critical cyber infrastructure, such as physical attacks or natural disasters. The amendments will also allow for responses to multi-asset incidents or where an incident causes downstream consequences to further assets. However, an intervention request to the ASD will remain available only if the incident is a cyber security incident. As set out in the Explanatory Memorandum:

Intervention requests authorise the Australian Signals Directorate to do the types of acts or things specified in section 35AC, including to access or modify computers in order to resolve a cyber incident. These would not be appropriate in responding to non-cyber incidents like natural disasters (p. 11).

Schedule 3 – use and disclosure of protected information

Schedule 3 will amend the SOCI Act to introduce new definitions for protected information to clarify that the provisions relating to the use and disclosure of that information only apply where the disclosure of the information would or could cause specified harms, or where it contains confidential commercial information.

At present, the definition of protected information is provided in section 5 and consists of a lengthy list of categories of information tied to actions under various provisions within the SOCI Act.

Item 3 would repeal this definition and insert a reference to a new definition to be inserted by item 8 as proposed section 5A.

Proposed section 5A provides a new definition for protected information and a consequent definition for relevant information. The proposed definition of relevant information is broadly consistent in scope with the existing definition of protected information, but it would be qualified by the fact that the proposed definition of protected information only includes such relevant information where its disclosure could cause specified harms. In particular, protected information is relevant information the disclosure of which would or could reasonably be expected to prejudice national security or the defence of Australia, the social or economic stability of Australia or its people, or the availability, integrity, reliability or security of a critical infrastructure asset. Protected information also includes relevant information that contains, or is, confidential commercial information.

Further amendments are introduced by items 10 to 30 to expand the scope of persons authorised to deal with protected information and to clarify various circumstances under which information can be shared. The expanded classes of authorised persons in various provisions include state and territory ministers who have responsibility for law enforcement or emergency management, authorised APS employees and relevant entities.

Schedule 4 – directions to vary a critical infrastructure risk management program

Schedule 4 will amend the SOCI Act to introduce a directions power to vary a critical infrastructure risk management program where necessary due to a serious deficiency.

The SOCI Act provides for a written critical infrastructure risk management program that applies to a particular entity responsible for one or more critical infrastructure assets (section 30AH). The critical infrastructure risk management program must:

  • identify each hazard where there is a material risk that it could have a relevant impact on the asset
  • so far as it is reasonably practicable to do so—minimise or eliminate any material risk of such a hazard occurring
  • so far as it is reasonably practicable to do so—mitigate the relevant impact of such a hazard on the asset
  • comply with any requirements specified in the rules.

Section 30AJ currently provides that a critical infrastructure risk management program may be varied.

Item 3 would insert proposed section 30AI which would provide a relevant official with the power to direct a responsible entity to vary the entity’s critical infrastructure risk management program if the official is satisfied that there are any serious deficiencies with the program. A relevant official may be the Secretary or executives or acting executives of a relevant Commonwealth regulator. A serious deficiency is defined as one that poses a material risk to national security, the defence of Australia or the social or economic stability of Australia or its people.

Before a direction may be issued, the relevant official must give the responsible entity a written notice of the deficiencies and allow 14 days for a written submission to be provided (proposed subsection 30AI(6)). The official must have regard to the written submission in deciding whether to give a direction (proposed subsection 30AI(7)).

A direction would have to specify the serious deficiencies and require the responsible entity to vary its critical infrastructure risk management program to address those deficiencies within a specified period of not less than 14 days (proposed subsection 30AI(4)).

Schedule 5 – security regulation for critical telecommunication assets

Schedule 5 will amend the SOCI Act to introduce provisions relating to security regulation for critical telecommunications assets into that Act. The relevant provisions will be largely transferred from relevant existing obligations under Part 14 of the Telecommunications Act 1997 into the SOCI Act, and the obligations and operation clarified to fit the revised context. The Explanatory Memorandum describes the broad intent of the amendments as follows (at page 39):

Schedule 5 uplifts, enhances and clarifies current security and related obligations under the Telecommunications Sector Security Reforms (which are amendments made by the Telecommunications and Other Legislation Amendment Act 2017) into the SOCI Act. The amendments in this section concerning existing obligations under the Telecommunications Act intend to strengthen and clarify obligations, while translating them into the context of the SOCI Act. [Links added]

Part 1 of Schedule 5 contains amendments to the SOCI Act, which set out security obligations specific to critical telecommunications assets. In particular, item 27 introduces proposed Part 2D, consisting of proposed sections 30EA to 30EF, into the SOCI Act to set out enhanced security obligations and regulation for critical telecommunications assets.

Proposed section 30EB sets out an obligation for the responsible entity for a critical telecommunications asset to protect the asset. The entity must protect the asset, so far as reasonably practicable, against any hazard that could have a relevant impact (explained above), to ensure the confidentiality of communications and information contained on the asset, and the availability and integrity of the asset (proposed subsection 30EB(2)). Critical telecommunications assets will be prescribed by the rules (proposed subsection 30EB(1)).

This obligation echoes and modifies those obligations set out in subsections 313(1A) and (1B) of the Telecommunications Act 1997 for carriers or carriage service providers. Those subsections are to be repealed by item 39 of Schedule 5.

Proposed subsection 30EB(2) also introduces a civil penalty for non-compliance of up to 1,500 penalty units (a penalty unit is currently $330, Crimes Act 1914, section 4AA). The size of the penalty is said by the Explanatory Memorandum to be proportionate to the risk of non-compliance and the fact that it applies to bodies corporate (at page 53).

Proposed section 30EC introduces certain notification obligations for responsible entities. An entity must notify the Secretary if they become aware that a change or proposed change by them to a telecommunications service or system is likely to have a material adverse effect on their ability to comply with their protection obligations under proposed subsection 30EB(2). The notification must be given in writing as soon as reasonably practicable and the Secretary may request further information.

This obligation is taken, in a slightly altered form, from the obligation under section 314A of the Telecommunications Act 1997 that applies to carriers or nominated carriage service providers. That section (among others) is to be repealed by item 46 of Schedule 5.

A non-exhaustive list of the changes or proposed changes to a telecommunications service or system that are relevant to these provisions is set out in proposed section 30EE. This list is closely adapted from a list in subsection 314A(2) of the Telecommunications Act 1997.

Proposed section 30ED sets out the procedures under which the Secretary must consider and respond to a notification given under proposed subsection 30EC(2) by a responsible entity. The Secretary must consider the notification and respond with a notice stating whether the Secretary considers there is or is not a risk to the asset in relation to the change. If there is a risk, the Secretary must set out the consequences of not complying with the entity’s obligation to protect the asset and may set out measures that could be adopted to eliminate or reduce the risk.

These procedures reflect those set out in section 314B of the Telecommunications Act 1997 and which apply to the consideration by a Communications Security Coordinator of a notice from a carrier or a nominated carriage service provider. That section is also to be repealed by item 46 of Schedule 5.

Proposed section 30EF provides the Minister with the power to give a responsible entity a written direction not to use a carriage service or services themselves or supply to another, where the Minister considers that such use or supply would be, or is, prejudicial to security. Such a direction can only be given where an adverse security assessment in respect of the carrier or carriage service provider is given to the Minister in connection with the section (adverse security assessment is defined under section 35 of the Australian Security Intelligence Organisation Act 1979).

A similar power is set out in section 315A of the Telecommunications Act 1997 and in that context applies to the Home Affairs Minister giving a direction to a carrier, carriage service provider or carriage service intermediary. That section is also to be repealed by item 46 of Schedule 5.

A failure to comply with a direction under this section attracts a civil penalty of up to 2,000 penalty units (proposed subsection 30EF(5)).

Part 2 of Schedule 5 introduces consequential amendments into the Australian Security Intelligence Organisation Act 1979, the Telecommunications Act 1997 and the Telecommunications (Interception and Access) Act 1979 to reflect the amendments to the SOCI Act. Some of these amendments involve the repeal of provisions which have been translated to the SOCI Act, as noted above.

Issue: definition of critical telecommunication asset

At present the definition of a critical telecommunication asset in section 5 of the SOCI Act includes (in paragraph (b)) a facility (within the meaning of the Telecommunications Act 1997) that is owned or operated by a carrier or a carriage service provider, and is used to supply a carriage service.

Item 6 would repeal paragraph (b) and replace it with a new paragraph specifying that a critical telecommunication asset includes any other asset that is owned or operated by a carrier or a carriage service provider, and is used in connection with the supply of a carriage service.

The Explanatory Memorandum notes at page 42 that this amendment is intended to align the obligations to terminology in the SOCI Act.

Telstra is opposed to this change, stating in its submission to the PJCIS Inquiry that the change from the term ‘facility’ to ‘asset’ and the replacement of ‘used to supply’ with ‘used in connection with the supply of’ may lead to ambiguity. Telstra recommended no change be made or that the Explanatory Memorandum be amended to ‘clarify that secondary data storage assets would only be captured as critical telecommunications assets where they met the criteria in section 9(7) of the SoCI Act’ (page 3).

Schedule 6 – simplifying notification of a declaration of a system of national significance

Schedule 6 will amend the SOCI Act to simplify the notification of a declaration of a system of national significance (SoNS) by removing certain obligations relating to direct interest holders.

At present, Part 6A of the SOCI Act provides that the Minister may declare a critical infrastructure asset to be a SoNS. Upon doing so, the Minister must notify each reporting entity for a declared asset and if a reporting entity for an asset ceases to be such a reporting entity, or becomes aware of another reporting entity for the asset, the entity must notify the Secretary. (Section 45 of the SOCI Act provides that it is an offence to disclose that an asset has been declared a SoNS.)

Reporting entity is defined at section 5 of the SOCI Act as either the responsible entity for the asset or a direct interest holder in relation to the asset. An entity is a direct interest holder in an asset if it (together with any associates) holds an interest of at least 10% in the asset or holds an interest that puts it in a position to directly or indirectly influence or control the asset. (It is possible for an entity to be both the responsible entity for an asset and a direct interest holder in relation to the asset.)

Schedule 6 proposes amendments that would replace references to ‘each reporting entity’ or ‘a reporting entity’ with ‘the responsible entity’. In particular, Item 4 would repeal and replace paragraph 52B(3)(a) to require the Minister to give written notification of a declaration to ‘the responsible entity for the asset’ rather than to ‘each reporting entity for the asset’.

Item 5 would repeal and replace section 52D to remove the requirement for a reporting entity to notify the Secretary if they cease to be a reporting entity for the asset or become aware of another reporting entity for the asset. Instead, proposed section 52D would only require the responsible entity for a declared asset to notify the Secretary if they cease to be the responsible entity.

The tracking and reporting of changes to joint interest holders related to assets is described in the Explanatory Memorandum as ‘an unreasonably onerous responsibility for a responsible entity’ (page 82). Government oversight is not affected as the amendments do not alter the obligations on reporting entities to give information and notify events under Part 2 of the SOCI Act.