The Bill and referral
1.1
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the SOCI Bill) was introduced to the House of Representatives by the Hon Peter Dutton MP, then Minister for Home Affairs on 10 December 2020, the final Parliamentary sitting day of 2020.
1.2
In his second reading speech Minister Dutton outlined the rationale for the SOCI Bill:
Critical infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation's wealth and prosperity, and national security.
While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune.
Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years we have seen cyberattacks on federal parliamentary networks, logistics, the medical sector and universities, just to mention a few.
Internationally, we have seen cyberattacks on critical infrastructure, including water services and airports.
COVID-19 has also strained the ability of critical infrastructure to deliver essential services. These disruptions show how quickly events can cause widespread physical, financial and indeed psychological damage.
While owners and operators of critical infrastructure are best placed to deal with such threats, it takes a team effort to bring about positive change. That is why the ongoing security and resilience of critical infrastructure must be a shared responsibility, not only by all governments and the owners and operators of the infrastructure but indeed by all Australians. The cost of inaction is far too great to ignore.
1.3
The SOCI Bill’s Explanatory Memorandum summarises the intended reforms as:
…an enhanced regulatory framework, building on existing requirements under the SOCI Act. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 gives effect to this framework by introducing:
additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;
enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and
government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia’s critical infrastructure assets.
1.4
On 11 December 2020 the Hon Christian Porter MP, then Attorney-General, wrote to the Committee to refer the provisions of the SOCI Bill to the Committee for inquiry and report pursuant to subparagraph 29(b)(ia) of the Intelligence Services Act 2001 (the IS Act), noting that this provision is engaged because the SOCI Bill designates the Australian Signals Directorate as the technical authority.
1.5
As a result of a recommendation in the Committee’s Advisory Report on the Security of Critical Infrastructure Bill 2017, section 60A of the Security of Critical Infrastructure Act 2018 (the Act) requires the Committee to commence a review into the operation, effectiveness and implications of the reforms introduced in the Act by 11 April 2021.
1.6
As the proposed SOCI Bill amends the regime provided for by the Act, which would in any case be reviewed under section 60A, the Attorney-General suggested that the Committee commence the statutory review in conjunction with the SOCI Bill review, especially in relation to “the requirement at paragraph 60A(1)(b) noting that the Bill seeks to amend the SOCI Act to capture additional assets as critical infrastructure assets. This requires the Committee to consider the appropriateness of a unified scheme to cover all critical infrastructure assets”.
Conduct of the inquiry
1.7
The Committee resolved to undertake an inquiry into the SOCI Bill, agreed with the Attorney-General’s suggestion, and launched the Bill inquiry and statutory review of the Security of Critical Infrastructure Act 2018 as a joint inquiry on 21 December 2020, with details uploaded to the Committee’s website at www.aph.gov.au/pjcis. Submissions were invited and requested by 12 February 2021 (aligning with submission requests for two other Bill inquiries launched by the Committee in December 2020).
1.8
The Committee received 88 submissions (including three confidential submissions), 66 supplementary submissions, and four attachments (three confidential) over the course of the inquiry, made up of extra submissions, answers to Questions on Notice, opening statements from panel public hearings, and other material provided by submitters or upon request. A list of submissions can be found at Appendix A.
1.9
The Committee held public hearings on 11 June 2021 and 8, 9 and 29 July 2021. A list of witnesses appearing at the public hearings can be found at Appendix B.
1.10
The Committee has also received private (classified) briefings throughout the 46th Parliament regarding the threat environment and the increasing cyber security hazard to critical infrastructure within Australia.
1.11
Copies of submissions, transcripts of proceedings from public hearings, and links to the SOCI Bill and Explanatory Memorandum can be accessed from the Committee’s webpage.
Report structure
1.12
The report consists of four chapters:
This chapter sets out the context and conduct of the inquiry and the concurrent status of this inquiry with other Committee processes;
Chapter 2 provides an outline of the SOCI Bill, the threat that is to be countered by the proposed framework, the main themes of evidence received by the Committee, with a focus on the key points of contention, as well as a summary of the challenges faced in the conduct of the inquiry;
Chapter 3 outlines the Committee’s identified priority for the SOCI Bill’s intended impact, as well as recommendations for a way forward to address the cyber security threat to Australia’s critical infrastructure; and
Chapter 4 briefly identifies proposed Committee action regarding the statutory review of the Act and the related statutory review of Part 14 of the Telecommunications Act 1997 – Telecommunications Sector Security Reforms (the TSSR Review).
Concurrent reviews
1.13
As outlined above, the Committee agreed to commence the statutory review required under section 60A of the Act at the same time as adopting the Bill review.
1.14
The statutory review requirements in section 60A were set based on recommendation 9 of the Committee’s Advisory Report on the Security of Critical Infrastructure Bill 2017. Those requirements are:
60A Review of this Act
(1) The Parliamentary Joint Committee on Intelligence and Security must:
(a) review the operation, effectiveness and implications of this Act; and
(b) without limiting paragraph (a), consider whether it would be appropriate to have a unified scheme that covers all infrastructure assets (including telecommunication assets) that are critical to:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security; and
(c) review the circumstances in which any declarations have been made under Part 6 of this Act (declarations of assets by the Minister); and
(d) report the Committee’s comments and recommendations to each House of the Parliament.
1.15
The Committee recommended these requirements to allow for a review of the Act and the requisite assessment of whether the contentions made by the Australian Government in establishing the Act were appropriate.
1.16
The focus on the above aspects of the operation of the Act was in response to industry concerns raised about a lack of clarity in the 2017 Bill regarding the Ministerial directions power, definitions and their scope, and the potential effect of Commonwealth directions on State-owned critical infrastructure entities. Similar concerns have been raised regarding the Bill under review in this report, and are discussed further in Chapter 2.
1.17
In consideration of the statutory review requirements, most industry representatives who made submissions expressed little to no view on the operation of the existing Act, focusing instead on the expansions provided for in the SOCI Bill. Similarly, the Department of Home Affairs (the Department), the regulator for the Act and for the proposed expanded regime in the SOCI Bill, devoted only five pages of its 45-page primary submission to the operation of the Act up to the date the SOCI Bill was referred.
1.18
This primary focus on the SOCI Bill alone has presented a challenge to the Committee in conducting the concurrent statutory review. This challenge was compounded by the fact that the Bill under review amends the Act to be reviewed, making concurrent analysis problematic.
1.19
This challenge and its result are commented on further in Chapter 4.
Review of Part 14 of the Telecommunications Act 1997 – Telecommunications Sector Security Reforms
1.20
The Committee is conducting the TSSR review contemporaneously with this Bill review. The TSSR was established, within the Telecommunications Act 1997 (the Telco Act), to provide a regulatory framework for managing the national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities. The SOCI Bill under review proposes to potentially subsume the regulation of telecommunications for the purposes of many of these risks.
1.21
Much like the statutory review of the Act, a majority of the evidence received by the Committee in submissions and public hearing testimony was dedicated to the proposed changes to the sector from the SOCI Bill, somewhat hampering the Committee’s ability to conduct the related, yet discrete, review required under the Telco Act.
1.22
More commentary on this is provided in Chapter 4 of this report.