Statutory review of the Security of Critical Infrastructure Act 2018
4.1
As mentioned earlier in this report, the SOCI Bill and its referral coincided with the launch of a statutory review of the Act’s operation to date in its original form, as passed in 2018.
4.2
The requirements of the statutory review, as set out in section 60A of the Act, are to analyse the operation, effectiveness and implications of the Act and to:
consider whether it would be appropriate to have a unified scheme that covers all infrastructure assets (including telecommunication assets) that are critical to:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security; and
review the circumstances in which any declarations have been made under Part 6 of this Act (declarations of assets by the Minister); and
report the Committee’s comments and recommendations to each House of the Parliament.
4.3
As mentioned in Chapter 1, even though the Committee requested submissions and evidence to the Bill review as well as the above statutory review, the overwhelming majority of evidence received was focused solely on the SOCI Bill and did not identify any concerns with the current Act and its operation. The Department was effectively the only substantive submitter on the statutory review elements.
4.4
The first area of focus for the statutory review, which was set by the Committee in its Advisory Report on the Security of Critical Infrastructure Bill 2017, is effectively made redundant by the expansions proposed in the SOCI Bill.
4.5
The second area of focus, declarations of assets as critical infrastructure assets, was addressed by the Department in its submission:
11 private declarations of critical infrastructure (at the date of the submission – February 2021);
168 assets on the register – 58 electricity, 20 ports, 61 gas, and 29 water.
4.6
While the Committee was provided with these statistics, there was no detail provided as to the circumstances regarding why these declarations were made, except to the extent that the Minister considered the factors required by section 51 of the Act. The Committee did not pursue any evidence on these declarations, as the alteration of the Act proposed in the SOCI Bill became the primary focus of the conduct of the inquiry.
4.7
In a similar vein, the information gathering powers under section 37 of the Act and the directions powers under section 32 of the Act had not been used up to the end of 2020, so these elements of the Act were not pursued for inquiry by the Committee either.
4.8
Effectively, the only evidence received regarding the statutory review’s scope were the statistics above, and the numbers of notifications received from reporting entities of assets included on the Register of Critical Infrastructure Assets – 748 to the date of the Department’s submission.
Committee comment
4.9
The Committee is mindful of its statutory duty to review the operation, effectiveness and implications of the Act, as required under section 60A of the Act. However, the introduction of the SOCI Bill, and its effective alteration of the very elements of the Act that would be reviewed, fundamentally affected the Committee’s ability to undertake the review.
4.10
As outlined above and earlier in this report, the focus of submitters and witnesses was primarily on the Bill, and this required a parallel focus from the Committee as well. Trying to review the operation of an Act that had not had a number of its key provisions utilised, with a Bill to fundamentally amend that Act before the Committee as well, was a challenging exercise. Ultimately it was an exercise that the Committee could not undertake effectively in the face of overwhelming concern regarding the SOCI Bill’s potential impact.
4.11
Accordingly, the Committee is using this report as commentary on the SOCI Bill with recommendations for change, as well as a vehicle for finalising the statutory review. However, the conclusion of the statutory review is that the shifting landscape created by the Bill did not allow the review to be conducted in a way that established an evidence base for meaningful recommendations for change. This also reflects the fact that the recommended changes from Bills One and Two will alter this landscape even further.
4.12
As a result, the Committee is finalising the current statutory review requirements under section 60A of the Act without any recommendations. However, the Committee is cognisant of the fact that the legislative changes from Bills One and Two will require further scrutiny once implemented. This is equally important given the indications by the Secretary that further critical infrastructure legislative change is envisaged for the future.
4.13
Therefore the Committee is recommending that Bill One include the mechanism for a further statutory review into the operation, effectiveness and implications of the reformed security of critical infrastructure legislative framework. This review may be launched not less than three years after Bill One receives Royal Assent, to allow the Committee to tailor commencement to any timeframes regarding the Bills from this report and any further amendments to the legislation that the Government may introduce in the meantime.
4.14
The Committee envisages that any other amending legislation to the Act will be referred to it, therefore potentially requiring a maximum review launch period, as it may well be undertaking relevant Bill reviews in that period.
4.15
Additionally, this further statutory review will enable the Committee to inquire into the ongoing nature of industry collaboration that is crucial to the success of the Security of Critical Infrastructure framework.
4.16
The Committee recommends that Bill One include a provision that the Parliamentary Joint Committee on Intelligence and Security may conduct a review of the operation, effectiveness and implications of the reformed security of critical infrastructure legislative framework contained within the Security of Critical Infrastructure Act 2018 not less than three years from when that Bill receives Royal Assent.
Review of Part 14 of the Telecommunications Act 1997 – Telecommunications Sector Security Reforms
4.17
Much like the commentary above for the impact that the SOCI Bill had on the statutory review of the Act, the concurrent review that the Committee is undertaking into the TSSR regime has been unduly affected by the introduction of the Bill.
4.18
Section 315K of the Telco Act was introduced as a result of Recommendation 12 of the Committee’s Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016, requiring a statutory review to be commenced within three years of Royal Assent of that Bill.
4.19
Like the critical infrastructure statutory review, the operation, effectiveness and implications of the reforms were to be reviewed, along with:
the security of critical and sensitive data,
the adequacy of information-sharing arrangements between government and industry, and
the adequacy and effectiveness of the administrative guidelines in providing clarity to industry on how it can demonstrate compliance with the requirements set out in the Bill.
4.20
These requirements reflected a summary of concerns regarding the Bill’s potential effect at the time of that report. However, much like the impacts outlined earlier in this Chapter, the introduction of the SOCI Bill affected the approach and focus of evidence tendered to the TSSR review, with submitters highlighting the potential impact of the SOCI Bill on telecommunications assets, which are to be included as part of the communications sector covered by the Bill.
4.21
While this impact did not prevent submitters and witnesses from providing evidence to the TSSR review, it did alter the focus of evidence, with submissions and witnesses highlighting potential duplication of regulation or the unknown future state of the TSSR. The Department itself acknowledged that reforms to the Act were being developed in its submission to the TSSR review in November 2020.
4.22
The Explanatory Memorandum to the Bill does acknowledge TSSR impacts:
For the positive security obligations to apply to a ‘critical telecommunication asset’ a rule must be made by the Minister to turn the obligations on. The telecommunications sector already has robust security frameworks in place in the Telecommunications Act 1997, including obligations under TSSR in Part 14 of that Act. Reforms to the TSSR regime will be considered in 2021, to be informed by the Parliamentary Joint Committee on Intelligence and Security’s ‘Review of Part 14 of the Telecommunications Act 1997’, and through consultation with industry.
Government will consider the outcome of this Review before considering applying the SOCI Act’s positive security obligations to the telecommunications sector. This will allow sufficient time to amend the Telecommunications Act 1997, if needed, and will avoid duplication of regulatory requirements on industry. However, retaining the definition of ‘critical telecommunications’ at this stage will clarify, for example, the telecommunications assets on which there must be a relevant impact to trigger the powers in Part 3A—Responding to serious cyber security incidents.
4.23
Further evidence was tendered by the Department regarding interactions between the SOCI Bill and the TSSR regime in its submissions.
4.24
Throughout all of the Department’s evidence regarding the interactions between the SOCI Bill and the TSSR regime, the focus was on the Part 3A government assistance measures being made available to telecommunications assets under the Bill, but that other obligations would not be ‘switched on’ unless the TSSR regime was considered inadequate. This assessment would be further informed by, and based on, the outcomes of the Committee’s review of the TSSR regime.
Committee comment
4.25
The Committee is mindful of the statutory duties it is to fulfil with the statutory review of the TSSR regime. However, the same impacts on the critical infrastructure statutory review were evident to the process for the TSSR review. The crossover between the two is less than completely clear and the potential for regulatory duplication, and the industry’s resultant hesitance, is evident.
4.26
Despite the indications regarding careful consideration, the Committee is unclear about the intention of the Department’s management of the TSSR regime going forward given the following observation from the Secretary regarding potential regulatory duplication and whether an on-switch could be utilised:
The safeguards are set out in the legislation. The decision-makers have to be satisfied—they can't do it on a whim—that the tests have been met, the thresholds have been met, and they include a lack of regulatory duplication. I will give you one counterfactual straight up, because the Department of Home Affairs is the regulator under the Telecommunications Act of the TSSR scheme. In fact it is on my pen, because the act sets out the responsibilities of both the minister and the secretary. I happen to be that officer, and I can tell you, Chair, and the rest of the committee, the TSSR is inadequate for this purpose. I can absolutely assure you, because we are the regulator.
4.27
The Committee has concluded its review of the evidence provided for the TSSR review within the twelve month requirement set in section 315K of the Telco Act, and will report in the future with recommendations for potential reform to be considered and potentially implemented to improve the TSSR regime, and how that might interact with the Security of Critical Infrastructure Act 2018 in the form it takes in the future.
Senator James Paterson
Chair
24 September 2021