I present a supplementary explanatory memorandum to the bill, and I ask leave of the House to move government amendments (1) to (59), as circulated, together.
Leave granted.
Mrs ANDREWS: I move:
(1) Clause 2, page 2 (table item 2), omit the table item, substitute:
2. Schedule 1, Parts 1 and 2 | The day after this Act receives the Royal Assent. |
(2) Clause 2, page 2 (table item 3, column headed “Column 2”), omit “2020”, substitute “2021”.
(3) Schedule 1, page 4 (line 8), omit the heading.
(4) Schedule 1, items 2 and 3, page 4 (lines 9 to 19), omit the items.
(5) Schedule 1, item 5, page 4 (lines 25 and 26), omit paragraph (c).
(6) Schedule 1, item 5, page 5 (lines 1 to 4), omit paragraph (d).
(7) Schedule 1, item 5, page 5 (line 5), before “(e)”, insert “; and”.
(8) Schedule 1, item 6, page 5 (lines 16 to 18), omit paragraph (b) of the paragraph beginning “The framework consists of the following:” in section 4.
(9) Schedule 1, item 6, page 5 (lines 20 and 21), omit paragraph (d) of the paragraph beginning “The framework consists of the following:” in section 4.
(10) Schedule 1, item 6, page 6 (lines 20 and 21), omit the paragraph beginning “The Minister may privately declare a critical infrastructure asset” in section 4.
(11) Schedule 1, item 7, page 13 (lines 23 and 24), omit the definition of critical infrastructure risk management program in section 5.
(12) Schedule 1, item 7, page 14 (line 22), omit the definition of cyber security exercise in section 5.
(13) Schedule 1, item 7, page 15 (line 16), omit the definition of designated officer in section 5.
(14) Schedule 1, item 7, page 16 (line 1), omit the definition of evaluation report in section 5.
(15) Schedule 1, item 7, page 16 (lines 2 and 3), omit the definition of external auditor in section 5.
(16) Schedule 1, item 7, page 19 (line 3), omit the definition of incident response plan in section 5.
(17) Schedule 1, item 7, page 20 (line 32), omit “52(4); or”, substitute “52(4).”.
(18) Schedule 1, item 7, page 20 (lines 33 and 34), omit paragraphs (r) and (s) of the definition of notification provision in section 5.
(19) Schedule 1, item 11, page 21 (lines 22 and 23), omit paragraph (ba).
(20) Schedule 1, item 11, page 21 (lines 27 to 31), omit paragraphs (bc) and (bd).
(21) Schedule 1, item 11, page 22 (lines 1 to 6), omit paragraphs (bf) to (bh).
(22) Schedule 1, item 16, page 23 (line 23), before “10”, insert “sections”.
(23) Schedule 1, item 16, page 23 (lines 24 and 25), omit “, 12N,”, substitute “and 12N”.
(24) Schedule 1, item 16, page 23 (line 25), omit “30AG,”.
(25) Schedule 1, item 16, page 23 (line 25), omit “30CB, 30CM, 30CR, 30CU and 30CW”.
(26) Schedule 1, item 17, page 23 (line 27), before “10”, insert “sections”.
(27) Schedule 1, item 17, page 23 (lines 28 and 29), omit “, 12N,”, substitute “and 12N”.
(28) Schedule 1, item 17, page 23 (line 29), omit “30AG,”.
(29) Schedule 1, item 17, page 23 (line 29), omit “30CB, 30CM, 30CM, 30CR, 30CU and 30CW”.
(30) Schedule 1, item 18, page 24 (lines 20 and 21), omit the definition of system information event-based reporting notice.
(31) Schedule 1, item 18, page 24 (lines 22 and 23), omit the definition of system information periodic reporting notice.
(32) Schedule 1, item 18, page 24 (lines 24 and 25), omit the definition of system information software notice.
(33) Schedule 1, item 18, page 24 (lines 26 and 27), omit the definition of system of national significance.
(34) Schedule 1, item 18, page 25 (line 13), omit the definition of vulnerability assessment.
(35) Schedule 1, item 18, page 25 (lines 14 and 15), omit the definition of vulnerability assessment report.
(36) Schedule 1, item 21, page 29 (lines 1 to 14), omit subsection 8G(3).
(37) Schedule 1, item 32, page 53 (lines 10 to 13), omit subsection 12L(25).
(38) Schedule 1, item 32, page 54 (after line 15), after subsection 12N(1), insert:
(1A) The following is an example of a situation where a person is not entitled to cause access, modification or impairment of a kind mentioned in subsection (1): a person who is an employee or agent of the responsible entity for an asset would exceed the person’s authority as such an employee or agent in causing such access, modification or impairment in relation to the asset.
(39) Schedule 1, item 39, page 57 (line 9) to page 66 (line 15), omit Part 2A.
(40) Schedule 1, item 39, page 67 (line 23), at the end of subsection 30BBA(2), add:
; and (d) if the Minister is aware that an entity is the responsible entity for an asset that is, or is proposed to be, specified in the rules:
(i) give the entity a copy of the draft rules or amendments; and
(ii) if a submission is received from the entity within the 28-day period mentioned in paragraph (a)—give the entity a written statement that sets out the Minister’s response to the submission.
(41) Schedule 1, item 39, page 68 (line 23), omit “48”, substitute “84”.
(42) Schedule 1, item 39, page 68 (after line 27), at the end of section 30BC, add:
Exemption — written record
(5) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by written notice given to an entity, exempt the entity from subsection (3) in relation to a report about a specified cyber security incident.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(6) A notice under subsection (5) is not a legislative instrument.
(7) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by writing, delegate any or all of the head’s powers under subsection (5) to a person who:
(a) is an SES employee, or acting SES employee, in the relevant Commonwealth body; or
(b) holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(8) In exercising powers under a delegation, the delegate must comply with any directions of the head (however described) of the relevant Commonwealth body.
(43) Schedule 1, item 39, page 69 (after line 28), at the end of section 30BD, add:
Exemption — written record
(5) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by written notice given to an entity, exempt the entity from subsection (3) in relation to a report about a specified cyber security incident.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(6) A notice under subsection (5) is not a legislative instrument.
(7) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by writing, delegate any or all of the head’s powers under subsection (5) to a person who:
(a) is an SES employee, or acting SES employee, in the relevant Commonwealth body; or
(b) holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(8) In exercising powers under a delegation, the delegate must comply with any directions of the head (however described) of the relevant Commonwealth body.
(44) Schedule 1, item 39, page 70 (after line 4), after section 30BE, insert:
30BEA Significant impact
For the purposes of this Part, a cyber security incident has a significant impact (whether direct or indirect) on the availability of an asset if, and only if:
(a) both:
(i) the asset is used in connection with the provision of essential goods or services; and
(ii) the incident has materially disrupted the availability of those essential goods or services; or
(b) any of the circumstances specified in the rules exist in relation to the incident.
30BEB Consultation — rules
Scope
(1) This section applies to rules made for the purposes of paragraph 30BEA(b).
Consultation
(2) If the Minister is aware that an entity is the responsible entity for a critical infrastructure asset, then, before making or amending the rules, the Minister must:
(a) give the entity a copy of the draft rules or amendments; and
(b) give the entity a written notice inviting the entity to make a submission to the Minister about the draft rules or amendments within 28 days after the notice is given; and
(c) consider any submission received within the 28-day period mentioned in paragraph (b); and
(d) if a submission is received from the entity within the 28-day period mentioned in paragraph (b)—give the entity a written statement that sets out the Minister’s response to the submission.
(45) Schedule 1, item 39, page 70 (line 17) to page 95 (line 3), omit Part 2C.
(46) Schedule 1, item 44, page 95 (lines 19 to 24), omit section 35AAA.
(47) Schedule 1, item 45, page 103 (after line 16), at the end of section 35AD, add:
(3) If subsection (1) or (2) requires an entity to be consulted, that consultation must involve:
(a) giving the entity a copy of the draft Ministerial authorisation; and
(b) inviting the entity to make a submission to the Minister about the draft Ministerial authorisation within 24 hours after receiving the copy of the draft Ministerial authorisation.
(48) Schedule 1, item 45, page 114 (lines 5 to 10), omit section 35AU.
(49) Schedule 1, item 45, page 122 (after line 23), at the end of Part 3A, add:
Division 6 — Reports to the Parliamentary Joint Committee on Intelligence and Security
35BK Reports to the Parliamentary Joint Committee on Intelligence and Security
(1) If the Secretary gives one or more directions under section 35AK or 35AQ, or one or more requests under section 35AX, in relation to a cyber security incident, the Secretary must give the Parliamentary Joint Committee on Intelligence and Security a written report about the incident.
(2) The report must include a description of each of the directions or requests.
(50) Schedule 1, item 53A, page 124 (lines 15 to 17), omit the item.
(51) Schedule 1, item 61, page 134 (line 12), omit paragraph (2A)(b).
(52) Schedule 1, item 66, page 135 (line 18) to page 140 (line 8), omit the item.
(53) Schedule 1, item 69, page 140 (lines 15 to 20), omit paragraphs (f) and (g).
(54) Schedule 1, item 69, page 140 (line 21), before “(h)”, insert “; and”.
(55) Schedule 1, item 69, page 140 (lines 25 to 32), omit paragraphs (j) to (m).
(56) Schedule 1, item 69, page 141 (line 8), omit “financial year; and”, substitute “financial year.”.
(57) Schedule 1, item 69, page 141 (lines 9 to 11), omit paragraph (r).
(58) Schedule 1, page 142 (after line 3), after item 70, insert:
70A After section 60A
Insert:
60B Review of this Act
The Parliamentary Joint Committee on Intelligence and Security may:
(a) review the operation, effectiveness and implications of this Act; and
(b) report the Committee’s comments and recommendations to each House of the Parliament;
so long as the Committee begins the review before the end of 3 years after the Security Legislation Amendment (Critical Infrastructure) Act 2021 receives the Royal Assent.
(59) Schedule 1, heading to Part 3, page 144 (line 3), omit “2020”, substitute “2021”.
The Parliamentary Joint Committee on Intelligence and Security has made 14 recommendations in its advisory report. Notably, it recommends that the bill be split into two separate bills, with the first bill to incorporate the urgent cyberincident response framework and reporting regime. The government acknowledges and thanks the committee for its work in relation to this bill and other government national security priorities. The Australian people are safer and more secure as a result of the responsible approach that members of this committee take, working together in a truly bipartisan way in the national interest.
These government amendments respond to the urgent recommendations of the Parliamentary Joint Committee on Intelligence and Security’s 29 September 2021 advisory report on this bill and statutory review of the Security of Critical Infrastructure Act 2018. The intelligence and security committee recommended that these amendments, outlined in recommendations (1) to (5) along with recommendations (10) and (14), be legislated in the shortest possible time. The government is taking immediate action by acting in the very first sitting week since the committee’s advisory report was released.
The reason for this urgency is clear: cyberattacks pose a serious threat to Australian infrastructure. On 19 June 2020, the Prime Minister announced that Australian organisations were currently being targeted by a sophisticated, state-based cyberactor. They were targeting our critical sectors, including government essential service providers and operators of critical infrastructure. Cyberattacks continue. Internationally, we have seen cyberincidents cause significant impacts. The 2021 Colonial Pipeline ransomware attack prevented the distribution of energy supplies to customers along the east coast of the United States. Repeated attacks over the past years on the Ukraine power grid show the devastating impact that malicious cyberactors can cause to critical infrastructure.
The Australian Cyber Security Centre’s 2021 annual cyberthreat report, released on 15 September 2021, highlights that the volume of cybercrime reporting equates to one report of a cyberattack every eight minutes, compared to one every 10 minutes last financial year. Approximately one-quarter of reported cybersecurity incidents affected critical infrastructure organisations, including essential services that all Australians require, such as education, communications, electricity, water and transport.
These government amendments address recommendation 1 of the advisory report by amending this bill to retain only the measures that the Parliamentary Joint Committee on Intelligence and Security recommended be taken forward to the first bill. The measures in the bill as amended will specifically expand the scope of the Security of Critical Infrastructure Act 2018 to include assets across 11 industry sectors as critical infrastructure assets, provide a mechanism to require cyberincident reporting, enable government responses to serious cybersecurity incidents and retain associated definitions and powers. The amendments do not, however, define offensive cyberaction. This bill is clear that the use of offensive cybercapabilities is expressly prohibited from any direction or intervention that the Minister for Home Affairs can authorise.
The bill and explanatory material also respond to recommendations 2 and 3 of the Parliamentary Joint Committee on Intelligence and Security’s advisory report through amendments to the cyberincident reporting requirement. In accordance with recommendation 4 of the advisory report, these government amendments also include a provision to ensure that, as soon as practicable after a government assistance measure is directed or requested, the Parliamentary Joint Committee on Intelligence and Security be notified in writing about the circumstances, actions, status of, and parties involved in each measure used relative to any cybersecurity.
The government amendments include a provision that the Parliamentary Joint Committee on Intelligence and Security may conduct a review of the operation, effectiveness and implications of the reformed security of critical infrastructure legislative framework in the Security of Critical Infrastructure Act not less than three years from when this bill receives royal assent in accordance with recommendation 14 of the advisory report. The amendments also change the commencement of the bill to the day after royal assent and deal with other minor technical matters, including that the bill be passed as per recommendation 5 of the advisory report. These urgent reforms will put the laws in place to respond to a cyberincident and protect Australian critical infrastructure. I commend the government amendments to the House.