I move:
That this bill be now read a second time.
The Australian government is committed to protecting the essential services that all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia’s critical infrastructure evolve, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver.
Critical infrastructure is increasingly interconnected and interdependent. These interconnections deliver efficiencies and economic benefits to all Australians. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or even inadvertently cause disruption and result in cascading consequences across our economy, our security and our sovereignty.
Threats ranging from natural hazards, such as extreme weather events, through to human induced threats like foreign interference, cyberattacks and trusted insiders all have the potential to significantly disrupt critical infrastructure. Recent incidents such as the December 2021 Log4j vulnerability, compromising systems in Australia and across the globe, as well as the impacts of COVID-19, illustrate that threats to the operation of Australia’s critical infrastructure continue to be significant and far-reaching.
It is a regrettable fact that malicious threat actors continue to target the infrastructure that underpins the provision of essential services that all Australians rely on. The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic not just to our economy, security and sovereignty but the Australian way of life.
Following the tabling of the Parliamentary Joint Committee on Intelligence and Security’s advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and the statutory review of the Security of Critical Infrastructure Act 2018 in September 2021, the government moved swiftly to respond and introduce government amendments to these critical recommendations.
In the passage of the Security Legislation Amendment (Critical Infrastructure) Act 2021, known as the SLACI Act, the government addressed recommendations 1 through 5, 10 and 14 of the advisory report in order to legislate the measures of highest criticality to protecting the security of Australian critical infrastructure in the shortest possible time. The SLACI Act has implemented key elements of the framework by introducing mandatory cyberincident reporting and government assistance to relevant entities in response to significant cyberattacks that impact Australia’s critical infrastructure assets.
Today, the government is now seeking to legislate the preventative measures to ensure the continued protection of Australian critical infrastructure through the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, known as the SLACIP Bill. The bill is the culmination of over two years of concerted effort of government and industry working in partnership to develop an approach that will safeguard our critical infrastructure from those threats.
The bill sets out two key obligations. Firstly, the requirement to have, comply with, review and update a risk management program. The risk management program asks critical infrastructure entities to identify material risks that could have an impact on the critical infrastructure asset and, as far as reasonably practicable, minimise, eliminate or mitigate the risk from occurring.
The bill proposes that the risk management program is reported to a critical infrastructure asset's board, council or governing body. This ensures that the material risks in the functioning of the asset are reported and raised with the most senior levels of critical infrastructure assets.
The risk management program requirement is designed to be incorporated into the existing risk management arrangements. If a critical infrastructure asset looks at and indeed, I hope, exceeds the requirements in the risk management program rules, then this is suitable for fulfilling the obligation. This obligation is meant to be additive to, as well as the least and lightest regulatory impact. Ensuring that there is appropriate risk management in place, such as for cyber and information security, physical and natural hazards, and personnel risks, is increasingly important given the interconnected nature of Australia’s critical infrastructure exposes vulnerabilities which, if targeted, could result in significant consequences for our economy, security and sovereignty.
In line with recommendations 8 and 9 of the PJCIS’s advisory report, a comprehensive program of consultation has been undertaken with industry to design the rules and definitions that underpin these reforms. From ministerial round tables that I personally conducted to official-level town halls and working groups, the government has spent over 12 months working in partnership with thousands of entities across industry to ensure that these reforms effectively balance security with compliance costs.
Importantly, none of the risk management program requirements will come into force without additional consultation with industry and careful consideration of any issues they raise, including the timing on when the requirements will come into force. Indeed, if passed by the parliament, my intention is to delay the obligation for critical assets impacted by recent supply chain issues—including the freight services and infrastructure, as well as food assets—until 1 January 2023 at the earliest. Additionally, there are a number of assets that already have existing obligations in place, and I don’t intend to apply the risk management program to every critical infrastructure asset. Detail about the coverage of assets is outlined in the explanatory memorandum.
The government understands that the introduction of reforms that impact many businesses across our economy will cause apprehension. The government is committed to ensuring that the requirements remain fit for purpose in a dynamic and evolving space.
Pursuant to the committee’s advisory report recommendation 6, I have written to the Secretary of the Department of Home Affairs to outline my expectations that the Cyber and Infrastructure Security Centre within the Department of Home Affairs provide technical support and advice to industry regarding the functions of the SOCI Act.
Additional guidance on how to meet the requirements of the risk management program will be jointly developed with industry and government partners over the coming weeks and months. Stakeholders have expressed their appreciation of the government’s commitment to working with industry to develop that guidance material.
The Cyber and Infrastructure Security Centre will take a pragmatic, active and engaged regulatory and partnership approach, working in collaboration with industry, as we build the security and resilience of Australia’s critical infrastructure.
Second, there are some critical infrastructure systems and networks that are so vital, interconnected and of such national significance to the functioning of Australian society, defence or security that, if they were subject to a cyber attack, it would cause disproportionate consequences. The bill sets out criteria for the declaration of a system of national significance. The focus is on identifying critical infrastructure assets that are of national significance, noting interdependencies across key sectors in the economy and consequences should the asset be impacted.
These reforms will mean that not only will we be able to respond in times of crisis, we will also have legislation in place that assists in mitigation of the chances of a crisis emerging in the first place. In line with this objective, the SLACIP Bill implements recommendations 7, 8 and 9 of the committee’s advisory report.
I note the exclusion of the portion of recommendation 7 relating to merits review. This recommendation requested that a merits review system of appeal to the Security Division of the AAT be implemented.
The Administrative Review Council’s publication What decisions should be subject to merit review? identified that national security considerations could justify the exclusion of merits review, particularly those decisions that involve consideration of issues of the highest consequence to the government and where that decision-making power is vested in a minister.
Decisions about systems of national significance involve highly sensitive information that, if released to the public record, would have the potential to highlight assets for targeting by malicious actors. The government notes that judicial review remains available for all decisions made under the SOCI Act.
The SLACIP Bill also enables the government to work with industry to strengthen the cyberpreparedness and resilience of entities that operate assets of the highest criticality to Australia’s national interests. These assets of highest criticality are defined as systems of national significance due to the role they serve in the economy and the consequences to the national interest should they be unavailable or inoperable.
The enhanced cybersecurity obligations will support a bespoke outcomes-focused partnership between government and Australia’s most critical infrastructure asset operators, and will build an aggregated threat picture and understanding of cybersecurity risks to critical infrastructure in a way that is mutually beneficial to government and industry.
The report also notes the following recommendations of the PJCIS report, that:
Under recommendation 11, subsection 13A(2) of the Intelligence Services Act 2001 be amended to restrict cooperation or assistance provided by an agency under that act to agencies or other bodies by regulation outlined in subsection 13A(1), only to the functions and extent authorised by other Commonwealth legislation. To deliver on this intent, the Minister for Defence has issued a direction to the Australian Signals Directorate to limit the scope of ASD’s assistance to the government assistance measures in the SOCI Act;
Under recommendation 12, the government review the risks to democratic institutions, particularly from foreign originated cyberthreats, with a view to developing the most appropriate mechanism to protect them at federal, state and local levels. The government agrees that it is vital to maintain the availability, reliability and integrity of Australia’s democratic institutions. The government will review the risks to these institutions and assess appropriate mitigation mechanisms with reference to existing initiatives across government, including the work of the Electoral Integrity Assurance Taskforce, which brings together government agencies with capabilities to identify, assess and remediate threats to the electoral process, including the Australian Cyber Security Centre. Consideration of these risks will also factor in existing efforts to uplift cyber- and data security policy settings across government—federal, state and local; and
Under recommendation 13, the government review the processes and protocols for classified briefings for the opposition during caretaker periods in response to serious cyberincidents, and consider the best-practice principles for any public announcement about those incidents. The government will consider the issue.
This bill today demonstrates the government’s commitment to uplifting the security and resilience of Australia’s critical infrastructure. The measures that are outlined in this bill will enable Australia to maintain the availability, integrity and confidentiality of assets and networks critical to our national interest, and secure those assets from further severe shocks—shocks such as those we have seen from the COVID-19 pandemic and natural disasters, malicious actors and other hazards.
The bill underpins the continued growth of the resilience of Australian industry and the ability for businesses to compete in overseas markets. The bill provides a necessary uplift to the security of critical infrastructure so that Australia continues to be a safe and prosperous nation. I commend the bill.
Debate adjourned.