The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (CI Bill) was introduced into parliament on 10 December 2020 to amend the Security of Critical Infrastructure Act 2018 (SOCIA). The aim of the CI Bill was to update the Government’s legislative powers and oversight of infrastructure critical to national interest in response to the increasing cyber threat landscape.
The CI Bill proposed a significant expansion of the sectors currently covered by the SOCIA – those being electricity, water, gas and ports – to include the communications, financial services and markets, data storage and processing, defence, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewage sectors. It also significantly expanded government powers, including powers to give binding directions and to intervene in the face of significant cyber incidents, and industry obligations with respect to reporting and implementing risk management frameworks.
The introduction of the CI Bill has been met with significant industry concern. Of particular concern is the overlap with existing regulatory regimes, the cost of compliance, overreach of government powers and lack of sector-specific clarity on how the new laws will apply.
The technology sector has raised concerns around the government’s “step-in” powers and powers to give directions to critical infrastructure owners or controllers. Numerous submissions from the technology sector noted that government directions to install particular security software or direct government intervention in complex IT environments may increase cyber risk and is unlikely to be feasible or acceptable in many cases. Technology providers may also be caught both in their own right as data storage operators or processors, and by virtue of providing services to other regulated sectors, resulting in multiple sector specific regulatory overlays.
As a result of COVID-19, the passage of the CI Bill has been delayed. Following industry consultation on the CI Bill in July 2021, and a number of classified briefings on the evolving cybersecurity threat landscape, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended in an Advisory Report to Parliament in late September 2021 that the CI Bill be split into two separate bills. Specifically, the Advisory Report recommended that:
A high level overview of the proposed two bill approach is set out below.
PJCIS propose that Bill One include the government assistance measures proposed in Part 3A of the CI Bill, including the more controversial powers permitting government to give binding directions or require the direct intervention of the Australian Signals Directorate in response to significant cyber attacks.
The proposal for Bill One also includes enabling provisions for Part 3A to function properly, including:
The remainder of the CI Bill will be included in Bill Two. The PJCIS has, however recommended that these provisions be revisited by the Department of Home Affairs in consultation with industry representatives as a whole before being released as an exposure draft. These less urgent measures include those relating to risk management programs, declarations of Systems of National Significance (SoNs) and related secrecy requirements, immunities for entities, and consequential provisions as a result of the first bill.
The Federal Government is considering the PJCIS’s recommendations and will provide its response. If the recommendations are accepted, we anticipate the first bill will commence its passage in Parliament within the next 6 months, if not sooner.
There is clear appetite within government for Bill One to be assented to rapidly so industry sectors covered by the proposed CI Bill should be preparing to comply with the SOCIA, as may likely be amended by Bill 1 in the short to mid-term future.