The federal government will have the power to order “nationally significant” companies to install software to pass on data to the Australian spy agency after the final tranche of its critical infrastructure reforms was passed by Parliament.
The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 was passed with amendments by the Senate without a debate on Wednesday, the last sitting day for the upper house before the election, and given the tick by the lower house on Thursday.
Critical infrastructure operators will now be subject to increased security obligations, including to create risk management programs which will see them “embed preparation, prevention and mitigation activities into business as usual activities”.
This will require the companies to identify hazards, minimise the material risk of these hazards and mitigate the impact if they do occur.
The laws also impose increased cyber obligations for critical infrastructure assets deemed to be “nationally significant” by the Home Affairs Minister. This will see them enter into a “bespoke, outcomes-focused partnership” with the government to develop cybersecurity incident response plans, conduct exercises, complete vulnerability assessments and provide information to the Australian Signals Directorate.
This could include ordering the company to install or maintain specified computer programs to transmit data and information to the spy agency.
The Coalition made minor amendments to the bill in line with recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) earlier this week.
These included new definitions of “critical component” and “critical worker”, a requirement for the Minister to notify the PJCIS when an asset is designated as “nationally significant”, reporting to the Minister and PJCIS about the operation of the bill and an independent review of it after one year.
Shadow Attorney-General Mark Dreyfus criticised the government for leaving the bill until the last sitting day of Parliament.
“We agree that on balance it is better that the bill be passed in its current form now than be delayed until after the election. The regulation arrangements for the security of critical infrastructure is too important a matter to be left hanging, and that’s why there will be bipartisan support for this bill,” Mr Dreyfus said in Parliament on Wednesday.
“It is just a crying shame that the government has once again left something this important until the last minute, before an election, thus depriving the Parliament and itself of the opportunity to work through the issues that have been identified in a careful and methodical way.”
While the PJCIS also recommended that the government consider establishing a legislative basis for merit reviews for “some or all” of the decisions made by the Minister, this was not included in the final bill passed by Parliament.
The PJCIS last year called on the government to split up its critical infrastructure reforms in order to pass the urgent elements and consult on the other rules.
This saw a bill passed into law last year that broadened the scope of companies covered by the critical infrastructure regime and introduced “last resort” powers allowing the government to take control of a company’s networks in the event of a major cyber attack.
The government launched consultation on the other reforms late last year, with submissions closing on 1 February. Just seven working days later the bill was introduced to Parliament and referred to the PJCIS.
The ASD told the national security committee that it will use the new power to install software on a company’s network sparingly.
“We will install software only in instances where a private entity does not have its own capacity to pass to us telemetry or technical artefacts. That’s the starting point,” the ASD said during the inquiry.
“If the entity had those tools themselves, there would be no need for us to use our own tools.”