The final tranche of the federal government’s significant critical infrastructure reforms has been introduced to Parliament, including new powers to require “nationally significant” companies to install software to share data with the spy agency.
The legislation was introduced to the lower house on Thursday morning by Home Affairs Minister Karen Andrews, just days after consultation on the draft bill came to an end.
The bill will now be debated in the House of Representatives next week, with only three sitting days before the budget left to pass it in the upper house ahead of a likely May election.
It brings to an end a series of reforms from the federal government focused on shoring up and improving the security of critical infrastructure assets.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) ordered the government to split up these critical infrastructure reforms last year so some of the powers could be passed urgently late last year.
These included a broadening of the scope of companies covered by the critical infrastructure regime and “last resort” powers allowing the government to take over control of a company’s networks in the event of a major cyber attack.
The final reforms include new positive security obligations and increased responsibilities for systems deemed to be of national significance.
The government began consulting on the final round of reforms in December last year, with submissions closing on 1 February. Just seven working days late, the legislation was introduced to Parliament.
The additional positive security obligations for critical infrastructure operators will come in the form of risk management programs, which will be developed in detail following the passage of the legislation.
These will “embed preparation, prevention and mitigation activities into business as usual activities”, the explanatory memorandum reads.
These plans will include identifying hazards, minimising the material risks to these hazards and mitigating the impacts of hazards on the operation of their critical infrastructure.
The reforms will also impose increased cyber obligations for systems deemed to be of “national significance”. This will include the development of a “bespoke, outcomes-focused partnership” with the federal government, encompassing cybersecurity incident response plans, cybersecurity exercises, vulnerability assessments and the provision of system information to build Australian situational awareness.
The Home Affairs Minister will be handed the power to declare a critical infrastructure asset to be of national significance, making them subject to these government orders.
This will be a “significantly smaller subset” of companies, the bill says, that by “virtue of their interdependencies across sectors and cascading consequences of disruption to other critical infrastructure assets and critical infrastructure sectors are critical to the nation”.
The government will then be able to order these operators to undertake activities such as providing information to the Australian Signals Directorate or installing and maintaining specified computer programs to transmit data to the spy agency.
Do you know more? Contact James Riley via Email.