Govt embarks on last round of critical infrastructure reforms

Denham Sadler
National Affairs Editor

Consultation has begun on the last round of the government’s significant critical infrastructure reforms which include the power to require companies deemed to be “nationally significant” to install software that shares information with the spy agency.

Home Affairs Minister Karen Andrews announced on Wednesday that consultations had opened for the second half of the critical infrastructure reforms, following the passage of the first chunk last month.

This came after the powerful national security committee ordered the government to split up these reforms to ensure the “urgent” changes, including a broadening of the scope of companies covered by critical infrastructure and “last resort” powers for the government to take over a company in the event of a cyber attack, could be passed rapidly.

Home Affairs Minister Karren Andrews. Photo: NASA/Aubrey Gemignani

The other reforms, including the ability to designate critical infrastructure operators as being of “national significance”, enhanced cybersecurity obligations for these companies and risk management programs, will be up for consultation until the start of February next year.

The Coalition will also consult over the same period of time on legislation implementing critical infrastructure security regulatory regime for the aviation and maritime transport sectors.

“All of our critical infrastructure assets and systems are attractive targets for cyber criminals and other malicious actors, who can harm the essential services Australians rely on,” Ms Andrews said in a statement.

“Over the past two years, we’ve seen increasing and escalating attacks on Australia’s critical infrastructure sectors. This calls for a holistic, collaborative response from government and industry.

“The consultations launched today will ensure our legislation is well-informed, fit-for-purpose and does not impose an undue regulatory burden on industry, while ensuring the safety, security and long-term economic prosperity of Australia.”

The Critical Infrastructure Protection Bill 2022 will enable a framework for critical infrastructure companies to implement risk management programs, give the Minister the power to declare systems of national significance and impose enhanced cybersecurity obligations for these companies.

Under the reforms, the Home Affairs Minister will be able to declare an asset to be of national significant, making them subject to enhanced cybersecurity obligations and government orders.

This will be a “significantly smaller subset” of critical infrastructure companies, the explanatory memorandum says, that by “virture of their interdependencies across sectors and cascading consequences of disruption to other critical infrastructure assets and critical infrastructure sectors are critical to the nation”.

The government will then be able to require these companies to undertake a prescribed cybersecurity activity, such as providing system information to the Australian Signals Directorate (ASD), or to even install and maintain a specified computer program to transmit data to the spy agency.

“The computer program would be provided by the government and would, for example, operate as a host-based sensor reporting back to the ASD telemetry information used to monitor the system for malicious behaviour,” the draft legislation said.

All owners and operators of critical infrastructure will also have to implement a risk management program as part of the new regime. This will require them to manage the “material risk of any hazards occurring which pose a risk of impacting on the availability, integrity or confidentiality of the critical infrastructure asset”.

While the legislation includes overarching obligations such as identifying and mitigating risks and effective governance, the more detailed requirements will be determined after the bill is passed.

The government is also consulting on legislation which would implement an enhanced critical infrastructure security regulatory regime for the aviation and maritime transport sectors. This will switch the current focus on “unlawful interference” to an “all hazards” regulatory framework and specifically include cybersecurity incidents.

Submissions on both pieces of legislation are open until the start of February next year.

The first round of critical infrastructure reforms passed Parliament in November, despite being labelled “highly problematic” by a group of big tech heavyweights.

These reforms saw the sectors covered by the critical infrastructure regime expanded to include communications, financial services, data storage, defence industry and space, and gave the government “last resort” powers to step in and take control of a piece of critical infrastructure in the event of a cyber-attack.

The legislation had bipartisan support, but the Greens labelled it a “greedy little power grab” and voted against it.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories