Serious issues in the Home Affairs department’s governance and enforcement of critical infrastructure protection have been exposed by the National Audit Office, which identified deficiencies in compliance activities, risk assessments, reporting and stakeholder engagement.
It comes as the department oversees a significant and expedited expansion of critical infrastructure laws that will capture many more assets and allow the government to take control of some as a “last resort” response to a cyber attack.
According to the new audit, nearly 70 per cent of the policy and procedural documents supporting Home Affairs’ critical infrastructure compliance activities were not “finalised or reviewed”, and there was no established process to ensure that appropriately trained officials are engaged in investigations under critical infrastructure regulations.
Home Affairs has accepted seven recommendations to address the issues and said they would be used to support the rollout of the new critical infrastructure laws through the dedicated Cyber and Infrastructure Security Centre it established last year.
The Auditor General on Tuesday tabled his report on the administration of critical infrastructure protection policy by the Home Affairs department, the lead government agency in the area.
It found Home Affairs’ critical infrastructure compliance activities are “not supported by approved procedures or systems controls” and that the department has “not established a risk-based decision framework for achieving compliance outcomes or demonstrating its impact on asset security or resilience”.
Home Affairs has no process for effectively reviewing its use of regulatory tools, the Australian National Audit Office (ANAO) found.
Governance arrangements to administer critical infrastructure protection policy were also deemed only “partly effective”, with the implementation of critical infrastructure related risk assessments and reporting not properly captured in the department’s risk documentation.
Home Affairs’ stakeholder engagement also needs improvement, with the department having no engagement strategy and providing only “limited support” to other critical infrastructure regulators.
The findings come just months after a significant expansion in Australia’s critical infrastructure protection laws, which Home Affairs developed, including leading industry consultation.
In one of the final acts of the previous Parliament, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 was passed, amending legislation to expand the asset types covered more than fivefold, introduce new security requirements on owners, and hand new control powers to government agencies in certain circumstances.
The new laws expand the coverage of what is considered critical infrastructure from four to 22 asset classes, across 11 sectors.
The reforms were pushed through by Home Affairs despite industry calls to refine the new regulations and provide more clarity on requirements, because of what department secretary Mike Pezzullo said was a pressing cyber-attack risk.
In Opposition at the time, Labor supported the legislation but said it had been left to the “last minute” before the election and several issues still needed to be resolved.
The ANAO examined the effectiveness of the Department of Home Affairs’ administration and regulation of critical infrastructure protection policy because of its role as the lead Australian Government agency and because of the potentially high impact of a successful attack.
It found that 28 of Home Affairs’ 36 control effectiveness indicators did not align with enterprise-level critical infrastructure risk reporting, and that 15 of the 22 policy and procedural documents supporting critical infrastructure related compliance activities were not finalised and approved.
In its response to the audit findings, Home Affairs said it accepts all the recommendations and they would inform the implementation of the latest law changes through the Cyber and Infrastructure Security Centre it established in September last year.
“The creation of the Cyber and Infrastructure Security Centre in the Department will bring together a coordinated all-hazards approach to the protection of Australia’s critical infrastructure. This will be undertaken both by direct regulatory responsibilities and in partnership with industry, other Commonwealth regulators, as well as state and territory governments,” the response said.
The office of new Home Affairs Minister Clare O’Neil declined to comment on the report on Wednesday afternoon.