The final round of significant critical infrastructure reforms is set to be passed into law after the powerful national security committee gave it the green light subject to minor amendments.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) tabled its advisory report on the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 on Friday, recommending the bill be passed with a handful of changes and strengthened consultation after its passage.
The report paves the way for the bill — the final tranche of the federal government’s reforms focusing on shoring up and improving the security of critical infrastructure assets — to pass Parliament this week before the imminent election in May.
The reforms require critical infrastructure operators to develop a risk management program that identifies material risks to their assets and sets out how those risks will be minimised, eliminated or mitigated. The program will be reported to the operator's board, council or other governing body.
They will also give the Home Affairs minister new powers to designate certain companies or assets as being of “national significance” and subject to enhanced cybersecurity obligations.
These obligations include the development of cybersecurity incident response plans, cybersecurity exercises to build preparedness, vulnerability assessments, and the provision of system information to support the government's situational awareness.
If an asset is designated as a system of national significance, the company operating it may be required to install software supplied by the Australian Signals Directorate (ASD) so that system information can be passed to the agency.
In its report, the PJCIS recommended further consultation on the design of the critical infrastructure rules following its passage, including a fresh round of consultation on the draft rules for risk management programs, and industry roundtables on the rules and guidance materials.
The Minister should also provide a report to the PJCIS on these consultations, the committee said, and notify the committee within 30 days of any asset being designated as a system of national significance.
The PJCIS recommended the government consider establishing a legislative basis for merit reviews for “some or all” of the decisions made by the Minister under the bill, and an independent review of the new powers after one year.
With those changes, the PJCIS approved the passage of the critical infrastructure reforms in this week’s sitting days.
Last year the PJCIS called on the government to split its critical infrastructure bill into two, allowing for the urgent new powers to be passed and for further consultation on the rest.
The first bill, which broadened the scope of companies covered by the scheme and introduced “last resort” powers for the government to take control of a company’s networks in the event of a major attack, was passed last year.
The other half of the reforms are included in the legislation now given the green light by the PJCIS.
The speed of consultation on the reforms, with the consultation period running over the summer break, raised concerns among several companies and industry groups.
Consultation on the draft bill ran from late December to 1 February, and the legislation was introduced to the lower house just seven working days later.
The PJCIS acknowledged these concerns but said the “further deteriorating global security environment” made the pace of inquiry necessary.
“The Committee heard significant classified and public evidence regarding the deteriorating cyber-threat environment, which necessitates the passage of this bill in the shortest time possible,” the PJCIS report said.
“This accelerated need has driven perception that the bill may have been rushed, or that the Department has not taken industry concerns seriously, but the Committee has ultimately concluded that this is not the case.”
The Committee also acknowledged the many concerns around the new powers from the industry, but said they are necessary.
“Fear of the unknown is understandably driving some industry concern, however that fear should not dictate that the government do nothing and leave critical elements of our industry, services and economy exposed to attack,” the report said.
“What would normally be undertaken in three to six months has been compressed into less than six weeks due to the requested reporting date from the Minister, to allow passage of the bill in the Autumn sittings.”
“Regulation like this comes with a cost, and the Committee acknowledges that cost will be borne by industry. The Committee believes that cost will be outweighed, however, by the resultant security uplift that will stem from risk management programs, and that the overall improvements to critical infrastructure security from these measures will offset the potential losses were a serious cyber incident to occur in their absence.”
On the rules for systems of national significance, the PJCIS pointed to evidence from the Australian Signals Directorate (ASD) and the Home Affairs Department that the power to have software installed on companies' networks would be used sparingly.
“We will install software only in instances where a private entity does not have its own capacity to pass to us telemetry or technical artefacts. That’s the starting point,” the ASD said during the inquiry.
“If the entity had those tools themselves, there would be no need for us to use our own tools.”
The bill is now likely to be debated and passed by the Senate this week during the budget sitting, the last sitting days before the federal election.
Do you know more? Contact James Riley via Email.