Legislation requiring critical infrastructure operators to reveal all outsourced IT work and to give the government the ability to force these entities to take action to reduce national security risks has passed the Parliament.
The Security of Critical Infrastructure Bill was introduced to the lower house in December last year, and was passed by the Senate late last week with broad support from the Opposition and the Greens.
The bill tightens government’s ability to identify and mitigate risks associated with offshore involvement in running critical infrastructure like electricity, gas, ports and water networks.
Home Affairs Minister Peter Dutton said the bill “strengthens our national security posture against threats of espionage and foreign interference”.
It would “ensure the government has the necessary powers to protect Australia from the national security threats of sabotage, espionage and coercion stemming from malicious foreign involvement in our critical infrastructure”.
The bill includes two main measures: a new register of critical infrastructure assets, and ministerial discretion to direct providers to reduce national security risks.
Under the new legislation, 160 utilities and ports operators will have to provide “specific, high-level information” to the government on who has access to and controls their assets, including outsourced IT providers.
The government has said it is particularly interested in outsourced or offshored industrial control systems, data holding, security systems and corporate systems.
These operators would now have six months to get this information together and hand it over to government. It would be stored on the government’s “secret network”. They then have to update the register within 30 days of a change taking place.
The relevant minister now has a “last resort” power to order the utility providers to “do or not to do a certain thing” in order to reduce a national security risk. This power can be used to “seek information and issue directions to owners and operators of critical assets in the high-risk sectors when there is a risk that is prejudicial to security that cannot otherwise be mitigated”, the government said.
The government has said that this power is a “necessary safeguard to address national security risks where they cannot otherwise by managed”.
The government said the legislation would compliment the launch of the Critical Infrastructure Centre earlier this year, which operates as a central point for the government and industry to mitigate national security risks.
Finance Minister Mathias Cormann said foreign involvement in critical infrastructure is important, but safety must be paramount.
“Foreign involvement in Australia’s critical infrastructure plays an important and beneficial role in supporting economic growth. It can also improve productivity by enabling the development of much-needed infrastructure, introducing new technology, allowing access to global supply chains and markets, and enhancing Australia’s skills base,” Senator Cormann said.
“However, while recognising its many benefits, increasing foreign involvement in our national critical infrastructure means that Australia’s critical infrastructure is more exposed than ever to sabotage, espionage and coercion.”