This article was written by Cheng Lim and Jonathan Beh.
The security and resilience of Australia's critical infrastructure is fundamental to its economy, security and sovereignty.
Last week, the Department of Home Affairs published a consultation paper seeking submissions on proposed reforms to the critical infrastructure regulatory framework. In this alert, we describe what critical infrastructure is and the current regulatory framework, identify the key initiatives from the enhanced regulatory framework being proposed by the Government and explain why it is crucial that industry participates in the development and implementation of a flexible, comprehensive and resilient security strategy.
Three aspects will be of critical interest:
- The sectors and entities that will be subject to the enhanced regulatory framework;
- The content and implications of the Positive Security Obligation, Enhanced Cyber Security Obligations and Government assistance with cyber security; and
- Navigating the journey: ongoing consultation and industry participation in the development of the critical infrastructure regulatory framework.
Why is critical infrastructure so important and what is the current regulatory framework?
Critical infrastructure underpins the delivery of essential services that are fundamental to Australia's economy, security and sovereignty. The Government's Critical Infrastructure Resilience Strategy defines critical infrastructure as:
those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defence and ensure national security.
The current regulatory framework is set out in the Security of Critical Infrastructure Act 2018 (Cth) (Act) and consists of 3 main elements:
- a Register of Critical Infrastructure Assets which contains ownership and operational information for specific critical infrastructure assets;
- an information gathering power, which allows the Secretary of the Department of Home Affairs to obtain more detailed information from owners and operators of critical infrastructure assets; and
- a Ministerial direction power, which allows the Minister for Home Affairs to direct an owner or operator of critical infrastructure assets to take, or not take, specified actions to mitigate a national security risk where no other mechanism will eliminate or reduce that risk.
Who will the enhanced regulatory framework apply to?
Currently, the critical infrastructure regulatory framework only applies to specific entities in the electricity, gas, water and maritime ports sectors. The proposed reforms will significantly expand the scope of the framework, introducing security obligations to the following sectors:
- Banking and finance;
- Communications;
- Data and the Cloud;
- Defence;
- Education, research and innovation;
- Food and grocery;
- Health;
- Space; and
- Transport.
The Government will also introduce 3 broad categories of criticality under which owners and operators of critical infrastructure assets will be classified: Critical Infrastructure Entities, Regulated Critical Infrastructure Entities and Systems of National Significance. Categorisation will depend on a number of factors, including the consequences of a compromise in security and the interdependency of the entity or asset with other functions. Each category will be subject to different obligations, in order to ensure that the obligations are proportionate and appropriate relative to the criticality of each entity.
What new initiatives are being introduced?
The enhanced regulatory framework consists of 3 key security initiatives that the Government will introduce to strengthen the security and resilience of Australia's critical infrastructure.
Government assistance with cyber security
In most cases, critical infrastructure entities will be best placed to protect against and mitigate the effects of cyber attacks on their networks and systems. However, given the unique capabilities of Government and its comprehensive understanding of Australia's threat environment, there may be situations in which Government assistance or intervention is required to respond to and manage cyber attacks effectively.
Under the proposed reforms, if there is an imminent cyber threat or incident that could significantly impact Australia's economy, security or sovereignty, and that is within the capacity of the entity to address, the Government may issue directions to the entity to ensure all necessary action is taken to manage and reduce the impact of the threat. In more serious and limited circumstances, where the Government identifies an immediate and serious cyber threat to Australia's economy, security or sovereignty, the Government may declare an emergency and take direct action to protect a critical infrastructure entity or system in the national interest. In deciding whether to declare an emergency and take direct action, the Government will consider the potential consequences of the cyber threat, the extent to which the incident could spread across jurisdictions and the imminence of the threat.
Positive Security Obligation
Regulated critical infrastructure entities and systems of national significance will also be subject to the Positive Security Obligation (PSO). The PSO will consist of both a sector-agnostic set of principles-based outcomes, as well as sector-specific guidance and requirements that will be co-designed by entities and the appropriate regulator in each sector.
The high-level principles-based security outcomes will be set out in legislation and, at a minimum, ensure that critical infrastructure entities:
- identify and understand risks;
- mitigate risks to prevent security incidents;
- minimise the impact of realised incidents; and
- implement effective governance and oversight processes,
in relation to physical, cyber, personnel and supply chain security.
In order to reflect the specific needs and capabilities of each sector, avoid duplicating existing standards and requirements and reduce the regulatory burden on entities, regulators will work with entities in each sector to develop and implement sector-specific standards and guidance to achieve the security outcomes of the PSO. The regulators will be responsible for educating and guiding entities towards best practice security management, as well as enforcing compliance with the PSO requirements.
Enhanced Cyber Security Obligations
In addition to government assistance with cyber security and the PSO, Australia's most critical entities, the systems of national significance, will also be subject to the Enhanced Cyber Security Obligations. It is intended that these entities will build an active partnership with the Government to better understand, prepare for and manage cyber security threats.
The Government will develop a near real-time national threat picture by obtaining information from a variety of sources, including industry and commercial partnerships, open source information, Government intelligence and international feeds. Initially, provision of information will be on a voluntary basis while the near real-time threat capability is developed and tested; however, it is intended that in the long term entities will be obliged under legislation to provide information about their networks and systems when requested.
The Government will also utilise its understanding of the threat environment to help develop the cyber security capabilities of owners and operators of systems of national significance. Entities will be required to participate in cyber security activities in partnership with the Government, which may include independent assessments by third-party providers, light-touch vulnerability scanning and assessment and Government-critical infrastructure collaboration to detect and isolate threats that have evaded existing security solutions. The Government will also work with key entities to develop a playbook of response plans that will be tailored to each entity's capabilities and needs and outline the roles and responsibilities in the event of a significant security incident.
What does this mean for industry?
Submissions to the consultation paper close on 16 September 2020. However, given the far-reaching consequences of the proposed reforms and their importance to Australia's long-term security and economic wellbeing, the consultation paper is only the start of the consultation process with industry. The Government intends to conduct further cross-sectoral consultation on the reforms, which will inform the development of legislative amendments to the Act. Once the amendments have been passed, regulators will continue to work with critical infrastructure entities to develop and implement sector-specific obligations to give effect to the legislative regime.
The proposed reforms are a key initiative of the Government's Cyber Security Strategy 2020 and reflect an increased focus by the Government on the security risks that Australia's critical systems face. Recent events, particularly the impact of COVID-19, have reflected well on the security and resilience of Australia's critical infrastructure, but have also exposed the underlying vulnerabilities and fragilities of an economy that is increasingly interconnected and interdependent. Industry has an important role to play in participating in and shaping the development of the strategies, policies and laws that will protect and promote Australia's economy, security and sovereignty.