Written by Cheng Lim and Thomas Dysart.
The PJCIS recommends the urgent passing of the parts of the SOCI Bill that expand the scope of critical infrastructure sectors; that require critical cyber incident notification; and that enable the exercise of expanded "government assistance" powers. Other provisions should be subject to further consultation and review.
Background to Report
On 24 September 2021, the Commonwealth's Parliamentary Joint Committee on Intelligence and Security ("PJCIS") published an advisory report following its review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 ("SOCI Bill") and the Security of Critical Infrastructure Act 2018 ("SOCI Act"). In this alert, we give an overview of the PJCIS' key recommendations and explain what they may mean for Australia's critical infrastructure reforms going forward.
Our previous alerts on the purpose of the reforms and the content of the SOCI Bill are available here, here and here.
The report paints a picture of an expanding threat of cyber security vulnerability and malicious cyber activity for critical infrastructure providers, with the incidence of cyber-attacks, ransomware and exploitation of vulnerabilities accelerating. In light of this threat, the PJCIS acknowledges there is a need for both a rapid response and a comprehensive response, but forms the view that both cannot be achieved in the single SOCI Bill.
The PJCIS points to conflicting forces – on the one hand, there is a general consensus on the need to urgently respond to the growing cyber security threats, and on the other hand, there is a widespread sense of uncertainty around the practical implications of the reforms, given that much of the SOCI Bill's substantive obligations have been left to be defined in subordinate instruments rather than in the primary legislation. It is in this context that the PJCIS made its recommendations.
What does it mean for business?
Critical infrastructure asset owners and operators in the key infrastructure sectors subject to the SOCI Bill[1] should prepare for the quick passing of "Bill One" referred to below, and should be ready to:
- comply with the requirement to notify critical cyber security incidents within 12 hours (and, if done orally, to provide a written report within an additional 84 hours); and
- comply with the expanded government assistance powers (including intervention, information gathering and action directions).
While we initially considered that infrastructure businesses needed to collate interest, control and operational information so that they would be in a position to provide the information to the Department of Home Affairs for inclusion in its Register of Critical Infrastructure Assets, we now understand from the Department that there is no intention to introduce the reporting obligations as part of Bill One.
Overview of key recommendations
The PJCIS report sets out the following key recommendations:
- Split the SOCI Bill - the PJCIS recommends that the SOCI Bill be split in two, so that the urgent elements of the reforms relating to the expanded definitions of critical infrastructure sectors and assets, government assistance measures (Part 3A), and mandatory notifications of cyber security incidents (Part 2B) be amended and legislated in the shortest time possible ("Bill One"), with the remaining elements of the SOCI Bill being amended into a separate Bill following further consultation with industry ("Bill Two").
- Amend and pass Bill One – the PJCIS recommends that certain parts of the existing SOCI Bill be passed as Bill One, subject to the following amendments:
  - (Government assistance) Part 3A – this part of the SOCI Bill sets out the proposed government assistance powers that can be exercised in response to cyber security incidents that seriously prejudice (or are likely to seriously prejudice) the social/economic stability, defence or national security of Australia.
  - (Notification of critical cyber security incidents) Part 2B – this part of the SOCI Bill sets out obligations for responsible entities for critical infrastructure assets to notify the relevant Commonwealth body within 12 hours of becoming aware of critical cyber security incidents, and within 72 hours of becoming aware of other cyber security incidents. The PJCIS recommends that Part 2B be amended so that where the entity gives oral notice, the written notification can be given within 84 hours of giving oral notice (instead of 48 hours). The PJCIS also recommends that Part 2B be amended so that the entity and the Commonwealth body may agree that written notification is not required after oral notification if, upon investigation, the incident does not have the defined impact outcome.
  - (3 year review) The PJCIS recommends that Bill One include a provision allowing the PJCIS to conduct a review of the operation, effectiveness and implications of the reformed security of critical infrastructure framework not less than 3 years from when Bill One receives Royal Assent.
- Consult on Bill Two – the PJCIS envisages that Bill Two will comprise the remaining non-urgent elements of the SOCI Bill, including the obligation to develop and maintain a risk management program for critical infrastructure assets and the enhanced cyber security obligations that apply in relation to Systems of National Significance ("SONS"). More specifically, the PJCIS recommends that:
  - (Further consultation with industry) following passage of Bill One, the Government release a draft of Bill Two for further consultation and feedback from industry prior to its being reintroduced to Parliament, with the aim of addressing concerns raised by industry in submissions (e.g. unclear scope and content of regulatory requirements, potential duplication of regulatory systems, and uncertain regulatory costs of compliance). The PJCIS specifically acknowledged that many companies, industry bodies and stakeholders did not feel that their input or feedback had been actioned or acknowledged by the Department through its consultation processes on the SOCI Bill;
  - (Further PJCIS review) on reintroduction to Parliament, Bill Two be referred to the PJCIS for review, with a concurrent review of the impact of the amendments resulting from Bill One; and
  - (Rules should be finalised and not left to secondary legislation) to the extent possible, rules regarding the content and operation of obligations on critical infrastructure entities be agreed before the introduction of Bill Two and be included as explanatory material to Bill Two (instead of being deferred and introduced by way of secondary legislation).
- Increased oversight, checks and balances – while the PJCIS supported the urgent introduction of the government assistance powers, it did so on the basis that the Government's intention was that they would only be exercised as a "last resort". Consistent with this, it recommended that any determination by the Government to exercise these powers be reported to the PJCIS as soon as practicable after the assistance is rendered, to enable the PJCIS to ensure that the powers were exercised in an appropriate and lawful manner. It also recommended that:
  - (Right of reply) any decision or determination that will affect an entity be amended to also require a right of reply by the affected entity, and consideration of that reply in the final decision or determination;
  - (Merits review for SONS) there be a merits review system of appeal to the security division of the AAT for any determination under Bill Two for declarations of SONS and the exercise of Enhanced Cyber Security Obligation powers in relation to them; and
  - (General merits review) there be consideration of the issue of merits review rights in respect of the administrative decisions of the Secretary or Minister under other aspects of the expanded SOCI Bill framework.
- Assess democratic institutions – the PJCIS made additional recommendations directed towards democratic institutions as the 'critical infrastructure' of Australian democracy, recommending that the Government review the risk of cyber threat to all levels of democratic institutions (Federal, State/Territory and local) to ensure that the most appropriate protections are in place. The PJCIS also recommends that Government review processes and protocols for classified briefings for the Opposition during caretaker periods in response to serious cyber-incidents and consider the best practice principles for public announcements about such incidents.
Next Steps
The PJCIS' report and its recommendations will now go back to the House of Representatives for consideration. The message from industry is clear - certain aspects of the SOCI Bill need to be considered in further detail and not rushed through out of fear of immediate threats. Whether the House will take on board the PJCIS recommendations and the clear messaging from industry remains to be seen.
[1] Financial Services and Markets; Communications; Data and the Cloud; Education, Research and Innovation; Energy; Food and Grocery; Health; Space; Transport; Water & Sewerage