The Security of Critical Infrastructure Act (SOCI Act) is again being expanded, this time as part of the Australian Government’s 2023-2030 Cyber Security Strategy. Submissions on the proposed changes outlined in the Australian Cyber Security Strategy: Legislative Reforms Consultation Paper (Consultation Paper) are due 1 March 2024. We encourage critical infrastructure stakeholders to share your views by making a submission. Please contact our critical infrastructure team if you need any assistance.
Background
The SOCI Act has undergone extensive changes since its inception in 2018 - first in 2021 when critical infrastructure increased from 4 sectors to 11 sectors and 22 asset classes, and then in 2022 when risk management program obligations were added.
Now, the SOCI Act is being expanded again to improve the resilience of Australia’s critical infrastructure against increasingly complex cyber security risks. The changes were signalled after recent cyber incidents and foreshadowed in the 2023-2030 Cyber Security Strategy (see our previous article).
Consultation in Progress
The Australian Government is seeking feedback on 9 proposed legislative measures outlined in the Consultation Paper, being:
- Mandatory standard for consumer-grade Internet of Things (IoT) technology
- No-fault ransomware reporting obligations
- Limited use for information shared with ASD and the Cyber Coordinator
- A Cyber Incident Review Board to conduct no-fault reviews of incidents
- Clarifying SOCI Act obligations for data storage systems for business critical data
- Last resort consequence management powers for the Minister of Home Affairs
- Amending protected information provisions to enable information sharing with government
- Powers to remedy serious deficiencies in risk management programs
- Consolidating telecommunications security requirements under the SOCI Act
Measures 1-4 are proposed to be effected through new cyber security legislation which applies more generally and measures 5-9 through amendments to the SOCI Act. Further details of the proposed measures and our thoughts are set out below.
Summary of the 9 proposed legislative measures
1. Mandatory standard for consumer-grade Internet of Things (IoT) technology to incorporate basic security features by design
The Australian Government supports consistency with international standards and practices, citing the widely accepted international ETSI EN 303 645 standard. Vendors, suppliers, importers and manufacturers are proposed to be covered.
2. No-fault ransomware reporting obligation to improve understanding of ransomware incidents
The Australian Government proposes two reporting obligations: first when a business is impacted and a ransom demand is received, and again when a ransomware or extortion payment is made. Small businesses with an annual turnover of $10 million or less may be exempted.
3. Limited use obligation for information shared with the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator (Cyber Coordinator)
To encourage engagement during cyber incidents, the Australian Government proposes to legislate that information businesses share with the ASD and Cyber Coordinator could only be used for ‘prescribed cyber security purposes’, including helping businesses respond to cyber incidents and consequence management (see measure 6 below). The information could not be used for investigation or compliance action against the entities.
However, the proposed sharing of information with other agencies may continue to disincentivise open engagement.
4. Establishing an impartial Cyber Incident Review Board (CIRB) to conduct no-fault reviews of significant cyber incidents
The CIRB is not intended to be a law enforcement, intelligence or regulatory body, but is proposed to have modest information gathering powers subject to a limited use obligation. The independent ‘no-blame’ review of the Australian Transport Safety Bureau is given as an example.
Reviews of specific incidents could easily stray into determinations of responsibility and accountability, despite the no-fault remit. Query whether CIRB reviews should be limited to more general and systemic issues.
5. Clarifying SOCI Act obligations for data storage systems for business critical data
The Australian Government proposes to:
- include data storage systems that store business critical data in the definition of ‘asset’ under section 5 of the SOCI Act; and
- include risks to such data storage systems and systems that access the data as ‘material risks’ under the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules.
The changes are intended to ensure data storage systems maintained by critical infrastructure entities are treated the same under the SOCI Act as those outsourced to a data storage or processing provider.
Most critical infrastructure entities should be well prepared for this change.
6. Last resort consequence management powers for the Minister of Home Affairs
The proposed all-hazards power will be integrated into the existing government assistance powers under Part 3A of the SOCI Act, to fill the gaps identified during the recent cyber incidents. Currently, the Australian Government can help defend critical infrastructure from incidents impacting the delivery of essential services, but has limited ability to assist with managing consequences after an incident. This proposed power can only be exercised if there is no existing power available to support a practical and effective response.
By way of example, the proposed power may be used to direct a critical infrastructure entity to share personal information of affected customers with banks to prevent financial fraud, where the Attorney-General has authorised this. The proposed power could also be used to give directions to critical infrastructure entities that are not themselves the subject of an incident, but whose critical infrastructure is likely to suffer a relevant impact as a consequence of a data breach or non-cyber hazard involving another entity.
Entities acting lawfully in accordance with a direction will be immune from civil liability (e.g. from contract breaches).
The examples given illustrate the very wide application of the proposed power, extending to third parties and non-cyber hazards. It raises the question whether existing government emergency powers are already sufficient and highlights the need for appropriate safeguards and oversight.
7. Amending the protected information provisions to enable information sharing
The Australian Government proposes to:
- amend the definition of ‘protected information’, to require individuals to consider the potential harm or risk of disclosure; and
- expand the authorised disclosure provisions, to allow disclosures:
- for the continued operation of, or mitigation of risk to, an asset; and
- to all government entities, where necessary to uphold the security and resilience of critical infrastructure or protect national security.
8. Complementary powers to remedy serious deficiencies in risk management programs
The Australian Government proposes to introduce a complementary directions power in Part 2A of the SOCI Act to require an entity to address serious deficiencies in its Critical Infrastructure Risk Management Program (CIRMP). Before issuing a direction, the Secretary/regulator must give the entity an opportunity to respond and remedy the deficiency.
9. Consolidating telecommunications security requirements under the SOCI Act
To consolidate security regulation of the telecommunications sector, the Australian Government proposes to move the Telecommunications Sector Security Reforms (TSSR) currently in the Telecommunications Act 1997 (including Part 14) to the SOCI Act. The current security and notification obligations will be harmonised into a new Telecommunications Security and Risk Management Program (TSRMP) within the SOCI Act.
What’s coming up?
A broader independent review of the SOCI Act under section 60A will commence after the CIRMP obligation is in full effect (the first annual reports that must be approved by Boards are due by 28 September 2024). The Australian Government proposes to use that review to look at more holistic, less time-critical reforms to the SOCI Act, as well as to evaluate the effectiveness of the cyber security legislative reform measures currently proposed.
Special update
Last year we hosted a fireside chat about the SOCI Act with special guests Michael Minns (Assistant Secretary) and Jared Henry (Director) from the Cyber and Infrastructure Security Centre (CISC) at the Department of Home Affairs (see a report of the webinar here). The CISC has prepared responses to the questions from participants that we did not manage to address during the webinar. The responses can be found here.