19 October 2017

Espionage, sabotage and infrastructure: what you need to know about the Security of Critical Infrastructure Bill

This article was written by Louis Chiam, Prudence Buckland and Anthony Di Gregorio.  

Following its launch of the Critical Infrastructure Centre (CIC) earlier this year, the Attorney-General’s Department (AGD) has released an exposure draft of the Security of Critical Infrastructure Bill 2017 (the Bill) as part of a coordinated and strategic framework to respond to the increasing risks of sabotage, espionage and coercion against Australia’s national critical infrastructure.

What does the Bill do?

The Government has identified gaps in its information-gathering powers regarding the ownership and control of critical infrastructure, as well as its power to intervene when there are significant risks to national security related to critical infrastructure.

The Bill seeks to bolster the Government’s ability to manage national security risks by:

  • information — requiring operators or owners of critical infrastructure to provide and update ownership and operational information;
  • Register — establishing a Register of Critical Infrastructure Assets within the AGD to record that information (the Register will not be public); and
  • directions — allowing the Attorney-General, as a last resort, to direct operators of critical infrastructure (and certain others) to do, or refrain from doing, a specified act or thing that is reasonably necessary for purposes relating to eliminating or reducing the risk of an act or omission that would be prejudicial to security.

The Bill would not, however, change Australia’s foreign investment framework under the Foreign Acquisitions and Takeovers Act 1975.

Which ‘assets’ are captured?

The Bill focuses on port assets (it lists ‘critical ports’), water assets (large-scale water or sewerage infrastructure) and electricity assets (distribution and transmission assets, as well as some large-scale generators).

The Bill also gives the Minister power to declare other assets or sectors as ‘critical infrastructure’.  This might include gas pipelines.

Security of internet and telecommunications assets is regulated separately by the recent Telecommunications Sector Security Reforms brought in by the Telecommunications and Other Legislation Amendment Act 2017. Find out more in Critical infrastructure security – what lies ahead for electricity, ports and water?  

What information will you be required to give?

A considerable amount of (commercially sensitive) information must be provided, falling into two broad categories:

  • interest and control information — detailed ownership and corporate governance information about owners and operators of critical infrastructure assets; for example, information on voting and veto rights, rights to appoint directors and other appointees and the level of access to the asset.
  • operational information including a description and location of the asset, information about relevant licence holders and the chief operating officer, and information about outsourcing arrangements (for example, arrangements with overseas subcontractors).

How will the information be used and stored?

All information obtained will be ‘protected information’, only disclosable to the Commonwealth Minister responsible for specified portfolios such as national security, foreign investment, taxation and industry.  The sensitive nature of the protected information (as well as the reasons for its collection) will make it exempt from Freedom of Information requests. 

However, there are also further but limited powers to disclose the protected information to State and Territory Ministers and associated staff and agency heads, as well as power to disclose for law enforcement, and with consent.  The protected information may only be used to enable or assist the person to exercise his or her powers or perform his or her functions or duties.

What ‘directions’ can the Minister provide?

The Bill gives the Minister broad power to issue directions to do, or refrain from doing, a specified act or thing. The Minister:

  • must have received an adverse security assessment in respect of the person to whom the direction is to be given;
  • must consult with relevant State or Territory Ministers, as well as the person in question (and give the person at least 28 days’ notice); and
  • must take a detailed list of factors into account (including cost, competition outcomes, impact on customers) — but give the greatest weight to the adverse security assessment.

There is little detail in the Bill on the directions that can be made, but the Explanatory Document provides some examples, such as directing owners or operators to refrain from outsourcing operations to certain providers or moving offshore corporate and operating data to a more secure data storage provider.

The Government is seeking written submissions by 10 November 2017.

Key contacts

Data Central

Have you checked out our new Data Hub? Data Central contains a range of resources to help our clients minimise the legal, regulatory and commercial risks this data-driven environment presents and ensure that its full value is being realised.

Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    After a delayed start due to Covid-19 lockdowns and disruption in 2020, the Environment Protection Amendment Act 2018 (new Act) is commencing on 1 July 2021.

    07 June 2021

    China is poised to rollout a new national emissions trading scheme market demonstrating that China is committed to mitigating climate change.

    03 June 2021

    One of the key measures targeting innovation in the Federal budget announced on 11 May 2021, is the introduction of a ‘patent box scheme’ worth over $100 million annually.

    03 June 2021

    Asia Pacific countries are faced with a critical tension between a pressing need for energy to fuel economic development and global pressure to reduce carbon emissions.

    02 June 2021

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.