This article was written by Louis Chiam, Prudence Buckland and Anthony Di Gregorio.
Following its launch of the Critical Infrastructure Centre (CIC) earlier this year, the Attorney-General’s Department (AGD) has released an exposure draft of the Security of Critical Infrastructure Bill 2017 (the Bill) as part of a coordinated and strategic framework to respond to the increasing risks of sabotage, espionage and coercion against Australia’s national critical infrastructure.
What does the Bill do?
The Government has identified gaps in its information-gathering powers regarding the ownership and control of critical infrastructure, as well as its power to intervene when there are significant risks to national security related to critical infrastructure.
The Bill seeks to bolster the Government’s ability to manage national security risks by:
- information — requiring operators or owners of critical infrastructure to provide and update ownership and operational information;
- Register — establishing a Register of Critical Infrastructure Assets within the AGD to record that information (the Register will not be public); and
- directions — allowing the Attorney-General, as a last resort, to direct operators of critical infrastructure (and certain others) to do, or refrain from doing, a specified act or thing that is reasonably necessary for purposes relating to eliminating or reducing the risk of an act or omission that would be prejudicial to security.
The Bill would not, however, change Australia’s foreign investment framework under the Foreign Acquisitions and Takeovers Act 1975.
Which ‘assets’ are captured?
The Bill focuses on port assets (it lists ‘critical ports’), water assets (large-scale water or sewerage infrastructure) and electricity assets (distribution and transmission assets, as well as some large-scale generators).
The Bill also gives the Minister power to declare other assets or sectors as ‘critical infrastructure’. This might include gas pipelines.
Security of internet and telecommunications assets is regulated separately by the recent Telecommunications Sector Security Reforms brought in by the Telecommunications and Other Legislation Amendment Act 2017. Find out more in Critical infrastructure security – what lies ahead for electricity, ports and water?
What information will you be required to give?
A considerable amount of (commercially sensitive) information must be provided, falling into two broad categories:
- interest and control information — detailed ownership and corporate governance information about owners and operators of critical infrastructure assets; for example, information on voting and veto rights, rights to appoint directors and other appointees and the level of access to the asset.
- operational information — including a description and location of the asset, information about relevant licence holders and the chief operating officer, and information about outsourcing arrangements (for example, arrangements with overseas subcontractors).
How will the information be used and stored?
All information obtained will be ‘protected information’, only disclosable to the Commonwealth Minister responsible for specified portfolios such as national security, foreign investment, taxation and industry. The sensitive nature of the protected information (as well as the reasons for its collection) will make it exempt from Freedom of Information requests.
However, there are also further but limited powers to disclose the protected information to State and Territory Ministers and associated staff and agency heads, as well as power to disclose for law enforcement, and with consent. The protected information may only be used to enable or assist the person to exercise his or her powers or perform his or her functions or duties.
What ‘directions’ can the Minister provide?
The Bill gives the Minister broad power to issue directions to do, or refrain from doing, a specified act or thing. The Minister:
- must have received an adverse security assessment in respect of the person to whom the direction is to be given;
- must consult with relevant State or Territory Ministers, as well as the person in question (and give the person at least 28 days’ notice); and
- must take a detailed list of factors into account (including cost, competition outcomes, impact on customers) — but give the greatest weight to the adverse security assessment.
There is little detail in the Bill on the directions that can be made, but the Explanatory Document provides some examples, such as directing owners or operators to refrain from outsourcing operations to certain providers or moving offshore corporate and operating data to a more secure data storage provider.
The Government is seeking written submissions by 10 November 2017.