19 October 2017

Espionage, sabotage and infrastructure: what you need to know about the Security of Critical Infrastructure Bill

This article was written by Louis Chiam, Prudence Buckland and Anthony Di Gregorio.  

Following its launch of the Critical Infrastructure Centre (CIC) earlier this year, the Attorney-General’s Department (AGD) has released an exposure draft of the Security of Critical Infrastructure Bill 2017 (the Bill) as part of a coordinated and strategic framework to respond to the increasing risks of sabotage, espionage and coercion against Australia’s national critical infrastructure.

What does the Bill do?

The Government has identified gaps in its information-gathering powers regarding the ownership and control of critical infrastructure, as well as its power to intervene when there are significant risks to national security related to critical infrastructure.

The Bill seeks to bolster the Government’s ability to manage national security risks by:

  • information — requiring operators or owners of critical infrastructure to provide and update ownership and operational information;
  • Register — establishing a Register of Critical Infrastructure Assets within the AGD to record that information (the Register will not be public); and
  • directions — allowing the Attorney-General, as a last resort, to direct operators of critical infrastructure (and certain others) to do, or refrain from doing, a specified act or thing that is reasonably necessary for purposes relating to eliminating or reducing the risk of an act or omission that would be prejudicial to security.

The Bill would not, however, change Australia’s foreign investment framework under the Foreign Acquisitions and Takeovers Act 1975.

Which ‘assets’ are captured?

The Bill focuses on port assets (it lists ‘critical ports’), water assets (large-scale water or sewerage infrastructure) and electricity assets (distribution and transmission assets, as well as some large-scale generators).

The Bill also gives the Minister power to declare other assets or sectors as ‘critical infrastructure’.  This might include gas pipelines.

Security of internet and telecommunications assets is regulated separately by the recent Telecommunications Sector Security Reforms brought in by the Telecommunications and Other Legislation Amendment Act 2017. Find out more in Critical infrastructure security – what lies ahead for electricity, ports and water?  

What information will you be required to give?

A considerable amount of (commercially sensitive) information must be provided, falling into two broad categories:

  • interest and control information — detailed ownership and corporate governance information about owners and operators of critical infrastructure assets; for example, information on voting and veto rights, rights to appoint directors and other appointees and the level of access to the asset; and
  • operational information — including a description and location of the asset, information about relevant licence holders and the chief operating officer, and information about outsourcing arrangements (for example, arrangements with overseas subcontractors).

How will the information be used and stored?

All information obtained will be ‘protected information’, only disclosable to the Commonwealth Minister responsible for specified portfolios such as national security, foreign investment, taxation and industry.  The sensitive nature of the protected information (as well as the reasons for its collection) will make it exempt from Freedom of Information requests. 

However, there are also further but limited powers to disclose the protected information to State and Territory Ministers and associated staff and agency heads, as well as power to disclose for law enforcement, and with consent.  The protected information may only be used to enable or assist the person to exercise his or her powers or perform his or her functions or duties.

What ‘directions’ can the Minister provide?

The Bill gives the Minister broad power to issue directions to do, or refrain from doing, a specified act or thing. The Minister:

  • must have received an adverse security assessment in respect of the person to whom the direction is to be given;
  • must consult with relevant State or Territory Ministers, as well as the person in question (and give the person at least 28 days’ notice); and
  • must take a detailed list of factors into account (including cost, competition outcomes, impact on customers) — but give the greatest weight to the adverse security assessment.

There is little detail in the Bill on the directions that can be made, but the Explanatory Document provides some examples, such as directing owners or operators to refrain from outsourcing operations to certain providers, or to move offshore corporate and operating data to a more secure data storage provider.

The Government is seeking written submissions by 10 November 2017.
