On 29 September 2021, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) tabled its long awaited report (the Report) on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the SOCI Bill).
In an attempt to push legislation through Parliament quickly, the PJCIS has recommended that the current version of the SOCI Bill effectively be split into two, allowing what it considers to be the more urgent elements of the package of reforms to be swiftly legislated whilst other matters are left subject to further discussion and industry consultation.
Since late last year, the Australian Government has been working to implement a package of major reforms to the laws aimed at protecting Australia’s ‘critical infrastructure assets’ and ‘systems of national significance’ from sophisticated cyber threats. This took the form of the SOCI Bill, which proposed a number of amendments to the existing Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). For more information, please see our previous article “Reform of Australia’s critical infrastructure laws”.
The SOCI Bill was referred from Parliament to the PJCIS in December 2020 for inquiry and report. As part of their inquiry, the PJCIS invited and considered over 150 submissions, held several public hearings and received private classified briefings regarding the threat environment and increasing hazard of cyber security to critical infrastructure within Australia. As the Report acknowledges, these processes demonstrated the significant disagreement between industry and government in relation to the proposals in the SOCI Bill and how appropriately to respond to cyber threats, with industry particularly concerned about the potential scope of government power to direct and control responses to a cyber incident.
The release of the Report closely follows the eye-opening findings published in mid-September by the Australian Cyber Security Centre (ACSC) in the ACSC Annual Cyber Threat Report, which found that cyber-attacks are increasingly targeting Australia’s critical infrastructure and essential services and escalating in severity and frequency at a rate of one reported attack every 8 minutes.
The PJCIS made 14 recommendations in its Report. The most significant is a recommendation that the SOCI Bill be split into two parts with a view to prioritising the more urgent elements of the legislation and enabling further industry consultation for the less urgent measures:
- Bill One for rapid passage – the PJCIS recommends that the current SOCI Bill be amended (Bill One) to allow certain key elements of the reforms to be implemented. These urgent elements would include:
  - expanding the definition of critical infrastructure sectors and assets that are covered by the SOCI Act so that the Act will create positive security obligations for critical infrastructure assets in a broad range of sectors;
  - requiring mandatory notification of cyber security incidents; and
  - implementing the contentious government assistance and intervention measures, which give government the power to direct an entity to gather information and take certain actions, or to authorise the Australian Signals Directorate (ASD) to intervene in response to cyber-attacks as a “last resort”.
- Bill Two for deferral subject to further consultation – the Report recommended that the remaining elements of the SOCI Bill be deferred and be subject to further consultation with industry. These elements include:
  - the obligation to adopt and maintain risk management programs;
  - the declarations of systems of national significance; and
  - the development of enhanced cyber security obligations, which are to be defined in delegated legislation. In this regard the PJCIS recognised that the current lack of certainty in relation to these aspects of the regulation creates the spectre of an unknown regulatory burden.
The PJCIS recommended that broader stakeholder consensus be obtained through industry consultation, and that any subsequent drafts of Bill Two be referred back to the PJCIS for further review.
In explaining its two-Bill recommendation, the PJCIS referred to Australia’s serious and “rapidly deteriorating cyber security environment”, pointing to factors such as “compelling” evidence of the unprecedented increase and significance of cyber-attacks on critical infrastructure assets and the rapid response required to protect Australian businesses, constraints on the PJCIS’s ability to undertake meaningful analysis and engage with industry and all interested parties due to the COVID-19 pandemic, and the “small and rapidly diminishing window of opportunity to legislate” in the Parliamentary sitting calendar in 2021.
For organisations which may be impacted by these reforms, the table below provides a snapshot of how the provisions in the original SOCI Bill would likely be split up if Parliament were to adopt the PJCIS’s recommendations.
The original proposed timing for passage of the SOCI Bill has already slipped, and it seems clear that there is an appetite to get something passed as soon as possible even if that means deferring some aspects of the Bill. If Parliament agrees with the PJCIS’s recommendations, Bill One could feasibly be passed soon after the next Parliamentary sitting date on 18 October. It is worth noting that whilst Labor members agreed with and endorsed the PJCIS recommendations in additional comments to the Report, they at the same time raised concerns about the absence of independent authorisation and the lack of statutory judicial review in relation to the new government assistance and intervention powers. As it is unclear whether these concerns will be enough to halt the passage of Bill One, owners and operators of assets in impacted sectors may need to be ready to implement the actions required by Bill One within very short timeframes.
Authors: Lesley Sutton, Nikhil Shah and Dal Lim