Last month, Australia’s ongoing law reform aimed at protecting critical infrastructure assets and systems of national significance took a major step towards delivering Australia’s Cyber Security Strategy 2020. The Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) is expected to go before Parliament before the end of 2020.
The Bill is one of several pieces of legislation designed to make the nation more secure against sophisticated cyber threats from external and internal threat actors; it does so by amending the Security of Critical Infrastructure Act 2018 (SOCI Act). The reforms also reflect consultation with the private sector through the ‘Protecting Critical Infrastructure and Systems of National Significance’ consultation paper.
Revised Definitions
The Bill expands the definition of what is considered a critical infrastructure asset and which sectors may contain systems of national significance. The sectors now covered by the Bill are:
- Communications sector;
- Financial Services and Markets sector;
- Data Storage or Processing sector;
- Defence Industry sector;
- Higher Education and Research sector;
- Energy sector;
- Food and Grocery sector;
- Health Care and Medical sector;
- Space Technology sector;
- Transport sector; and
- Water and Sewerage sector.
Furthermore, where an asset is considered both a critical infrastructure asset and a system of national significance, it becomes subject to enhanced cybersecurity obligations.
New Cybersecurity Obligations
The Bill introduces several new obligations that critical infrastructure organizations must meet. These are:
- Positive Security Obligation (PSO): This builds on the SOCI Act to ensure businesses operating critical infrastructure are prepared for threats. The PSO has three parts:
  - Register of Critical Infrastructure Assets: Provides an understanding of who owns, controls and has access to each critical infrastructure asset.
  - Critical Infrastructure Risk Management Program: Requires the responsible entity to maintain a risk management program that identifies, mitigates and responds to threats, with an annual report on the program provided to the Secretary of Home Affairs. Failing to comply with these obligations, or to update the program within the required timeframe, carries financial penalties, with fines ranging between AU$33,000 and AU$45,000.
  - Mandatory notification to the Australian Signals Directorate (ASD) of any breach: This helps build a broader picture of, and a greater understanding of, the threat landscape. The responsible entity must report incidents affecting the asset to the ASD within 24 hours; failing to do so also attracts fines.
- Enhanced Cybersecurity Obligations: These cover the sharing of real-time threat information and intelligence to strengthen the preparedness and response of critical infrastructure entities. They include preparing an incident response plan, undertaking cybersecurity exercises and vulnerability assessments, and providing access to system information to build Australia’s situational awareness. Fines apply for failure to comply with these obligations.
- Government assistance and intervention: Under the Bill, the government may assist or intervene in response to any cyber threat that jeopardizes a critical infrastructure asset and affects the nation and its interests. The conditions in the Bill are broad: should this occur, cooperation and information sharing with the government will be required, and non-compliance can attract fines and imprisonment for up to two years. In certain situations the government may authorize the ASD to respond to the incident directly.
The Future of the Bill
After the current two-week consultation period, the Bill will be introduced to Parliament with the aim of passing both Houses before the end of 2020. Given the government’s current focus on cybersecurity strategy, the Bill may be fast-tracked. However, the tech industry, universities and the Australian Information Industry Association have raised concerns about certain aspects of the Bill, in particular the government’s new direct action power and whether adequate checks and balances are in place for its exercise. Recommendations so far have included an economic impact assessment and a regulatory impact assessment, with further consultation opportunities.
Contact us at Agilient for more information regarding incident response planning and risk management planning.
Author: Saeed Baayoun, Agilient Consultant