In support of its published commitment to protect the essential services all Australians rely on, the Australian Government is progressing reforms which include new legislation to help position and protect Australia’s critical infrastructure from cyberattacks. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Critical Infrastructure Bill) introduced a series of new positive security obligations in relation to critical infrastructure assets and the companies that manage them.
The Bill has received some criticisms and a coalition of Tech and Cybersecurity Groups wrote to the Government requesting it reconsider several parts of the Bill.
The Information Technology Industry Council, Australian Information Industry Association and Cybersecurity Coalition sent the open letter to the Minister for Home Affairs, Karen Andrews, on 14 October 2021. The group claim that in its current state “the Bill will create an unworkable set of obligations and set a troubling global precedent”.
The Bill passed into law on 2 December 2021. The criticisms were not addressed.
Summary of criticisms
- The mandatory reporting of a cyber incident should be changed from 12 hours to 72 hours upon becoming aware of the incident;
- Part 3A of the Bill, allowing Ministerial directions and intervention, does not afford reasonable due process and gives the government excessive and far-reaching power which can impact networks, systems and customers of businesses within the critical infrastructure sector;
- There is no mechanism to appeal or review a decision under Part 3A, which sets a dangerous international precedent; and
- The Bill requires further public consultation and should not be fast tracked.
The Critical Infrastructure Bill significantly expands the types of companies which are considered critical infrastructure companies, to include the communications, data storage, financial services, energy, health care, higher education, food and grocery, defence industry and space technology sectors. Therefore, many businesses will be impacted by the mandatory reporting requirements. The Bill requires these businesses to report a cybersecurity incident within 12 hours of becoming aware of the incident. The coalition of Tech and Cybersecurity Groups argue this time period is unreasonably short, diverges from global best practice and should be changed to at least 72 hours. Additionally, the requirement to report all incidents may be an unreasonable burden on certain companies which deal with “millions of threats a week”.
Direction and Intervention Requests
Part 3A of the Critical Infrastructure Bill allows the Minister to make a direction or intervention request as a last resort in response to a cybersecurity incident likely to impact a critical infrastructure asset. Although the Minister is required to assess whether the direction is proportionate, there is no right to appeal or review an application of these powers under Part 3A. The Tech and Cybersecurity Groups have criticised this, arguing it “sets a disturbing precedent for other governments facing similar national security challenges”. Actions under an intervention request include:
- Accessing or modifying computers;
- Analysing computer programs and data;
- Installing a computer program; and
- Adding, restoring, copying, altering or deleting data held in a computer or computer program.
Although these actions need to relate directly to the cybersecurity incident, they are still far-reaching powers with no checks or balances to prevent the Government from overstepping its power.
“Fast-tracking” the Bill
The Parliamentary Joint Committee on Intelligence and Security (the Committee) recommended that parts of the Bill be fast tracked so that some of the powers could be passed urgently. The Committee recommended splitting the Bill into two and including both the mandatory reporting requirements and the information-gathering, direction and intervention powers in the fast-tracked Bill. However, the Bill instead passed both houses in full on 22 November, received assent on 2 December 2021 and is now in force.
It is concerning that the Australian Government fast-tracked the Critical Infrastructure Bill without any further public consultation, even though tech and cybersecurity groups felt it was needed. Although it is important for the Australian Government to introduce laws to help prevent and better deal with cybersecurity incidents, the laws need to be proportionate and contain safeguards to ensure any powers created are not abused.
This article was originally published on OneTrust and is available here.