Intelligence and Security—Parliamentary Joint Committee—Advisory report on the Security of Critical Infrastructure Bill 2017—Report, March 2018



March 2018 CANBERRA

PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

Advisory report on the Security of Critical Infrastructure Bill 2017

Parliamentary Joint Committee on Intelligence and Security

© Commonwealth of Australia

ISBN 978-1-74366-793-4 (Printed Version)

ISBN 978-1-74366-794-1 (HTML Version)

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia License.

The details of this licence are available on the Creative Commons website: http://creativecommons.org/licenses/by-nc-nd/3.0/au/.


Contents

Membership of the Committee

Terms of reference

List of abbreviations

List of recommendations

The Report

1 Introduction

The Bill and its referral

Context of the inquiry

Consultation on the development of the Bill

Conduct of the inquiry

Summary of the Bill

Report structure

2 The case for the reforms

Rationale for the Bill

General views on the objectives and development of the Bill

3 Critical infrastructure asset

Gas sector

Water sector

Other industries

Committee comment

4 Register and other information-related provisions

Register of critical infrastructure assets

Information required to be notified

Direct interest holders

Committee comment

Secretary’s powers

Information-gathering powers

Powers to undertake risk assessments

Protection of information

Committee comment

5 Directions by the Minister

Adverse security assessments

Threshold for exercising direction

Consultation requirements with states and territories

Secretary’s Annual Report

Committee comments

Concluding comments

Appendix A. List of submissions

Appendix B. Witnesses appearing at public hearings

Appendix C. Glossary


Membership of the Committee

Chair

Mr Andrew Hastie MP

Deputy Chair

Hon Anthony Byrne MP

Members

Hon Mark Dreyfus QC, MP

Hon Dr Mike Kelly AM, MP

Mr Julian Leeser MP

Mr Jason Wood MP

Senator the Hon Eric Abetz (from 7/2/18)

Senator David Bushby

Senator David Fawcett

Senator Jenny McAllister

Senator Bridget McKenzie (to 20/12/17)

Senator the Hon Penny Wong


Terms of reference

On 11 December 2017, the then Attorney-General referred the Security of Critical Infrastructure Bill 2017 to the Committee for inquiry and report.


List of abbreviations

ABN Australian Business Number

AEMO Australian Energy Market Operator

APGA Australian Pipelines and Gas Association

APP Australian Privacy Principle

ASIC Australian Securities and Investments Commission

ASIO Australian Security Intelligence Organisation

ASIO Act Australian Security Intelligence Organisation Act 1979

CIC Critical Infrastructure Centre

FIRB Foreign Investment Review Board

RIS Regulation Impact Statement

TISN Trusted Information Sharing Network

TSSR Telecommunications Sector Security Reforms

WSAA Water Services Association of Australia


List of recommendations

Recommendation 1

3.36 The Committee recommends that the Department of Home Affairs, in consultation with the Department of Defence and the Department of the Environment and Energy, review and develop measures to ensure that Australia has a continuous supply of fuel to meet its national security priorities. As part of developed measures, the Department should consider whether critical fuel assets should be subject to the Security of Critical Infrastructure Bill 2017.

The Committee considers that the Department should conclude this review within 6 months. The Department should brief the Committee on the outcomes of the review following its conclusion.

Recommendation 2

4.34 The Committee recommends that the Department of Home Affairs examine the viability of developing a common data entry portal for use across Commonwealth, state and territory databases that require information from the same reporting entities.

Recommendation 3

4.36 The Committee recommends that the Department of Home Affairs develop guidelines for entities subject to the Security of Critical Infrastructure Bill 2017. The guidelines should:

• enable an entity to determine whether it is a reporting entity, and

• provide the entity with an understanding of the specific information it is required to report.

These guidelines should be made available prior to the end of the three-month transition period.

Recommendation 4

4.39 The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to more appropriately define direct interest holder in order to capture the intended full range of ownership arrangements.

Further, the Explanatory Memorandum and the Bill should clarify that:

• moneylenders are not direct interest holders, where they hold an interest in a critical infrastructure asset through a financing arrangement, and

• intermediate and ultimate holding entities are not direct interest holders.

Recommendation 5

4.71 The Committee recommends that the Department of Home Affairs include in guidelines to be developed for entities subject to the Security of Critical Infrastructure Bill 2017, information regarding:

• the high-level criteria by which the Department will assess risk, and

• the process and the engagement that entities should reasonably expect from the Department as part of a risk assessment.

Recommendation 6

4.74 The Committee recommends that the Explanatory Memorandum to the Security of Critical Infrastructure Bill 2017 be amended to list the factors that the Secretary must have regard to, when deciding whether to disclose protected information under sections 42 and 43 of the Bill. Factors should include:

• whether the disclosure is consistent with the objects of the Bill, and

• whether the purpose of the disclosure is proportionate to the sensitivity of the information being disclosed.


Recommendation 7

4.77 The Committee recommends that the Explanatory Memorandum to the Security of Critical Infrastructure Bill 2017 be amended to clarify that the Bill does not affect the operation of existing privacy obligations.

In particular, the Explanatory Memorandum should clarify that section 39 does not affect the operation of Australian Privacy Principle 11.2 and the Department of Home Affairs, as the administering agency, would need to destroy personal information if it was no longer necessary.

Recommendation 8

5.39 The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to require the relevant Minister to provide, to the subject entity, notice of an adverse security assessment given in connection to the Bill and merits review rights.

The Committee considers that the Bill should be amended to align with requirements under section 38A of the Australian Security Intelligence Organisation Act 1979.

Recommendation 9

5.47 The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to require the Parliamentary Joint Committee on Intelligence and Security to review the operation, effectiveness and implications of the reforms, commencing within three years of the Bill receiving Royal Assent.

The review should consider the appropriateness of a unified scheme to cover all critical infrastructure assets, including telecommunications assets.

The review should also consider circumstances that the Minister has used the private declaration power under section 51.

Recommendation 10

5.52 The Committee recommends that, subject to the above recommendations being accepted, the Security of Critical Infrastructure Bill 2017 be passed.


1. Introduction

The Bill and its referral

1.1 On 7 December 2017, Senator the Hon Mathias Cormann, Minister for Finance and then Deputy Leader of the Government in the Senate, introduced the Security of Critical Infrastructure Bill 2017 (the Bill) into the Senate.

1.2 In his second reading speech, Minister Cormann stated that the Bill

will ensure the government has the necessary powers to protect Australia from the national security threats of sabotage, espionage and coercion stemming from malicious foreign involvement in our critical infrastructure.1

1.3 On 11 December 2017, the then Attorney-General, Senator the Hon George Brandis QC, wrote to the Committee to refer the provisions of the Bill for inquiry and to request it report by 2 March 2018. He further requested that the Committee should, as far as possible, conduct its inquiry in public.

1.4 In the letter, the then Attorney-General informed the Committee that the Bill’s measures support the work of the Critical Infrastructure Centre (CIC). The CIC works across all levels of government and with critical infrastructure owners and operators to identify and manage national security risks of espionage, sabotage and coercion in the high-risk electricity, gas, ports and water sectors.

1 Senator the Hon Mathias Cormann, Minister for Finance, Senate Hansard, 7 December 2017, p. 10095.


Context of the inquiry

1.5 In his second reading speech, Minister Cormann said that

increasing foreign involvement in our national critical infrastructure means that Australia's critical infrastructure is more exposed than ever to sabotage, espionage and coercion.2

1.6 Minister Cormann explained:

Foreign involvement can increase a malicious actor's ability to access and control Australia's critical infrastructure. Such access could enable them to target activity in a way that can affect the continuity of services to citizens, as well as having extreme consequences for other dependant infrastructure or defence assets.3

1.7 With respect to the national significance of critical infrastructure, Minister Cormann stated:

Critical infrastructure is integral to the prosperity of the nation. Secure and resilient infrastructure underpins the effective functioning of Australian society - ensuring we have continuous access to essential services for everyday life, such as food, water, energy and communications.4

1.8 The CIC was established on 23 January 2017. The CIC collaborates with asset owners, asset operators and state and territory regulators to identify risks, implement asset-specific mitigation strategies, and develop sector-wide best practice guidelines.5 The CIC engages with asset owners and operators through the Trusted Information Sharing Network (TISN), and directly as needed.6

1.9 The TISN is Australia's primary national engagement mechanism for business-government information sharing and resilience building initiatives for critical infrastructure.7 The TISN provides a secure environment for critical infrastructure owners and operators across eight sector groups to cooperate within and across sectors to address security and business continuity challenges.

2 Senator the Hon Mathias Cormann, Minister for Finance, Senate Hansard, 7 December 2017, p. 10095.

3 Senator the Hon Mathias Cormann, Minister for Finance, Senate Hansard, 7 December 2017, p. 10095.

4 Senator the Hon Mathias Cormann, Minister for Finance, Senate Hansard, 7 December 2017, p. 10095.

5 Department of Home Affairs, Submission 9, p. 10.

6 Department of Home Affairs, Submission 9, p. 10.

1.10 The Bill builds upon the Telecommunications Sector Security Reforms (TSSR), which manage national security risks in the telecommunications sector. The Committee reviewed the Telecommunications and Other Legislation Amendment Bill 2016, which gave effect to TSSR, and tabled its advisory report on 30 June 2017.

Consultation on the development of the Bill

1.11 The development of the Bill was subject to consultation prior to introduction into the Senate. The Explanatory Memorandum refers to the release of a discussion paper in February 2017, separate rounds of consultation with states, territories and industry in March and June 2017, and the release of an exposure draft for five weeks of public consultation in October 2017.8

1.12 In his second reading speech, Minister Cormann advised that the Bill introduced reflects consultation with state and territory governments and industry stakeholders:

The government has made some important changes to the bill in response to the exposure draft consultations. This includes refining key definitions, strengthening consultation requirements, and applying the legislation to specific critical assets in the gas sector.9

Conduct of the inquiry

1.13 The Committee announced the inquiry by media release on 15 December 2017 and invited submissions from interested members of the public by 2 February 2018.

1.14 The Committee received 11 submissions and two supplementary submissions from industry, government and other organisations. A list of submissions received by the Committee is at Appendix A.

7 Information about the TISN is available on its website: https://www.tisn.gov.au/Pages/default.aspx

8 Explanatory Memorandum, pp. 6-7.

9 Senator the Hon Mathias Cormann, Minister for Finance, Senate Hansard, 7 December 2017, p. 10095.


1.15 The Committee held a public hearing on 9 February 2018. The Committee also received one private briefing from relevant agencies in Canberra. A list of hearings and witnesses who appeared before the Committee is included at Appendix B.

1.16 Copies of submissions received and transcripts of public hearings can be accessed on the Committee’s website at: http://www.aph.gov.au/pjcis. Links to the Bill and the Explanatory Memorandum are also available on the Committee’s website.

Summary of the Bill

1.17 The Bill introduces two new key measures, namely a register of critical infrastructure assets and ministerial directions powers. In summary:

• The Bill requires the Secretary to maintain a register and requires owners and operators of specified critical infrastructure assets to provide specific, high-level information concerning the ownership and operation of the asset, and

• The Bill establishes a directions power, which will enable the Minister to issue a direction to an owner or operator of a critical infrastructure asset to mitigate national security risks that cannot be managed through cooperation or existing regulatory mechanisms.

  • Before being able to issue a direction, the Minister is required to be satisfied of certain matters, to consult with stakeholders, and give consideration to a range of factors.

  • The direction power is modelled on a similar power in the TSSR.

1.18 The Bill will apply to a specified set of critical infrastructure assets in the high-risk electricity, water, gas and ports sectors (approximately 140 assets in total). Recognising the importance of responding to changes in the national security landscape, the assets, or categories of assets, captured by the legislation can be amended through rules or the Minister’s private declaration power.

1.19 The Bill also has protection and offence provisions for sensitive commercial information that entities provide as part of the reporting obligation or information-gathering power. Access to, and use of, this information is restricted to certain persons and specific purposes.

1.20 The Bill includes a transition period of three months following commencement, to allow entities time to gather information and report required information. Following initial reporting, entities must notify of changes within 30 days of a notifiable event.

1.21 Non-compliance with reporting obligations, a written requirement from the Secretary for information or documents, or a direction from the Minister will attract civil penalties, including civil pecuniary penalties, enforceable undertakings and injunctive relief.

Report structure

1.22 This report consists of five chapters:

• This chapter sets out the context and conduct of the inquiry, as well as a brief summary of the Bill,

• Chapter 2 examines the case for the reforms,

• Chapter 3 examines the definition of ‘critical infrastructure asset’ and the intended coverage of assets,

• Chapter 4 examines the Register and other information-related provisions, including provisions that protect sensitive information from unauthorised use and disclosure, and

• Chapter 5 examines the Minister’s ability to direct reporting entities and operators of critical infrastructure assets.


2. The case for the reforms

Rationale for the Bill

2.1 The stated objective of the Bill is to provide a ‘risk-based regulatory framework to manage national security risks from foreign involvement in Australia’s critical infrastructure’.1 The Bill focuses primarily on the risk of sabotage, espionage and coercion in ‘Australia’s highest-risk critical infrastructure sectors’ of electricity, gas, ports and water.2

2.2 Governments and industry members alike recognise the importance of foreign involvement, in its various forms, in Australia. The Explanatory Memorandum states that

foreign involvement in the economy and in Australia’s infrastructure … plays an important and beneficial role in supporting economic growth, creating employment opportunities, improving consumer choice, and promoting healthy competition, while increasing Australia’s competitiveness in global markets.3

2.3 Energy Networks Australia stated:

Many network service providers are owned wholly or partly by foreign entities. Foreign investment in Australian energy networks delivers valuable benefits for Australia’s economy and community, in supporting economic growth, creating employment opportunities, and supporting Australia’s competitiveness in global markets.4

1 Explanatory Memorandum, p. 15.

2 Explanatory Memorandum, p. 7.

3 Explanatory Memorandum, p. 3.

2.4 The Northern Territory Government described the particular importance of foreign involvement from the territory’s perspective:

Large scale commercial ventures such as the Inpex gas plant currently under construction are vital to both the Northern Territory economy and the Commonwealth’s developing northern Australia agenda.5

2.5 The Explanatory Memorandum indicated that the Australian context has evolved, leading to an increasingly complex national security picture of critical infrastructure:

With increased privatisation, outsourcing and offshoring of supply chain arrangements, and the shift in Australia’s international investment profile, critical infrastructure is more exposed than ever to sabotage, espionage and coercion.6

2.6 Witnesses raised similar concerns during the Committee’s inquiry into the Foreign Influence Transparency Scheme Bill 2017 and National Security Legislation Amendment (Espionage and Foreign Interference) Bill 2017. For example, one witness expressed growing concerns, in the international and domestic domain, of foreign intelligence activities in critical infrastructure:

[I]n the United States there's increasing concern from defence and intelligence agencies about the role of Chinese corporations, state-owned and private—private with links to the government or intelligence agencies—gaining a foothold, or more than a foothold, in infrastructure—power, telecommunications and so on.

The same concern is clearly manifest perhaps not quite as much in Australia's defence community but certainly in the intelligence community, and it seems to me and others who understand the objective of the [People’s Republic of China] a really great folly to allow Chinese corporations to get close access to our critical infrastructure.7

4 Energy Networks Australia, Submission 3, p. 1.

5 Northern Territory Government, Submission 1, p. 3.

6 Explanatory Memorandum, p. 15.

7 Parliamentary Joint Committee on Intelligence and Security, Review of the Foreign Influence Transparency Scheme Bill 2017 and Review of the National Security Legislation Amendment (Espionage and Foreign Interference) Bill 2017, Professor Clive Hamilton, Committee Hansard, Canberra, 31 January 2018, p. 52.

2.7 The Department of Home Affairs outlined existing efforts to manage national security risks in critical infrastructure:

While longstanding government-business partnerships such as the Trusted Information Sharing Network, TISN, and ASIO's Business and Government Liaison Unit, for example, have been effective in facilitating information sharing and enabling critical infrastructure to manage a wide range of risks as part of their normal business continuity, the risks of sabotage, espionage and coercive influence in critical infrastructure are not as well understood or managed.8

2.8 The Explanatory Memorandum states that the Foreign Investment Review Board (FIRB) process assists with managing national security risks in critical infrastructure, but has limitations:

The FIRB process is one existing mechanism through which the Government can implement mitigations. However, this only applies to foreign investments above certain thresholds at the time of the proposed transaction. It is not possible to use it as a mechanism to address risks in outsourcing or offshoring for assets owned by domestic entities or where sales fall outside of the FIRB screening thresholds.9

2.9 The Foreign Acquisitions and Takeovers Act 1975 dictates the FIRB process. In some industries, the FIRB does not screen acquisitions that are equal to, or less than, $1,134 million.10 Acquisitions in ‘sensitive businesses’, as defined by the legislation, can have lower thresholds, depending on the country of the investor and industry of the target business. Sensitive businesses appear to exclude water, gas and electricity, which the Explanatory Memorandum to the Bill describes as ‘highest risk sectors’.11

8 Mr Pablo Carpay, First Assistant Secretary, Critical Infrastructure Security, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 13.

9 Explanatory Memorandum, p. 6.

10 Foreign Acquisitions and Takeovers Act 1975, Division 2. A summary of FIRB monetary thresholds is available at http://firb.gov.au/exemption-thresholds/monetary-thresholds.

11 Foreign Acquisitions and Takeovers Regulation 2015, cl 22 defines ‘sensitive business’.

2.10 As stated in Chapter 1, the then Attorney-General advised that the Bill supports the work of the CIC. Since being established in January 2017, the CIC has been working to identify national security risks and develop mitigations in critical infrastructure assets. The Explanatory Memorandum describes the CIC’s approach to identifying and developing risk mitigations:

The Centre aims to build on these [long-standing government-business] partnerships to address the specific national security risks from foreign involvement in critical infrastructure …

Once the Centre has assessed the risks from foreign involvement in an asset, it looks to work collaboratively with the asset owner to develop and implement proportionate mitigations to address the risks.12

2.11 The Regulation Impact Statement (RIS) refers to information gaps that have prevented the CIC from achieving this objective:

[T]he Centre cannot undertake a comprehensive risk assessment without understanding how the asset and sector operates and where there may be vulnerabilities. To determine what vulnerabilities may exist, it is essential to have a detailed understanding of who owns, controls and has access to a particular asset … However, critical asset owners often treat this information as commercial-in-confidence and may be reluctant to share with government unless required to do so.13

2.12 The Explanatory Memorandum also notes challenges in identifying and understanding ownership, control over, and access to, a critical infrastructure asset:

Further, while ownership is an important aspect, the degree of control and access through outsourcing and offshoring arrangements can also be difficult to establish, as they are often detailed in complex contractual arrangements.14

General views on the objectives and development of the Bill

2.13 Broadly, governments and organisations support the underlying national security objectives of the Bill. For example, Energy Networks Australia stated:

12 Explanatory Memorandum, p. 5.

13 Explanatory Memorandum, p. 91. The Explanatory Memorandum includes the RIS.

14 Explanatory Memorandum, p. 5.


Energy Networks Australia recognises that security and resilience of critical infrastructure is necessary to support Australia’s society, economy and future prosperity.15

2.14 The South Australian Government stated that it also

supports the intent of the Bill as a mechanism to mitigate against the risks associated with foreign ownership and control.16

2.15 Some industry members considered that the Bill’s focus on risks arising from foreign ownership, control and access is too narrow:

The legislation directs that water utilities view foreign ownership as a critical risk, in line with many other normal risks such as extreme weather and failure to supply safe drinking water. This approach appears to support a particular direction, without a robust recognition that the consideration of wider and existing prioritised risks have higher risk ratings and operational impacts.17

2.16 Similarly, the Australian Pipelines and Gas Association (APGA) stated that while it ‘supports the intent’ of the Bill,

APGA is concerned that the function of the CIC is focussed solely on national security risks in respect to foreign involvement. The scope to cover National Security Risks for critical infrastructure should be wider than just foreign involvement.18

2.17 The APGA considered that the consultation process during the development of the Bill was ‘not an ideal process’:

We engaged with the Critical Infrastructure Centre first in March last year as the scope of the organisation in this bill was being determined, and they were consulting with a number of infrastructure organisations and infrastructure sectors about which infrastructure should be included in the bill. They reached their conclusions, and in October the draft bill was released, and it covered electricity, ports and water. So we no longer thought that we were part of the first round of consideration for the process, and we didn't pay too much attention to it from there. And then, come the start of November, about 10 business days before the public consultation on the draft bill closed, gas companies started getting emails from the Critical Infrastructure Centre saying that a decision had been made to include gas infrastructure in the draft bill.

15 Energy Networks Australia, Submission 3, p. 1.

16 South Australian Government, Submission 7, p. 6.

17 Water Services Association of Australia, Submission 8, p. 3.

18 Australian Pipelines and Gas Association, Submission 6, p. 2.


We have no understanding of the decision-making process that originally decided that gas didn't need to be included in the bill and then subsequently did need to be included in the bill.19

2.18 The Water Services Association of Australia (WSAA) made similar remarks about the

lack of detailed consultation with industry in the preparation of the bill. Particularly the approach taken to use the ‘inform’ mode of consultation rather than collaborate or empower.20

2.19 The Department of Home Affairs explained that there had been a ‘sector-wide consultation process’ and that

[e]ach of the sectors was probably represented but the ability to sort of meet with everybody individually—there is a fair bit of diversity there; I think there were more than 700 people attending a whole range of sessions.21

2.20 At the public hearing on 9 February 2018, the Department of Home Affairs informed the Committee that it had committed to meet with representatives from the APGA and the WSAA, and ‘engage more deeply with them’.22

19 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 1.

20 Water Services Association of Australia, Submission 8, p. 4.

21 Mr Pablo Carpay, First Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 19.

22 Mr Pablo Carpay, First Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 19.


3. Critical infrastructure asset

3.1 This chapter discusses the types of critical infrastructure assets that the Bill captures.

3.2 Section 9 of the Bill defines critical infrastructure assets as:

• a critical water asset,
• a critical electricity asset,
• a critical port,
• a critical gas asset,
• an asset that the minister declares privately under section 51 of the Bill, and
• an asset that the rules prescribe.

3.3 The Bill contains definitions of a critical water asset, critical electricity asset, critical port and critical gas asset. In each of these definitions, except for a critical port, the Bill provides thresholds for criticality. For example, subsection 10(1)(a) of the Bill states that ‘a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers’ is a critical electricity asset. The Bill lists specific assets as critical ports in section 11.

3.4 Subsection 9(2) of the Bill allows the rules to prescribe that a critical electricity asset, critical water asset, critical port or critical gas asset is not a critical infrastructure asset.

3.5 The Explanatory Memorandum states that the definition of critical infrastructure asset ‘minimises the regulatory burden by ensuring the legislation and its obligations only apply to Australia’s highest-risk critical infrastructure assets’.1 The Explanatory Memorandum identifies the telecommunications, electricity, gas, water and ports sectors as the highest-risk sectors and notes that TSSR is managing risks in the telecommunications sector.2

1 Explanatory Memorandum, p. 29.

3.6 The South Australian Government argued that using the term, ‘critical infrastructure asset’, in the Bill may create potential confusion:

The concept ‘critical infrastructure’ would not be appropriate for this Bill, given the Bill is only intended to apply to a subset of critical infrastructure and address specific concerns associated with foreign ownership and control.3

3.7 Additionally, the South Australian Government had concerns about the definition of each category of critical infrastructure asset. In particular, it was concerned that the definitions attach to the physical infrastructure and not, for example, to the water utility that operates the physical infrastructure:

[T]he EM only serves to confound the issue by indicating (contrary to the express definitions in the Bill) that a utility or other entity may itself be, or form part of, a critical infrastructure asset.4

Gas sector

3.8 Section 12 of the Bill defines a ‘critical gas asset’ as:

• a gas processing facility that has a capacity of at least 300 terajoules per day or any other capacity prescribed by the rules,
• a gas storage facility that has a maximum daily quantity of 75 terajoules per day or any other quantity prescribed by the rules,
• a network or system for the distribution of gas to ultimately service at least 100 000 customers or any other number of customers prescribed by the rules, or
• a gas transmission pipeline that is critical to ensuring the security and reliability of a gas market, in accordance with rules.

3.9 The Explanatory Memorandum states that the reason that the gas sector is included in the Bill is that

Gas in Australia is an important energy source, an export commodity and an input for a wide range of industrial, commercial and residential uses. Gas is particularly important for gas powered electricity generators which account for approximately 20 per cent of Australia’s electricity, and manufacturing which relies on gas for approximately 40 per cent of net energy requirements.5

2 Explanatory Memorandum, p. 30.

3 South Australian Government, Submission 7, p. 4.

4 South Australian Government, Submission 7, pp. 4, 7.

3.10 The Explanatory Memorandum states that the Bill will capture four key components involved in ensuring the security and availability of gas for the domestic and export markets—gas processing, storage, distribution and transmission.6 The Explanatory Memorandum describes the types of gas transmission assets that the Bill intends to capture:

• Transmission assets that are critical for transporting gas from processing plants to major demand centres for distribution networks or large gas users such as electricity generators and industrial users, and to certain facilities and hubs for export purposes.7

3.11 The Explanatory Memorandum also states the intended thresholds for gas transmission assets:

• Subclause 12(2) prescribes that the rules will specify the basis for determining critical transmission assets captured by the Act once in force. This is to be based on a set terajoule capacity per day for the particular market the transmission asset services. The intended thresholds for each market are:
  • Eastern market - 200 terajoules per day
  • Northern market - 80 terajoules per day
  • Western market - 150 terajoules per day8

3.12 The APGA argues that gas transmission infrastructure should not be captured by the Bill, or at the least, the Bill should be amended to adopt a less intrusive means of achieving the Bill’s intent, as

these entities [direct customers of gas infrastructure (in particular gas transmission infrastructure)] place reliability and security of supply and the confidentiality of information at the forefront of their requirements when negotiating energy supply arrangements.9

5 Explanatory Memorandum, p. 30.

6 Explanatory Memorandum, p. 33.

7 Explanatory Memorandum, p. 33.

8 Explanatory Memorandum, p. 33.

9 Australian Pipelines and Gas Association, Submission 6, pp. 1-2.

3.13 The APGA ‘acknowledges that some positive changes were made to the proposed thresholds in response to feedback received from gas industry stakeholders in November’.10 However, APGA suggests that the thresholds for captured gas transmission assets should extend beyond capacity:

the characteristics that are relevant to a determination that a gas transmission pipeline is critical infrastructure for the purposes of the draft bill are:

• Capacity;
• Number of customers; and
• Type of customers.11

Water sector

3.14 Section 5 of the Bill defines a ‘critical water asset’ as a water or sewerage system or network that is used to ultimately deliver services to at least 100 000 water connections or 100 000 sewerage connections under the management of a water utility.

3.15 The Explanatory Memorandum states that the reason that the water sector is included in the Bill is that

[a] clean and reliable supply of water is essential to all Australians, including other critical infrastructure sectors. A disruption to Australia’s water supply or water treatment facilities could have major consequences for the health of citizens and impact the diverse range of businesses that rely on water—from the cooling towers used at power stations to food processing. Water providers also hold large data sets about customers and their water usage.12

3.16 The Explanatory Memorandum states that the thresholds for critical water asset, as set out in section 5, were determined by considering the following factors:

• Large population hubs:
  • The Bureau of Meteorology currently uses 100,000 connections as its highest data point to capture the water utilities servicing the major population hubs in Australia.
  • Total residential population serviced - the assets captured by this definition individually service at least 275,000 people. As a collective, these utilities service 80% of Australia’s population.

10 Australian Pipelines and Gas Association, Submission 6, p. 7.

11 Australian Pipelines and Gas Association, Submission 6, p. 7.

12 Explanatory Memorandum, p. 30.


• Economic interests: Gross value added - the assets captured contribute approximately 75% of Australia’s gross value added.
• Critical infrastructure interdependencies - as the utilities captured service the major population hubs in Australia, their interdependencies include:
  • data centres—including holders of bulk data and Government data;
  • hospitals and other health services;
  • electricity generation assets, and;
  • telecommunications - the supply of water is important for some telecommunications infrastructure for heating ventilation and air conditioning purposes.13

3.17 The WSAA suggested that a threshold of 100 000 connections may be too narrow and does not capture water utilities that have limited connections, but important reliance, such as electricity generation.14 In particular, the WSAA argued that

The current approach to classifying critical water infrastructure based on numbers of property connections highlights a fundamental lack of understanding of the way water infrastructure works and links to other critical infrastructure.15

3.18 The WSAA suggested that it would like to understand the specific water assets that the Bill will cover, but was not necessarily seeking legislative clarification.16 The WSAA acknowledged the ability to prescribe other entities in rules, but argued that greater upfront certainty would allow utilities to ‘provide budgets and to avoid unnecessary costs on customers’.17

3.19 The Department of Home Affairs argued that the current legislative thresholds capture interdependencies, to the extent that the Department currently understands.18 However, the Department of Home Affairs also noted that it could only understand a detailed systems picture in deep consultation with industry, during the risk assessment process.19 The Department of Home Affairs stated an intention to engage on specific cases and through the Trusted Information Sharing Network to understand those points of criticality and interdependency.20

13 Explanatory Memorandum, p. 19.

14 Dr Greg Ryan, Manager Utility Excellence, Water Services Association of Australia, Committee Hansard, Canberra, 9 February 2018, p. 10.

15 Water Services Association of Australia, Submission 8, p. 3.

16 Dr Greg Ryan, Manager Utility Excellence, Water Services Association of Australia, Committee Hansard, Canberra, 9 February 2018, pp. 10-11.

17 Dr Greg Ryan, Manager Utility Excellence, Water Services Association of Australia, Committee Hansard, Canberra, 9 February 2018, p. 10.

18 Ms Samantha Chard, Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 17.

Other industries

3.20 Some submissions questioned whether other industries may be worth including as critical infrastructure assets. For example, Doctors Against Forced Organ Harvesting suggested that the Bill should also cover healthcare:

We highly recommend this area be incorporated into the framework, as investment into Australia's healthcare by foreign companies presents a significant threat of large-scale medical records theft and cyber attacks and opens doors for potential abuse.21

3.21 The Department of Home Affairs argued that other industries, which the Bill does not apply to, have lower risk profiles:

While other critical infrastructure sectors, including banking and finance, health and aviation are at risk from espionage, sabotage and coercion, the level of existing regulation in place lowers their risk profile.22

3.22 The Northern Territory Government argued that the fuel sector should be included as a critical infrastructure asset in the near future:

The largely foreign owned fuel market and supply chain in Australia would be subject to the same national security risks of sabotage, espionage and coercion, as outlined in the Bill.23

19 Ms Samantha Chard, Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 17.

20 Ms Samantha Chard, Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 17.

21 Doctors Against Forced Organ Harvesting, Submission 5, p. 1.

22 Department of Home Affairs, Submission 9, p. 6.

23 Northern Territory Government, Submission 1, p. 6.

3.23 At the public hearing, the Committee raised concerns about whether the Bill should apply to fuel infrastructure, such as refineries, and the Committee questioned the capacity of states and territories to use other nodes of distribution during a disruption to fuel supply. The Committee referred to inquiries by other Parliamentary Committees in recent years and reports that had been considered in the context of those inquiries.24 A 2013 report, Australia’s liquid fuel security, by John Blackburn AO, argued that Australia’s ‘liquid fuels supply resilience in the face of a potential range of supply shocks is fragile’ due to

[t]he very small consumption stockholdings in this country, combined with what appears to be narrow assessment of our liquid fuels supply chain vulnerabilities.25

3.24 The report further suggested that refineries can be subject to similar liquid fuel supply risks as ports:

There is little to no surplus tankage for crude oil at refineries so a delay in arrival of oil shipments could interrupt fuel production. As with ports, refineries can be subject to disruption by a range of incidents including accidents, catastrophic equipment failures, industrial action, natural disasters and terrorist attacks.26

3.25 The House of Representatives Standing Committee on Economics, Report on Australia’s oil refinery industry, published in January 2013, refers to closures of refineries that resulted in a reduction in Australia’s refining capacity, leading to a lack of fuel supply in the Australian market.27 However, the report states that the lack of supply was not due to the lack of international supply of crude or refined fuel.28 The report also concludes that:

24 House of Representatives Standing Committee on Economics, Report on Australia’s oil refinery industry, January 2013; Senate References Committee on Rural and Regional Affairs and Transport, Report on Australia’s transport energy resilience and sustainability, June 2015; John Blackburn AO’s report, Australia’s Liquid Fuel Security, was Attachment 1 to Submission 18, National Roads and Motorists’ Association, to that Senate Committee inquiry.

25 Senate References Committee on Rural and Regional Affairs and Transport, Inquiry into Australia’s transport energy resilience and sustainability, National Roads and Motorists’ Association, Submission 18, Attachment 1, pp. 14-15.

26 Senate References Committee on Rural and Regional Affairs and Transport, Inquiry into Australia’s transport energy resilience and sustainability, National Roads and Motorists’ Association, Submission 18, Attachment 1, pp. 14-15.

27 House of Representatives Standing Committee on Economics, Report on Australia’s oil refinery industry, January 2013, p. 67.

28 House of Representatives Standing Committee on Economics, Report on Australia’s oil refinery industry, January 2013, p. 67.


Our liquid fuel energy security remains largely unchanged from 2009 and is assessed as high trending to moderate in the long term. High energy security is when the economic and social needs of Australia are being met.29

3.26 The Department of Home Affairs indicated that the fuel sector did not meet the same risk threshold as gas, electricity, water and ports due to the diversity and disaggregated supply of liquid fuels in Australia.30

3.27 The Department of the Environment and Energy suggested that a disruption to a fuel refinery would have regional impacts, but the geographical dispersion of the fuel market and ability to divert resources would reduce the impact on the overall sector.31 Further, the Department of the Environment and Energy noted that the intent of the Bill was not to address vulnerabilities associated with domestic liquid fuel requirements.32

Committee comment

3.28 The Committee supports the need to manage national security risks arising from malicious foreign involvement in critical infrastructure. The Committee supports the intent of the Bill in attempting to strike an appropriate regulatory balance while providing the necessary powers and functions to manage national security risks. The Committee notes that state and territory governments, industry and organisations support the general intent of the Bill. However, witnesses have expressed concerns about some aspects of the Bill.

3.29 As indicated in Chapters 1 and 2, the Bill was subject to consultation during its development. The Committee appreciates some industry concerns expressed about this consultation process. The Committee has sought to strengthen the Bill incorporating feedback from these industry members. The Committee is satisfied that the Department of Home Affairs will take additional steps to engage more deeply with industry bodies. The Committee notes that aside from industry bodies from the gas transmission and water sectors, the Committee did not receive evidence of concerns from representatives in other industries captured by the Bill.

29 House of Representatives Standing Committee on Economics, Report on Australia’s oil refinery industry, January 2013, p. 66.

30 Mr Pablo Carpay, First Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 20.

31 Ms Helen Bennett, Assistant Secretary, Department of the Environment and Energy, Committee Hansard, Canberra, 9 February 2018, p. 20.

32 Ms Helen Bennett, Assistant Secretary, Department of the Environment and Energy, Committee Hansard, Canberra, 9 February 2018, p. 21.

3.30 The Committee notes the establishment of the CIC, which would lead implementation of the provisions proposed in the Bill. In particular, the Committee supports the CIC’s collaborative approach to working with industry.

3.31 The Committee considered concerns raised regarding thresholds and definitions of critical infrastructure assets in the Bill. However, the Committee is satisfied that the proposed approach will provide the clarity and security required to manage national security risks.

3.32 The Committee also considered industry concerns that the Bill may exclude assets that have limited capacity, connections or customers and do not meet the thresholds, but are important because they provide a service to other dependent critical infrastructure assets. The Committee notes that the Bill allows the Minister, in certain circumstances, to add assets or industries. The Committee concludes that this power will provide sufficient flexibility for circumstances where the risk profile of industries may increase over time or where assets with significant interdependencies are identified.

3.33 While the Committee is satisfied that other critical infrastructure industries should not be included in the Bill at this time, the Committee notes the national importance of ensuring a continuous supply of fuel. There are identified supply chain vulnerabilities in the fuel sector in Australia and the Committee is concerned that these risks are actively managed in the most appropriate manner. In particular, the Committee considers there is a serious requirement to assess these vulnerabilities, and test the effectiveness of any existing or potential risk mitigations, particularly in scenarios of heightened geopolitical tensions.

3.34 The Committee notes the need to examine Australia’s security of fuel supply and dependence upon fuel from a national perspective, involving collaborative efforts between governments and industry. The Committee notes that other countries, such as Sweden, may have undertaken work to date in this field, which may provide valuable models for the development of an appropriate Australian response.

3.35 The Committee recommends that the Department of Home Affairs undertake a national security review of the fuel industry. The Department of Home Affairs should develop measures to ensure Australia has a continuous supply of fuel to meet its national security priorities. To ensure that these measures are appropriate, the Committee considers that the Department of Home Affairs should brief the Committee on the outcomes of the review following its conclusion.

Recommendation 1

3.36 The Committee recommends that the Department of Home Affairs, in consultation with the Department of Defence and the Department of the Environment and Energy, review and develop measures to ensure that Australia has a continuous supply of fuel to meet its national security priorities. As part of developed measures, the Department should consider whether critical fuel assets should be subject to the Security of Critical Infrastructure Bill 2017.

The Committee considers that the Department should conclude this review within 6 months. The Department should brief the Committee on the outcomes of the review following its conclusion.


4. Register and other information-related provisions

4.1 This chapter discusses:

• the register of critical infrastructure assets—the Bill places obligations on reporting entities of critical infrastructure assets to notify the Secretary of certain information,
• Secretary’s powers—the Bill provides the Secretary with new information-gathering powers and an ability to undertake risk assessment of critical infrastructure assets, and
• information sharing and confidentiality—the Bill sets out how information obtained under the Bill may be used and disclosed.

Register of critical infrastructure assets

4.2 Section 19 of the Bill requires the Secretary of the Department of Home Affairs to keep a Register of Critical Infrastructure Assets (the Register). The Bill requires that this Register is not made public.

4.3 The Bill places reporting obligations on reporting entities, which are direct interest holders and responsible entities:

• Direct interest holders must provide notice of interest and control information. The Bill defines direct interest holder as an entity that ‘holds a legal or equitable interest of at least 10 per cent in the asset’, or ‘holds a lease of, or an interest in, the asset that puts the entity in a position to directly or indirectly influence or control the asset’.


• Responsible entities must provide notice of operational information. The Bill defines responsible entities differently depending on the sector. For example, for critical electricity assets or critical gas assets, the responsible entity is the entity that holds the licence, approval, or authorisation to operate the asset to provide the service to be delivered by the asset.

4.4 The Explanatory Memorandum states that the Register will

assist the Government to identify who owns and controls the asset, its board structure, ownership rights of interest holders, and operational, outsourcing and offshoring information.1

Information required to be notified

4.5 Section 6 of the Bill defines the following information as interest and control information:

• the name of entities,
• the Australian Business Number (ABN) or other business number,
• for non-individuals, the principal address and country of incorporation,
• for individuals, citizenship, residential address and country,
• the type and level of interest the entity holds in the asset or “first entity”,
• information about the influence or control the first entity is able to exert on the asset, including decision-making and governance,
• information about the ability of an appointed person to directly access networks or systems, necessary for the operation or control of the asset, and
• any other information prescribed by rules.

4.6 Section 7 of the Bill defines the following information as operational information:

• location of the asset,
• a description of the area the asset services,
• the name, ABN (or other number), address and incorporation country of each entity that is the responsible entity or operator of the asset,
• the full name and citizenship of the Chief Executive Officer of the responsible entity,
• a description of arrangements under which each operator operates the asset or a part of the asset,

1 Explanatory Memorandum, p. 9.


• a description of arrangements under which data prescribed by the rules relating to the asset is maintained, and
• any other information prescribed by rules.

4.7 The Bill requires reporting entities to notify the Secretary within 30 days of a notifiable event. Section 26 of the Bill defines a notifiable event as:

• Information previously obtained by the Secretary becoming incorrect or incomplete - for example, an entity needs to update its circumstances due to a change in operation arrangements,
• An entity becoming a reporting entity - for example, by acquiring a direct interest of 10 per cent or more in the asset, or
• A reporting entity becoming an entity to which the Bill applies - for example, an entity that is not covered by the Bill changes its structure and becomes an incorporated body.2

4.8 The Explanatory Memorandum states that the Register will ‘impose a minimal compliance burden on industry’.3

4.9 APGA suggested that the cost of complying with reporting obligations would not be ‘huge’:

As I've already alluded to in the scheme of cost to a business, it is not a huge cost but one of the challenges is, when you have to start providing duplicate information to multiple agencies, they invariably request it in different formats.4

4.10 The Department of Home Affairs also stated that

the information we are requesting in the baseline reporting is fairly minimal. It's fairly light touch. It's not a lot of information.5

4.11 The RIS states that leveraging information from existing sources to create a Commonwealth register for critical infrastructure was an option that was considered.6 In considering this option, the RIS refers to existing information held by the Australian Securities and Investments Commission (ASIC) and the Australian Energy Market Operator (AEMO), but states that

2 These examples appear in the Explanatory Memorandum, p. 40.

3 Explanatory Memorandum, p. 7.

4 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 5.

5 Mr Pablo Carpay, First Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 18.

6 Explanatory Memorandum, pp. 93-94 (Option 2).

[c]umulatively, these existing registers do not provide sufficient information on ownership and control to address the issues identified by the Centre.7

4.12 In relation to each state and territory’s existing information holdings, the RIS states that

the scope of information currently collected generally, or as part of a register administered by the Australian Government or states and territories, varies from one jurisdiction to another.8

4.13 The APGA argued that the Register duplicates reporting obligations on infrastructure owners and operators:

APGA does not support an outcome whereby infrastructure owners and operators have reporting obligations to multiple registers concerned with infrastructure resilience and security. Industry should not be placed in the position of reporting different aspects of information related to resilience and security to different registers at the state and federal level.9

4.14 The APGA suggested that the information and documents required under the Bill are

either public documents already or held by another government statutory authority, and there seems to be little need to then have a further information gathering power on the gas transmission industry.10

4.15 The APGA indicated these other government statutory authorities include the ASIC, the Australian Energy Regulator, the AEMO and state regulators.11 The APGA also provided a list of various Commonwealth agencies it engages with on terrorism, cyber security, strategic defence, natural disasters and espionage issues.12

7 Explanatory Memorandum, p. 94.

8 Explanatory Memorandum, p. 93.

9 Australian Pipelines and Gas Association, Submission 6, p. 5.

10 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 3.

11 Australian Pipelines and Gas Association, Submission 6, pp. 4-5.

12 Australian Pipelines and Gas Association, Submission 6.1, p. 1.


4.16 The Department of Home Affairs suggested that it has looked closely at potential duplication, but

have not been able to find the direct interest and the chain of interest in any of the other mechanisms, nor a complete picture of the operational contractual arrangements or the data management contractual arrangements.13

4.17 The APGA and WSAA suggested that, depending on the interpretation of the Bill, reporting obligations could require quite granular information, such as information about all supply chain contracts.14

4.18 In response, the Department of Home Affairs stated:

The intention is to only capture the contractual information associated with an actual operator of an asset, so there are some cases we've seen where an asset may appear at face value to be owned by one entity, even a state government, for example, but the operation of the asset is outsourced. It's that contractual information that we're interested in, not all of their downstream supply chain contracts.15

4.19 APGA suggested that a common form between Commonwealth agencies would alleviate concerns around duplication.16 However, the Department of Home Affairs argued that becoming an aggregator for this information is ‘complex in its own right, and there are costs involved in doing that’.17

4.20 The Department of Home Affairs suggested that in addition to the establishment of the CIC, the transition to the Department of Home Affairs will minimise duplication:

The transition of the Centre into the newly formed Department of Home Affairs provides further opportunities to minimise duplication for industry in engaging with Government. Home Affairs brings the Department of Immigration and Border Protection together with security, law enforcement and national security policy, critical infrastructure and emergency management from the Attorney General’s Department, counter-terrorism and cyber security policy from the Department of the Prime Minister and Cabinet, multicultural affairs from the Department of Social Services and the Office of Transport Security from the Department of Infrastructure and Regional Development.18

13 Ms Samantha Chard, Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 18.

14 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 4; Water Services Association of Australia, Submission 8, p. 4.

15 Ms Samantha Chard, Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 16.

16 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 5.

17 Mr Pablo Carpay, First Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 18.

Direct interest holders

4.21 As stated above, subsection 8(1) of the Bill defines a direct interest holder as an entity that either holds an interest of at least 10 per cent in the asset, or holds an interest that puts the entity in a position to directly or indirectly influence or control the asset.

4.22 Subsection 8(2) of the Bill clarifies that an entity will still be a direct interest holder if it is a trust, partnership, superannuation fund or an incorporated foreign company. The Explanatory Memorandum states that the provision is ‘included to ensure that the reporting obligations apply to any direct interest holder regardless of the nature of that interest holder’.19

4.23 The Explanatory Memorandum states that influence and control extends to the ability to:

• exercise voting or veto rights,
• materially impact the day-to-day operations or strategic direction of the asset,
• appoint persons to the body that governs the asset,
• influence or determine the business or other management plan for the asset,
• influence or determine the appointment of key personnel involved in the day-to-day operation of the asset,
• influence or determine major expenditures in relation to the asset or its operations,
• influence or determine major contracts or transactions in relation to the asset or its operations, or
• influence or determine indebtedness of any kind in relation to the asset or its operations.20

4.24 In its submission, the Department of Home Affairs noted its intention to amend the definition of direct interest holder:

18 Department of Home Affairs, Submission 9.1, p. 2.

19 Explanatory Memorandum, p. 29.

20 Explanatory Memorandum, pp. 28-29.


Some stakeholders have recently indicated that our definition of direct interest holder may not capture some entities that we intended it to (for example, entities whose subsidiaries hold an interest in the critical infrastructure asset). Home Affairs is working with the Office of Parliamentary Counsel to correct this through re-drafting to ensure that the policy intent to capture such ownership is clarified.21

4.25 The Law Council had concerns about whether the definition of direct interest holder captures intermediate and ultimate interest holders:

[I]t is not clear from the drafting whether a direct interest holder under proposed section 8 is limited to the immediate shareholder or interest holder of the asset or whether it could extend to intermediate or ultimate holding entities of the assets.22

4.26 The Department of Home Affairs stated its intention is that intermediate or ultimate interest holders would not be direct interest holders and advised that

the department will seek to clarify that a ‘direct interest holder’ under section 8 is limited to the immediate shareholder or interest holder and does not extend to any intermediate or ultimate holding entities. Information relating to these intermediate or ultimate holding entities is still a key component of the register, but is required to be reported by the ‘direct interest holder’ as a result of paragraph 6(1)(h) of the definition of ‘interest and control information’.23

4.27 The Law Council also suggested that the Bill would benefit from greater clarity about the application of subsection 8(2) as

it is not clear whether ‘entity’ in proposed subsection 8(1) is limited to the entities listed at proposed paragraphs 8(2)(a)-(d) or whether the entities listed in proposed subsection 8(2) are in addition to the entities in the definition of ‘entity’ in proposed section 5 of the Bill.24

4.28 In response, the Department of Home Affairs stated:

The department will also clarify that a ‘direct interest holder’ includes, but is not exclusive to, those entities listed in subclause 8(2).25

21 Department of Home Affairs, Submission 9, p. 6.

22 Law Council of Australia, Submission 10, p. 2.

23 Department of Home Affairs, Submission 9.1, p. 4.

24 Law Council of Australia, Submission 10, pp. 2-3.

25 Department of Home Affairs, Submission 9.1, p. 4.


4.29 The Law Council also recommended a carve-out for moneylending agreements, noting that

the definition of influence or control could cover ordinary course of business financing arrangements where financiers have a certain level of influence or control over the assets, whether or not they have enforced their security.26

4.30 The Department of Home Affairs clarified that its intention was not to capture certain moneylenders:

It is not the intention of the legislation to capture money lenders where their interest in the asset is through a financing arrangement with the true ‘direct interest holder’ and as a result are not in a position to exercise any influence or control. To address these circumstances, we will look to provide a carve-out modelled on regulation 27 of the Foreign Acquisitions and Takeovers Regulation 2015.27

4.31 Additionally, the Department of Home Affairs sought to provide further clarity around the term ‘influence and control’ under the Bill:

To provide further clarity on the interaction between the term ‘direct interest holder’ and other entities in a position to exercise influence and control, the department will look to introduce a definition of ‘influence and control’ drawing on the guidance already included in the explanatory memorandum (paragraph 150).28

Committee Comment

4.32 The Committee supports the establishment of a register of critical infrastructure assets. The Committee notes that the Department of Home Affairs has analysed existing information sources. The Committee notes the Department of Home Affairs’ conclusion that the reporting obligations under the Bill would require information from critical infrastructure asset owners and operators that is mostly unavailable through existing sources.

4.33 The Committee is satisfied that the additional burden on reporting entities is not significant. However, the Committee has concerns that updating distinct government databases with similar industry information may compromise data integrity over time. The Committee recommends that the Department of Home Affairs examine the viability of developing a common data entry portal for use across Commonwealth, state and territory databases that require information from the same reporting entities.

26 Law Council of Australia, Submission 10, p. 3.

27 Department of Home Affairs, Submission 9.1, p. 5.

28 Department of Home Affairs, Submission 9.1, p. 4.

Recommendation 2

4.34 The Committee recommends that the Department of Home Affairs examine the viability of developing a common data entry portal for use across Commonwealth, state and territory databases that require information from the same reporting entities.

4.35 The Committee notes that the Explanatory Memorandum includes example forms. Although these forms are a useful first step, the Committee considers that entities require further guidance to understand their reporting obligations. The Committee recommends that the Department of Home Affairs prepare guidelines to advise entities of their reporting requirements in advance of the transition period.

Recommendation 3

4.36 The Committee recommends that the Department of Home Affairs develop guidelines for entities subject to the Security of Critical Infrastructure Bill 2017. The guidelines should:

• enable an entity to determine whether it is a reporting entity, and
• provide the entity with an understanding of the specific information it is required to report.

These guidelines should be made available prior to the end of the three-month transition period.

4.37 The Committee notes concerns about the definition of direct interest holders and evidence from the Department indicating an intention to amend the definition in the Bill. Further, the Bill would benefit from greater clarity about its application to moneylenders, intermediate and ultimate interest holders of critical infrastructure assets. The Committee notes that one of the objectives of the Register is to capture information about beneficial ownership. The Committee notes evidence from the Department of Home Affairs, which indicates that the Bill is not intended to capture moneylenders, intermediate and ultimate holding entities as direct interest holders.


4.38 In particular, the Committee recommends that the Bill is amended to clarify that the definition of direct interest holder does not capture moneylenders, intermediate and ultimate interest holders of critical infrastructure assets.

Recommendation 4

4.39 The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to more appropriately define direct interest holder in order to capture the intended full range of ownership arrangements.

Further, the Explanatory Memorandum and the Bill should clarify that:

• moneylenders are not direct interest holders, where they hold an interest in a critical infrastructure asset through a financing arrangement, and
• intermediate and ultimate holding entities are not direct interest holders.

Secretary’s powers

Information-gathering powers

4.40 Under section 37 of the Bill, the Secretary can require a reporting entity or operator to give information or produce a document. Subsection 37(1) of the Bill limits this power to circumstances where the Secretary has reason to believe that the entity has information or documents that

• is relevant to the exercise of a power, duty or function under the Bill, or
• may assist with determining whether a power under the Bill should be exercised.

4.41 The Explanatory Memorandum states that this power will allow

• the Secretary to ensure that the information provided by reporting entities is correct and up to date, and
• further information to be sought, where that information is required to gain a clearer national security risk picture in respect of the critical infrastructure asset.29

4.42 Under subsection 37(3), prior to giving the entity notice, the Secretary:

29 Explanatory Memorandum, p. 71.

• must have regard to the costs that would be likely to be incurred by the entity in complying with the notice, and
• may have regard to any other matters the Secretary considers relevant.

4.43 The Explanatory Memorandum states that these considerations will ensure that

wherever possible the notice directly targets the information sought and does not create unnecessary expense or burden on the entity.30

Powers to undertake risk assessments

4.44 Section 57 of the Bill allows the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset. The Register will inform risk assessments to identify and manage national security risks in critical infrastructure assets.31

4.45 The Explanatory Memorandum states that

any risk assessment conducted by the Secretary would be conducted in collaboration with the asset’s owners and operators, as well as relevant state and territory agencies and regulators.32

4.46 The WSAA suggested that the Bill include a ‘trigger’ so that ASIO must furnish an adverse security assessment prior to the Secretary undertaking a risk assessment.33 The WSAA stated that its concerns are that the Secretary’s risk assessments will require ‘undue attention compared to all the other risks—climate change, natural disasters and the like’ and that the risk assessment may require ‘potentially unnecessary costs on customers’.34

4.47 The Department of Home Affairs argued that requiring an ASIO adverse security assessment as a pre-condition to the Secretary’s risk assessment would prevent the Bill from achieving its intent:

From a proactive stance, the reason we would do the risk assessment would be to understand what those vulnerabilities are and then try and mitigate them before we get to a point where there is in fact a concern. So, again, if people are prepositioning, once you have realised they are prepositioned, it is probably better to have mitigated that up-front. Conceptually, I am not sure that trigger actually meets the intent of what we are trying to achieve, which is to forestall the ability for these things to occur.35

30 Explanatory Memorandum, p. 72.

31 Explanatory Memorandum, p. 11.

32 Explanatory Memorandum, p. 86.

33 Water Services Association of Australia, Submission 8, p. 3.

34 Dr Greg Ryan, Manager Utility Excellence, Water Services Association of Australia, Committee Hansard, Canberra, 9 February 2018, p. 12.

4.48 The WSAA suggested that greater disclosure around the Secretary’s risk assessment methodology and criteria may alleviate its concerns with the process:

It would be good to have greater transparency in the requirements, definitely, and potentially some sort of case study or clear guidance around what the risk assessments would entail and what things you would have to prepare to streamline the process but also to give surety on the likely cost.36

4.49 The APGA echoed this sentiment and sought further clarity about the criteria and factors that may go to assessing the risk of a foreign actor.37 The Department of Home Affairs suggested that it intends to ‘provide some guidance to industry on the nature of our risk assessment process’.38

4.50 In addition to the need for further clarity, the potential financial burden was raised by industry. Both WSAA and APGA expressed concerns about the cost implications of implementing risk mitigations that may eventuate from the Secretary’s risk assessment.39

4.51 The Department of Home Affairs argued that the cost of risk mitigations is part of the ordinary course of business, similar to other types of risks, such as fire hazards.40 However, the Department of Home Affairs would consider the proportionality of mitigations and the cost impact as part of the process.41 Additionally, the Department of Home Affairs stated that mechanisms exist within the regulator markets to deal with cost pressures.42 The Department of Home Affairs stated that it has had some discussions with regulators

35 Mr Pablo Carpay, First Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 17.

36 Dr Greg Ryan, Manager Utility Excellence, Water Services Association of Australia, Committee Hansard, Canberra, 9 February 2018, p. 12.

37 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 7.

38 Ms Samantha Chard, Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 17.

39 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 4; Dr Greg Ryan, Manager Utility Excellence, Water Services Association of Australia, Committee Hansard, Canberra, 9 February 2018, pp. 9-10.

40 Mr Pablo Carpay, First Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 14.

who have indicated that a direction would constitute a change of law event that could be taken into account.43

Protection of information

4.52 Section 5 of the Bill makes the following information, in relation to a critical infrastructure asset, ‘protected information’:

• information obtained by a person in the course of exercising powers, duties or functions under the Bill,
• the fact that an asset is privately declared, under section 51, and
• information obtained by way of authorised disclosure under the Bill.

4.53 Section 45 of the Bill creates an offence to make a record of, or disclose, protected information unless authorised. The offence is punishable by imprisonment for 2 years or 120 penalty units, or both.

4.54 Part 4, Subdivision 3A of the Bill provides a number of authorised uses and disclosures of protected information, including:

• the Secretary may disclose protected information to a Commonwealth Minister, state or territory minister, a staff member of the Minister, the department of a Minister, for Ministers responsible for:
  ◦ National security
  ◦ Law enforcement
  ◦ Foreign investment in Australia
  ◦ Taxation policy
  ◦ Industry policy
  ◦ Promoting investment in Australia
  ◦ Defence
  ◦ The regulation or oversight of the relevant industry for the critical infrastructure asset
• the Secretary may disclose to an enforcement body, as defined by the Privacy Act 1988.

41 Ms Samantha Chard, Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 14.

42 Mr Pablo Carpay, First Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 14.

43 Ms Samantha Chard, Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 14.

4.55 Section 44 of the Bill also allows an entity to use or disclose protected information that it obtains, for the purpose that the information was originally disclosed to the entity.

4.56 The Explanatory Memorandum states that these authorised uses and disclosures are consistent with the Bill’s objective to promote a collaborative and cooperative approach to managing national security risks.44

4.57 Section 46 of the Bill provides a number of exceptions to the offence:

• disclosure or use that is required under Commonwealth, or state or territory laws prescribed by the rules,
• an entity acting in good faith and in purported compliance with an authorised use or disclosure, or the Minister’s private declaration powers, and
• disclosing protected information to the subject entity, the subject entity is the disclosing entity, or disclosure occurs with the express or implied consent of the subject entity.

4.58 In relation to these exceptions, the Explanatory Memorandum states:

Recognising the severity of a criminal sanction as the highest form of punishment or deterrence, these exceptions ensure that the criminal penalty does not extend to situations where there is no criminal culpability, such as in complying with another law, or disclosing the information with the consent of the person to whom the information relates.45

4.59 Subsections 6(2) and 7(2) of the Bill state that interest and control information and operational information may be personal information within the meaning of the Privacy Act 1988 (Privacy Act).

Box 4.1 Information about the Australian Privacy Principles

The Australian Privacy Principles (APPs) are contained in schedule 1 of the Privacy Act. They outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information.

44 Explanatory Memorandum, p. 74.

45 Explanatory Memorandum, p. 76.

While the APPs are not prescriptive, each APP entity needs to consider how the principles apply to its own situation. The principles cover:

• the open and transparent management of personal information including having a privacy policy,
• an individual having the option of transacting anonymously or using a pseudonym where practicable,
• the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection,
• how personal information can be used and disclosed (including overseas),
• maintaining the quality of personal information,
• keeping personal information secure, and
• rights for individuals to access and correct their personal information.46

4.60 Section 39 of the Bill allows the Secretary to retain a document for as long as is necessary. The Explanatory Memorandum states that this section would

enable the document to be used for the purpose for which it was obtained, as well as for any other purpose authorised under Part 4, Division 3.47

4.61 APP 11.2 requires that an APP entity take reasonable steps to destroy or de-identify personal information where it is no longer necessary. The Law Council suggested that the Secretary’s ability to retain documents may be inconsistent with this APP:

The Law Council queries whether the Secretary’s ability to retain documents for an unlimited time period may be inconsistent with APP 11.2. This requires that where an APP entity holds personal information, and they no longer need the information for which it was used or disclosed by the entity, the entity must take reasonable steps to destroy the information or to ensure that the information is de-identified.

To ensure that the Bill is consistent with APP 11.2, the Law Council recommends that section 39 of the Bill be amended to reflect the requirement that the Secretary must take reasonable steps to destroy the information when it is no longer necessary.48

46 A summary of the Australian Privacy Principles can be found on the Office of the Australian Information Commissioner’s website: https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles.

47 Explanatory Memorandum, p. 73.

4.62 In response, the Department of Home Affairs stated that

provisions in the Bill have been developed to be consistent with the Australian Privacy Principles (APPs). The department will consider amendments to the explanatory memorandum to clarify that the Centre in administering the legislation will comply with all relevant Australian Privacy Principles.49

4.63 The Explanatory Memorandum states that sharing information with states and territories is important, as they have responsibilities as owners and regulators:

The information obtained under the Bill may have broader policy implications for states and territories, particularly in relation to maintaining the security and resilience of critical infrastructure assets. This acknowledges that the states and territories, as owners and regulators of critical infrastructure assets share the responsibility with the Government to manage national security risks.50

4.64 The WSAA expressed concerns about whether laws in states and territories would protect sensitive, critical infrastructure information adequately:

The sensitive information protections currently existing at the State/Territory level are inconsistent, to prevent sensitive Critical Infrastructure information from being released into the public domain (e.g. through State Audit reports, Regulatory Reports or Freedom of Information requests). Therefore the need to ensure a consistent approach to sharing and protection of critical infrastructure related information is imperative and an obvious gap in the current legislation.51

48 Law Council of Australia, Submission 10, p. 4.

49 Department of Home Affairs, Submission 9.1, p. 5.

50 Explanatory Memorandum, pp. 11-12.

51 Water Services Association of Australia, Submission 8, p. 5.


4.65 The WSAA suggested that the Bill could address its concern through wholly exempting protected information from freedom of information laws.52 However, under the Freedom of Information Act 1982, a range of exemptions already exist that allow an agency or minister to refuse release of documents, including exemptions for national security, documents containing material obtained in confidence, and Commonwealth-State relations.

4.66 The Department of Home Affairs stated that it will establish security measures to protect the Register:

Given the sensitivity of the information required to be provided and stored in aggregate, the Register will be held on a classified network. This will ensure that all information provided for the Register, including commercially sensitive information, is kept secure.53

Committee comment

4.67 The Committee did not receive evidence of concerns about the scope or exercise of the Secretary’s information-gathering powers. As such, the Committee makes no comment about these powers and supports these provisions in the Bill.

4.68 The Committee notes industry concerns about the Secretary’s power to undertake a risk assessment. The Committee does not consider that an ASIO adverse security assessment should be a pre-condition to the Secretary’s ability to undertake a risk assessment. The Committee notes that this pre-condition could limit the ability to mitigate risks proactively, which is the intent of the regime.

4.69 The Committee notes industry concerns about potential cost implications that may arise from the implementation of risk mitigations. The Committee notes advice from the Department of Home Affairs that the Secretary would consider the proportionality of risk mitigations and the cost impact as part of a risk assessment process.

4.70 While the Committee supports the need for greater clarity around the intended risk assessment process, it does not support publicly detailing the entirety of the risk assessment process as this may reveal sensitive national security information. The Committee notes that the Department indicated it intended to provide ‘some guidance’ on the risk assessment process. The Committee considers that the timely provision of such advice is warranted, and recommends that the Department of Home Affairs develop high-level guidance for reporting entities and operators about the risk assessment process.

52 Dr Greg Ryan, Manager Utility Excellence, Water Services Association of Australia, Committee Hansard, Canberra, 9 February 2018, pp. 11-12.

53 Department of Home Affairs, Submission 9, p. 6.

Recommendation 5

4.71 The Committee recommends that the Department of Home Affairs include in guidelines to be developed for entities subject to the Security of Critical Infrastructure Bill 2017, information regarding:

• the high-level criteria by which the Department will assess risk, and
• the process and the engagement that entities should reasonably expect from the Department as part of a risk assessment.

4.72 The Committee notes that the Bill enables the Secretary to use or disclose protected information to a significant number of ministers and government agencies at the Commonwealth, state and territory level. The Committee acknowledges that collaboration between the Commonwealth, industry, states and territories is important for building a secure and resilient critical infrastructure landscape. The Committee notes that existing laws protect the use and disclosure of personal information, including the Privacy Act 1988, the Australian Security Intelligence Organisation Act 1979, and the Notifiable Data Breaches scheme.

4.73 However, the Committee considers that the Bill’s information-sharing provisions can be strengthened to ensure greater transparency of decision-making. In particular, the Committee recommends that the Explanatory Memorandum to the Bill clarify the factors that the Secretary must take into account when exercising discretion to disclose protected information. This addition would increase the public’s confidence in the integrity of the process and that disclosure occurs only after proper consideration.

Recommendation 6

4.74 The Committee recommends that the Explanatory Memorandum to the Security of Critical Infrastructure Bill 2017 be amended to list the factors that the Secretary must have regard to, when deciding whether to disclose protected information under sections 42 and 43 of the Bill. Factors should include:

• whether the disclosure is consistent with the objects of the Bill, and
• whether the purpose of the disclosure is proportionate to the sensitivity of the information being disclosed.

4.75 The Committee notes concerns about section 39 of the Bill, which enables the Secretary to retain documents for as long as necessary. The Committee considers that this provision does meet the requirements under APP 11.2.

4.76 The Committee appreciates that further clarity of the interaction between APP 11.2 and section 39 of the Bill would be beneficial. The Committee recommends that the Explanatory Memorandum be amended to clarify that these provisions are to be read consistent with the obligations under the Privacy Act.

Recommendation 7

4.77 The Committee recommends that the Explanatory Memorandum to the Security of Critical Infrastructure Bill 2017 be amended to clarify that the Bill does not affect the operation of existing privacy obligations.

In particular, the Explanatory Memorandum should clarify that section 39 does not affect the operation of Australian Privacy Principle 11.2 and the Department of Home Affairs, as the administering agency, would need to destroy personal information if it was no longer necessary.


5. Directions by the Minister

5.1 This chapter discusses the Minister’s powers, set out in the Bill, to issue written directions to reporting entities or operators of critical infrastructure assets. This chapter also discusses the power’s safeguards, consultation requirements prior to the power’s exercise, and oversight, review and reporting requirements for the regime.

5.2 Section 32 of the Bill enables the Minister to give a reporting entity or operator a written direction requiring that it do or refrain from doing a specified act or thing.

5.3 This power is subject to a number of safeguards under subsection 32(3) of the Bill, including:

• the Minister must be satisfied that the direction is reasonably necessary for the purpose of eliminating or reducing the risk,
• the Minister must be satisfied that reasonable steps have been taken to negotiate in good faith with the entity to achieve an outcome of eliminating or reducing the risk,
• an adverse security assessment has been given to the Minister, and
• the Minister must be satisfied that no existing regulatory system of the Commonwealth, a state or a territory could be used instead.

5.4 Under subsection 32(3) of the Bill, the Minister must also have regard to a number of factors before giving an entity a written direction, including:

• the adverse security assessment,
• the costs that would be likely to be incurred by the entity,
• the potential consequences on competition in the relevant industry,
• the potential consequences on the entity’s customers or services, and
• any representations given by the entity or a consulted minister, which includes state and territory ministers.


5.5 The Bill requires that the Minister must give the greatest weight to the adverse security assessment. The Bill also allows the Minister to have regard to any other matter he or she considers relevant.

5.6 The Explanatory Memorandum states the need for the directions power to be broad in scope:

Given the range of security risks that could arise, the directions power is designed to provide the Minister with the necessary scope to issue a direction that can sufficiently manage the risk.1

5.7 The Explanatory Memorandum states that the safeguards are adequate in ensuring issued directions are proportionate to the risk:

However, to balance the breadth of the power, there are significant safeguards built into the use of the power at subsections 32(3), 32(4) and 33. These safeguards ensure that any direction issued is only after significant consultation, consideration and is proportionate to the risk being managed.2

5.8 Energy Networks Australia supported the direction’s safeguards:

Due consideration to ‘the costs that would be likely to be incurred by the entity in complying with the direction’ is particularly welcome, given the already significant regulatory reporting which energy network service providers undertake.3

5.9 The Law Council also supported the safeguards, with qualifiers:

The Law Council supports the inclusion of safeguards in the Bill to ensure the Minister only exercises the directions power as a last resort, and only after negotiation in good faith with the affected entity, and consultation with the relevant State or Territory Minister. However, the Law Council has concerns that uncertainty remains regarding the threshold for the Minister to exercise the directions power, in particular the definition of ‘prejudicial to security’ and the Minister’s consideration of an adverse security assessment.4

1 Explanatory Memorandum, p. 66.

2 Explanatory Memorandum, p. 66.

3 Energy Networks Australia, Submission 3, p. 1.

4 Law Council of Australia, Submission 10, p. 5.

5 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 4.

5.10 APGA suggested the Bill should include an ability to issue a regulatory notice prior to the exercise of the Minister’s direction power.5 APGA argued that a regulatory notice would not be as extreme as a direction and provide an opportunity for infrastructure operators to discuss the most appropriate cost recovery approach with customers.6 In response, the Department of Home Affairs stated that

there would be nothing precluding the minister making a direction even though it was done in collaboration and voluntarily with an operator. It's not a requirement of the direction that the operator wouldn't undertake the activity voluntarily.7

5.11 APGA had concerns with the lack of clarity of the circumstances that would lead to the Minister issuing a direction.8 In particular, APGA was interested in understanding the way that the Commonwealth may attempt to leverage existing mechanisms to resolve issues prior to the Minister relying on a direction.9 APGA suggested that the Department of Home Affairs could alleviate APGA’s concerns through publicly documenting the criteria for issuing directions, beyond the existing legislative safeguards.10

5.12 In response, the Department of Home Affairs stated that it could provide broad guidance about the kinds of things that would occur in the lead-up to the Minister issuing a direction.11 The Department of Home Affairs also stated:

As part of the consultation process that will occur prior to a direction being issued, the Centre will work closely with the asset operator and both Commonwealth and state or territory regulators to gain a detailed understanding of:

1 the existing regulatory environment in which the asset operates, and

2 whether the mitigations could be implemented by leveraging existing regulatory mechanisms.12

6 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 4.

7 Ms Samantha Chard, Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 15.

8 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 3.

9 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 3.

10 Mr Steve Davies, Chief Executive, Australian Pipelines and Gas Association, Committee Hansard, Canberra, 9 February 2018, p. 3.

11 Ms Samantha Chard, Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 9 February 2018, p. 15.

Adverse security assessments

5.13 As stated previously, the Bill requires that an adverse security assessment be given to the Minister, prior to the Minister issuing a direction.

5.14 Subsection 38(1) of the Australian Security Intelligence Organisation Act 1979 (ASIO Act) requires the Commonwealth agency to give the subject of an adverse security assessment a copy of that assessment, along with information on their right to appeal to the Administrative Appeals Tribunal.

5.15 Subsection 38(2) of the ASIO Act provides the power to the Attorney-General to:

• withhold notice of the making of the assessment if the Attorney-General is satisfied that it is essential to the security of the nation, or
• exclude the statement of grounds, or part of the statement, if it would be prejudicial to the interests of security.

5.16 Section 38A of the ASIO Act allows the Attorney-General to exclude information in an adverse security assessment where the disclosure is prejudicial to the interests of security, but does not allow the Attorney-General to withhold notice of a security assessment.

5.17 The Telecommunications and Other Legislation Amendment Act 2017, which gives effect to TSSR, amends section 38A of the ASIO Act, so that section 38A applies to the Attorney-General’s ability to issue directions as part of TSSR. The Department of Home Affairs stated that the Minister’s directions power is ‘modelled on a similar power in the TSSR’.13

5.18 The Inspector-General of Intelligence and Security argued:

The critical infrastructure scheme is modelled on the TSSR measures. Aligning the notification requirements for ASAs [adverse security assessments] issued in connection with each scheme would ensure the equal treatment of regulated entities in this regard.14

5.19 The Department of Home Affairs responded:

It was always the intention that an unclassified statement of the grounds for the adverse security assessment, which is included in the assessment, be provided to the affected critical asset owner or operator to assist them in understanding the security concern and need for a Ministerial direction. With the Bill as currently drafted, it would be open for the Attorney-General to withhold the notice on national security grounds. This was never the Department’s intent.15

12 Department of Home Affairs, Submission 9.1, p. 1.

13 Department of Home Affairs, Submission 9, p. 7.

14 Inspector General of Intelligence and Security, Submission 2, p. 3.

Threshold for exercising direction

5.20 In addition to the safeguards listed above, subsection 32(1) of the Bill requires that, prior to issuing a direction, the Minister must be satisfied that there is a risk of an act or omission that would be prejudicial to security.

5.21 The Explanatory Memorandum states:

The term ‘prejudicial to security’ is to be given its ordinary meaning, but interpreted in a manner that is consistent with the term ‘activities prejudicial to security’ contained in the ASIO Act. As a matter of guidance only, activities prejudicial to security may cover activities relevant to ‘security’, as defined under the ASIO Act, that could be considered capable of causing damage or harm to Australia, the Australian people, or Australian interests, or to foreign countries to which Australia has responsibilities.16

5.22 The Law Council suggested that the term ‘prejudicial to security’ should be defined in the Bill to be consistent with the rule of law:

This [defining the term in the Bill] would also ensure that the term ‘prejudicial to security’ could not be later redefined without adequate Parliamentary scrutiny.17

5.23 The Department of Home Affairs responded that

it would not be appropriate to introduce a definition of the phrase ‘prejudicial to security’… Defining the phrase ‘prejudicial to security’ may result in the phrase being given inconsistent meanings between different national security legislative frameworks [with reference to TSSR], thereby causing unintended operational consequences.18

15 Department of Home Affairs, Submission 9.1, p. 6.

16 Explanatory Memorandum, p. 65.

17 Law Council of Australia, Submission 10, p. 6.

18 Department of Home Affairs, Submission 9.1, p. 5.

5.24 The Law Council also suggested that the required risk thresholds, prior to an exercise of the direction power, should be more transparent and embedded in the Bill:

The threshold for the exercise of the directions power should only be permitted where there is a sufficient level of risk to security to justify the exercise of the powers. This could be achieved, for example, by amending proposed section 32(3) of the Bill to require that the Minister is satisfied that there is substantial and imminent risk or unauthorised interference with, or unauthorised access to, a critical infrastructure asset that would be prejudicial to security.19

5.25 The Department of Home Affairs argued that

the provision as drafted, including the requirement for an ASIO adverse security assessment already ensures that the Minister’s directions power is properly limited to circumstances where there is a sufficient level of risk …

However, including a temporal element to the test may unnecessarily limit the use of the power given the Bill is designed to enable action to be taken to prevent pre-positioning for acts of sabotage.

In these circumstances, it may not be possible to satisfy an ‘imminence’ test. Additionally, the requirement of ‘unauthorised’ access or interference may be difficult to satisfy in circumstances where the risk arises through legitimate involvement in the critical infrastructure asset, for example, through direct ownership or legitimate business activities.20

5.26 The Committee considered a similar issue in its inquiry into the Telecommunications and Other Legislation Amendment Bill 2016. In relation to that Bill, industry associations sought to have the meaning of ‘prejudicial to security’ defined in the legislation, and sought increased transparency and scrutiny of the adverse security assessment process. In that inquiry, the Committee concluded that:

The Committee does not support further defining the term ‘prejudicial to security’ in the Bill.

In regards to whether the criteria for an adverse security assessment should be made public, there are national security considerations that must be taken into account. The risks include that such information could be used by those seeking to harm Australia’s security to act in a manner designed to avoid detection by ASIO.

Accordingly, the Committee does not support making the criteria for adverse security assessments available to industry.21

19 Law Council of Australia, Submission 10, p. 7.

20 Department of Home Affairs, Submission 9.1, p. 6.

Consultation requirements with states and territories

5.27 One of the safeguards mentioned above is that the Minister cannot give a direction unless he or she is satisfied that no existing regulatory system of the Commonwealth, state or territory could be used to eliminate or reduce the risk.

5.28 Section 33 of the Bill requires that before giving an entity a direction, the Minister must consult the First Minister of a state and territory, and each state and territory minister who has responsibility for the regulation or oversight of the relevant industry for the critical infrastructure asset. Each consulted minister has at least 28 days to provide written representations, or a shorter period if necessary because of urgent circumstances.

5.29 In relation to these consultation requirements with states and territories, the Explanatory Memorandum states:

This provision ensures the relevant state or territory minister, and Premier or Chief Minister have been directly consulted and have provided a formal state view on the proposed risk, how it could or should be addressed, including through a possible direction, and the impacts of such a direction.22

5.30 The South Australian Government is concerned about the power for the Commonwealth to direct state and state instrumentalities regarding state-owned asset operations:

It is recognised that safeguards are built into the Bill and the increased articulation of consultation requirements has strengthened these. However, the concern fundamentally remains, particularly considering the ability for the Commonwealth to privately declare assets as critical infrastructure assets without prior consultation with the state and the potential implications of directions, if made, on owners.23

21 Parliamentary Joint Committee on Intelligence and Security, Advisory Report on the Telecommunications and Other Legislation Amendment Bill 2016, June 2017, p. 66.

22 Explanatory Memorandum, p. 68.

23 South Australian Government, Submission 7, p. 3.

5.31 The Northern Territory Government also had concerns that states and territories may incur costs as a result of an entity complying with a ministerial direction:

the Northern Territory Government considers it appropriate that the Bill operate in a manner that ensures that it, as ultimate owner of critical infrastructure assets, is adequately engaged throughout consultation and negotiation processes relating to risk assessments and mitigations, and in respect of Ministerial directions, even in situations where the Minister may have identified the Port Operator as the entity best placed to manage the particular risk.24

5.32 The Department of Home Affairs noted that it released an exposure draft of the Bill for five weeks of public consultation in October 2017 and ‘the Bill reflects the feedback received during these consultation sessions’.25 In particular, one of the refinements involved ‘strengthening consultation requirements’.26

5.33 The South Australian Government acknowledged those changes to the Bill in its submission, but maintains its fundamental concern about the Commonwealth directing states:

It is pleasing that some feedback from jurisdictions and industry has been incorporated into the Bill, including strengthening the consultation requirements with states.27

Secretary’s Annual Report

5.34 Section 60 of the Bill requires the Secretary to give the Minister a report on the operation of the Bill, for presentation to the Parliament, each financial year. Subsection 60(2) of the Bill requires that the report deal with:

• the number of notifications that were made during the financial year to the Secretary for the register of critical infrastructure assets,
• any directions given during the financial year by the Minister,
• the use of the Secretary’s powers to obtain information or documents,
• any enforcement action taken against an entity, and
• the number of private declarations of critical infrastructure assets that were made by the Minister.

24 Northern Territory Government, Submission 1, p. 4.

25 Department of Home Affairs, Submission 9, p. 9.

26 Department of Home Affairs, Submission 9, p. 9.

27 South Australian Government, Submission 7, p. 2.

5.35 The Explanatory Memorandum states:

This annual overview on the operation of the Bill provides accountability and transparency of the Bill’s application to critical infrastructure assets, including how often the powers are used.28

5.36 The Explanatory Memorandum clarifies that the report can deal with matters beyond the requirements under subsection 60(2) of the Bill listed above.29

Committee comments

5.37 The Committee notes the similarities between the Minister’s directions power in this Bill and the Attorney-General’s directions power in TSSR. The Committee considers that the notification requirements for adverse security assessments should not differ between TSSR and this Bill.

5.38 The Committee recommends that the Bill be amended so that the Attorney-General cannot issue a certificate preventing the subject entity from knowing that it is the subject of an adverse security assessment.

Recommendation 8

5.39 The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to require the relevant Minister to provide, to the subject entity, notice of an adverse security assessment given in connection to the Bill and merits review rights.

The Committee considers that the Bill should be amended to align with requirements under section 38A of the Australian Security Intelligence Organisation Act 1979.

5.40 The Committee notes industry’s concerns about the lack of clarity of the circumstances that would lead to the use of the Minister’s directions power. The Committee’s expectation is that the Minister would only use his or her power to issue directions as a last resort.

28 Explanatory Memorandum, p. 87.

29 Explanatory Memorandum, p. 87.

5.41 The Committee notes that the Bill requires the Minister to table a report to Parliament each financial year. The report must contain information about any use of the Minister’s direction power and private declarations of critical infrastructure assets. The Committee supports these requirements, as they will provide the public confidence that the Minister uses these powers sparingly and as a last resort, as the Bill intends.

5.42 The Committee notes concerns about further clarity on the definition of ‘prejudicial to security’ and the need for greater transparency around this risk threshold. The Committee does not support further defining the term ‘prejudicial to security’ in the Bill.

5.43 The Committee notes concerns from some state and territory governments that the Commonwealth can direct reporting entities, which states and territories may ultimately own. The Committee notes that consultation requirements with states and territories under the Bill have strengthened during its development. The Committee supports ongoing collaboration between Commonwealth, state and territory governments in recognition that national security in Australia’s critical infrastructure is a shared concern. The Committee does not consider further change to the Bill is required.

5.44 The Committee notes that the Telecommunications and Other Legislation Amendment Act 2017 requires that the Committee review the operation of the legislation three years after Royal Assent. The Committee recommends that this Bill also be subject to a review, given the similarities in powers and the national security risks that both laws are designed to manage.

5.45 Given that the Telecommunications and Other Legislation Amendment Act 2017 received the Royal Assent on 18 September 2017, the Committee anticipates that its review would be holistic and consider the interaction between both laws. The Committee considers that the scope of the review should include whether further amendments are necessary. In particular, the Committee wishes to review the effectiveness of placing obligations upon private operators to manage national security risks, and whether a unified scheme should cover all critical infrastructure assets.

5.46 The Committee notes that its review of the Bill would also provide an opportunity to review the Minister’s power to declare critical infrastructure assets privately under section 51 of the Bill. The Committee considers that its review would strengthen oversight of the use of this declaration power, supplementing the annual reporting requirements.

Recommendation 9

5.47 The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to require the Parliamentary Joint Committee on Intelligence and Security to review the operation, effectiveness and implications of the reforms, commencing within three years of the Bill receiving Royal Assent.

The review should consider the appropriateness of a unified scheme to cover all critical infrastructure assets, including telecommunications assets.

The review should also consider circumstances in which the Minister has used the private declaration power under section 51.

Concluding comments

5.48 The Committee notes that the objective of the Bill is to provide a risk-based framework to manage national security risks arising from foreign involvement in critical infrastructure. The Committee has carefully considered the objective and has concluded that the Bill is a necessary and proportionate response. The Committee supports the intent of the Bill.

5.49 The Committee notes the industry consultation undertaken during the development of the Bill. The recommendations made in this report aim to enhance transparency and provide greater clarity to industry, as well as strengthen safeguards and oversight.

5.50 The Committee thanks all participants in the inquiry for their valuable contributions and constructive approach.

5.51 The Committee commends the report to the Parliament and recommends that, subject to the recommendations in this report being accepted, the Bill be passed.

Recommendation 10

5.52 The Committee recommends that, subject to the above recommendations being accepted, the Security of Critical Infrastructure Bill 2017 be passed.

Mr Andrew Hastie MP

Chair

March 2018

A. List of submissions

1 Northern Territory Government

2 Inspector-General of Intelligence and Security

3 Energy Networks Australia

4 Centre for Disaster Management and Public Safety, University of Melbourne

5 Doctors Against Forced Organ Harvesting (DAFOH)

6 Australian Pipelines & Gas Association (APGA)

6.1 Supplementary

7 South Australian Government

8 Water Services Association of Australia

9 Department of Home Affairs

9.1 Supplementary

10 Law Council of Australia

11 Confidential

B. Witnesses appearing at public hearings

Friday, 9 February 2018

Parliament House, Canberra

Australian Pipelines & Gas Association

• Mr Steve Davies, Chief Executive Officer

Water Services Association of Australia

• Dr Gregory Ryan, Manager Utility Excellence

Department of Home Affairs

• Mr Pablo Carpay, First Assistant Secretary
• Ms Samantha Chard, A/g First Assistant Secretary

Treasury

• Mr Roger Brake, Division Head

Australian Security Intelligence Organisation

• Mr Peter Vickery, Deputy Director-General
• Dr Wendy Southern, Deputy Director-General

Department of the Environment and Energy

• Ms Helen Bennett, Assistant Secretary

Department of Foreign Affairs and Trade

• Mr James Wiblin, Assistant Secretary
• Ms Patricia Holmes, Assistant Secretary

C. Glossary

Adverse security assessment - has the meaning given by section 35 of the Australian Security Intelligence Organisation Act 1979:

• security assessment means a statement in writing furnished by ASIO to a Commonwealth agency expressing any recommendation, opinion or advice on, or otherwise referring to, the question whether it would be consistent with the requirements of security for prescribed administrative action to be taken in respect of a person or the question whether the requirements of security make it necessary or desirable for prescribed administrative action to be taken in respect of a person, and includes any qualification or comment expressed in connection with any such recommendation, opinion or advice, being a qualification or comment that relates or that could relate to that question.

• adverse security assessment means a security assessment in respect of a person that contains:
  • any opinion or advice, or any qualification of any opinion or advice, or any information, that is or could be prejudicial to the interests of the person; and
  • a recommendation that prescribed administrative action be taken or not be taken in respect of the person, being a recommendation the implementation of which would be prejudicial to the interests of the person.

Telecommunications Sector Security Reforms - a general term used to describe the reforms set out in the Telecommunications and Other Legislation Amendment Act 2017.