Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Security Legislation Amendment (Critical Infrastructure) Bill 2021

Bill home page  


Download WordDownload Word


Download PDFDownload PDF

2019-2020-2021

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE) BILL 2020

SUPPLEMENTARY EXPLANATORY MEMORANDUM

(Circulated by authority of the Minister for Home Affairs,

the Hon Karen Andrews MP)



 

AMENDMENTS TO THE SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE) BILL 2020

 

OUTLINE

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia’s critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver. 

The purpose of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) is to amend the Security of Critical Infrastructure Act 2018 (the Act) to introduce an enhanced regulatory framework, building on existing requirements under the Act. The Bill gives effect to this framework by introducing:

  • government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia’s critical infrastructure assets.
  • additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;
  • enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and
  • additional critical infrastructure assets, which means that the existing powers under the Act, and the new powers to be introduced under this Bill, will apply to a broader range of assets.

Overview of the Government Amendments

The amendments address a number of recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 of 29 September 2021 (the PJCIS report) .

The amendments would:

(a)    omit the following proposed new Parts of the Act, and related provisions:

                 (i)             proposed new Part 2A of the Act - critical infrastructure risk management programs 

              (ii)             proposed new Part 2C of the Act - enhanced cyber security obligations

            (iii)             proposed new Part 6A of the Act - declaration of systems of national significance.

(b)    amend the proposed regime requiring the mandatory reporting of a cyber security incident by an entity to a relevant Commonwealth body to allow for the written report to be made within 84 hours (instead of 48 hours) of an oral report being made, and to empower a relevant Commonwealth body to exempt an entity from the requirement to provide a written report;

(c)    Require the Secretary to give a written report to the PJCIS about a cyber security incident in relation to which directions or requests in relation government assistance measures are given or made under sections 35AK, 35AQ or 35AX . The report must describe each of the directions or requests made in relation to the incident;

(d)    Allow the PJCIS to conduct a review of the operation, effectiveness and implications of the security of critical infrastructure legislative framework in the Act, to begin not more than three years from when the Bill receives the Royal Assent.

(e)    Require any draft rules relating to the mandatory reporting obligations be provided directly to any entities which would reasonably be impacted by the draft rules and include an obligation that the Minister must formally respond to any submissions made by responsible entities;

(f)     insert a definition of significant impact ;

(g)    In relation to a Ministerial authorisation under new section 35AD, if consultation is required, to inform relevant entities in writing and invite the entities to make a submission within 24 hours after receiving the draft authorisation;

(h)    include an example of where a person is not entitled to cause access, modification or impairment of computer data or a computer program, being that if a person (including employees or agents of a responsible entity) exceeds their authority, then this will amount to such unauthorised access, modification or impairment for the purpose of the Act.

These amendments respond to the urgent recommendations in the PJCIS Report. These Government amendments represent the first and most urgent amendments to deal with post-cyber incident responses and reporting.  Preventative measures and the design of the Risk Management Programs, Systems of National Significance and Enhanced Cyber Security Obligations will be proposed in a separate Bill that the Government intends to bring back to the Parliament for consideration at a later date. 

FINANCIAL IMPACT STATEMENT

The amendments have no financial impact.

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

A Statement of Compatibility with Human Rights has been completed in relation to the amendments proposed to the Bill and assessed the amendments to be compatible with Australia’s human rights obligations.  A copy of the Statement of Compatibility with Human Rights is at Attachment A .

AMENDMENTS TO THE SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE) BILL 2020

NOTES ON AMENDMENTS

Amendment (1) - Clause 2, page 2 (table item 2), omit the table item, substitute:

1.                   This amendment amends the commencement provision in table item 2 of subsection 2(1) of the Bill to provide that Schedule 1, Parts 1 and 2, will commence on the day after the Act receives the Royal Assent, rather than by Proclamation.

Amendment (2) - Clause 2, page 2 (table item 3, column headed “Column 2”), omit “2020”, substitute “2021”; and Amendment (59) - Schedule 1, heading to Part 3, page 144 (line 3), omit “2020”, substitute “2021”

2.                   Amendments (2) and (59) are technical amendments to update references to the Federal Circuit and Family Court of Australia Act 2020 to the Federal Circuit and Family Court of Australia Act 2021 .

Amendments (3)-(21), (23)-(25), (27)-(37), (46), (48), (50)-51), (53)-(57)

3.                   Amendments (3)-(21), (23)-(25), (27)-(37), (46), (48), (50)-(51) and (53)-(57) are technical amendments omitting references to provisions that are related to proposed new Parts of the Act that are being omitted from the Bill (see amendments Nos 39, 45 and 52).

Amendment (22) - Schedule 1, item 16, page 23 (line 23), before “10”, insert “sections”; and Amendment (26) - Schedule 1, item 16, page 23 (line 23), before “10”, insert “sections”.

4.                   These are technical amendments to correct a minor error in items 16 and 17 of the Bill. These items should also have omitted the word ‘sections’ from paragraphs (a) and (b) of the definition of security . Amendments (22) and (26), in conjunction with items 16 and 17, omit the words ‘sections 10 and 12’ and replace them with the new words set out in amended items 16 and 17.

Amendment (38) - Schedule 1, item 32, page 54 (after line 15), after subsection 12N(1), insert:

5.                   This amendment adds a new subsection 12N(1A) to insert an example of a situation where a person is not entitled to cause access, modification or impairment of computer data or a computer program, as set out in subsection 12N(1). Section 12N sets out the meaning of unauthorised access, modification or impairment for the purposes of the Act.

6.                   The example is a person who is an employee or agent of the responsible entity for an asset who would exceed their authority as an employee or agent in causing such access, modification or impairment in relation to the asset (i.e. an ‘insider’).

7.                   The purpose of this amendment is to implement Recommendation 1 of the PJCIS report, as described at dot point 1 of paragraph 3.18.

Amendment (39) - Schedule 1, item 39, page 57 (line 9) to page 66 (line 15), omit Part 2A.

8.                   This amendment omits Part 2A from the Bill. Part 2A relates to critical infrastructure risk management programs.

9.                   The purpose of this amendment is to implement Recommendation 1 of the PJCIS report that the Bill be split into two Bills.

10.               Recommendation 7 of the PJCIS report was that the remaining non-urgent elements of the Bill (including Part 2A) not recommended for inclusion in Bill One, be deferred and amended into a separate Bill.

Amendment (40) - Schedule 1, item 39, page 67 (after line 23), at the end of subsection 30BBA(2), add

11.               This amendment adds a new paragraph 30BBA(2)(d) in relation to consultation on rules made for section 30BB. Section 30BB provides that the notification requirements in Part 2B of the Act apply to a critical infrastructure asset if (amongst other things) the asset is specified in the rules. Part 2B of the Act sets out the reporting requirements in relation to cyber security incidents that impact on critical infrastructure assets and section 30BBA sets out the consultation requirements for rules made for the purposes of section 30BB.

12.               The amendment provides that where the Minister is aware that an entity is responsible for an asset that is specified, or proposed to be specified, in rules for section 30BB, the Minister must give the entity a written copy of the proposed rules. If the entity provides a submission to the Minister within the 28 day period set out in paragraph 30BBA(2)(a), the Minister must provide the entity with a written response to the submission. 

13.               The purpose of this amendment is to implement Recommendation 1 of the PJCIS report, as described at dot point 2 of paragraph 3.18.

Amendment (41) - Schedule 1, item 39, page 68 (line 23), omit “48”, substitute “84”.

14.               The amendment amends paragraph 30BC(3)(b) of the Bill. Section 30BC provides for notification of a cyber security incident that has had, or is having, a significant impact on the availability of the asset, in relation to entities specified in rules made under section 30BB.

15.               The amendment provides that an entity must provide the written report referred to the provision to the relevant Commonwealth body within 84 hours (rather than 48 hours) after an oral report was made in relation to a cyber security incident that is having a significant impact on the availability of the asset.

16.               The purpose of this amendment is to implement dot point one of recommendation 2 of the PJCIS report.

Amendment (42) - Schedule 1, item 39, page 68 (after line 27), at the end of section 30BC, add:

17.               The amendment adds new subsections 30BC(5) and (6). Section 30BC provides for notification of critical cyber security incidents in relation to entities specified in rules made under section 30BB.

18.               Subsection 30BC(5) provides that the head of Commonwealth body (however that head is described) may exempt an entity from the requirement to provide a written report referred to in subsection 30BC(3). This may occur, as an example, because of an agreement made between the Commonwealth body and the entity about the matter.

19.               Subsection 30BC(6) provides that an exemption under subsection 30BC(5) is not a legislative instrument. Exempting an entity from the obligation to provide a written report under section 30BC(3) is beneficial to the entity. The exemption will provide the entity with assurance that they will not later be required to provide a written report.

20.               Under subsections 30BC(7) and (8), the head of the Commonwealth body may delegate their power to:

·          an SES employee or acting SES employee in the Commonwealth body; or

·          a person who holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.

21.               The delegation power is necessary as a Commonwealth body may frequently be required to provide the exemptions set out in subsection 30BC(5). The SES level (or equivalent) is considered a sufficiently senior level to exercise the power.

22.               The purpose of this amendment is to implement dot point two of recommendation 2 of the PJCIS report.

Amendment (43) - Schedule 1, item 39, page 69 (after line 28), at the end of section 30BD, add:

23.               The amendment adds new subsections 30BD(5) and (6). Section 30BD provides for notification of cyber security incidents (other than critical incidents) in relation to entities specified in rules made under section 30BB.

24.               The amendment provides that the head of Commonwealth body (however that head is described) may exempt an entity from the requirement to provide a written report referred to in subsection 30BC(3). This may occur, as an example, because of an agreement made between the Commonwealth body and the entity about the matter.

25.               Subsection 30BD(6) provides that an exemption under subsection 30BD(5) is not a legislative instrument. Exempting an entity from the obligation to provide a written report under section 30BD(3) is beneficial to the entity. The exemption will provide the entity with assurance that they will not later be required to provide a written report.

26.               Under subsections 30BD(7) and (8), the head of the Commonwealth body may delegate their power to:

·          an SES employee or acting SES employee in the Commonwealth body; or

·          a person who holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.

27.               The delegation power is necessary as a Commonwealth body may frequently be required to provide the exemptions set out in subsection 30BD(5). The SES level (or equivalent) is considered a sufficiently senior level to exercise the power.

28.               The purpose of this amendment is to implement dot point two of recommendation 2 of the PJCIS report.

Amendment (44) - Schedule 1, item 39, page 70 (after line 4), after section 30BE, insert:

29.               This amendment adds a new section 30BEA to define when a cyber security incident is having a ‘significant impact’ and must therefore be reported under section 30BC. The incident will have a ‘significant impact’ if:

(a)    the incident has materially disrupted the availability of essential goods or services provided using the asset; or

(b)    any of the circumstances specified in the rules exist in relation to the incident.

30.               In assessing whether an incident is a critical cyber security incident, a responsible entity should consider the services being provided by the asset, the impact of a disruption to essential services and, the nature and extent of the cyber security incident.

31.               A significant impact on the availability of an asset is a material disruption to the essential services provided by that asset. An impact on other functions, for example, certain corporate systems, which do not impact the provision of essential services would not meet this threshold. The intention of providing a threshold for ‘significant impact’ is to capture more specific and extreme circumstances than what is captured by ‘relevant impact’ as defined under proposed new section 8G. The significant impact threshold is limited to circumstances which impact the asset’s availability (compare with relevant impact which relates to availability, integrity, reliability, confidentiality). Accordingly, this threshold will be met in circumstances in which a critical infrastructure asset’s essential services have been materially disrupted.

32.               For example, a cyber security incident which affects the availability of a critical clearing and settlement facility for a very brief period may materially disrupt its essential services which are likely to result in significant economic repercussions. In contrast, an incident that affects the availability of a critical education asset for the same period of time may have a substantially lower economic material impact on the services provided by that asset. Both assets’ essential services are disrupted however, due to the time sensitive nature of the services provided by a critical clearing and settlement facility, a relatively short disruption will clearly have a significant impact that may be considered ‘material’. Accordingly, responsible entities will need to consider the risk of cascading impacts of any disruption to determine when to report a cyber security incident.

33.               This amendment also adds a new section 30BEB in relation to rules made under new paragraph 30BEA(b). In summary, section 30BEB requires the Minister to consult entities about proposed rules under section 30BEA that affect the entity. The Minister will be required to provide 28 days for consultation and provide a written response to any submission from the affected entity made within that time period.

34.               The purpose of this amendment is to implement Recommendation 1 of the PJCIS report, as described at dot point 4 of paragraph 3.18.

Amendment (45) - Schedule 1, item 39, page 70 (line 17) to page 95 (line 3), omit Part 2C:

35.               This amendment omits Part 2C from the Bill. Part 2C relates to enhanced cyber security obligations.

36.               The purpose of this amendment is to implement Recommendation 1 of the PJCIS report that the Bill be split into two Bills.

37.               Recommendation 7 of the PJCIS report was that the remaining non-urgent elements of the Bill (including Part 2C) not recommended for inclusion in Bill One, be deferred and amended into a separate Bill.

Amendment (47) - Schedule 1, item 45, page 103 (after line 16), at the end of section 35AD, add:

38.               This amendment adds a new subsection 35AD(3). The amendment will require the Minister, if required to consult under subsections 35AD(1) or (2), to give the entity a copy of the proposed ministerial authorisation and provide the entity 24 hours to make a submission.

39.               If consultation is not required under subsection 35AD(1) or (2) then subsection 35AD(3) does not apply. For example, if consultation is not required under subsection 35AD(1) or (2) because consultation would frustrate the effectiveness of the Ministerial authorisation, compliance with subsection 35AD(3) is not required.

40.               The consultation requirement in section 35AD applies in relation to a Ministerial authorisation given under new section 35AB, in relation to the exercise of government assistance powers by the Secretary in relation to a cyber security incident

41.               The purpose of this amendment is to implement Recommendation 1 of the PJCIS report, as described at dot point 5 of paragraph 3.18.

Amendment (49) - Schedule 1, item 45, page 122 (after line 23), at the end of Part 3A, add:

42.               This amendment adds a new section 35BK. Subsection 35BK(1) requires the Secretary to give the PJCIS a written report about a cyber security incident in relation to which directions or requests in relation to government assistance measures are given or made under new sections 35AK, 35AQ or 35AX . Subsection 35BK(2) provides that the report must describe each of the directions or requests made in relation to the incident.

43.               The Secretary is not required to make a separate written report to the PJCIS in relation to each direction or request, but is required to describe each direction or request in a report relating to each incident.

44.               This amendment implements recommendation 4 of the PJCIS report.

Amendment (52) - Schedule 1, item 66, page 135 (line 18) to page 140 (line 8), omit the item:

45.               This amendment omits Part 6A from the Bill. Part 6A relates to declaration of systems of national significance by the Minister.

46.               The purpose of this amendment is to implement Recommendation 1 of the PJCIS report that the Bill be split into two Bills.

47.               Recommendation 7 of the PJCIS report was that the remaining non-urgent elements of the Bill (including Part 6A) not recommended for inclusion in Bill One, be deferred and amended into a separate Bill.

Amendment (58) - Schedule 1, page 142 (after line 3), after item 70, insert:

48.               This amendment adds a new section 60B to provide that the PJCIS may conduct a review of the operation, effectiveness and implications of the Act, including the reformed security of critical infrastructure legislative framework made by the Security Legislation Amendment (Critical Infrastructure) Act 2021 . The PJCIS may report its comments and recommendations to each House of the Parliament.

49.               The PJCIS must commence the review under this provision before the end of three years after the Security Legislation Amendment (Critical Infrastructure) Act 2021 receives the Royal Assent.

50.               The purpose of this amendment is to implement recommendation 14 of the PJCIS report.

 



 

Attachment A

 

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020

These amendments are compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the

Human Rights (Parliamentary Scrutiny) Act 2011 .

Overview of the Bill

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia’s critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver. 

The purpose of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) is to amend the Security of Critical Infrastructure Act 2018 (the Act) to introduce an enhanced regulatory framework, building on existing requirements under the Act. The Bill gives effect to this framework by introducing:

  • government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia’s critical infrastructure assets.
  • additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;
  • enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and
  • additional critical infrastructure assets, which means that the existing powers under the Act, and the new powers to be introduced under this Bill, will apply to a broader range of assets.

Overview of the Government Amendments

The amendments address a number of recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 of 29 September 2021 (the PJCIS report) .

The amendments would:

(a)    omit the following proposed new Parts of the Act, and related provisions:

(i)  Proposed new Part 2A of the Act - critical infrastructure risk management programs; 

(ii)  Proposed new Part 2C of the Act - enhanced cyber security obligations; (iii) Proposed new Part 6A of the Act - declaration of systems of national significance.

(b)    amend the proposed regime requiring the mandatory reporting of a cyber security incident by an entity to a relevant Commonwealth body to allow for the written report to be made within 84 hours (instead of 48 hours) of an oral report being made, and to empower a relevant Commonwealth body to exempt an entity from the requirement to provide a written report;

(c)    require the Secretary to give a written report to the PJCIS about a cyber security incident in relation to which directions or requests in relation government assistance measures are given or made under sections 35AK, 35AQ or 35AX . The report must describe each of the directions or requests made in relation to the incident;

(d)    allow the PJCIS to conduct a review of the operation, effectiveness and implications of the security of critical infrastructure legislative framework in the Act, to begin not more than three years from when the Bill receives Royal Assent.

(e)    require any draft rules relating to the mandatory reporting obligations be provided directly to any entities which would reasonably be impacted by the draft rules and include an obligation that the Minister must formally respond to any submissions made by responsible entities;

(f)     insert a definition of significant impact ;

(g)    in relation to a Ministerial authorisation under new section 35AD, if consultation is required, to inform relevant entities in writing and invite the entities to make a submission within 24 hours after receiving the draft authorisation;

(h)    include an example of where a person is not entitled to cause access, modification or impairment of computer data or a computer program, being that if a person (including employees or agents of a responsible entity) exceeds their authority, then this will amount to such unauthorised access, modification or impairment for the purpose of the Act.

Human rights implications

 

The human rights impacts of the Bill were outlined in the Statement of Compatibility with Human Rights that accompanied the Bill as introduced on 10 December 2020. As such, this Statement of Compatibility only addresses specific Government amendments to the Bill. The limited scope of those amendments do not engage any of the applicable rights or freedoms. 

 

Conclusion

The amendments are compatible with human rights as they do not raise any human rights issues.