Security Legislation Amendment (Critical Infrastructure) Bill 2020


2019-2020

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

Security Legislation Amendment

(Critical Infrastructure) Bill 2020

EXPLANATORY MEMORANDUM

(Circulated by authority of the Minister for Home Affairs, the Honourable Peter Dutton MP)



Security Legislation Amendment (Critical Infrastructure) Bill 2020

OUTLINE

1. The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia’s critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver. 

2. Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption and result in cascading consequences across our economy, security and sovereignty.

3. Threats ranging from natural hazards (including weather events) to human induced threats (including interference, cyber attacks, espionage, chemical or oil spills, and trusted insiders) all have the potential to significantly disrupt critical infrastructure. Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, and the impacts of COVID-19 illustrate that threats to the operation of Australia’s critical infrastructure assets continue to be significant. Further, the interconnected nature of our critical infrastructure means that compromise of one essential function can have a domino effect that degrades or disrupts others. 

4. The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty, as well as the Australian way of life, causing: 

· shortages or destruction of essential medical supplies;

· instability in the supply of food and groceries;

· impacts to water supply and sanitation;

· impacts to telecommunications networks that are dependent on electricity;

· the inability of Australians to communicate easily with family and loved ones;

· disruptions to transport, traffic management systems and fuel;

· reduced services or shutdown of the banking, finance and retail sectors; and

· the inability for businesses and governments to function.

5. While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune:

· over the last two years, we have seen several cyber attacks in Australia that have targeted the Federal Parliamentary Network;

· malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber attacks on health organisations and medical research facilities; and

· key supply chain businesses transporting groceries and medical supplies have also been targeted.

6. Accordingly, Government will introduce an enhanced regulatory framework, building on existing requirements under the SOCI Act. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 gives effect to this framework by introducing:

· additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements, and mandatory cyber incident reporting;

· enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance; and

· government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact on Australia’s critical infrastructure assets.

7. These changes will be underpinned by enhancements to Government’s existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy. This will include a range of activities that will improve our collective understanding of risk within and across sectors.

8. The enhanced framework will uplift security and resilience in all critical infrastructure sectors. When combined with better identification and sharing of threats, this framework will ensure that Australia’s critical infrastructure assets are more resilient and secure. Government will work in partnership with responsible entities of critical infrastructure assets to ensure the new requirements build on and do not duplicate existing regulatory frameworks. 

9. This framework will apply to owners and operators of critical infrastructure regardless of ownership arrangements. This creates an even playing field for owners and operators of critical infrastructure and maintains Australia’s existing open investment settings, ensuring that businesses who apply security measures are not at a commercial disadvantage. 

10. The Australian Government’s Critical Infrastructure Resilience Strategy currently defines critical infrastructure as:

‘those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.’

11. In the context of this, the SOCI Act currently places regulatory obligations on specific entities in the electricity, gas, water and maritime ports sectors. However, as the security landscape evolves, so must our approach to managing risk across all critical infrastructure sectors. 

12. As such, the amendments in this Bill will enhance the obligations in the SOCI Act, and expand its coverage to the following sectors: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage.  

The reforms

13. The Commonwealth needs to establish a clear, effective, consistent and proportionate approach to ensuring the resilience of Australia’s critical infrastructure. The amendments to the SOCI Act will drive the uplift of the security and resilience of Australia’s critical infrastructure. 

14. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) will introduce an all-hazards positive security obligation for a range of critical infrastructure assets across critical sectors. This ensures industry is taking the appropriate steps to manage the security and resilience of their assets. The obligations to be included in the Act in relation to a critical infrastructure risk management program will be supported by specific requirements which will be prescribed in rules, which will be co-designed between industry and government.  

15. The Bill also recognises those assets that are the most critical to the security, economy and sovereignty of Australia.  These ‘systems of national significance’ will bear additional cyber obligations recognising the cyber threat environment we currently face.

16. Finally, while these measures are designed to ensure we do not suffer a catastrophic cyber attack, the Bill will ensure Government has the necessary powers to provide direct assistance to industry in the event of a serious cyber security incident.

Positive Security Obligations 

17. The additional positive security obligations will build on the existing obligations in the SOCI Act to embed preparation, prevention and mitigation activities into the business as usual operating of critical infrastructure assets, ensuring that the resilience of essential services is strengthened. It will also provide greater situational awareness of threats to critical infrastructure assets.

18. The positive security obligations involve three aspects:

· adopting and maintaining an all-hazards critical infrastructure risk management program;

· mandatory reporting of serious cyber security incidents to the Australian Signals Directorate (ACSC); and

· where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.

19. Importantly, each aspect of the positive security obligations will only apply once a rule is made in relation to that aspect for a critical infrastructure asset or class of critical infrastructure assets. The rules will prescribe which aspects are ‘switched on’ for a critical infrastructure asset or class of critical infrastructure assets. 

20. The critical infrastructure risk management program will require responsible entities of specified critical infrastructure assets to manage and mitigate risks. Responsible entities of critical infrastructure assets will be required to take an all-hazards approach when identifying and understanding those risks - both natural and human induced hazards. 

21. Responsible entities of specified critical infrastructure assets will be required to report cyber security incidents to the relevant Commonwealth body. Collecting this information will support the development of an aggregated threat picture to inform both proactive and reactive cyber response options, from providing immediate assistance to working with industry to uplift broader security standards.

22. Part 2 of the current SOCI Act requires assets covered by the Act to provide ownership and operational information to the Secretary of Home Affairs for the Register of Critical Infrastructure Assets (the Register). The Bill will extend this requirement to the expanded class of critical infrastructure assets where appropriate to develop and maintain a comprehensive picture of national security risks, and apply mitigations where necessary.

Enhanced Cyber Security Obligations for systems of national significance

23. The Enhanced Cyber Security Obligations in the Bill will support a bespoke, outcomes-focused partnership between Government and Australia’s ‘systems of national significance.’ These are a significantly smaller subset of critical infrastructure assets that are crucial to the nation, by virtue of their interdependencies across sectors and consequences of cascading disruption to other critical infrastructure assets and sectors. 

24. Under the Enhanced Cyber Security Obligations, the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more prescribed cyber security activities. These include the development of cyber security incident response plans, cyber security exercises to build cyber preparedness, vulnerability assessments to identify vulnerabilities for remediation, and the provision of system information to build Australia’s situational awareness.

25. The Enhanced Cyber Security Obligations will support the sharing of near-real time threat information to provide industry with a more mature understanding of emerging cyber security threats, and the capability to reduce the risks of a significant cyber attack against Australia’s most critical assets.

Government Assistance

26. This Bill introduces a Government Assistance regime to respond to serious cyber security incidents that applies to all critical infrastructure sector assets. Government recognises that industry should and in most cases, will respond to the vast majority of cyber security incidents, with the support of Government where necessary. However, Government maintains ultimate responsibility for protecting Australia’s national interests. As a last resort, the Bill provides for Government assistance to protect assets immediately prior, during or following a significant cyber attack.  

27. Detailed notes on the clauses of the Bill are included at Attachment A.

FINANCIAL IMPACT STATEMENT

28. A detailed Regulation Impact Statement to assess the high level regulatory impact to industry of uplifting the security and resilience of Australia’s critical infrastructure assets is at Attachment B.

Sector specific rules are expected to be developed in early 2021 through a co-design process with industry. These rules will inform a more detailed regulation impact statement which will provide clarity around the costs and benefits for each sector of the specific obligations contained in Part 2A of the Bill (Critical Infrastructure Risk Management Programs).

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

29. A Statement of Compatibility with Human Rights has been completed in relation to the Bill. It has been assessed that the amendments are compatible with Australia’s human rights obligations. A copy of the Statement of Compatibility with Human Rights is at Attachment C.

COMMON ABBREVIATIONS AND ACRONYMS

Abbreviation or acronym: Meaning

AAT: Administrative Appeals Tribunal
Acts Interpretation Act: Acts Interpretation Act 1901
ACMA: Australian Media and Communications Authority
ADJR Act: Administrative Decisions (Judicial Review) Act 1977
AEMO: Australian Energy Market Operator
APRA: Australian Prudential Regulation Authority
ASA: Australian Shareholders’ Association
ASD: Australian Signals Directorate
ASIC: Australian Securities and Investments Commission
ASIO: Australian Security Intelligence Organisation
ASIO Act: Australian Security Intelligence Organisation Act 1979
ATSA: Aviation Transport Security Act 2004
AusCheck Act: AusCheck Act 2007
Corporations Act: Corporations Act 2001
Courts Act: Federal Court and Family Court of Australia Act 2020
Criminal Code: Criminal Code Act 1995
DISP: Defence Industry Security Program
Department: Department of Home Affairs
FATA: Foreign Acquisitions and Takeovers Act 1975
FIRB: Foreign Investment Review Board
IGIS: Inspector General of Intelligence and Security
Intelligence Services Act: Intelligence Services Act 2001
Legislation Act: Legislation Act 2003
MTOFSA: Maritime Transport and Offshore Facilities Security Act 2003
MW: Megawatts
NEM: National Energy Market
NSI Act: National Security Information (Criminal and Civil Proceedings) Act 2004
Privacy Act: Privacy Act 1988
PSPF: Protective Security Policy Framework
RBA: Reserve Bank of Australia
Regulatory Powers Act: Regulatory Powers (Standard Provisions) Act 2014
Secretary: Secretary of the Department of Home Affairs
SOCI Act: Security of Critical Infrastructure Act 2018
SCADA: Supervisory Control and Data Acquisition
Telecommunications Act: Telecommunications Act 1997
TEQSA: Tertiary Education Quality and Standards Agency
TIA Act: Telecommunications (Interception and Access) Act 1979
TSSR: Telecommunications sector security reforms contained in the Telecommunications and Other Legislation Amendment Act 2017


Attachment A

Security Legislation Amendment (Critical Infrastructure) Bill 2020

NOTES ON CLAUSES

Section 1                  Short title

1.       Section 1 of the Bill provides that the short title of the Act is the Security Legislation Amendment (Critical Infrastructure) Act 2020.

Section 2                  Commencement

2.       Section 2 of the Bill sets out the times at which the Act commences once passed by the Parliament.

3.       Subsection (1) provides that each provision of the Bill specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. The table provides that:

· sections 1 to 3 of the Bill and anything not otherwise covered by the table commence the day the Act receives the Royal Assent (item 1)

· Parts 1 and 2 of Schedule 1 to the Bill commence on a single day to be fixed by Proclamation. If a Proclamation is not made within 6 months beginning on the day that the Bill receives the Royal Assent, these provisions will commence the next day (item 2)

· Part 3 of Schedule 1 to the Bill commences the later of immediately after table item 2, and the commencement of the Federal Court and Family Court of Australia Act 2020 (the Courts Act) (item 3). This item also provides that, if the Courts Act never commences, then the amendments in Part 3 of Schedule 1 never occur

· Part 4 of Schedule 1 to the Bill commences the later of immediately after table item 2 and the commencement of the National Emergency Declaration Act 2020 (the NED Act) (item 4). This item also provides that, if the NED Act never commences, then the amendments in Part 4 of Schedule 1 never occur, and

· Schedule 2 to the Bill commences the day after the Bill receives the Royal Assent (item 5).

4.       A note explains that this table relates only to the provisions of this Bill as originally enacted. It will not be amended to deal with any later amendments.

5.       A fixed date, set by Proclamation or falling 6 months after Royal Assent, will allow Government to provide certainty to industry and investors on the scope and application of the obligations under the Act. It will also allow industry and investors to become familiar with the obligations in the Act, and understand how these obligations may apply to their assets prior to commencement.

6.       Subsection (2) provides that any information in column 3 of the table is not part of the Bill. Information may be inserted in this column, or information in it may be edited, in any published version of this Bill.

Section 3                  Schedules

7.       Section 3 of the Bill provides that legislation that is specified in a Schedule to the Bill is amended or repealed as set out in the applicable items in the Schedule concerned. In addition, this clause provides that any other item in a Schedule to this Act has effect according to its terms.

8.       There are two Schedules to the Bill. Part 1 of Schedule 1 to the Bill will make amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) to:

· insert new Part 2A, which provides that specified critical infrastructure assets must adopt and maintain a critical infrastructure risk management program

· insert new Part 2B, which will require that specified critical infrastructure assets are required to report cyber security incidents

· insert new Part 2C, to provide for a number of enhanced cyber security obligations that may be applied in relation to systems of national significance

· insert new Part 3A, which outlines a number of government assistance measures that may be exercised in the most serious and significant of cyber security incidents

· insert new Part 6A, to confer a power on the Minister to make a private declaration that an asset is a system of national significance

· include additional measures concerning annual reporting, disclosure and use of protected information etc., and

· outline relevant definitions that are required to support these amendments.

9.       Part 1 of Schedule 1 also makes amendments to the Administrative Decisions (Judicial Review) Act 1977 (the ADJR Act) to exclude certain decisions made under the SOCI Act from judicial review under that Act, and to the AusCheck Act 2007 (the AusCheck Act) to provide that the AusCheck scheme established under section 8 of that Act can apply if triggered by a legislative instrument made by the Minister under new subsection 30AH(2) of the SOCI Act.

10.   Parts 2 and 3 of Schedule 1 to the Bill provide for the application of amendments in Part 1 of Schedule 1, and for the making of contingent amendments related to the proposed amalgamation of the Federal Circuit Court and Family Court of Australia. 

11.   Schedule 2 to the Bill will amend the Criminal Code to provide for an immunity to apply in relation to the Australian Signals Directorate (ASD) for conduct occurring, or reasonably believed to occur, outside of Australia. 

Schedule 1—Security of critical infrastructure

Part 1—General amendments

Administrative Decisions (Judicial Review) Act 1977

Item 1                      Before paragraph (da) of Schedule 1

12.   Item 1 of Schedule 1 to the Bill inserts new paragraph (dae) into Schedule 1 to the ADJR Act, to provide that any decision made under new Part 3A of the SOCI Act is not a ‘decision to which this Act applies’. This means that a decision made under new Part 3A in response to a ‘serious cyber security incident’ is not subject to judicial review under the ADJR Act (see further explanation regarding new Part 3A below).

13.   The Administrative Review Council (ARC), in their 2012 report Federal Judicial Review in Australia, identified a number of reasons that may justify an exemption from review under the ADJR Act. National security considerations were one such reason identified by the ARC as justifying excluding ADJR Act review, particularly where sensitive information is involved which may be publicly disseminated through judicial proceedings.

14.   When making a decision under new Part 3A of the SOCI Act, the Minister must be satisfied that there is a material risk that a ‘cyber security incident’ (as defined by new section 12M, see item 7 of Schedule 1 below) has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice, the social or economic stability of Australia or its people, the defence of Australia or national security. Decisions of this nature are likely to be based on sensitive and classified information and deal with the capabilities of intelligence agencies as well as security vulnerabilities. This could include intelligence information and covert investigation methods and procedures, the disclosure of which may impact ongoing investigations, compromise intelligence methodologies or otherwise damage Australia’s national security and defence. The same applies equally to decisions of the Secretary and the authorised agency under new Part 3A who operationalise the Ministerial authorisations.

15.   For this reason, it is reasonable to exempt decisions made under new Part 3A of the SOCI Act from review under the ADJR Act as the public dissemination of the sensitive information and capabilities that may be used to make decisions under new Part 3A would pose a risk to national security and the defence of Australia.


16.   Similar to decisions made under the Foreign Acquisitions and Takeovers Act 1975, which are exempt from review under the ADJR Act (see paragraph (h) of Schedule 1 to that Act), decisions made under Part 3A are also likely to deal with classified and commercially confidential material that is relevant to the operation of assets critical to Australia’s economy. This further supports the need for the exemption noting the potential impact to the economy if the confidentiality of this information was compromised.

17.   Owners and operators of critical infrastructure assets may be reluctant or unwilling to disclose such information to government for the purpose of Part 3A, despite the penalties that such non-compliance could attract, if there is potential for this information to be disclosed publicly in court proceedings under the ADJR Act. This could delay or seriously inhibit the Minister, Secretary or authorised agency from making decisions under new Part 3A to protect assets critical to the Australian economy from imminent or realised threats.

18.   Furthermore, Part 3A is designed to be used in emergency circumstances where it is necessary for the Government to respond rapidly to the most serious cyber security incidents that are affecting critical infrastructure assets. Any unnecessary delays in the use of these mechanisms may prejudice the national interest noting the complex nature of such serious cyber security incidents, and the importance of critical infrastructure assets to Australia’s social and economic stability, defence and national security. An exemption from review under the ADJR Act ensures the mechanisms in new Part 3A can be deployed as required and without delay.


19.   Whilst decisions under new Part 3A will be exempt from review under the ADJR Act, there are certain safeguards and limitations included in the Bill to ensure that any decisions made under the Part are appropriate. In particular, the Minister can only make an authorisation for the exercise of powers where the Minister is satisfied that: 

· a cyber security incident has occurred, is occurring or is imminent (paragraph 35AB(1)(a))

· the incident has had, is having, or is likely to have, a ‘relevant impact’ (as defined in new section 8G) on a critical infrastructure asset (paragraph 35AB(1)(b))

· there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice the social or economic stability of Australia or its people, defence or national security (paragraph 35AB(1)(c)), and

· no other regulatory system could be used to provide a practical and effective response to the incident (paragraph 35AB(1)(d)).

20.   Further, consultation requirements are built into each stage of the regime to ensure any concerns of the entity are considered, and that any decisions are informed.


21.   Importantly, the Inspector-General of Intelligence and Security will oversee the activities of the authorised agency under the Part. The Commonwealth Ombudsman also maintains jurisdiction in relation to any of the Secretary’s activities under new Part 3A.

22.   It is noted that the amendment does not have the effect of entirely excluding judicial review of decisions under Part 3A of the SOCI Act. A person who is the subject of a decision under Part 3A is still entitled to seek judicial review under section 39B of the Judiciary Act 1903 or subsection 75(v) of the Constitution.  

AusCheck Act 2007

Item 2                      Subsection 4(1)

23.   Item 2 to Schedule 1 to the Bill inserts a definition of ‘critical infrastructure risk management program’ into subsection 4(1) of the AusCheck Act, which refers to the meaning given by the SOCI Act (in new section 30AH, see further at item 39 of Schedule 1 to the Bill). 

Item 3                      After paragraph 8(1)(b)

24.   Section 8 of the AusCheck Act provides that regulations may provide for the establishment of the AusCheck scheme, which relates to the conduct and coordination of background checks if conditions outlined in paragraphs 8(1)(a), (b), (c) or (d) are met. Item 3 of Schedule 1 to the Bill inserts new paragraph 8(1)(ba) into the AusCheck Act, to provide that the AusCheck scheme may also be established if critical infrastructure risk management programs are required, by rules made under the SOCI Act, to include provisions that require background checks of individuals to be conducted under the AusCheck scheme.

25.   The AusCheck scheme is currently established in relation to Aviation and Maritime Security Identification Cards, security sensitive biological agents and major national events. The elements of a background check that may be enabled under the AusCheck scheme include an identity check, a criminal history check, an immigration status check, and a security assessment conducted by the Australian Security Intelligence Organisation (ASIO) under Part IV of the Australian Security Intelligence Organisation Act 1979.

26.   This amendment to the AusCheck Act will enable background checks, should they be required as part of a critical infrastructure risk management program under new Part 2A of the SOCI Act, to be used as a measure to mitigate against the threat that trusted insiders may pose to critical infrastructure assets. New section 30AL provides the consultation requirements for the making of rules in relation to requirements for a critical infrastructure risk management program.

Security of Critical Infrastructure Act 2018

Item 4                      Section 3

27.   Item 4 of Schedule 1 to the Bill amends the objects provision of the SOCI Act (section 3), to omit the words ‘to national security’.

28.   This amendment reflects the additional and broader purpose of the SOCI Act (as a result of amendments in this Bill) which is to manage the threats posed by, and the impacts of, a variety of hazards including those that are human induced and naturally occurring in relation to critical infrastructure assets and systems of national significance.

Item 5                      At the end of section 3

29.   Section 3 of the SOCI Act currently outlines the original intent of the SOCI Act which was to provide a regulatory framework to manage risks to national security relating to Australia’s critical infrastructure. The national security risks of particular focus were sabotage, espionage and coercion.

30.   As a result of the evolved security environment, amendments are required to the SOCI Act, and in turn, the intent and purpose of the SOCI Act has been augmented to reflect these amendments.

31.   Item 5 of Schedule 1 to the Bill inserts paragraphs (c), (d) and (e) into section 3 of the SOCI Act, which describe how the purpose of the SOCI Act is carried out. Paragraph (c) provides that the object of the SOCI Act is carried out by requiring responsible entities for critical infrastructure assets to identify and manage risks relating to those entities. These ‘positive security obligations’ will involve adopting and maintaining a ‘critical infrastructure risk management program’ under new Part 2A of the SOCI Act, reporting cyber security incidents under new Part 2B and the existing register obligations under Part 2 of the Act.

32.   Paragraph (d) provides that the object of the SOCI Act is carried out by imposing enhanced cyber security obligations on relevant entities for systems of national significance in order to improve their preparedness for, and ability to respond to, cyber security incidents, which is a reference to new Part 2C of the SOCI Act.

33.   Finally, paragraph (e) provides that the object of the SOCI Act is carried out by providing a regime for the Commonwealth to respond to serious cyber security incidents, which is a reference to new Part 3A of the SOCI Act. 

Item 6                      Section 4

34.   Item 6 repeals and substitutes section 4 of the SOCI Act, which contains the simplified outline of the Act which is designed to assist the reader of the legislation in understanding the structure and content of the SOCI Act. 

Section 4             Simplified outline of this Act

35.   New section 4 of the SOCI Act outlines that the Act, as amended by the Bill, creates a framework for managing risks relating to critical infrastructure, based on elements including:

· a private register of information in relation to assets that are critical infrastructure assets

· requiring a responsible entity for an asset to have and comply with a critical infrastructure risk management program, and to notify Government about cyber security incidents

· imposing enhanced cyber security obligations that relate to systems of national significance

· requiring certain entities relating to a critical infrastructure asset to provide information in relation to an asset and to notify of certain events

· allowing the Minister to require an entity to do or refrain from doing certain things if the Minister is satisfied that there is a risk that the act or omission would be prejudicial to security

· allowing the Secretary to require certain entities to provide certain information or documents

· setting up a regime for the Commonwealth to respond to serious cyber security incidents, and

· allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.

36.   The third paragraph notes that certain information in relation to this Act is protected information and that the use and disclosure of this information is restricted.

37.   The fourth paragraph notes that the civil penalty provisions in this Act may be enforced using civil penalty orders, injunctions or infringement notices, and enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. It also notes that the Regulatory Powers Act is applied for these purposes. The paragraph also notes that some provisions of the Act are subject to monitoring and investigation under the Regulatory Powers Act and that certain provisions of the Act can be enforced by criminal proceedings.

38.   The fifth paragraph notes that the Minister may privately declare an asset to be a critical infrastructure asset. The sixth paragraph notes that the Minister may also privately declare an asset to be a system of national significance. The final paragraph notes that the Secretary must give the Minister reports on the operation of the Act that are to be presented to Parliament.

Item 7                      Section 5

39.   Item 7 of Schedule 1 to the Bill provides a number of definitions for terms that facilitate the amendments to the SOCI Act being made by the Bill. A number of terms are defined by reference to other acts, for example the term aircraft operator has the same meaning as it does in the Aviation Transport Security Act 2004 (ATSA). For terms defined in this manner it is intended that the term in the SOCI Act has the meaning as it appears in the Acts referred to from time to time.

40.   In this explanatory memorandum those terms have been described according to how they are defined in the respective acts at the time of the introduction of the Bill.

access

41.   In relation to a computer program, means the execution of the computer program. The purpose of this definition is to differentiate between instances in the Bill where access has its ordinary meaning, and instances where its use relates to accessing a computer program that is installed on a computer.

access to computer data

42.   This definition has been separated into three paragraphs reflecting the different methods data may be regarded as being accessed depending on how it is held. Paragraph (a) provides that access to computer data means, in a case where the computer data is held in a computer, the display of the data by the computer or any other output of the data from the computer.

43.   Paragraph (b) defines access to computer data to also mean, in the case where the computer data is held in a computer, the copying or moving of the data to any other location in the computer, another computer or a data storage device. Paragraph (c) also defines access to computer data as meaning, in the case where the computer data is held in a storage device, the copying or moving of the data to a computer or to another data storage device.

aircraft operator

44.   This term has the same meaning as in the ATSA. At the time of the introduction of the Bill section 9 of the ATSA provides that aircraft operator means a person who conducts, or offers to conduct, an air service. This term is used in the definition of ‘critical aviation asset’. At the time of the introduction of the Bill, in the ATSA, air service means a service of providing air transportation of people or goods, or both people and goods. 

airport

45.   Has the same meaning as in the ATSA. At the time of the introduction of the Bill subsection 28(1) of the ATSA provides that an ‘airport’ is an area of land or water (including any buildings, installations or equipment situated in the area) intended for use either wholly or partly in connection with the arrival, departure or movement of aircraft. It also includes any area that is controlled by the airport operator that is contiguous with such an area of land or water. This term is used in the definition of ‘critical aviation asset’.

airport operator

46.   Has the same meaning as in the ATSA. At the time of the introduction of the Bill section 9 of the ATSA provides that ‘airport operator’ means the operator of an airport. This term is used in the definition of ‘critical aviation asset’.

air service

47.   Has the same meaning as in the ATSA. At the time of the introduction of the Bill section 9 of the ATSA provides that ‘air service’ means a service of providing air transportation of people or goods, or both people and goods. This term is used in the definition of ‘critical aviation asset’.

approved staff member of the authorised agency

48.   This term has the meaning given in new section 35BJ of the SOCI Act.

ASD

49.   Means the Australian Signals Directorate.

asset

50.   The definition of ‘asset’ is non-exhaustive and is intended to clarify the types of physical and electronic things that can be considered to be an ‘asset’. This is particularly relevant for the definition of ‘critical infrastructure asset’ at section 9 of the SOCI Act (see items 22-29 of Schedule 1 to the Bill, below). The term ‘asset’ is also used in the definition of ‘critical infrastructure sector asset’ at new section 8E of the Bill.

51.   The use of ‘asset’, including in the definition of ‘critical infrastructure asset’ and ‘critical infrastructure sector asset’, may refer to individual components of infrastructure or a collection of components of infrastructure, which while individually could be regarded as assets, as a collection interact to provide, or support the provision of, a service or thing.

associated entity

52.   This term has the same meaning as in the Corporations Act. At the time of introduction of the Bill, section 50AAA of that Act provides that an entity is an ‘associated entity’ of another entity (the principal) if any of the criteria listed in subsections 50AAA(2)-(7) are satisfied. Some examples of the criteria are that:

·          the associate and the principal are related bodies corporate

·          the principal controls the associate, or

·          the associate controls the principal and the operations, resources and affairs of the principal are material to the associate.

associated transmission facility

53.   The definition captures those pieces of equipment or other things that are required to operate a radio communications transmitter. ‘Associated transmission facilities’ form part of a ‘broadcasting transmission asset’ which is used in the definition of ‘critical broadcasting asset’ at new section 12E of the Bill.

AusCheck scheme

54.   Has the same meaning as in the AusCheck Act. At the time of the introduction of the Bill, section 8 of the AusCheck Act states that regulations may provide for the establishment of an AusCheck scheme which relates to the conduct and coordination of background checks.

Australia

55.   When used in a geographical sense, includes the external Territories.

Australian CS facility licence

56.   Has the same meaning as in Chapter 7 of the Corporations Act 2001 (the Corporations Act), which at the time of the introduction of the Bill means a licence under section 824B of that Act which authorises a person to operate a clearing and settlement facility. This term is used in the definition of ‘critical financial market infrastructure asset’ at section 12 of the Bill.

Australian derivative trade repository licence

57.   Has the same meaning as in Chapter 7 of the Corporations Act. This term is relied upon for the meaning of ‘critical financial market infrastructure asset’ at section 12D of the Bill.

Australian market licence

58.   Has the same meaning as in Chapter 7 of the Corporations Act, which at the time of the introduction of the Bill is defined as being a licence applied for under section 795B of that Act. This term is relied upon in the definition of ‘critical financial market infrastructure asset’ at section 12D of the Bill.

authorised agency

59.   Authorised agency means ASD. This term is particularly relevant to new Division 5 of Part 3A of the Bill—the serious cyber incident response powers which are part of the government assistance measures.

authorised deposit-taking institution

60.   Has the same meaning as in the Banking Act 1959 (the Banking Act), which at the time of introduction of the Bill means a body corporate in relation to which an authority under subsection 9(3) of that Act is in force. This term is relied upon in the definition of ‘critical banking asset’ at section 12G of the Bill.

background check

61.   Has the same meaning as in the AusCheck Act. Section 5 of the AusCheck Act, at the time of introduction of the Bill, provides that a background check in relation to an individual is an assessment of information relating to one or more of the following:

·          the individual’s criminal history

·          in certain circumstances, whether the individual has been charged with a serious offence or whether a charge for a serious offence has been resolved in relation to the individual

·          matters relevant to a security assessment of the individual as defined in the ASIO Act

·          the individual’s citizenship status, residency status or the individual’s right to work in Australia, including whether the person is an Australian citizen, a permanent resident or an unlawful non-citizen, and

·          the identity of the individual.

banking business

62.   Has the same meaning as in the Banking Act. At the time of introduction of the Bill the term is defined as:

·          a business that consists of banking within the meaning of paragraph 51(xiii) of the Constitution, or

·          a business that is carried on by a corporation to which paragraph 51(xx) of the Constitution applies and that consists of both taking money on deposit (otherwise than as a part payment for goods or services) and making advances of money, or other financial activities prescribed by regulations made under the Banking Act for the purposes of the definition.

63.   This term is relied upon in the definition of ‘critical banking asset’ in section 12G of the Bill.

benchmark administrator licence

64.   Has the same meaning as in the Corporations Act. At the time of introduction of the Bill a ‘benchmark administrator licence’ is defined as a licence granted under section 908BC of the Corporations Act. This term is relied upon in the definition of ‘critical financial market infrastructure asset’ in section 12D of the Bill.

broadcasting re-transmission asset

65.   This term means a radiocommunications transmitter, a broadcasting transmission tower, or an associated transmission facility (as these terms are defined respectively in the SOCI Act), that is used in connection with the transmission of a service to which, as a result of section 212 of the Broadcasting Services Act 1992 (the Broadcasting Services Act), the regulatory regime established by that Act does not apply.

broadcasting service

66.   Has the same meaning as in the Broadcasting Services Act, which at the time of introduction of the Bill means a service that delivers television programs or radio programs to persons having equipment appropriate for receiving that service, whether the delivery uses the radiofrequency spectrum, cable, optical fibre, satellite or any other means or a combination of those means, but does not include:

·          a service (including a teletext service) that provides no more than data, or no more than text (with or without associated still images); or

·          a service that makes programs available on demand on a point-to-point basis, including a dial-up service; or

·          a service, or a class of services, that the Minister determines, under subsection (2) of that Act, not to fall within this definition.

67.   ‘Broadcasting service’ is used in the context of defining the ‘communications sector’.

broadcasting transmission asset

68.   The definition identifies the individual assets or components (paragraphs (a)-(c)) that are used, or capable of being used, for the transmission of a national broadcasting service, a commercial radio broadcasting service or a commercial television broadcasting service.

broadcasting transmission tower

69.   The term has the same meaning as in the Broadcasting Services Act. At the time of the introduction of the Bill, item 2 of Schedule 4 to that Act defines a ‘broadcasting transmission tower’ as being a tower, pole, mast or a similar structure that is used to supply:

·          a broadcasting service by means of radiocommunications using the broadcasting services bands, or

·          a datacasting service provided under, and in accordance with the conditions of, a datacasting licence.

business critical data

70.   The definition of ‘business critical data’ outlines the categories of data that are of most significance to the operation and security of ‘critical infrastructure assets’, or otherwise represent a potential security vulnerability. This includes bulk holdings of personal information, within the meaning of the Privacy Act 1988 (the Privacy Act) (paragraph (a)), including sensitive data. This definition largely aligns with the existing reporting requirements for data arrangements under section 5 of the current Security of Critical Infrastructure Rules 2018 (the SOCI Rules) and paragraph 7(1)(f) of the SOCI Act.

71.   The purpose of this term is to limit the application of new subsection 12F(2) of the SOCI Act so that ‘critical data storage or processing assets’ are those assets owned or operated by a ‘data storage or processing provider’, and used to store or process ‘business critical data’ that relates to another asset captured as a ‘critical infrastructure asset’.

carriage service

72.   Has the same meaning as in the Telecommunications Act 1997 (the Telecommunications Act), which at the time of introduction of the Bill means a service for carrying communications by means of guided and/or unguided electromagnetic energy. This term is used in the definition of ‘critical telecommunications asset’, and in the definition of the ‘communications sector’.

carriage service provider

73.   Has the same meaning as in section 87 of the Telecommunications Act. The term is used in the definition of ‘critical telecommunications asset’.

carrier

74.   Has the same meaning as in the Telecommunications Act, which at the time of introduction of the Bill means the holder of a carrier licence. Carrier licence is defined at section 56 of the Telecommunications Act. This term is used in the definition of ‘critical telecommunications asset’.

chief executive of the authorised agency

75.   Means the Director-General of the Australian Signals Directorate.

clearing and settlement facility

76.   Has the same meaning as in Chapter 7 of the Corporations Act. At the time of introduction of the Bill section 768A of the Corporations Act defined the term as meaning a facility that provides a regular mechanism for the parties to transactions relating to financial products to meet obligations to each other that arise from entering into the transactions and are of a kind prescribed by regulations made under the Corporations Act for the purposes of that paragraph (paragraph 768A(1)(b) of the Corporations Act).

77.   This term is relied upon for the meaning of ‘critical financial market infrastructure asset’ at new section 12D of the SOCI Act, and is used in the definition of ‘financial services and markets sector’.

commercial radio broadcasting service

78.   Has the same meaning as in the Broadcasting Services Act. At the time of introduction of the Bill the term was defined as meaning a commercial broadcasting service that provides radio programs.

commercial television broadcasting service

79.   Has the same meaning as in the Broadcasting Services Act, which at the time of introduction of the Bill means a commercial broadcasting service that provides television programs.

communications sector

80.   Means the sector of the Australian economy that involves supplying a carriage service, providing a broadcasting service, owning or operating assets that are used in connection with the supply of a carriage service, owning or operating assets that are used in connection with the transmission of a broadcasting service, or administering an Australian domain name system.

81.   The communications sector is a critical enabler of economic and social activity. Communications have always been necessary to ‘doing business’ and the functioning of society. Many industries rely heavily on the sector and would see the ongoing and safe operation of their industry significantly compromised without it. The Internet enables Australians to communicate (for example, via over-the-top communications providers) and access essential services (for example, Telehealth services, which proved critical during the COVID-19 pandemic), and has enabled industry to access and compete in overseas markets.

82.   As noted by the Australian Competition & Consumer Commission in its Final report on the Communications Sector Market Study released in April 2018, the communications sector is subject to rapid changes in technology, product innovation and consumer preferences as well as major structural changes. For example, the greater availability of high-speed broadband and changing business models within the communications sector have resulted in broadcasters and carriers alike looking to cross-platform delivery as a business necessity. As such, the definition is intended to be flexible so that it continues to be relevant as the sector evolves.

83.   An ‘Australian domain name system’ means any country code Top Level Domain managed within Australia and its external territories (such as Norfolk Island) and generic Top Level Domains.

computer

84.   The meaning of ‘computer’ is intended to capture all or parts of an individual computer, a collection of computers that form a network or system, or any combination of these. A ‘computer’ has the capability to store or process data, or be used to monitor, control or do anything else that is connected to the functioning of an asset. For example, a Supervisory Control and Data Acquisition (SCADA) system is considered to be a ‘computer’.

computer data

85.   Means any data held in a computer or a data storage device, irrespective of the form in which that data exists.

computer device

86.   Means a device connected to a computer. ‘Computer devices’ include any hardware that is designed, or has the capability, to be connected to and enable the use or functioning of a computer. Examples of things that are a ‘computer device’ are monitors, keyboards, computer storage devices and other devices that receive communications from the computer.

connected

87.   Means connection otherwise than by means of physical contact, for example, a connection by means of radiocommunication. 

constable

88.   Has the same meaning as in the Crimes Act 1914 (the Crimes Act), which at the time of introduction of the Bill means a member or special member of the Australian Federal Police or a member of the police force or police service of a State or Territory.

credit facility

89.   Has the meaning given by regulations made for the purposes of paragraph 12BAA(7)(k) of the Australian Securities and Investments Commission Act 2001.

credit facility business

90.   Means a business that offers, or provides services in relation to, a credit facility.

critical aviation asset

91.   A ‘critical aviation asset’ is defined as:

·          an asset that is used in connection with the provision of an air service and is owned or operated by an aircraft operator

·          an asset that is used in connection with the provision of an air service and is owned or operated by a regulated air cargo agent, or

·          an asset that is used by an airport operator in connection with the operation of an airport.

92.   The aviation industry provides the only rapid global network for the transportation of goods and people, making it essential for global business. The industry generates economic growth through the creation of jobs locally as well as the facilitation of international trade and tourism. The geographic expansiveness of Australia also makes it crucial to the domestic economy as well as supporting dispersed populations. The aviation industry is dependent on distributed architectures for delivery of efficient services, including distributed networks and interdependent physical and cyberspace functions, which presents complex security challenges. Breaches can have dire consequences, ranging from privacy breaches and the theft of trade secrets to risk to life.

93.   The aviation industry already has robust security frameworks in place, in the ATSA. Comprehensive reforms to this regime are anticipated to be progressed in 2021. This will ensure that key assets regulated by this regime would similarly implement the positive security obligations, including in relation to the significant threat posed by cyber and systems attacks. The Department will work closely with industry to coordinate the implementation of these reforms across the aviation industry. It is however crucial to ensure the sector is captured by the framework in the amended SOCI Act to ensure that further enhancements and protective measures are available.

94.   The note to the definition explains that under section 9 of the SOCI Act the rules may prescribe that a specified ‘critical aviation asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical banking asset

95.   This term is defined in new section 12G of the SOCI Act. The note to the definition explains that under section 9 of the SOCI Act the rules may prescribe that a specified ‘critical banking asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical broadcasting asset

96.   This term is defined in new section 12E of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical broadcasting asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical data storage or processing asset

97.   This term will be defined in new section 12F of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical data storage or processing asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical defence capability

98.   A critical defence capability is one which provides for the ability to shape Australia’s strategic environment, deter actions against Australia’s interests, and respond with credible military force when required to protect Australia’s national security and national interests. This is a non-exhaustive definition as what is a critical defence capability will shift in reflection of the changing risks to Australia’s national security and defence environment.

99.   The term ‘critical defence capability’ includes materiel, technology, a platform, a network, a system and a service, that is required in connection with either the defence of Australia or with national security. Broadly, this may include things that:

·          support operational requirements to respond to an existing and imminent threat;

·          provide support to, prepare for, and sustain additional government-directed operations;

·          maintain high-readiness contingency forces;

·          conduct government directed regional engagement;

·          maintain and sustain Defence capability for force generation, including training, medical, health and welfare; and

·          deliver business continuity for Defence and defence industry.

critical defence industry asset

100.           A ‘critical defence industry asset’ is an asset that is being, or will be, supplied by an entity to the Defence Department, or the Australian Defence Force, under a contract and consists of, or enables, a critical defence capability.

101.           The reference to ‘will be’ in the definition is intended to capture assets for which a contract is in place but supply has not yet commenced.

102.           The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical defence industry asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

103.           These assets are key enablers of Defence capability. They provide the ability to shape Australia’s strategic environment, deter actions against Australia’s interests, and respond with credible military force when required to protect Australia’s national security and national interests. This definition includes only those goods and services that are provided directly to Defence to meet a critical capability need, as well as critical components to those goods, technologies and services. This definition is intended to exclude those industry entities that could be considered key enablers of Defence capability but would be captured under other sectors in the Bill (e.g. electricity or water).

104.           The definition of critical defence industry asset is intended to be a sub-set of the ‘critical military-related goods, services and technologies’ identified in the context of the proposed reforms to the Foreign Acquisitions and Takeovers Regulations 2015; noting reforms to Australia’s foreign investment review framework are still subject to Parliamentary consideration.

105.           While assets that fall within this definition may be subject to each of the positive security obligations, it is proposed that the Department of Defence will continue to manage security practices through its pre-existing DISP framework.

critical domain name system

106.           This term is defined in new section 12KA of the SOCI Act.

critical education asset

107.           This term is defined as meaning a university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers. The National Register of Higher Education Providers is administered by the Tertiary Education Quality and Standards Agency (TEQSA) and is accessible on its website.

108.           Australian universities contribute strongly to Australia’s economy. For example, a 2018 report by London Economics found that Group of Eight universities, which comprise Australia’s leading research-intensive universities, contribute some $66.4 billion to the Australian economy each year. Universities are also responsible for a significant portion of critical research and innovation activities in Australia. Universities Australia estimates that Australian universities undertook 34 per cent of Australia’s total research and development, and more than 70 per cent of public sector research, in 2017-18. This research and innovation underpins a wide range of aspects of Australia’s society, economy and defence.

109.           Australian universities are likely to continue to be a key contributor to research and innovation activities as they are required to undertake research, and offer Masters and Doctoral research degrees, in at least three broad fields, as a condition of registration with the Tertiary Education Quality and Standards Agency. Accordingly, maintaining the security and stability of critical education assets is key to the continued prosperity in Australia.

110.           The definition of critical education asset refers to an institution that is owned or operated by an Australian university rather than to particular aspects of the institution that are owned or operated. This reflects the complex, interconnected and multi-functional nature of universities. However, should obligations under Part 2A of the Bill be applied to critical education assets, the Department will work closely with responsible entities to ensure that any requirements are reasonable and proportionate in relation to the various components of the institution, such as physical and electronic assets (campuses, research labs, and computing infrastructure and networks), while not unduly impacting non-critical aspects of a university such as recreational facilities.

111.           The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical education asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical energy market operator asset

112.           This term is defined as an asset that is owned or operated by Australian Energy Market Operator Limited (ACN 072010327), or Power and Water Corporation, or Regional Power Corporation, or Electricity Networks Corporation, that is:

·          used in connection with the operation of an energy market or system (paragraph (b)), and

·          critical to ensuring the security and reliability of an energy market (paragraph (c)).

113.           However, a ‘critical energy market operator asset’ does not include a ‘critical electricity asset’, a ‘critical gas asset’ or a ‘critical liquid fuel asset’ (see paragraphs (d), (e) and (f)).

114.           Energy market operators play a crucial role in ensuring the safe and reliable provision of energy which supports the broader functioning of society, the economy, national security and defence of Australia. A disruption to these critical assets could have significant and widespread impacts on communities, businesses and national security capabilities. Specifically, electricity and gas market operators play an essential role in ensuring electricity and gas systems operate safely and reliably, and allow for the trading of energy commodities that are ultimately sold to customers.

115.           In this context, an asset that is owned or operated by an energy market operator will be critical to ensuring the security and reliability of an energy market if the asset is essential to the market operator undertaking its statutory functions, for example managing market trading and ensuring the security and reliability of the physical infrastructure. Although Western Power’s primary function is as a transmission and distribution network operator, it has been included within the definition of a critical energy market operator as it undertakes market operator functions.

116.           The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical energy market operator asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical financial market infrastructure asset

117.           This term is defined in new section 12D of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical financial market infrastructure asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical food and grocery asset

118.           This term is defined in new section 12K of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical food and grocery asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical freight infrastructure asset

119.           This term is defined in new section 12B of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical freight infrastructure asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical freight services asset

120.           This term is defined in new section 12C of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical freight asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical hospital

121.           A ‘critical hospital’ means a hospital that has a general intensive care unit. These assets are critical because they can provide specialised treatment to patients who are acutely unwell and require critical care, and because they have the multi-disciplinary medical professionals and the necessary equipment to provide critical care for patients with a variety of medical, surgical and trauma conditions. These hospitals are therefore integral to the sustainment of life in Australia.

122.            The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical hospital’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical infrastructure risk management program

123.           This term is defined in new section 30AH of the SOCI Act. 

critical infrastructure sector

124.           This term is defined in new section 8D of the SOCI Act.   

critical infrastructure sector asset

125.           This term is defined in new subsection 8E(1) of the SOCI Act.

critical insurance asset

126.           This term is defined in new section 12H of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical insurance asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical liquid fuel asset

127.           This term is defined in new section 12A of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical liquid fuel asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical public transport asset

128.           The term is defined as a public transport network or system that is both managed by a single entity and is capable of handling at least five million passenger journeys per month. However the definition provides that it does not include a critical aviation asset.

129.           Such assets play a vital role in enhancing economic productivity and the national economy by facilitating the efficient movement of people around Australia’s cities. Australia’s cities are growing rapidly and the movement of people is increasingly important to facilitating our prosperity. In our five largest cities (Adelaide, Brisbane, Melbourne, Perth and Sydney), close to half of the population live in the outer suburbs and have a high reliance on functioning and regular public transport networks. [1]  Further, these assets are critical to supporting the functioning of Australian society and culture by facilitating efficient freedom of movement.

130.           Unfortunately, international events have shown that this criticality can also make these large and connected public transport networks prime targets for terrorist activities or other unlawful acts. This is particularly due to their accessibility and the large numbers of people being concentrated together at peak and predictable times. Some public transport providers also hold large data sets relating to their customers, including billing information and their public transport usage, which also need to be appropriately protected.

131.           A public transport network or system may comprise multiple modes of transport, such as buses, trams and trains, which are managed by a single entity. The requirement for the critical public transport asset to be capable of handling at least five million passenger journeys a month focuses the definition on those networks and systems that service major population hubs and whose disruption would cause significant economic impact and social disconnection.

132.           The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical public transport asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical superannuation asset

133.           This term is defined in new section 12J of the SOCI Act. The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical superannuation asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

critical telecommunications asset

134.           A ‘critical telecommunications asset’ means:

·           a telecommunications network that is owned or operated by a carrier and used to supply a carriage service, or

·          a telecommunications network or any other asset that is owned or operated by a carriage service provider and used in connection with the supply of a carriage service.

135.           The definition mirrors the assets currently regulated under the Telecommunications and Other Legislation Amendment Act 2017, also known as the Telecommunications Sector Security Reforms. The definition covers the networks that carry voice and data between users across Australia and overseas and includes wires, fibre, towers, sensors, satellites, radio spectrum and physical infrastructure such as cable landing stations.

136.           The security and resilience of telecommunications infrastructure significantly affects the social and economic well-being of the nation. Government and business are increasingly storing and communicating large amounts of information on and across telecommunications networks and facilities. They are crucial to a functioning society and economy and, by their nature, telecommunications networks and facilities hold sensitive information. For example, lawful interception systems and customer billing and management systems can, if unlawfully accessed, reveal sensitive law enforcement operations or the location of persons. Therefore, in addition to being a critical facilitator of so many aspects of society, these assets also present a rich intelligence target for those who wish to harm Australian interests. Telecommunications networks are also vital to the delivery and support of other critical infrastructure and services such as power, water and health. For these reasons, the telecommunications networks of carriers and carriage service providers are attractive targets for espionage, sabotage and foreign interference activity by state and non-state actors.

137.           The definition does not include ‘Over-the-Top’ applications or services which operate over the top of this infrastructure. Over-the-Top refers to applications and services which are accessible over the internet, without any direct influence or control from network operators or internet service providers. These may include communications services such as voice and messaging (e.g. Skype), content streaming (e.g. Netflix) or cloud-based storage (e.g. Dropbox).

138.           The note to the definition explains that under section 9 of this Act the rules may prescribe that a specified ‘critical telecommunications asset’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

139.           For the positive security obligations to apply to a ‘critical telecommunication asset’ a rule must be made by the Minister to turn the obligations on. The telecommunications sector already has robust security frameworks in place in the Telecommunications Act 1997, including obligations under TSSR in Part 14 of that Act. Reforms to the TSSR regime will be considered in 2021, to be informed by the Parliamentary Joint Committee on Intelligence and Security’s ‘Review of Part 14 of the Telecommunications Act 1997’, and through consultation with industry.

140.           Government will consider the outcome of this Review before considering applying the SOCI Act’s positive security obligations to the telecommunications sector. This will allow sufficient time to amend the Telecommunications Act 1997, if needed, and will avoid duplication of regulatory requirements on industry. However, retaining the definition of ‘critical telecommunications’ at this stage will clarify, for example, the telecommunications assets on which there must be a relevant impact to trigger the powers in Part 3A—Responding to serious cyber security incidents.

cyber security exercise

141.           This term is defined in new section 30CN of the SOCI Act.

cyber security incident

142.           This term is defined in new section 12M of the SOCI Act.

data

143.           ‘Data’ is defined in a non-exhaustive manner to include information in any form.

data storage

144.           ‘Data storage’ is defined as data storage that involves information technology, and includes data held in all forms on computer hardware and software systems. For avoidance of doubt, the definition expressly provides that data back-up is included within the definition.

data storage device

145.           Means a thing (for example, a disk or file server) containing (whether temporarily or permanently), or designed to contain (whether temporarily or permanently), data for use by a computer.

data storage or processing provider

146.           Means an entity that provides a data storage or processing service.

data storage or processing sector

147.           This term is defined to mean the sector of the Australian economy that involves providing data storage or processing services. These services are critical to maintaining the supply and availability of data and cloud services in Australia which are increasingly relied upon by, and facilitate the effective functioning of, government and industry.

148.           New high-speed networks are enabling an exponential growth in services including the Internet of Things and cloud technology. In 2019, Deloitte reported that the adoption of cloud services by businesses in Australia has resulted in a cumulative productivity benefit to the economy of $9.4 billion over the previous 5 years, with 42% of businesses in Australia using a paid cloud service.

149.           Industries that have the highest adoption rates of cloud services include information, media and telecommunications (64% of businesses in the industry), mining (53%), healthcare and social assistance (45%) and retail trade (42%).

150.           While the adoption of data storage and cloud services offers numerous economic and social benefits, it also introduces new risks for data security as businesses and governments aim to address challenges such as skill shortages in IT and cybersecurity, compatibility of new technologies with legacy systems and the cost associated with maintaining IT infrastructure. More than ever, commercially sensitive and personal data is being uploaded and processed online. This presents an attractive target for malicious actors.

151.           As companies rely on third party providers for data storage and processing services for operational needs, these services have become vital for business continuity. The demand for data storage services, including Disaster Recovery as a Service, is expected to increase to address the risk of data centre outages.

data storage or processing service

152.           Means either a service that enables end-users to store or back up data, or a data processing service.

Defence Department

153.           Means the Department of State that deals with defence and that is administered by the Defence Minister.

defence industry sector

154.           The ‘defence industry sector’ means the sector of the Australian economy that involves the provision of critical defence capabilities. The definition is intended to cover entities that provide or support, whether directly or indirectly through supply chain arrangements, a critical capability which underpins the ability of the Defence Department or the Australian Defence Force (collectively referred to as Defence) to shape Australia’s strategic environment, deter actions against Australia’s interests, and respond with credible military force when required to protect Australia’s national security and national interests. This includes entities that supply essential goods, technologies and services to Defence to meet a critical defence capability need, and entities that provide critical components to such a critical capability. Many different entities may play a role in the creation and supply of a critical defence capability.

155.           Further, the defence industry sector includes those suppliers or producers of goods, technology and services that:

·          to which Defence needs to ensure ongoing access, due to the highly essential nature of the goods, technology or services to Defence’s capability advantage; or

·          to which Defence needs to limit others’ access, due to the highly sensitive nature of the goods, technology or services and their potential impact on Defence’s interests.

156.           A strong defence industry sector is essential to delivering Australia’s modernised defence capabilities. The demand will increase for this sector to build and maintain fleets of new ships, submarines, armoured vehicles, infrastructure and facilities, and contribute to intelligence, surveillance and reconnaissance, cyber and other electronic and information based capabilities. Australian design, construction, integration, sustainment, services and support capabilities will be critical to meeting that demand.

Defence Minister

157.           The ‘Defence Minister’ is the Minister administering section 1 of the Defence Act 1903.

derivative trade repository

158.           This term is defined by reference to Chapter 7 of the Corporations Act. That Act defines a ‘derivative trade repository’ as a facility to which information about derivative transactions, or about positions relating to derivative transactions, can be reported (whether or not other information or data can also be reported to the facility).

designated officer

159.           This term is defined in new section 30DQ of the SOCI Act.

Electricity Networks Corporation

160.           Means the Electricity Networks Corporation established under section 4 of the Electricity Corporations Act 2005 (WA).

electronic communication

161.           Means a communication of information in any form by means of guided or unguided electromagnetic energy.

energy sector

162.           The ‘energy sector’ is the sector of the Australian economy that involves one of the following:

·          the production, transmission, distribution or supply of electricity

·          the production, processing, transmission, distribution or supply of gas, or

·          the production, processing, transmission, distribution or supply of liquid fuel.

163.           This sector is crucial to ensuring the ongoing and reliable supply of energy in Australia, and in turn, facilitates the operation of society, the economy and defence of Australia. If the energy sector were impacted by a significant disruption it would lead to cascading consequences across all sectors, significantly impacting Australia’s security and economy. The energy sector provides essential services to almost all people and businesses across the Australian economy.

164.           The consequences of a prolonged and widespread failure in the energy sector could have significant implications across the economy, such as shortages of, or destruction of, essential medical supplies, or the inability of businesses and governments to function. Any number of these situations would be catastrophic to Australia’s economy, security and sovereignty, as well as the Australian way of life.

165.           The definition is intended to be flexible so that it continues to be relevant as business models and technologies for the supply of electricity, gas and liquid fuels change over time. For example, technological advances, including advanced metering technologies, battery storage and virtual power plants, are transforming the Australian electricity industry.

166.           The sector might encompass, for example, electricity generators, gas and electricity transmission and distribution networks, gas processing and storage assets, liquid fuel refineries, transmission and storage assets and energy market operators. However, it does not capture energy consumers.

engage in conduct

167.           ‘Engage in conduct’ means to do an act or thing or omit to perform an act or thing.

evaluation report

168.           This term is defined in new section 30CS of the SOCI Act. 

external auditor

169.           Means a person authorised under section 30CT of the SOCI Act to be an external auditor for the purposes of this Act.

financial benchmark

170.           ‘Financial benchmark’ is defined by reference to Part 7.5B of the Corporations Act. At the time of the introduction of the Bill, the Corporations Act definition of ‘financial benchmark’ in section 908AB provides that it is a price, estimate, rate, index or value that:

·          is made available to users

·          is calculated periodically from one or more transactions, instruments, currencies, prices, estimates, rates, indices, values, financial products, bank accepted bills or negotiable certificates of deposit, or other interests or goods (whether tangible or intangible), and

·          is referenced or otherwise used for purposes that include one or more of the following: calculating the interest, or other amounts, payable under financial products, bank accepted bills or negotiable certificates of deposit; calculating the price at which a financial product, bank accepted bill or negotiable certificate of deposit may be traded, redeemed or dealt in; calculating the value of a financial product, bank accepted bill or negotiable certificate of deposit; or measuring the performance of a financial product, bank accepted bill or negotiable certificate of deposit.

financial market

171.           This term is defined by reference to Chapter 7 of the Corporations Act. At the time of the introduction of the Bill, section 767A of the Corporations Act defines a ‘financial market’ as a facility through which:

·          offers to acquire or dispose of financial products are regularly made or accepted, or

·          offers or invitations are regularly made to acquire or dispose of financial products that are intended to result or may reasonably be expected to result in the making of offers to acquire or dispose of financial products or the acceptance of such offers.

172.           Subsection 767A(2) of the Corporations Act also provides circumstances that are not financial markets.

financial services and markets sector

173.           Means a sector of the Australian economy that involves:

·          carrying on a banking business; or

·          operating a superannuation fund; or

·          carrying on an insurance business; or

·          carrying on a life insurance business; or

·          carrying on a health insurance business; or

·          operating a financial market; or

·          operating a clearing and settlement facility; or

·          operating a derivative trade repository; or

·          administering a financial benchmark; or

·          operating a payment system; or

·          carrying on financial services business; or

·          carrying on credit facility business.

174.           This is intended to be an expansive and broad definition that includes not only each of the above types of businesses, but other entities that support each of the above outcomes.

175.           The financial services and markets sector is a key driver of Australia’s economy and is important to the prosperity of the Australian population. In 2019-20 Financial and Insurance Services was the industry that contributed the second largest share to current price gross value add (8.9 per cent) [2].

176.           The sector also plays a critical role in the accumulation of capital, investment and commerce, and the production of goods and services. The existence of robust financial markets and services facilitates the international flow of funds between countries and tends to lower search and transactions costs in the economy. Highly developed financial markets make Australia one of the major centres of capital markets activity in Asia.

177.           The accelerating rate of technological change and increasing penetration of mobile devices, combined with shifting customer preferences, will have dramatic implications for the ways in which financial services are structured, delivered and consumed. This trend is evident in Australia and is perhaps even more apparent in other countries in the Asia-Pacific region.

178.           The prevalence and dependence on advanced technologies, and the importance of financial services and markets to the Australian economy means that this sector will continue to be a target for malicious actors. That is why the Boston Consulting Group concluded in their report ‘Global Wealth 2019: Reigniting Radical Growth’ [3] that financial firms are 300 times more likely than other institutions to experience cyber attacks.

financial services business

179.           This term is defined by reference to Chapter 7 of the Corporations Act where the term ‘financial services business’, at the time of introduction of the Bill, is defined as meaning a business of providing financial services.

food

180.           Means food that is fit for human consumption.

food and grocery sector

181.           The ‘food and grocery sector’ means the sector of the Australian economy that involves manufacturing, processing, packaging, distributing or supplying food or groceries on a commercial basis. Primary production and agriculture are not intended to be captured within the food and grocery sector definition.

182.           The definition recognises that reliable and secure access to food and groceries is a key component of the sustainment of life for all Australians. As such, the definition captures those entities that are integral to the supply chain of food and groceries in Australia. While supermarkets are often the most visible point for consumers within the supply chain when it comes to purchasing and acquiring food and groceries, numerous suppliers and components throughout each part of the large and diverse supply chain are required in order for food and groceries to make it onto the shelves of supermarkets.

gas

183.           Means a substance that:

·          is in a gaseous state at standard temperature and pressure, and

·          consists of naturally occurring hydrocarbons and non-hydrocarbons, the principal constituent of which is methane, and

·          is suitable for consumption.

general intensive care unit

184.           Means an area within a hospital that is equipped and staffed so that it is capable of providing to a patient mechanical ventilation for a period of several days, and invasive cardiovascular monitoring, has admission and discharge policies in operation, and is supported by:

·          during normal working hours—at least one specialist, or consultant physician, in the specialty of intensive care, who is immediately available, and exclusively rostered, to that area; and

·          at all times—at least one medical practitioner who is present in the hospital and immediately available to that area; and

·          at least 18 hours each day—at least one nurse.

government business enterprise

185.           This term is defined by reference to the Public Governance, Performance and Accountability Act 2013 (the PGPA Act). Section 8 of the PGPA Act, at the time of introduction of the Bill, defines ‘government business enterprise’ as meaning a Commonwealth entity or Commonwealth company that is prescribed by rules made under that Act.

health care

186.           A non-exhaustive definition of ‘health care’ is provided which includes a range of medical and allied health care services such as services provided by individuals who practice in any of the following professions and occupations: dental (including the profession of a dentist, dental therapist, dental hygienist, dental prosthetist and oral health therapist), medical, medical radiation practice, nursing, midwifery, occupational therapy, optometry, pharmacy, physiotherapy, podiatry, psychology, or a profession or occupation specified in Ministerial rules made under section 61 of the SOCI Act. The definition also includes treatment and maintenance as a patient in a hospital.

health care and medical sector

187.           The ‘health care and medical sector’ is the sector of the Australian economy that is involved in the provision of health care such as public health and preventive services, primary health care, emergency health services, hospital-based treatment, e-health services, pharmaceutical services, rehabilitation and palliative care, and diagnostic and imaging services. The definition also captures the production, distribution and supply of medical supplies which includes products that support the provision of health care services (for example, personal protective equipment and diagnostic equipment), pharmaceutical products and medicines, pacemakers and prosthetics.

188.           The Australian health care and medical system is one of the best in the world and provides quality, safe and affordable health care for all Australians. It is a key reason why Australians enjoy one of the longest life expectancies in the world. Its criticality was also apparent and tested during COVID-19, where it played a central role in saving a number of lives and providing continued care to the most vulnerable members of the public.

189.           Malicious actors have been known to exploit these dependencies, and the mass of sensitive information held, for profit. Evidence suggests that cyber security incidents are a significant area of concern for the health care and medical sector. According to the Office of the Australian Information Commissioner, the health sector has remained among the top reporting sectors for data breaches since January 2018. In 2019, the Victorian health sector was subject to a ransomware attack, and advanced persistent threats have been witnessed targeting Australian health sector organisations and medical research facilities.

190.           International experience also highlights the dire consequences that could occur as a result of a cyber security incident impacting the health care and medical sector. In 2017, WannaCry ransomware infected over 300,000 computers and impacted organisations in 150 countries. Among them, several health organisations were affected such as the United Kingdom National Health Service which had to cancel surgeries and divert ambulances. More recently, in September 2020, hackers disabled computer systems at Düsseldorf University Hospital in Germany, which led to the death of a patient after an ambulance had to be diverted.

191.           Importantly, the definition of the sector has been developed to be intentionally broad in order to capture advances in health care and medicine in the future. However, the definition is not intended to capture the provision of services that are cosmetic rather than for example therapeutic or diagnostic.

health insurance business

192.           This term is defined by reference to the Private Health Insurance Act 2007 (the Private Health Insurance Act), which at the time of introduction of the Bill, defines ‘health insurance business’ as the business of undertaking liability by way of insurance or an employee health benefits scheme that relates in a particular way to hospital treatment or general treatment.

higher education and research sector

193.           The ‘higher education and research sector’ means the sector of the Australian economy that involves being a higher education provider, or undertaking a program of research that is supported financially (wholly or in part) by the Commonwealth, or is relevant to a critical infrastructure sector other than the higher education and research sector itself.

194.           This definition captures institutions that contribute significantly to the Australian economy, competitiveness, skilled workforce, and Australia’s global standing both as quality providers of education and as cutting-edge research institutions. For example, this could include institutions that carry out medical research or institutions that own large-scale infrastructure that is essential to Australia’s national interest. This definition does not capture the services provided by early learning centres, primary and secondary schools.

195.           While higher education providers account for a large portion of research activities in Australia, private institutions may also conduct nationally significant research and development. These institutions are only caught within the definition of the sector to the extent that they receive financial assistance from the Australian Government, or relate to another critical infrastructure sector. For example, entities that have received financial assistance from the Australian Research Council or the National Health and Medical Research Council, and research activities that are relevant to the space or health sector fall within the higher education and research sector.

higher education provider

196.           This term is defined by reference to the Tertiary Education Quality and Standards Agency Act 2011. At the time of introduction of the Bill, section 5 of that Act defines ‘higher education provider’ to mean:

·          a constitutional corporation that offers or confers a regulated higher education award

·          a corporation that offers or confers a regulated higher education award and is established by or under a law of the Commonwealth or a Territory, or

·          a person who offers or confers a regulated higher education award for the completion of a course of study provided wholly or partly in a Territory.

hospital

197.           This term is defined by reference to the Private Health Insurance Act. At the time of introduction of the Bill, subsection 121-5(5) of that Act provides that a ‘hospital’ is a facility for which a declaration under subsection 121-5(6) of the Private Health Insurance Act is in force. Subsection 121-1(6) of the Private Health Insurance Act provides that the Minister may declare a facility is a ‘hospital’.

IGIS official

198.           IGIS official means the Inspector-General of Intelligence and Security, or any other person covered by subsection 32(1) of the Inspector-General of Intelligence and Security Act 1986 (the IGIS Act).

impairment of electronic communication to or from a computer

199.           This term is defined non-exhaustively to include the prevention of any such communication, and the impairment of any such communication on an electronic link or network used by the computer, but does not include a mere interception of any such communication. For example, this would include an action that disabled the ability of a computer to connect to the internet, irrespective of whether that action involved accessing the computer itself.

incident response plan

200.           This term is defined in new section 30CJ of the SOCI Act.

inland waters

201.           This term means waters within Australia other than waters of the sea.

insurance business

202.           This term is defined by reference to the Insurance Act 1973 (the Insurance Act). At the time of introduction of the Bill, section 3 of the Insurance Act defines the term ‘insurance business’ as meaning the business of undertaking liability, by way of insurance (including reinsurance), in respect of any loss or damage, including liability to pay damages or compensation, contingent upon the happening of a specified event, and includes any business incidental to insurance business as so defined. The definition then lists a number of things that are not an ‘insurance business’.

internet carriage service

203.           This term means a listed carriage service that enables end-users to access the internet.

life insurance business

204.           This term is defined by reference to the Life Insurance Act 1995. At the time of introduction of the Bill, the term was defined as meaning a business that consists of any or all of the following:

·          the issuing of life policies,

·          the issuing of sinking fund policies

·          the undertaking of liability under life policies

·          the undertaking of liability under sinking fund policies.

205.           The definition also includes any business related to the above businesses and provides for what is not a ‘life insurance business’.

liquid fuel

206.           This term has the same meaning as in the Liquid Fuel Emergency Act 1984. At the time of introduction of the Bill, section 3 of that Act defined the term as meaning liquid petroleum, a liquid petroleum product, a liquid petrochemical, methanol or ethanol. This includes crude oil and condensate, as well as refined products such as petrol, diesel and jet fuels, and biodiesel.

listed carriage service

207.           This term has the same meaning as in the Telecommunications Act. At the time of introduction of the Bill, ‘listed carriage service’ is defined in that Act to be:

·          a carriage service between a point in Australia and one or more other points in Australia,

·          a carriage service between a point and one or more other points, where the first mentioned point is in Australia and at least one of the other points is outside Australia,

·          a carriage service between a point and one or more other points, where the first-mentioned point is outside Australia and at least one of the other points is in Australia.

208.           The definition in section 16 of the Telecommunications Act also clarifies what a ‘point’ is for the purposes of that definition.

local hospital network

209.           This term has the same meaning as in the National Health Reform Act 2011. At the time of the introduction of the Bill, section 5 of that Act defined ‘local hospital network’ as meaning an organisation that is a local hospital network (however described) for the purposes of the National Health Reform Agreement.

managed service provider

210.           This term, when used in relation to an asset, means an entity that:

·          manages the asset or part of the asset,

·          manages an aspect of the asset or a part of the asset,

·          manages an aspect of the operation of the asset or part of the asset.

211.           For example, an operator of a critical infrastructure asset may outsource responsibility for maintaining its information technology infrastructure to a separate legal entity through a contractual service-level agreement. As a result, the managed service provider has effective control and responsibility for the information technology of the critical infrastructure asset. 

medical supplies

212.           This term is defined non-exhaustively and includes goods for therapeutic use and other things that are specified in the rules made under this Act.

Ministerial authorisation

213.           This term means an authorisation under new section 35AB of the SOCI Act.

modification

214.           ‘Modification’ is defined by reference to two scenarios. In respect of computer data, it means the alteration or removal of the data or an addition to the data. In respect of a computer program, it means the alteration or removal of the program or an addition to the program.

national broadcasting service

215.           This term has the same meaning as in the Broadcasting Services Act. At the time of introduction of the Bill, the definition in section 13 of that Act provided that national broadcasting services are:

·          broadcasting services provided by the Australian Broadcasting Corporation in accordance with section 6 of the Australian Broadcasting Corporation Act 1983, or

·          broadcasting services provided by the Special Broadcasting Service Corporation in accordance with section 6 of the Special Broadcasting Service Act 1991, or

·          broadcasting services provided under the Parliamentary Proceedings Broadcasting Act 1946.

216.           Section 13 of the Broadcasting Services Act further provides what is not included in the definition.

National Register of Higher Education Providers

217.           Means the register that is established and maintained under section 198 of the Tertiary Education Quality and Standards Agency Act 2011.

notification provision

218.           Notification provisions are those provisions listed in paragraphs (a) to (s) of this definition.

Ombudsman official

219.           Means the Ombudsman, a Deputy Commonwealth Ombudsman or a person who is a member of the staff referred to in subsection 31(1) of the Ombudsman Act 1976.

Item 8                      Section 5 (paragraph (b) of the definition of operator)

220.           Item 8 of Schedule 1 to the Bill repeals and replaces paragraph (b) of the definition of ‘operator’ in section 5 of the SOCI Act. New paragraph (b) defines operator to mean, for a critical infrastructure asset other than a critical port, an entity that operates the asset or part of the asset.  

Item 9                      Section 5

221.           Item 9 of Schedule 1 to the Bill inserts a definition of ‘payment system’ into section 5 of the SOCI Act. 

payment system

222.           ‘Payment system’ has the same meaning as in the Payment Systems (Regulation) Act. At the time of the introduction of the Bill, section 7 of that Act defined payment system as a funds transfer system that facilitates the circulation of money, and includes any instruments and procedures that relate to that system.

Item 10                   Section 5

223.           Item 10 of Schedule 1 to the Bill inserts a definition of ‘Power and Water Corporation’ into section 5 of the SOCI Act. 

Power and Water Corporation

224.           Means the Power and Water Corporation that is established under section 4 of the Power and Water Corporation Act 1987 (NT).

Item 11                   Section 5 (after paragraph (b) of the definition of protected information)

225.           Item 11 of Schedule 1 to the Bill expands the definition of ‘protected information’ in section 5 of the SOCI Act to include information that relates to the new provisions being inserted into the SOCI Act under the Bill. Such information may be commercially sensitive, may reveal security vulnerabilities, or is otherwise sensitive such that its disclosure needs to be managed.

226.           The additional types of documents or information that will be ‘protected information’ under the Bill include information that:

·          records or is the fact that an asset is declared under section 52B to be a system of national significance (paragraph (ba))

·          records or is the fact that the Minister has given a Ministerial authorisation or revoked a Ministerial authorisation (paragraph (bb))

·          is, or is included in, a critical infrastructure risk management program that is adopted by an entity in compliance with section 30AC (paragraph (bc))

·          is, or is included in, a report that is given under section 30AG (paragraph (bd))

·          is, or is included in, a report under section 30BC or 30BD (paragraph (be))

·          is, or is included in, an incident response plan adopted by an entity in compliance with section 30CD (paragraph (bf))

·          is, or is included in, an evaluation report prepared under section 30CQ or 30CR (paragraph (bg))

·          is, or is included in, a vulnerability assessment report prepared under section 30CZ (paragraph (bh))

·          is, or is included in, a report in compliance with a system information periodic or event-based reporting notice (paragraph (bi))

·          records or is the fact that the Secretary has given a direction under section 35AK or revoked such a direction (paragraph (bj))

·          records or is the fact that the Secretary has given a direction under section 35AQ or revoked such a direction (paragraph (bk)), or

·          records or is the fact that the Secretary has given a request under section 35AX or revoked such a request (paragraph (bl)).

227.           Importantly, there are a number of circumstances in which the use or disclosure of protected information is authorised, or in which exceptions to the prohibition apply (see Division 3 of Part 4 of the SOCI Act). Notably, the offence in section 45, which prohibits an entity from using or disclosing protected information, does not apply if the entity is the entity to which the protected information relates, or if that entity consents to the disclosure or use (see subsection 46(4) of the SOCI Act). This recognises that the entity is well placed to manage the sensitivities associated with the information so far as it relates to its asset, and may need to disclose the information to meet its obligations under the Act or otherwise to operate the asset effectively.

Item 12                    Section 5 (paragraph (c) of the definition of protected information)

228.           Paragraph (c) of the definition of ‘protected information’ in section 5 of the SOCI Act currently provides that information is ‘protected information’ if it is a document or information to which paragraph (a) or (b) applies. Item 12 of Schedule 1 to the Bill amends paragraph (c) to refer to the different types of information that are ‘protected information’ under new paragraphs (ba) to (bh) of the definition, as outlined in Item 11 above.

Item 13                    Section 5

229.           Item 13 of Schedule 1 to the Bill inserts further definitions into the SOCI Act that are required as a result of the amendments being made by the Bill. 

radiocommunications transmitter

230.           Has the same meaning as in the Radiocommunications Act 1992 (the Radiocommunications Act). At the time of the introduction of the Bill, subsection 7(2) of that Act defines ‘radiocommunications transmitter’ as:

·          a transmitter designed or intended for use for the purpose of radiocommunications

·          anything (other than a line within the meaning of the Telecommunications Act) designed or intended to be ancillary to, or associated with, such a transmitter for the purposes of that use, or

·          anything (whether artificial or natural) that is designed or intended for use for the purpose of radiocommunication by means of the reflection of radio emissions and that the Australian Communications and Media Authority determines in writing to be a radiocommunications transmitter for the purposes of the Radiocommunications Act.

regional centre

231.           This term means a city, or a town, that has a population of 10,000 or more people.

Regional Power Corporation

232.           This term means the Regional Power Corporation established by section 4 of the Electricity Corporations Act 2005 (WA).

registrable superannuation entity

233.           This term has the same meaning as in the Superannuation Industry (Supervision) Act 1993. At the time of introduction of the Bill, section 10 of that Act defined ‘registrable superannuation entity’ as meaning a regulated superannuation fund, an approved deposit fund or a pooled superannuation trust, but does not include a self-managed superannuation fund.

regulated air cargo agent

234.           This term has the same meaning as in the ATSA. At the time of the introduction of the Bill, the ATSA defined the term to mean a person designated as a regulated air cargo agent in accordance with regulations made under section 44C of the ATSA.

related body corporate

235.           This term has the same meaning as in the Corporations Act. At the time of introduction of the Bill, a ‘related body corporate’ was defined in that Act to mean, in relation to a body corporate, a body corporate that is related to the first-mentioned body by virtue of section 50 of the Corporations Act.

relevant Commonwealth regulator

236.           This term means either a Department that is specified in the rules made by the Minister under section 61 of the SOCI Act or a body that is established by a law of the Commonwealth and specified in the rules.

relevant entity

237.           A ‘relevant entity’, in relation to an asset, means an entity that is the responsible entity for the asset, or is a direct interest holder in relation to the asset, or is an operator of the asset, or is a managed service provider for the asset. ‘Operator’ is used in this context consistently with the definition in section 5, to include an entity that operates the asset or part of the asset.

relevant impact

238.           This term is defined in new section 8G of the SOCI Act.

Item 14                   Section 5 (definition of relevant industry)

239.           Item 14 of Schedule 1 to the Bill repeals the definition of ‘relevant industry’, as this has been replaced in the Bill by the concept of ‘critical infrastructure sector’ as defined in new section 8D of the SOCI Act (see Item 21 of Schedule 1 to the Bill, below). 

Item 15                    Section 5 (definition of responsible entity)

240.           Item 15 of Schedule 1 to the Bill repeals the definition of ‘responsible entity’ in section 5 of the SOCI Act and replaces it with a definition which refers to new section 12L, where the term will now be defined (see further at Item 32 of Schedule 1 to the Bill, below). 

Item 16                    Section 5 (paragraph (a) of the definition of security)

241.           Item 16 of Schedule 1 to the Bill amends paragraph (a) of the definition of ‘security’ to provide that ‘security’ has the meaning given by the ASIO Act except in the definition of critical energy market operator asset and sections 10, 12, 12A, 12D, 12G, 12H, 12J, 12M, 12N, 30AG, 30CB, 30CM, 30CR, 30CU and 30CW where ‘security’ has its ordinary meaning and is not necessarily limited to national security. 

Item 17                    Section 5 (paragraph (b) of the definition of security)

242.           Item 17 of Schedule 1 to the Bill amends paragraph (b) of the definition of ‘security’ to provide that ‘security’ has the meaning given by the ASIO Act except in the definition of critical energy market operator asset and sections 10, 12, 12A, 12D, 12G, 12H, 12J, 12M, 12N, 30AG, 30CB, 30CM, 30CR, 30CU and 30CW where ‘security’ has its ordinary meaning and is not necessarily limited to national security. 

Item 18                    Section 5

243.           Item 18 of Schedule 1 to the Bill inserts further definitions into the SOCI Act that are required as a result of the amendments being made by the Bill. 

significant financial benchmark

244.           This term has the same meaning as in the Corporations Act. At the time of introduction of the Bill, section 908AC of the Corporations Act provides that a ‘significant financial benchmark’ is a financial benchmark declared under subsection 908AC(2) of the Act. That subsection provides that ASIC may, by legislative instrument, declare a financial benchmark to be a ‘significant financial benchmark’ if satisfied of the criteria in paragraphs 908(2)(a)-(2)(c).

space technology sector

245.           The ‘space technology sector’ is the sector of the Australian economy that involves the commercial provision of space-related services. The space technology sector touches every aspect of the Australian economy and is heavily relied on by other critical infrastructure for their daily functioning. For example, space-based technology provides essential data in support of other services such as weather forecasting, emergency management, communications and online banking. This dependence poses a serious security dilemma as incidents can have far-reaching and potentially catastrophic consequences for other critical infrastructure sectors such as communications, banking and transport.

246.           The definition is intended to capture the assets that provide the services, as well as those that support them. The note to the definition provides the following non-exhaustive examples of what may be regarded as space-related services, noting that it is a dynamic and evolving sector of the economy:

·          position, navigation and timing services in relation to space objects,

·          space situation awareness services,

·          space weather monitoring and forecasting,

·          communications, tracking, telemetry and control in relation to space objects,

·          remote sensing earth observations from space, or

·          facilitating access to space.  

247.           These examples align with the National Civil Space Priority Areas outlined in the Department of Industry, Science, Energy and Resources’ Australian Civil Space Strategy 2019-2028. The space technology sector is a rapidly evolving sector with new space-related services and new methods of utilising space technology constantly being developed. In Australia, the space technology sector is growing strongly and is expected to grow at an annualised 7.1 per cent over the five years through 2023-24.

staff member

248.           In relation to the authorised agency, means a staff member of the Australian Signals Directorate (within the meaning of the Intelligence Services Act).

system information event-based reporting notice

249.           This means a notice under new subsection 30DC(2) of the SOCI Act. 

system information periodic reporting notice

250.           This means a notice under new subsection 30DB(2) of the SOCI Act.

system information software notice

251.           This means a notice under new subsection 30DJ(2) of the SOCI Act.

system of national significance

252.           This term has the meaning given in new section 52B of the SOCI Act.

technical assistance notice

253.           This term has the same meaning as in Part 15 of the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a notice that has been issued under section 317L of the Telecommunications Act.

technical assistance request

254.           This term has the same meaning as in Part 15 of the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a request made under paragraph 317G(1)(a) of the Telecommunications Act.

technical capability notice

255.           This term has the same meaning as in Part 15 of the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a notice given under section 317T of the Telecommunications Act.

telecommunications network

256.           This term has the same meaning as in the Telecommunications Act. At the time of introduction of the Bill, the term was defined in that Act as meaning a system, or series of systems, that carries, or is capable of carrying, communications by means of guided and/or unguided electromagnetic energy.

therapeutic use

257.           This term has the same meaning as in the Therapeutic Goods Act 1989. At the time of the introduction of the Bill, the term was defined in that Act as meaning use in, or in connection with:

·          preventing, diagnosing, curing or alleviating a disease, ailment, defect or injury in persons,

·          influencing, inhibiting or modifying a physiological process in persons

·          testing the susceptibility of persons to a disease or ailment

·          influencing, controlling or preventing conception in persons

·          testing for pregnancy in persons, or

·          the replacement or modification of parts of the anatomy in persons.

transport sector

258.           The ‘transport sector’ means the sector of the Australian economy that involves:

·          owning or operating assets that are used in connection with the transport of goods or passengers on a commercial basis, or

·          the transport of goods or passengers on a commercial basis.

259.           The definition recognises the important role that the sector plays in the economy by facilitating the movement of goods and people across Australia, as well as the assets that support that movement. The geographic spread of Australia’s population coupled with economic reliance on goods that are produced in remote areas means that the reliable and efficient transport of goods, such as food, and passengers is essential to the functioning of the economy and social cohesion. For instance, the transport of essential food and groceries into remote areas of the Northern Territory relies on the availability of long combination vehicles or ‘road trains’ (as they are commonly referred to).

260.           The intent of extending the definition to capture entities that own or operate assets used in connection with the transport of goods and passengers on a commercial basis is to capture those enabling assets that, if disrupted, would undermine the operation of Australia’s transport capability. For example, the definition is intended to capture logistics services without which freight operations could not function. In another example, transport is often reliant on intermodal facilities that provide for the efficient transfer of goods and people from one mode of transport to another.

unauthorised access, modification or impairment

261.           This term has the meaning given by new section 12N of the SOCI Act.

vulnerability assessment

262.           This term has the meaning given by new section 30CY of the SOCI Act.

vulnerability assessment report

263.           This term has the meaning given by new section 30DA of the SOCI Act.

water and sewerage sector

264.           The ‘water and sewerage sector’ means the sector of the Australian economy that involves either operating water or sewerage systems or networks, or manufacturing or supplying goods, or providing services, for use in connection with the operation of water or sewerage systems or networks.

265.           This definition is intended to capture wastewater, potable water, raw water and recycled water and encompasses desalination plants, water utilities and bulk water providers. The definition also captures the supply chains that support these services, such as the manufacturers and suppliers of chemicals used in the treatment of water.

266.           This sector is critical to the continued supply of clear and safe water for all Australians and to the functioning of other critical infrastructure. Water and sewerage are essential to socio-economic development, healthy ecosystems and to human survival itself. Combined, they are vital to reducing the burden of disease and improving the health, welfare and productivity of the Australian population. Water is a finite and irreplaceable resource that must be protected.

267.           International examples have shown that these services can be the target of malicious actors who intend to cause serious harm to populations. For example, Israel’s National Cyber Directorate received reports of attempted cyber attacks on its water infrastructure in April 2020 and June 2020. If successful, the attacks would have led to the increased chlorination of treated water, poisoning the local population served by the affected treatment facility.

Item 19                    Section 5 (definition of water utility)

268.           Item 19 of Schedule 1 to the Bill will insert the words ‘or sewerage services, or both.’ at the end of the definition of ‘water utility’. This is intended to provide consistency with the breadth of the water and sewerage sector as well as the existing definition of critical water asset in section 5 of the SOCI Act. 

Item 20                    At the end of section 6

269.           Item 20 of Schedule 1 to the Bill inserts new subsections (5) and (6) into section 6 of the SOCI Act, which outlines the meaning of ‘interest and control information’. 

270.           Subsection 6(5) provides that, if the ‘first entity’ (i.e. the entity operating an asset) is the Governor-General, the Prime Minister or a Minister, and is a direct interest holder in relation to an asset because of paragraph 8(1)(b) of the SOCI Act, the first entity is not required to provide any interest or control information. 

271.           The note to subsection 6(5) reminds the reader that the term Minister is defined in section 2B of the Acts Interpretation Act 1901 (Acts Interpretation Act).

272.           As provided at item 26, the broader range of assets that are intended to be captured as critical infrastructure assets may include Commonwealth government business enterprises. In light of this, subsection 6(5) ensures these individuals, who would otherwise be required to provide interest or control information as a result of the office they hold, are not required to report information for the register.

273.           However, subsection 6(6) clarifies that subsection 6(5) does not affect the obligation of the Commonwealth to provide interest and control information in relation to the asset if the Commonwealth is also a direct interest holder in relation to the asset because of paragraph 8(1)(a) or (b) of the SOCI Act.

274.           This means that if the Commonwealth identifies as a direct interest holder for an asset, then the Commonwealth is required to provide interest and control information. The practical effect of this provision is that the Commonwealth department or agency responsible for the asset will provide interest and control information in relation to that asset on the register of critical infrastructure assets.

Item 21                    After section 8C

275.           Item 21 of Schedule 1 to the Bill inserts new sections 8D, 8E, 8F and 8G into the SOCI Act. 

Section 8D          Meaning of critical infrastructure sector

276.           New section 8D of the SOCI Act lists each of the following sectors of the Australian economy as a ‘critical infrastructure sector’:

·          the communications sector (paragraph (a))

·          the data storage or processing sector (paragraph (b))

·          the financial services and markets sector (paragraph (c))

·          the water and sewerage sector (paragraph (d))

·          the energy sector (paragraph (e))

·          the health care and medical sector (paragraph (f))

·          the higher education and research sector (paragraph (g))

·          the food and grocery sector (paragraph (h))

·          the transport sector (paragraph (i))

·          the space technology sector (paragraph (j)), and

·          the defence industry sector (paragraph (k)). 

277.           The definitions for each separate sector are included in section 5, by operation of the Bill. 

278.           This definition, in combination with the amendments to sections 9 and 51 of the SOCI Act, serves to limit the sectors from which the Minister may prescribe or declare additional critical infrastructure assets. The definition is also used in the definition of critical infrastructure sector assets (defined in new section 8E of the SOCI Act).

Section 8E          Meaning of critical infrastructure sector asset

279.           New section 8E of the SOCI Act provides that an asset is a ‘critical infrastructure sector asset’ if it relates to a ‘critical infrastructure sector’ as defined in new section 8D, above. In addition, certain assets are deemed to be critical infrastructure sector assets as outlined in subsections (2)-(11). These deeming provisions are not intended to limit the interpretation of a critical infrastructure sector asset but rather clarify that particular critical infrastructure assets relate to certain critical infrastructure sectors.

280.           Section 8E is used to limit the assets to which the serious cyber incident response powers at new Part 3A may apply.

281.           While the serious cyber incident response powers are focused on protecting critical infrastructure assets, the high-level of interdependencies across the Australian economy and through supply chains means that actions in relation to an asset in a sector identified in new section 8D may be required to respond to a serious cyber security incident.

Subsections 8E(2)-(11)—Deeming—when asset relates to a sector

282.           Subsection (2) provides that, for the purposes of the SOCI Act, each of the following assets (each of which is defined) is taken to relate to the communications sector:

·          a critical telecommunications asset (paragraph (a))

·          a critical broadcasting asset (paragraph (b)), and

·          a critical domain name system (paragraph (c)).

283.           Subsection (3) provides that, for the purpose of the SOCI Act, a critical data storage or processing asset is taken to relate to the data storage or processing sector.

284.           Subsection (4) provides that each of the following assets (each of which is separately defined) is taken to relate to the financial services and markets sector:

·          a critical banking asset (paragraph (a))

·          a critical superannuation asset (paragraph (b))

·          a critical insurance asset (paragraph (c)), and

·          a critical financial market infrastructure asset (paragraph (d)).

285.           Subsection (5) provides that for the purpose of the SOCI Act a critical water asset is taken to relate to the water and sewerage sector.

286.           Subsection (6) provides that each of the following assets (each of which is separately defined) is taken to relate to the energy sector:

·          a critical electricity asset (paragraph (a))

·          a critical gas asset (paragraph (b))

·          a critical energy market operator asset (paragraph (c)), and

·          a critical liquid fuel asset (paragraph (d)).

287.           Subsection (7) provides that for the purposes of the SOCI Act a critical hospital is taken to relate to the health care and medical sector. Subsection (8) provides that a critical education asset is taken to relate to the higher education and research sector. Subsection (9) provides that a critical food and grocery asset is taken to relate to the food and grocery sector.

288.           Subsection (10) provides that the following assets (each of which is a term defined separately) relate to the transport sector:

·          a critical port (paragraph (a))

·          a critical freight infrastructure asset (paragraph (b))

·          a critical freight services asset (paragraph (c))

·          a critical public transport asset (paragraph (d)), and

·          a critical aviation asset (paragraph (e)).

289.           Subsection (11) provides that a critical defence industry asset is taken to relate to the defence industry.

Section 8F           Critical infrastructure sector for a critical infrastructure asset

290.           New section 8F of the SOCI Act clarifies that, for the purposes of the SOCI Act, the critical infrastructure sector for a critical infrastructure asset is the critical infrastructure sector to which the asset relates. 

Section 8G          Meaning of relevant impact

291.           New section 8G of the SOCI Act defines the term ‘relevant impact’ in relation to a hazard on a critical infrastructure asset, a cyber security incident on a critical infrastructure asset and a cyber security incident on a system of national significance.

292.           This term is used in several places in the SOCI Act to refer to the types of impacts on an asset that are the focus of the obligations. For example, an impact on customer service or the quality of the service being provided will not necessarily be regarded as a relevant impact unless it also affects the availability, integrity or reliability of the asset, or the confidentiality of information about the asset. This term is intended to confine the obligations under the SOCI Act to those impacts on the security of critical infrastructure assets and systems of national significance that, in turn, affect Australia’s social and economic stability, national security and defence.

293.           The relevant impact may be direct or indirect. This is intended to focus the definition on the result of the hazard or cyber security incident rather than its source, emphasising the all-hazards approach being taken under the Bill.

294.           Subsection (1) provides that the relevant impact of a hazard on a critical infrastructure asset is the impact (whether direct or indirect) of the hazard on:

·          the availability of the asset (paragraph (a))

·          the integrity of the asset (paragraph (b))

·          the reliability of the asset (paragraph (c)), or

·          the confidentiality of information about the asset, information stored in the asset and computer data (paragraph (d)).

295.           For instance, the relevant impact of a hazard on a critical infrastructure asset in the energy sector could be an extreme weather event (e.g. heatwave, severe storm) causing a blackout across a metropolitan area. This amounts to a ‘relevant impact’ because the availability of the critical electricity asset has been compromised, such that a significant population does not have access to power, or the supply is unreliable. This would lead to considerable disruption to interconnected networks that rely on electricity, impacting their integrity, reliability and availability, potentially resulting in:

·          reduced services or shutdown of the banking, finance and retail sectors,

·          impacts to clean water supply, and

·          disruptions to the transport sector, traffic management systems and availability of fuel.

296.           The relevant impact of unauthorised access to the systems of a data centre could directly result in a compromise of the confidentiality of the information held in that data centre, which in turn undermines the ability of businesses to trust the integrity of the data held in that facility.

297.           It is important to note that a relevant impact must be more serious than a reduction in the quality of service being provided.

298.           Subsection (2) provides that the relevant impact of a cyber security incident on a critical infrastructure asset is the impact (whether direct or indirect) of the cyber security incident on:

·          the availability of the asset (paragraph (a))

·          the integrity of the asset (paragraph (b))

·          the reliability of the asset (paragraph (c)), or

·          the confidentiality of information about the asset, information stored in the asset and computer data (paragraph (d)).

299.           Subsection (3) provides that the relevant impact of a cyber security incident on a system of national significance is the impact (whether direct or indirect) of the cyber security incident on:

·          the availability of the system (paragraph (a))

·          the integrity of the system (paragraph (b))

·          the reliability of the system (paragraph (c))

·          the confidentiality of information about the system, information stored in the system and computer data (paragraph (d)).

Item 22                    Paragraphs 9(1)(a), (b), (c) and (d)

300.           Subsection 9(1) of the SOCI Act defines the term ‘critical infrastructure asset’ through the list in paragraphs (1)(a) to (f). Item 22 of Schedule 1 to the Bill repeals paragraphs (1)(a) to (d), and inserts paragraphs (1)(a) to (dr), which provide for the inclusion of the additional 18 classes of critical infrastructure assets introduced through the Bill.

301.           Building on the existing definition in the SOCI Act, definitions of additional critical infrastructure assets within the eleven critical infrastructure sectors will be introduced while retaining the Minister for Home Affairs’ existing ability to prescribe or declare additional assets, noting the amendments to paragraph 9(3)(b).

302.           Critical infrastructure assets across each sector have been identified through an assessment of criticality to the social or economic stability of Australia or its people, the defence of Australia, or national security. In particular, considerations include, but are not limited to, whether, if destroyed, degraded, or rendered unavailable, there would be a significant detrimental impact on:

·          maintaining basic living standards for the Australian population - this includes those essential services and other services without which the safety, health or welfare of the Australian community or a large section of the community would be endangered or seriously prejudiced;

·          industries, commercial entities and financial institutions that underpin Australia’s wealth and prosperity;

·          the security of large or sensitive data holdings which, if undermined, could lead to the theft of personal or commercially sensitive information, intellectual property or trade secrets, and national security and defence capabilities.

Item 23                    At the end of subsection 9(1)

303.           Item 23 of Schedule 1 to the Bill will insert a note at the end of subsection 9(1) directing the reader to see subsection 13(3) of the Legislation Act 2003 (Legislation Act) with regard to the prescription by class. Subsection 13(3) of the Legislation Act provides that if enabling legislation, such as this Act, confers on a person the power to make a legislative instrument that specifies or declares or prescribes a matter, or doing anything in relation to a matter, then in exercising the power, the person may identify the matter by referring to a class or classes of matters.

Item 24                    Paragraphs 9(2)(a), (b), (c) and (d)

304.           Under subsection 9(2) of the SOCI Act, the rules made by the Minister under section 61 may prescribe that a specific asset is not a critical infrastructure asset. Item 24 of Schedule 1 to the Bill mirrors the changes made under item 22, in that it repeals paragraphs (a) to (d) and replaces them with new paragraphs (a) to (v), creating a list of twenty-two classes of critical infrastructure assets from which the rules may prescribe a specific asset as not being a critical infrastructure asset.

Item 25                    At the end of subsection 9(2)

305.           Item 25 of Schedule 1 to the Bill will insert a note at the end of subsection 9(2) directing the reader to see subsection 13(3) of the Legislation Act with regard to the prescription by class. Subsection 13(3) of the Legislation Act provides that if enabling legislation, such as this Act, confers on a person the power to make a legislative instrument that specifies or declares or prescribes a matter, or doing anything in relation to a matter, then in exercising the power, the person may identify the matter by referring to a class or classes of matters.

Item 26                    After subsection 9(2)

306.           Item 26 of Schedule 1 to the Bill inserts new subsections 9(2A) and (2B) after the existing subsection 9(2).

307.           New subsection (2A) applies where an asset is owned by the Commonwealth or a body corporate established by a law of the Commonwealth. When this subsection applies, the asset concerned will not be a critical infrastructure asset unless:

·          the asset is declared under section 51 of the SOCI Act to be a critical infrastructure asset (paragraph (c)), or

·          the asset is prescribed by the rules for the purposes of paragraph 9(1)(f) (paragraph (d)). 

308.           The Government acknowledges the criticality of, and the need to safeguard and protect, assets, networks and infrastructure that are necessary for the effective operation of government and democratic institutions. This is critical to maintaining trust and confidence in government and democratic institutions, and the effective functioning of government services.

309.           However, the measures and powers in this Bill will not apply to all Commonwealth assets because these assets are already subject to existing frameworks that are designed to maintain security and resilience. The Commonwealth is also in a position to provide active assistance should these assets be subject to a serious cyber incident.

310.           Commonwealth assets are subject to the Protective Security Policy Framework (PSPF) which requires government departments and agencies to implement certain security measures in relation to four key areas:

·          Governance: to manage security risks and support a positive security culture

·          Personnel: to ensure employees and contractors are suitable to access Government resources, and meet appropriate standards of integrity and honesty

·          Information: to maintain confidentiality, integrity and availability of official information

·          Physical: to provide a safe and secure physical environment for people, information and assets.

311.           The PSPF is supported by other government initiatives that are designed to maintain information security standards, including:

·          The Information Security Registered Assessors Program (IRAP), which is an Australian Signals Directorate initiative to provide high-quality information and communications technology security assessment services to government.

·          The Australasian Information Security Evaluation Program (AISEP), which evaluates and certifies products to provide a level of assurance in their security functionality in order to protect systems and information against cyber threats. These evaluation activities are certified by the Australasian Certification Authority (ACA).

·          The Australian Government Information Security Manual, which outlines a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and information from cyber threats.

·          The Strategies to Mitigate Cyber Security Incidents, which is a prioritised list of mitigation strategies to assist organisations in protecting their systems against a range of adversaries.

312.           Furthermore, the Government has announced a package of work to strengthen the defences of Commonwealth public sector networks as part of Australia’s Cyber Security Strategy 2020. The first priority of this work is to centralise the management and operations of the large number of networks run by Australian Government agencies, including considering secure hubs. Centralisation reduces the number of targets available to hostile actors such as nation states or state-sponsored adversaries, allowing the Australian Government to focus its cyber security investment on a smaller number of more secure networks. A centralised model will be designed to promote innovation and agility while still achieving economies of scale.

313.           The centralisation of cyber security systems across government will be complemented by the work of government agencies to strengthen cyber security and implement the ACSC’s Essential Eight strategies to mitigate cyber security incidents. This work will be informed and supported by the ACSC’s ongoing cyber security advice and assistance. This approach to the uplift of government systems will be designed to reduce the risk of compromise, and prevent the common techniques used by malicious cyber actors to compromise systems. Australian government agencies will also put a renewed focus on policies and procedures to manage cyber security risks. Standard cyber security clauses will be included in Australian Government IT contracts.

314.           However, as provided at new paragraph 9(2A)(b), this exemption for Commonwealth assets does not extend to those assets owned by a Commonwealth body corporate that is a government business enterprise. This is because government business enterprises are in essence commercial entities. Accordingly, and generally speaking, Government has limited control over the daily operations of these entities, and the manner in which they provide services may be regarded as more closely resembling private sector entities. NBN Co Limited and the Australian Postal Corporation are examples of government business enterprises.

315.           However, new paragraphs 9(2A)(c)-(d) provide a mechanism by which Commonwealth assets may be prescribed or declared to be critical infrastructure assets in the future should there be a change in circumstances such that the existing security treatments are no longer regarded as appropriate.

316.           New subsection (2B) provides that an asset is not a critical infrastructure asset, if, or to the extent to which, that asset is located outside of Australia. In effect, the various definitions of critical infrastructure assets will be limited to the aspects of the assets that are located in Australia permanently, or from time to time (for example in the case of an airplane). It is notable that ‘Australia’, as defined under section 5 of this Act, includes the external territories.

Item 27                    Paragraph 9(3)(b)

317.           Under paragraph 9(1)(f) of the SOCI Act, an asset prescribed in the rules for the purposes of the paragraph will be a critical infrastructure asset. Paragraph 9(3)(b) currently provides that the Minister, amongst other things, must not prescribe an asset for the purposes of paragraph 9(1)(f) unless the Minister is satisfied that there is a risk, in relation to the asset, that may be prejudicial to security.

318.           Item 27 of Schedule 1 to the Bill repeals and replaces paragraph 9(3)(b) of the SOCI Act to provide that the Minister must be satisfied that the asset relates to a critical infrastructure sector before prescribing the asset as a critical infrastructure asset under paragraph 9(1)(f).

319.           The repealed provision is no longer appropriate in light of the new obligations being introduced by the Bill, which focus on identifying critical infrastructure assets and ensuring they are resilient. The criticality of the assets, and the essential role they play in Australia, must be the exclusive focus when identifying the assets to which the SOCI Act applies. Further, the amendment reflects the reality that there is some security risk associated with all critical infrastructure assets, limiting the utility of this criterion.

320.           In its place, new paragraph 9(3)(b) limits the scope of assets that the Minister may prescribe as critical to those that relate to a critical infrastructure sector. This will ensure that assets cannot be prescribed economy wide, but rather must be from a sector of the economy that is regarded as critical.

Item 28                    Subparagraph 9(4)(a)(i)

321.           Subparagraph 9(4)(a)(i) of the SOCI Act provides that the Minister must not prescribe an asset under paragraph 9(1)(f) unless the Minister has first consulted the First Minister of the State or Territory in which the asset is located. Item 28 of Schedule 1 to the Bill amends the subparagraph to refer to the State or Territory in which the asset is wholly or partly located. This is intended to reflect the national, or cross-jurisdictional, footprint of some critical infrastructure assets.

Item 29                    Subparagraph 9(4)(a)(ii)

322.           Item 29 of Schedule 1 to the Bill omits the words ‘industry for the asset’ and substitutes the words ‘critical infrastructure sector’ in subparagraph 9(4)(a)(ii) of the SOCI Act. This is to reflect the introduction of the concept of a ‘critical infrastructure sector’ in new section 8D, as outlined above. 

Item 30                    Paragraph 10(1)(a)

323.           Section 10 of the SOCI Act defines the term ‘critical electricity asset’. One of the current criteria for being a ‘critical electricity asset’ is that the asset is a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers.

324.           Item 30 of Schedule 1 to the Bill inserts the words ‘or any other number of customers prescribed by the rules’ at the end of paragraph 10(1)(a) which will allow the Minister, through rules made under section 61 of the SOCI Act, to change the number of customers that qualifies an asset to be a ‘critical electricity asset’. 

325.           Electricity is fundamental to every facet of Australian society, underpinning just about everything in the digital age. The Bill draws on the existing definition in the SOCI Act and provides for the option to extend its application to a broader set of assets in recognition that the prolonged disruption to Australia’s electricity networks would have a significant impact on communities, businesses and national security capabilities. This change is intended to future-proof the framework.

Item 31                    Paragraph 12(1)(b)

326.           Section 12 of the SOCI Act defines the term ‘critical gas asset’. Paragraph 12(1)(b) currently provides that a ‘critical gas asset’ includes a gas storage facility that has a maximum daily quantity of at least 75 terajoules per day or any other quantity prescribed by the rules.

327.           Item 31 of Schedule 1 to the Bill repeals paragraph 12(1)(b) of the SOCI Act and substitutes a paragraph providing that a ‘critical gas asset’ includes a gas storage facility that has a maximum daily withdrawal capacity of at least 75 terajoules per day, or any other maximum daily withdrawal capacity prescribed by the rules.

328.           This is not intended to be a change in policy but rather to clarify the application of the paragraph so that it more accurately reflects the terminology used in the sector.

Item 32                    After section 12

329.           This item inserts new sections 12A, 12B, 12C, 12D, 12E, 12F, 12G, 12H, 12J, 12K, 12L, 12M, 12N and 12P into the SOCI Act, which outline further definitions required in relation to the amendments being made by the Bill.

Section 12A        Meaning of critical liquid fuel asset

330.           New section 12A of the SOCI Act outlines a definition of ‘critical liquid fuel asset’.  Subsection (1) provides that a critical liquid fuel asset is any of the following:

·          a liquid fuel refinery that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (2) (paragraph (a))

·          a liquid fuel pipeline that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (3) (paragraph (b)), or

·          a liquid fuel storage facility that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (4) (paragraph (c)). 

331.           The definition recognises the role that these assets play in delivering critical services that are essential to energy security and relied on to support the economy. A prolonged disruption to Australia’s liquid fuel supply would have a significant impact on communities, businesses and national security capabilities. For example, liquid fuel underpins every aspect of our daily life, from our groceries to our commute to work and our emergency services. The then Commonwealth Department of the Environment and Energy, in an interim report released in April 2019, reported that on average each Australian uses nearly three times more energy from liquid fuel than from electricity. The liquid fuel market also powers machinery on which other sectors rely, such as transport or space technology. This definition captures the assets needed to refine liquid fuel to be suitable for consumption, the pipelines required to distribute the fuel, and the facilities used to store it to ensure it is accessible at key locations.

332.           A note to subsection (1) reminds the reader that under section 9 the rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset.

333.           Subsection (2) provides that rules made under paragraph (1)(a) may prescribe specified liquid fuel refineries that are critical to ensuring the security and reliability of a liquid fuel market (paragraph (a)), or requirements for a liquid fuel refinery to be critical to ensuring the security and reliability of a liquid fuel market (paragraph (b)). The rules are expected to prescribe, initially, the three major Australian crude oil refineries (Geelong, Altona and Lytton). These refineries play a major part in Australia’s fuel supply chain, with Australian refineries providing for approximately 50 per cent of Australia’s transport fuel needs.

334.           Subsection (3) provides that rules made under paragraph (1)(b) may prescribe specified liquid fuel pipelines that are critical to ensuring the security and reliability of a liquid fuel market (paragraph (a)), or requirements for a liquid fuel pipeline to be critical to ensuring the security and reliability of a liquid fuel market (paragraph (b)). The rules are expected initially to prescribe the distribution pipelines that are critical for inter-city distribution and for movement from refineries and ports to terminals.  

335.           Subsection (4) provides that rules made under paragraph (1)(c) may prescribe specified liquid fuel storage facilities that are critical to ensuring the security and reliability of a liquid fuel market (paragraph (a)), or requirements for a liquid fuel storage facility to be critical to ensuring the security and reliability of a liquid fuel market (paragraph (b)). The rules are expected to initially prescribe a 100 megalitre storage threshold, capturing approximately 14 assets owned by seven organisations across all states and territories, except Tasmania and the Australian Capital Territory. These storage facilities are critical to building resilience to supply disruptions, thereby protecting consumers and the economy from fuel shortages.

336.           Rules made under these subsections will ensure that only those liquid fuel assets that are critical to Australia at any point in time fall within the definition of critical liquid fuel asset. This flexibility is necessary to ensure the definition can be reasonably adapted to adjust to changes in the liquid fuel market and interdependencies with that market.

Section 12B        Meaning of critical freight infrastructure asset

337.           New section 12B of the SOCI Act provides the definition of ‘critical freight infrastructure asset’. Subsection (1) provides that an asset is a critical freight infrastructure asset if it is any of the following:

·          a road network that, in accordance with subsection (2), functions as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a))

·          a rail network that, in accordance with subsection (3), functions as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)), or

·          an intermodal transfer facility that, in accordance with subsection (4), is critical to the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (c)).

338.           The freight industry is an essential component of the national economy. These assets play an important role in ensuring capital cities and population centres can access critical products (such as medical supplies and food and groceries) as well as facilitating businesses that rely on land based supply chains. An efficient intermodal facility is an important component of the overall effectiveness of regional transport services and plays a crucial role in road to road and road to rail interchange activities. Facilities improve the predictability of pick-up and delivery times and address congestion on city roads. For example, large vehicles will service manufacturing through to distribution between urban centres whilst smaller distribution trucks will operate in and out of the cities. The criticality of these networks and facilities became all the more apparent during the COVID-19 outbreaks where demand increased for critical supplies across States, Territories and regional centres.

339.           A note to subsection (1) reminds the reader that under section 9 the rules may prescribe that a specified critical freight infrastructure asset is not a critical infrastructure asset.

340.           Subsection (2) provides that the rules may prescribe, for the purpose of paragraph (1)(a), specified road networks that function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a)), or requirements for a road network to function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)). 

341.           Subsection (3) provides that the rules may prescribe, for the purpose of paragraph (1)(b), specified rail networks that function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a)), or requirements for a rail network to function as a critical corridor for the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)). 

342.           Subsection (4) provides that the rules may prescribe, for the purpose of paragraph (1)(c), specified intermodal transfer facilities that are critical to the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (a)), or requirements for an intermodal transfer facility to be critical to the transportation of goods between two States, a State and a Territory, two Territories or two regional centres (paragraph (b)).

343.           Considerations when determining criticality under subsections 12B(2), (3) and (4) may include:

·          the volume of freight the network or facility enables to be transported;

·          the value of the commodities the network or facility enables;

·          the frequency of heavy vehicles utilising the network or facility;

·          whether the network or facility enables the transport of specific commodities of high economic significance for the region; or

·          whether any alternative transport routes are available should the network or facility become unavailable.

344.           Major road and rail assets are vital in responding to and mitigating the impacts of natural disasters. The criticality of these assets is amplified where there is a lack of redundancy, as inconvenience gives way to a threat to national interests. For example, the 2009 floods in Queensland’s north and north-west temporarily closed the Bruce Highway and limited the availability of food and supplies to the region.

345.           Similarly, intermodal terminals play a significant role in facilitating the consolidation, storage and transfer of freight between rail and road at the beginning and end of each rail journey. Intermodal terminals provide connectivity to ports, regional networks and other capital cities and regional centres and are central to the stability and security of road and rail infrastructure. These facilities are also useful in enabling redundancies by allowing goods to be transferred between modes of transport should one be compromised.

346.           The Department will work closely with the freight industry and State and Territory Governments to identify which road networks, rail networks or intermodal transfer facilities function as critical corridors.

Section 12C        Meaning of critical freight services asset

347.           New section 12C of the SOCI Act provides the definition of ‘critical freight services asset’. Subsection (1) provides that an asset is a critical freight services asset if it is a network that is used by an entity carrying on a business that, in accordance with subsection (2), is critical to the transportation of goods by road, rail, inland waters or sea.

348.           The note to subsection (1) reminds the reader that under section 9 the rules may prescribe that a specified critical freight services asset is not a critical infrastructure asset.

349.           Subsection (2) provides that the rules may prescribe, for the purpose of subsection (1), specified businesses that are critical to the transportation of goods by road, rail, inland waters or sea (paragraph (a)), or requirements for a business to be critical to the transportation of goods by road, rail, inland waters or sea (paragraph (b)).

350.           Critical freight services assets are critical to Australia’s trade and commerce, and to social stability, as they are responsible for the logistics and movement of valuable goods and products across the country. These assets assist businesses to transport products to consumers, and ensure communities can access critical supplies, including food and groceries. The COVID-19 pandemic and recent natural disasters have highlighted the importance of freight services, and the assets they rely on, in transporting personal protective equipment, medical supplies, food and groceries, and other critical supplies across Australia.

351.           The Department will work closely with the freight industry and State and Territory Governments to identify critical freight services. The factors the Minister may consider when making rules may include:

·          the relevant business’ market share;

·          the volume, value and criticality of goods transported;

               i.       for example, whether the business is responsible for the transport of niche goods that enable the delivery of critical services (for instance medical supplies that enable intensive care units to remain operational, or vaccines); and

·          whether any redundancies exist if that freight service is rendered unavailable.

Section 12D        Meaning of critical financial market infrastructure asset

352.           New section 12D of the SOCI Act provides the definition of ‘critical financial market infrastructure asset’. These assets are critical to the functioning, security and stability of financial services and markets.  

353.           A significant disruption to financial market infrastructure assets would have a detrimental impact on public trust, financial stability, and market integrity and efficiency. The reasons for this include their central and enabling position within the financial system and the inability of participating financial institutions (and, in most cases, ultimately also consumers and businesses) to use substitute services.

354.           Financial market infrastructure licensed in Australia supports transactions in securities with a total annual value of $16 trillion and derivatives with a total annual value of $150 trillion. These markets turn over value equivalent to Australia’s annual GDP every three business days. [4]

355.           Subsection (1) provides that a critical financial market infrastructure asset is any of the following assets:

·          an asset that is owned or operated by an Australian body corporate that holds an Australian market licence and is used in connection with the operation of a financial market that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (2) (paragraph (a))

·          an asset that is owned or operated by an associated entity of an Australian body corporate that holds an Australian market licence and is used in connection with the operation of a financial market that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (2) (paragraph (b))

·          an asset that is owned or operated by an Australian body corporate that holds an Australian CS facility licence and is used in connection with the operation of a clearing and settlement facility that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (3) (paragraph (c))

·          an asset that is owned or operated by an associated entity of an Australian body corporate that holds an Australian CS facility licence and is used in connection with the operation of a clearing and settlement facility that is critical to the security and reliability of the financial services and markets sector in accordance with subsection (3) (paragraph (d))

·          an asset that is owned or operated by an Australian body corporate that holds a benchmark administrator licence and is used in connection with the administration of a significant financial benchmark that is critical to the security and reliability of the financial services and markets sector, in accordance with subsection (4) (paragraph (e))

·          an asset that is owned or operated by an associated entity of an Australian body corporate that holds a benchmark administrator licence and is used in connection with the administration of a significant financial benchmark that is critical to the security and reliability of the financial services and markets sector, in accordance with subsection (4) (paragraph (f))

·          an asset that is owned or operated by an Australian body corporate that holds an Australian derivative trade repository licence and is used in connection with the operation of a derivative trade repository that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector (paragraph (g))

·          an asset that is owned or operated by an associated entity of an Australian body corporate that holds an Australian derivative trade repository licence and is used in connection with the operation of a derivative trade repository that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector (paragraph (h)), or

·          an asset that is used in connection with the operation of a payment system that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector (paragraph (i)).


356.           Subsection (2) provides that for the purpose of paragraphs (1)(a) and (1)(b) the rules may prescribe specified financial markets that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a financial market to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

357.           Consistent with advice from existing financial regulators, the rules may prescribe, for example, a threshold (which may be determined by a turnover metric) that captures a narrower cohort of the Domestic (s795B(1)) Tier 1 market licensees.

358.           Financial markets are used by participants to either raise funds (e.g. by issuing securities) or invest savings (by buying securities and other financial assets). The stability and operational efficiency of Australia’s financial markets is of critical importance to business confidence and the Australian economy. The importance of financial markets is evident from the value of financial transactions. For example, the Australian equity market daily average turnover for the June 2020 quarter was $9 billion, up from a daily average $6.82 billion in the June 2019 quarter. [5]

359.           Subsection (3) provides that for the purpose of paragraphs (1)(c) and (1)(d) the rules may prescribe specified clearing and settlement facilities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a clearing and settlement facility to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

360.           Requirements for a clearing and settlement facility to be critical to the security and reliability of the financial services and markets sector may include, but not be limited to, the following criteria:

·          the size of the facility in Australia;

·          the availability of substitutes for the facility's services in Australia;

·          the nature and complexity of the products cleared or settled by the facility; or

·          the degree of interconnectedness with other parts of the Australian financial system.


361.           Reliable and timely clearing, transfer of ownership and settlement arrangements are essential to the efficient and effective operation of financial markets. A rigorous and reliable clearing and settlement infrastructure allows market participants to undertake bond market transactions without undue risk from default, market, systemic or other broader risks. Accordingly, the effectiveness of such systems significantly affects the development of secondary market activity.

362.           Subsection (4) provides that for the purpose of paragraphs (1)(e) and (1)(f) the rules may prescribe specified significant financial benchmarks that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a significant financial benchmark to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

363.           Significant financial benchmarks are of critical importance to a wide range of users in financial markets and throughout the broader economy. Benchmarks affect the pricing of key financial products such as credit facilities offered by financial institutions, corporate debt securities, exchange-traded funds, foreign exchange and interest rate derivatives, commodity derivatives, equity and bond index futures and other investments and risk management products. They also drive or influence asset allocation decisions within investment portfolios.

364.           If the availability or integrity of a significant financial benchmark is disrupted, this could lead to financial contagion or systemic instability, and impact on both retail and wholesale investors.

365.           Subsection (5) provides that for the purpose of paragraphs (1)(g) and (1)(h) the rules may prescribe specified derivative trade repositories that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a derivative trade repository to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

366.           A derivative trade repository is a facility to which information about derivative transactions, or about positions relating to derivative transactions, can be reported. It acts as a centralised registry that maintains an electronic database of records of transactions. Derivative trade repositories are a core component of the infrastructure supporting derivatives markets. A derivative trade repository may be part of a network linking various entities (e.g. clearing and settlement facilities, dealers or financial custodians), and therefore a disruption in a derivative trade repository could spread to linked entities and have cascading impacts across the economy.


367.            Derivative trade repositories have emerged as a relatively new type of financial market infrastructure and have recently grown in importance, particularly in light of the Group of Twenty commitments reached at the summit in Pittsburgh in 2009 in relation to the necessity of substantial reforms to practices in over-the-counter derivatives markets.


368.           Whilst there is currently no domestically incorporated derivative trade repository that is licensed in Australia, derivative trade repositories are included in order to future-proof the regime should a domestic derivative trade repository emerge, noting that it would potentially play a critical role in the financial system.

369.           Subsection (6) provides that for the purpose of paragraph (1)(i) the rules may prescribe specified payment systems that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a payment system to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

370.           Requirements for a payment system to be critical to the security and reliability of the financial services and markets sector may include, but not be limited to:

·          a minimum aggregate value and/or volume of Australian dollar payments processed through the system over a specified period;

·          the time-criticality of the payments processed;

·          a minimum average value of the payments processed through the system over a specified period;

·          the provision of important payment services for which there are few or no close substitutes;

·          the system being used to settle payments that effect settlement in one or more financial market infrastructures; or

·          other factors indicating that the system has the potential to trigger or transmit systemic disruption, or, if unavailable, result in significant disruption to economic activity.

371.           Payment systems refer to arrangements which allow consumers, businesses and other organisations to transfer funds usually held in an account at a financial institution to one another. Australian payment systems contribute to the smooth functioning of the economy. Financial transactions are now more than ever before facilitated by the internet and mobile-based technologies. Non-cash payments account for most of the value of payments in the Australian economy. On average, in 2019 non-cash payments worth around $255 billion were made each business day, equivalent to around 13 per cent of annual GDP. [6]

372.           Consumers and businesses are heavily dependent on the continued functioning and security of infrastructure and assets that are used to operate these payment systems.

373.           The development of any rules under this section will involve close consultation with industry and existing Commonwealth financial regulators.

374.           Subsection (7) provides that, for the purposes of section 12D, ‘Australian body corporate’ means a body corporate that is incorporated in Australia.

Section 12E    Meaning of critical broadcasting asset

375.           New section 12E of the SOCI Act provides the definition of ‘critical broadcasting asset’. Subsection (1) provides that one or more broadcasting transmission assets are a ‘critical broadcasting asset’ if:

·          the broadcasting transmission assets are owned or operated by the same entity and located on a site that, in accordance with subsection (2), is a critical transmission site (paragraph (a)), or

·          the broadcasting transmission assets are owned or operated by the same entity, are located on at least 50 different sites and are not broadcasting re-transmission assets (paragraph (b)), or

·          the broadcasting transmission assets are owned or operated by an entity that, in accordance with subsection (3), is critical to the transmission of a broadcasting service (paragraph (c)). 

376.           Broadcast media play an important role in emergencies, both in disseminating and collecting information about an incident. While there is no legislative requirement for broadcasters to undertake the role of disseminating emergency warnings to communities, the Commonwealth, States and Territories have established working relationships with broadcasters to ensure emergency information is disseminated effectively in a crisis. However, the ability of national and commercial broadcasters to deliver emergency messages is dependent on the resilience and security of transmission and distribution infrastructure.

377.           A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical broadcasting asset is not a critical infrastructure asset.

378.           Subsection (2) provides that, for the purposes of paragraph (1)(a), the rules may prescribe specified sites as being critical transmission sites (paragraph (a)), or requirements for sites to be critical transmission sites (paragraph (b)). For example, the rules may prescribe a particular transmission site that services a key population centre with no alternative sites, meaning that any disruption to that site could cause significant difficulties in an emergency.

379.           The Department will work closely with industry and State and Territory Governments to determine whether rules will need to be made to capture particular critical transmission sites that do not meet the 50-site threshold.

380.           Paragraph (1)(b) provides that a network of broadcasting transmission assets across 50 different sites is critical as this represents an extensive network of transmission infrastructure that is relied upon by key broadcasters to service significant population areas in Australia. The services that are provided by networks captured by this limb of the definition are crucial to ensuring key broadcasters are able to service the community during emergency circumstances.

381.           However, assets that are used exclusively for re-transmission purposes are not within the scope of the test at paragraph (1)(b). Re-transmission sites include broadcasting transmission assets that are used in connection with the re-transmission of a service to which, as a result of section 212 of the Broadcasting Services Act, the regulatory regime under that Act does not apply.

382.           This reflects that re-transmission sites do not themselves form a critical network for the transmission of radio and television. Instead, re-transmission sites play a support role and are designed to address gaps in a transmission network. As a result, only certain re-transmission sites are critical to facilitating the services offered by broadcasters.

383.           That is why paragraph (2)(a) provides scope for the Minister to prescribe broadcasting transmission assets (including re-transmission sites) located on a critical transmission site to be critical broadcasting assets. In determining whether a certain transmission site is a critical broadcasting asset, the Minister will consider factors such as its geographic location, redundancies in relation to alternative transmission sites, and the size of the population serviced by the asset.

384.           Paragraph (1)(c) provides that a critical broadcasting asset may also be one or more broadcasting transmission assets if those assets are owned or operated by an entity that, in accordance with subsection (3), is critical to the transmission of a broadcasting service. For the purposes of this paragraph, the rules may prescribe specified entities that are critical to the transmission of a broadcasting service, or requirements for an entity to be critical to the transmission of a broadcasting service.

Section 12F         Meaning of critical data storage or processing asset

385.           New section 12F of the SOCI Act provides the definition of ‘critical data storage or processing asset’. Demand for data and cloud services has significantly increased as more business is conducted online. This means that data and cloud services have become an important component for day-to-day business operations.

386.           The definition encompasses those assets that are critical to maintaining the commercial supply and availability of data and cloud services located in Australia. The definition is intended to capture the physical infrastructure or computing platforms used primarily to provide data storage or processing services on a commercial basis. This includes enterprise data centres, managed services data centres, colocation data centres and cloud data centres. The definition is aimed at data storage companies or cloud computing companies that provide data storage or processing as their primary business offering to the critical infrastructure asset, whether through infrastructure as a service (IaaS) or platform as a service (PaaS). Software as a service (SaaS) providers may also be captured by the critical data storage or processing asset definition, where the software is relied on to store or process a Government agency’s data or a critical infrastructure asset’s business critical data as the primary function of the service.

387.           The definition does not cover instances where data storage or processing is secondary to, an enabler for, or simply a by-product of, the primary service being offered - for example, accounting services. In a scenario where a business has shared business critical data with a SaaS provider, but only for the purposes of the SaaS provider providing its primary service (such as running the business’ payroll), the SaaS provider is not to be considered a critical infrastructure asset.

388.           Subsection (1) provides that an asset is a critical data storage or processing asset if all of the following apply:

·          the asset is owned or operated by an entity that is a data storage or processing provider (paragraph (a))

·          the asset is used wholly or primarily to provide a data storage or processing service that is provided by the entity on a commercial basis to one of the government bodies listed in subparagraphs (i)-(vi) (paragraph (b)), and

·          the entity knows that the asset is used as described in paragraph (b) (paragraph (c)).

389.           A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset.

390.           Data centres and cloud providers that are custodians of Government data are critical due to the sensitive nature of the Government information that they store or process. Under the Protective Security Policy Framework, the Australian Government is required to safeguard official information and mitigate the risks of cyber attacks. This is because a compromise of Government data may lead to the disclosure of highly sensitive information relevant to the operation of the nation, put at risk foreign relations with key international partners, and undermine economic prosperity and social stability. State and Territory Governments also hold sensitive data that is critical to the operation of services and other aspects of their jurisdictions.

391.           Subsection (2) also provides that an asset is a critical data storage or processing asset if all of the following apply:

·          the asset is owned or operated by an entity that is a data storage or processing provider (paragraph (a))

·          the asset is used wholly or primarily to provide a data storage or processing service that is provided by the entity on a commercial basis to another critical infrastructure asset and relates to business critical data (paragraph (b)), and

·          the entity knows that the asset is used as described in paragraph (b) (paragraph (c)). 

392.           A note to subsection (2) reminds the reader that the rules, made under section 9, may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset.

393.            Data centres and cloud providers captured by this limb of the definition are critical by virtue of the fact that they handle business critical data for other critical infrastructure assets. Business critical data includes bulk holdings of personal information, and information that is crucial to the continued operation and functioning of assets that directly contribute to maintaining Australia’s economic and social stability. Should this data, or the provision of services in relation to it, be impacted, the confidentiality and reliability of the critical infrastructure asset is likely to be affected including, potentially the provision of essential services.

394.           A data storage or processing provider may not always know if it is providing services relating to the business critical data of a critical infrastructure asset. For example, data privacy practices typically mean that third party providers do not have visibility over what type of data is being stored or processed through their facilities. In response to these circumstances, the asset will only become a critical data storage or processing asset where the responsible entity knows that it is storing or processing business critical data of a critical infrastructure asset.


395.           In support of this requirement, subsection (3) applies if an entity (the first entity) is the responsible entity for a critical infrastructure asset (paragraph (a)), and the first entity becomes aware that a data storage or processing service is provided by another entity on a commercial basis to the first entity and relates to business critical data (paragraph (b)). 

396.           For example, this obligation applies when the responsible entity of a critical banking asset becomes aware that a data storage or processing service is managing its business critical data on a commercial basis. This is likely to be at the point of services commencing following the entering of a contractual arrangement. The responsible entity must then take all reasonable steps to inform the relevant data storage or processing service of these circumstances as soon as practicable after becoming so aware.

397.           If subsection (3) applies, the first entity must:

·          take reasonable steps to inform the other entity that the first entity has become aware that the data storage or processing service is provided by the other entity on a commercial basis, and relates to business critical data (paragraph (c)), and

·          do so as soon as practicable after becoming aware (paragraph (d)). 

398.           Commonwealth, State and Territory Governments will not be required to notify data and cloud service providers that they are critical data storage and processing assets. In these circumstances, it is expected that the relevant data or cloud service provider will be aware that they provide services to a Government client.

399.           Breach of subsection (3) is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure that data storage or processing providers can be notified as soon as practicable that their asset is a critical data storage or processing asset, noting the importance of the service they are providing. The penalty for this notification requirement is commensurate with the penalty for failing to notify of events in relation to the Register of Critical Infrastructure Assets.

Section 12G        Meaning of critical banking asset

400.           New section 12G of the SOCI Act provides the definition of ‘critical banking asset’. This definition recognises the role banking businesses play in the financial system, holding the majority of financial system assets. In addition to retail deposit-taking and lending activities, banks are involved in financial intermediation, including business banking, trading in financial markets, stockbroking and insurance and funds management. A severe compromise of any of Australia’s major banks has the potential for significant and lasting economic and security impacts given their high volume of retail customers as well as important government and business customers.

401.           Subsection (1) provides that an asset is a critical banking asset if it is an asset described in paragraph (a) or (b). Paragraph (a) describes an asset where the following conditions are satisfied:

·          an asset is owned or operated by an authorised deposit-taking institution (subparagraph (i))

·          the authorised deposit-taking institution is an authorised deposit-taking institution that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector (subparagraph (ii)), and

·          the asset is used in connection with the carrying on of banking business (subparagraph (iii)). 

402.           Paragraph (b) describes an asset that meets the following conditions:

·          the asset is owned or operated by a body corporate that is a related body corporate of an authorised deposit-taking institution (subparagraph (i))

·          the body corporate is a body corporate that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector (subparagraph (ii)), and

·          the asset is used in connection with the carrying on of banking business (subparagraph (iii)). 

403.           A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical banking asset is not a critical infrastructure asset.

404.           Subsection (2) provides that for the purposes of subparagraph (1)(a)(ii), the rules may prescribe specified authorised deposit-taking institutions that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an authorised deposit-taking institution  to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

405.           For example, following consultation with industry, the Minister may make rules prescribing particular banks as critical to the financial services and markets sector, or establish threshold attributes in the rules for determining criticality such as a minimum quantity of assets held for the bank to be regarded as a critical banking asset.

406.           Subsection (3) provides that, for the purposes of subparagraph (1)(b)(ii), the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)).

Section 12H        Meaning of critical insurance asset

407.           New section 12H of the SOCI Act provides the definition of ‘critical insurance asset’. Insurers play a critical role in the financial system and can act as an important buffer in the Australian economy by softening the potential financial impacts to businesses and individuals as a result of sudden and often uncontrollable shocks. Insurers also play a significant role in assisting communities, industry and the Australian economy to recover from natural disasters and other hazards.

408.           Life insurance plays a vital role in Australia’s social construct, and will continue to provide necessary financial protection noting Australia’s aging population. Life insurers are also significant contributors to Australia’s wealth and prosperity. Life insurance acts as a saving mechanism for Australians and allows for significant volumes of long-term funding for financial markets and other sectors in need of investment, contributing to Australia’s overall economic growth and stability.

409.           Health insurers are not only critical to ensuring Australians can access health services, but they are also important contributors to the country’s wealth and prosperity. Private health insurance provides cover for private hospital services and many out-of-hospital health services not covered by Medicare, such as dentistry. According to the Australian Prudential Regulation Authority (APRA), 43.8 per cent of the Australian population had private hospital cover at 30 September 2020, and 53.2 per cent had cover for ancillary services (‘extras’), such as dentistry and optometry, as at 30 September 2020. [7]

410.           The critical insurance asset definition recognises the key role that insurers play in the financial system. They act as an important buffer for the Australian economy, softening the financial impact of events on public funds by drawing on private sector funding. For example, failure in a reinsurer could affect operations across a significant number of Australian insurers. 

411.           Subsection (1) provides that an asset that meets the criteria outlined in any of paragraphs (a) to (f) is a ‘critical insurance asset’. Paragraph (a) outlines the following criteria:

·          the asset is owned or operated by an entity that carries on insurance business

·          the entity is an entity that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector, and

·          the asset is used in connection with the carrying on of insurance business. 

412.           Paragraph (b) outlines the following criteria:

·          the asset is owned or operated by a body corporate that is a related body corporate of an entity that is carrying on insurance business

·          the body corporate is a body corporate that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector, and

·          the asset is used in connection with the carrying on of insurance business. 

413.           Paragraph (c) outlines the following criteria:

·          the asset is owned or operated by an entity that carries on life insurance business

·          the entity is an entity that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector, and

·          the asset is used in connection with the carrying on of insurance business. 

414.           Paragraph (d) outlines the following criteria:

·          the asset is owned or operated by a body corporate that is a related body corporate of an entity that is carrying on life insurance business, and is critical to the carrying on of life insurance business

·          the body corporate is a body corporate that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector, and

·          the asset is used in connection with the carrying on of insurance business. 

415.           Paragraph (e) outlines the following criteria:

·          the asset is owned or operated by an entity that carries on health insurance business

·          the entity is an entity that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector, and

·          the asset is used in connection with the carrying on of insurance business. 

416.           Paragraph (f) outlines the following criteria:

·          the asset is owned or operated by a body corporate that is a related body corporate of an entity that is carrying on health insurance business

·          the entity is an entity that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector, and

·          the asset is used in connection with the carrying on of insurance business. 

417.           A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical insurance asset is not a critical infrastructure asset.

418.           Subsection (2) provides that for the purposes of subparagraph (1)(a)(i) the rules may prescribe specified entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

419.           Subsection (3) provides that for the purposes of subparagraph (1)(b)(ii) the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

420.           Subsection (4) provides that for the purposes of subparagraph (1)(c)(ii) the rules may prescribe specified entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

421.           Subsection (5) provides that for the purposes of subparagraph (1)(d)(ii) the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

422.           Subsection (6) provides that for the purposes of subparagraph (1)(e)(ii) the rules may prescribe specified entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for an entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

423.           Subsection (7) provides that for the purposes of subparagraph (1)(f)(ii) the rules may prescribe specified bodies corporate that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

424.           The rules will be used to identify those insurance assets that are critical. This may include prescribing that an insurer with assets over a certain monetary threshold would be regarded as critical, as its market share would mean that events impacting the assets would have cascading effects across the economy.

Section 12J         Meaning of critical superannuation asset

425.           New section 12J of the SOCI Act provides the definition of ‘critical superannuation asset’. Superannuation represents the largest financial asset for the majority of Australian households. Superannuation savings are the basis for the retirement incomes of millions of Australians. More than 60 per cent of Australians directly contribute to superannuation, with a substantial proportion of that investment used to finance the development of Australian industry. [8] The long-term financial prosperity of Australian retirees is intricately linked to the financial health of the Australian economy.

426.           Subsection (1) provides that an asset is a ‘critical superannuation asset’ if it is owned or operated by a registrable superannuation entity that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector (paragraph (a)) and is used in connection with the operation of a superannuation fund (paragraph (b)). This is not intended to cover self-managed superannuation funds.

427.           A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical superannuation asset is not a critical infrastructure asset.

428.           Subsection (2) provides that for the purpose of paragraph (1)(a) the rules may prescribe registrable superannuation entities that are critical to the security and reliability of the financial services and markets sector (paragraph (a)), or requirements for a registrable superannuation entity to be critical to the security and reliability of the financial services and markets sector (paragraph (b)). 

429.           The rules will be used to identify those superannuation assets that are critical. This may include prescribing as critical those registrable superannuation entities with assets over a certain monetary threshold, as their market share would mean that events impacting the assets would have cascading effects across the population and economy.

Section 12K        Meaning of critical food and grocery asset

430.           New section 12K of the SOCI Act provides the definition of ‘critical food and grocery asset’. The COVID-19 pandemic has placed food and grocery distribution and supply under significant pressure, revealing both the criticality and vulnerability of these networks. The last six months in particular have highlighted how disruptions to distribution networks and other key operations of Australia’s major supermarkets can seriously impact the availability of food and groceries to the community.

431.           Other parts of the sector (for example food manufacturing or packaging) are not considered critical food and grocery assets as they are often disaggregated and, if disrupted, are less likely to have a severe and widespread impact on the availability of food and groceries.

432.           Subsection (1) provides that an asset is a critical food and grocery asset if it is a network that is used for the distribution or supply of food or groceries (paragraph (a)), and is owned or operated by an entity that is declared by the rules to be a critical supermarket retailer, critical food wholesaler or critical grocery wholesaler (paragraph (b)).

433.           A note to subsection (1) reminds the reader that the rules, made under section 9, may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset.

434.           Subsections (2)-(4) provide that the rules may prescribe specified entities that are critical supermarket retailers, critical food wholesalers, or critical grocery wholesalers, or alternatively requirements for an entity to be a critical supermarket retailer, critical food wholesaler, or critical grocery wholesaler.

435.           Following further consultation with industry, the Minister may declare a supermarket retailer, food wholesaler or grocery wholesaler to be critical in the rules through prescribing a specific entity or identifying a qualitative or quantitative threshold for criticality. This is likely to cover the existing significant supermarket retailers.

Section 12KA     Meaning of critical domain name system

440.           New section 12KA of the SOCI Act will provide the definition of ‘critical domain name system’. The domain name system underpins the operation of the internet. The domain name system is the global database that translates website names into computer-readable internet protocol (IP) addresses. For example, ‘.au’ is Australia’s country code domain. The .au namespace plays an important role in supporting the digital economy with over 3.2 million domain names registered as at August 2020. With the online environment becoming increasingly enmeshed with everyday life, a disruption to a critical domain name system could have significant cascading implications for Australian businesses, government and the community. Malicious or criminal exploitation of the domain name system can compromise users’ ability to conduct business or navigate the internet, or compromise their data.

441.           This term means a system that is managed by an entity that, in accordance with subsection (2), is critical to the administration of an Australian domain name system and is used in connection with the administration of an Australian domain name system. An ‘Australian domain name system’ means a country code Top Level Domain or a generic Top Level Domain where the administrator of that domain name system is resident in Australia.

442.           The note below subsection (1) explains that under section 9 of this Act the rules may prescribe that a specified ‘critical domain name system’ is not a ‘critical infrastructure asset’. This will ensure that assets that are not intended to be captured can be excluded from the operation of the framework and avoid unnecessary impact.

443.           Subsection (2) provides that the rules may prescribe, for the purposes of subsection (1), specified entities that are critical to the administration of an Australian domain name system, or requirements for an entity to be critical to the administration of an Australian domain name system. It is likely that auDA will be specified under subsection (2) as the entity responsible for the .au domain name.

Section 12L        Meaning of responsible entity

444.           New section 12L of the SOCI Act will provide the definition for ‘responsible entity’. The definition has been separated into twenty five subsections representing the twenty two classes of assets listed in the definition of critical infrastructure asset (see subsection 9(1)), as well as assets that are prescribed under paragraph 9(1)(f), assets that are declared under section 51 by the Minister or assets that are systems of national significance.


445.           Responsible entities are those entities with ultimate operational responsibility for the asset. These entities have effective control or authority over the operations and functioning of the asset as a whole (even if they do not have direct control over a particular part of the asset), and are in a position to engage the services of contractors and other operators. Given this, these entities are best placed to fulfil the obligations (should they be activated and apply) under existing Part 2 of the SOCI Act, and new Parts 2A and 2B of this Bill. Further, due to their ultimate responsibility for the asset, the responsible entity will also serve as the key contact point for consultation in relation to rules that may impact the asset.


446.           Importantly, section 12L provides the Minister with the ability to make rules to override the responsible entity for a specific category of critical infrastructure asset identified in this section, and prescribe another entity to be the responsible entity. The purpose of this rule making power is to provide adequate flexibility to ensure the obligations and measures under this Bill continue to apply to the most appropriate entity.


Subsection 12L(1)—Critical telecommunications asset

447.           Subsection (1) provides that the responsible entity for a critical telecommunications asset is:

·          if the critical telecommunications asset is owned or operated by a carrier—the carrier (subparagraph (a)(i))

·          if the critical telecommunications asset is owned or operated by a carriage service provider—the carriage service provider (subparagraph (a)(ii)), or

·          another entity if prescribed by the rules (paragraph (b)). 

448.           These entities have been identified as responsible entities for critical telecommunications assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(2)—Critical broadcasting asset

449.           Subsection (2) provides that the responsible entity for a critical broadcasting asset is:

·          the entity referred to in either subparagraph 12E(1)(a)(i), (b)(i) or (1)(c), whichever is applicable (paragraph (a)), or

·          another entity if prescribed by the rules (paragraph (b)). 

450.           This means that the responsible entity for a critical broadcasting asset is the entity that:

·          owns or operates broadcasting transmission assets that are located on a site that is a critical transmission site (subparagraph 12E(1)(a)(i)). The rules will prescribe either specified sites or requirements for sites to be critical

·          owns or operates broadcasting transmission assets located on at least 50 different sites (subparagraph 12E(1)(b)(i)), or

·          has been prescribed in the rules as critical to the transmission of a broadcasting service.

451.           These entities have been identified as responsible entities for critical broadcasting assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(3)—Critical domain name system

452.           Subsection (3) provides that the responsible entity for a critical domain name system is:

·          an entity referred to in paragraph 12KA(1)(a) (paragraph (a)), or

·          another entity if prescribed by the rules (paragraph (b)). 

453.           This means that the responsible entity for a critical domain name system is an entity that has been specified under subsection 12KA(2). As outlined above for section 12KA, auDA will likely be the entity referred to in paragraph 12KA(1)(a) and therefore would be the responsible entity. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(4)—Critical data storage or processing asset

454.           Subsection (4) provides that the responsible entity for a critical data storage or processing asset is the entity referred to in paragraph 12F(1)(a) or paragraph 12F(2)(a) (paragraphs (a) and (b) respectively), or another entity that has been prescribed by the rules to be the responsible entity (paragraph (c)). 

455.           These entities (essentially the owner or operator of the asset) have been identified as responsible entities for critical data storage or processing assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(5)—Critical banking asset

456.           Subsection (5) provides that the responsible entity for a critical banking asset is the authorised deposit-taking institution referred to in paragraph 12G(1)(a) or the body corporate referred to in paragraph 12G(1)(b) (paragraphs (a) and (b) respectively), or an entity that has been prescribed by the rules to be the responsible entity (paragraph (c)). 

These entities have been identified as responsible entities for critical banking assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on. 


Subsection 12L(6)—Critical superannuation asset

457.           Subsection (6) provides that the responsible entity for a critical superannuation asset is the registrable superannuation entity referred to in subsection 12J(1) (paragraph (a)) or an entity that has been prescribed by the rules to be the responsible entity (paragraph (b)). 

458.           These entities have been identified as responsible entities for critical superannuation assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.   

Subsection 12L(7)—Critical insurance asset

459.           Subsection (7) provides that the responsible entity for a critical insurance asset is:

·          if the asset is covered by paragraph 12H(1)(a)—the entity that carries on insurance business referred to in subparagraph 12H(1)(a)(i) (paragraph (a))

·          if the asset is covered by paragraph 12H(1)(b)—the body corporate that is a related body corporate of an entity that carries on insurance business referred to in subparagraph 12H(1)(b)(i) (paragraph (b))

·          if the asset is covered by paragraph 12H(1)(c)—the entity that carries on life insurance business referred to in subparagraph 12H(1)(c)(i) (paragraph (c))

·          if the asset is covered by paragraph 12H(1)(d)—the body corporate that is a related body corporate of an entity that carries on life insurance business referred to in subparagraph 12H(1)(d)(i) (paragraph (d))

·          if the asset is covered by paragraph 12H(1)(e)—the entity that carries on health insurance business referred to in subparagraph 12H(1)(e)(i) (paragraph (e))

·          if the asset is covered by paragraph 12H(1)(f)—the body corporate that is a related body corporate of an entity that carries on health insurance business referred to in subparagraph 12H(1)(f)(i) (paragraph (f)), or

·          any other entity prescribed by the rules (paragraph (g)).

460.           These entities have been identified as responsible entities for each category of critical insurance assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(8)—Critical financial market infrastructure asset

461.           Subsection (8) provides that the responsible entity for a financial market infrastructure asset is:

·          if the asset is covered by paragraph 12D(1)(a)—the body corporate that holds an Australian market licence referred to in subparagraph 12D(1)(a)(i) (paragraph (a))

·          if the asset is covered by paragraph 12D(1)(b)—the associated entity of an Australian body corporate that holds an Australian market licence as mentioned in subparagraph 12D(1)(b)(i) (paragraph (b))

·          if the asset is covered by paragraph 12D(1)(c)—the body corporate that holds an Australian CS facility licence referred to in subparagraph 12D(1)(c)(i) (paragraph (c))

·          if the asset is covered by paragraph 12D(1)(d)—the associated entity of an Australian body corporate that holds an Australian CS facility licence as mentioned in subparagraph 12D(1)(d)(i) (paragraph (d))

·          if the asset is covered by paragraph 12D(1)(e)—the body corporate that holds a benchmark administrator licence referred to in subparagraph 12D(1)(e)(i) (paragraph (e))

·          if the asset is covered by paragraph 12D(1)(f)—the associated entity of a body corporate that holds a benchmark administrator licence as mentioned in subparagraph 12D(1)(f)(i) (paragraph (f))

·          if the asset is covered by paragraph 12D(1)(g)—the body corporate that holds an Australian derivative trade repository licence referred to in subparagraph 12D(1)(g)(i) (paragraph (g))

·          if the asset is covered by paragraph 12D(1)(h)—the associated entity of a body corporate that holds an Australian derivative trade repository licence as mentioned in subparagraph 12D(1)(h)(i) (paragraph (h))

·          if the asset is covered by paragraph 12D(1)(i)—the entity that is used in connection with the operation of a payment system prescribed by the rules (paragraph (i)), or

·          another entity if prescribed by the rules (paragraph (j)). 

462.           These entities have been identified as responsible entities for each category of critical financial market infrastructure assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(9)—Critical water asset

463.           Subsection (9) provides that the responsible entity for a critical water asset is the water utility that holds the licence, approval or authorisation to provide the service to be delivered by the asset (paragraph (a)), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

464.           This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical water assets.

Subsection 12L(10)—Critical electricity asset

465.           Subsection (10) provides that the responsible entity for a critical electricity asset is the entity that holds the licence, approval or authorisation to operate the asset to provide the service to be delivered by the asset, or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

466.           This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical electricity assets.

Subsection 12L(11)—Critical gas asset

467.           Subsection (11) provides that the responsible entity for a critical gas asset is the entity that holds the licence, approval or authorisation to operate the asset to provide the service to be delivered by the asset, or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

468.           This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical gas assets.

Subsection 12L(12)—Critical energy market operator asset

469.           Subsection (12) provides that the responsible entity for a critical energy market operator asset is:

·          if the asset is used by Australian Energy Market Operator Limited (ACN 072 010 327)—that company (paragraph (a))

·          if the asset is used by Power and Water Corporation—that corporation (paragraph (b))

·          if the asset is used by Regional Power Corporation—that corporation (paragraph (c))

·          if the asset is used by Electricity Networks Corporation—that corporation (paragraph (d)), or

·          if another entity is prescribed by the rules, that entity (paragraph (e)). 

470.           These entities have been identified as responsible entities for each critical energy market operator asset as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(13)—Critical liquid fuel asset

471.           Subsection (13) provides that the responsible entity for a critical liquid fuel asset is:

·          for a liquid fuel refinery, the entity that operates that refinery (paragraph (a))

·          for a liquid fuel pipeline, the entity that operates that pipeline (paragraph (b))

·          for a liquid fuel storage facility, the entity that operates that facility (paragraph (c)), or

·          if another entity is prescribed in the rules, that entity (paragraph (d)).

472.           These entities have been identified as responsible entities for each category of critical liquid fuel assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(14)—Critical hospital asset

473.           Subsection (14) provides that the responsible entity for a critical hospital is:

·          if it is a public hospital, the local hospital network that operates the hospital (paragraph (a))

·          if it is a private hospital, the entity that holds the licence, authorisation or approval to operate the hospital (paragraph (b)), or

·          if another entity is prescribed by the rules, that entity (paragraph (c)). 

474.           These entities have been identified as responsible entities for critical hospital assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(15)—Critical education asset

475.           Subsection (15) provides that the responsible entity for a critical education asset is the university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers, or another entity that has been prescribed by the rules to be the responsible entity (paragraph (b)).

476.           These entities have been identified as responsible entities for critical education assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(16)—Critical food and grocery asset

477.           Subsection (16) provides that the responsible entity for a critical food and grocery asset is the entity referred to in paragraph 12K(1)(b), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

478.           This means that the responsible entity for a critical food and grocery asset is the critical supermarket retailer, critical food wholesaler or critical grocery wholesaler that has been specified in the rules.

479.           These entities have been identified as responsible entities for each category of critical food and grocery assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(17)—Critical port

480.           Subsection (17) provides that the responsible entity for a critical port is the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003 (MTOFSA)), unless another entity has been prescribed by the rules to be the responsible entity for the port (paragraph (b)).

481.           This replicates (with the addition of a rule making power) the existing position in the SOCI Act for critical ports.

Subsection 12L(18)—Critical freight infrastructure asset

482.           Subsection (18) provides that the responsible entity for a critical freight infrastructure asset is:

·          if the Commonwealth is responsible for the management of the asset, the Commonwealth (paragraph (a))

·          if the State is responsible for the management of the asset, the State (paragraph (b))

·          if a Territory is responsible for the management of the asset, that Territory (paragraph (c))

·          if a body is established by a law (Commonwealth, State or Territory) and that body is responsible for the management of the asset, then that body (paragraph (d))

·          if none of paragraphs (a)-(d) apply, then the entity prescribed by the rules (paragraph (e)), or

·          if another entity is prescribed by the rules in relation to the asset, then that entity (paragraph (f)).

483.           These entities have been identified as responsible entities for each category of critical freight infrastructure assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(19)—Critical freight services asset

484.           Subsection (19) provides that the responsible entity for a critical freight services asset is the entity referred to in subsection 12C(1), or another entity that has been prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

485.           This means the responsible entity for a critical freight services asset is the entity that uses a network that is critical to the transportation of goods.

486.           These entities have been identified as responsible entities for critical freight services assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(20)—Critical public transport asset

487.           Subsection (20) provides that the responsible entity for a critical public transport asset is the entity managing a public transport network or system referred to in paragraph (a) of the definition (in section 5 of the SOCI Act) of critical public transport asset or another entity prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

488.           These entities have been identified as responsible entities for critical public transport assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(21)—Critical aviation asset

489.           Subsection (21) provides that the responsible entity for a critical aviation asset is:

·          if the asset is used in connection with the provision of an air service, and is owned or operated by an aircraft operator, the aircraft operator (paragraph (a))

·          if the asset is used in connection with the provision of an air service and owned or operated by a regulated air cargo agent, the regulated air cargo agent (paragraph (b))

·          if the asset is used by an airport operator in connection with the operation of an airport, the airport operator (paragraph (c)), or

·          if another entity is prescribed by the rules in relation to the asset, that entity (paragraph (d)).

490.           These entities have been identified as responsible entities for each category of critical aviation assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(22)—Critical defence industry asset

491.           Subsection (22) provides that the responsible entity for a critical defence asset is the entity that is supplying or will supply that asset to the Defence Department, or the Australian Defence Force under a contract, as referred to in paragraph (a) of the definition of critical defence asset (see section 5), or another entity that is prescribed by the rules to be the responsible entity for the asset (paragraph (b)).

492.           These entities have been identified as responsible entities for critical defence industry assets as they are ultimately responsible for the asset’s continued operation. As such, they are best placed to meet each of the positive security obligations in the event they are turned on.

Subsection 12L(23)—Assets prescribed by the rules

493.           Subsection (23) provides that the responsible entity for an asset that has been prescribed as a critical infrastructure asset under paragraph 9(1)(f), is the entity that is listed in the rules.

Subsection 12L(24)—Assets declared to be a critical infrastructure asset

494.           Subsection (24) provides that the responsible entity for an asset that has been declared as a critical infrastructure asset by the Minister under section 51, is the entity listed in the declaration. It is noted that subsection 51(2) requires that a declaration under section 51 specifies who the responsible entity for the asset is.

Subsection 12L(25)—System of national significance

495.           Subsection (25) provides that if the critical infrastructure asset is a system of national significance then the responsible entity for the system of national significance is the same as for that critical infrastructure asset. Prior to being declared a system of national significance under section 52B the asset must already be defined as a critical infrastructure asset and the responsible entity for the asset will have already been determined under subsections 12L(1)-(24).

Section 12M       Meaning of cyber security incident

496.           New section 12M of the SOCI Act defines the term ‘cyber security incident’. Under the amendments made by the Bill, there will be obligations for certain critical infrastructure assets and systems of national significance in relation to such incidents. Cyber security incidents will also be central to the operation of the powers outlined in new Part 3A.

497.           This section provides that a cyber security incident is one or more acts, events or circumstances involving any of the following:

·          unauthorised access to computer data or a computer program (paragraph (a))

·          unauthorised modification of computer data or a computer program (paragraph (b)),

·          unauthorised impairment of electronic communication to or from a computer (paragraph (c)), or

·          unauthorised impairment of the availability, reliability, security or operation of a computer, computer data or a computer program (paragraph (d)).

498.           Some common examples of a cyber security incident include:

·          Malware - Any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including computer viruses, worms, trojan horses, ransomware, spyware, adware, and others.

·          Phishing - Fraudulent attempts to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising communications (through emails and other formats) as trustworthy.

·          Denial of service - This form of attack is where a perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

·          Cross-site scripting - This is where an attacker injects malicious scripts into otherwise benign and trusted websites. The victim’s web browser executes those scripts thinking they are legitimate, allowing the attacker to bypass the victim’s access controls.

Section 12N        Meaning of unauthorised access, modification or impairment

499.           New section 12N of the SOCI Act will provide the definition for ‘unauthorised access, modification or impairment’. Under subsection (1) of this definition, the following conduct is unauthorised if the person is not entitled to cause that access, modification or impairment:

·          access to computer data or a computer program (paragraph (a))

·          modification of computer data or a computer program (paragraph (b))

·          impairment of electronic communications to or from a computer (paragraph (c)), or

·          the impairment of the availability, reliability, security or operation of a computer, computer data or a computer program (paragraph (d)). 

500.           For the conduct to be unauthorised, it must have occurred without authority, irrespective of whether that authority is drawn from, for example, legislation or contractual arrangements.

501.           Subsection (2) provides that it is immaterial if the person can be identified or not. Subsection (3) provides circumstances in which a person is entitled to cause the access, modification or impairment. Paragraph (3)(b) provides that if the person does so under the following circumstances, they were entitled to do so:

·          under a warrant issued under a law of the Commonwealth, a State or a Territory (subparagraph (i))

·          under an emergency authorisation given to the person under Part 3 of the Surveillance Devices Act 2004 or under a law of a State or Territory that makes provision to similar effect (subparagraph (ii))

·          under a tracking device authorisation given to the person under section 39 of the Surveillance Devices Act 2004 (subparagraph (iii))

·          in accordance with a technical assistance request (subparagraph (iv))

·          in compliance with a technical assistance notice (subparagraph (v)), or

·          in compliance with a technical capability notice (subparagraph (vi)).

Section 12P         Examples of responding to a cyber security incident

502.           New section 12P of the SOCI Act illustrates types of actions that may be regarded as responses to a cyber security incident. This is particularly relevant for new Part 3A as the Minister in certain circumstances must be satisfied that the responsible entity is unwilling or unable to take all reasonable steps to respond to the incident.

503.           This section of the SOCI Act provides the following as examples of responding to a cyber security incident:

·          if the incident is imminent—preventing the incident (paragraph (a))

·          mitigating a relevant impact of the incident on a critical infrastructure asset or a critical infrastructure sector asset (paragraph (b)), or

·          if a critical infrastructure asset or a critical infrastructure sector asset has been, or is being, affected by the incident—restoring the functionality of the asset (paragraph (c)). 

504.           Due to rapid technological change, it is not possible to foresee all possible ways that a system may be compromised or exploited, or the actions that would be required to respond to the incident. In particular, the methods of compromise and the required responses will change over time alongside technology. Therefore, a non-prescriptive approach has been taken in relation to defining what a response to a cyber security incident would involve. Further, it is important to recognise that a response will be proportionate to the nature of the incident and the system that will be, is being, or has been impacted, as well as to the capabilities of the entity responsible for protecting the system.

Item 33                    Paragraph 13(1)(b)

505.           Subsection 13(1) provides that the SOCI Act applies to the types of entities listed in the paragraphs to the subsection. Paragraph 13(1)(b) currently provides that the SOCI Act applies to an entity ‘that is a reporting entity for’ or an operator of one of the assets listed in the subparagraphs.

506.           Item 33 of Schedule 1 to the Bill will repeal ‘that is a reporting entity for’ and replace it with ‘so far as the entity is the responsible entity for, a reporting entity for, a relevant entity for’. This is to reflect the various classes of entities identified in the Act.

Item 34                    At the end of paragraph 13(1)(b)

507.           Item 34 of Schedule 1 to the Bill adds subparagraphs (iv), (v), (vi), (vii) and (viii) to the end of paragraph 13(1)(b). Those subparagraphs provide the following further characteristics of assets to which the SOCI Act applies:

·          used in the course of, or in relation to, banking to which paragraph 51(xiii) of the Constitution applies (subparagraph (iv))

·          used in the course of, or in relation to, insurance to which paragraph 51(xiv) of the Constitution applies (subparagraph (v))

·          used to supply a carriage service (subparagraph (vi))

·          used in connection with the provision of a broadcasting service (subparagraph (vii)), or

·          used to administer a domain name system (subparagraph (viii)). 

508.           These amendments reflect the additional classes of critical infrastructure assets that have been added to the Act.

Item 35                    Subsection 13(2)

509.           Subsection 13(2) of the SOCI Act currently provides that Division 3 of Part 4 of the SOCI Act, relating to the use and disclosure of protected information, also applies to any other entity. Item 35 of Schedule 1 to the Bill amends subsection 13(2) of the SOCI Act to also provide that section 60AA of this Act also applies to any other entity. 

Item 36                    Division 1 of Part 2 (heading)

510.           Item 36 of Schedule 1 to the Bill will change the heading of Division 1 of Part 2 from ‘Simplified outline of this Part’ to ‘Introduction’. 

Item 37                    At the end of section 18

511.           Item 37 of Schedule 1 to the Bill inserts a note to section 18 that indicates that the reader should also consider section 18A when considering the simplified outline in that section. 

Item 38                    At the end of Division 1 of Part 2

512.           Item 38 of Schedule 1 to the Bill inserts new section 18A of the SOCI Act, to provide for the application of Part 2.

Section 18A    Application of this Part

513.           New section 18A of the SOCI Act provides for the application of Part 2. Subsection (1) outlines that subject to subsection (3) (as outlined in subsection (2)), Part 2 applies to a critical infrastructure asset if any of the following apply:

·          the asset is specified in the rules (paragraph (1)(a))

·          the asset is the subject of a declaration under section 51, and the declaration determines that this Part applies to the asset (paragraph (1)(b)), or

·          immediately before the commencement of section 18A, in accordance with item 2 of the Bill, the asset was a critical infrastructure asset (within the meaning of the Act prior to these amendments commencing) (paragraph (1)(c)).

514.           Paragraph 1(a) effectively works as an ‘on switch’ through which the Minister can ensure that this particular aspect of the positive security obligations only applies in appropriate situations. For example, the Minister may choose not to apply Part 2 to a class of critical infrastructure assets, if the information that would be provided under the obligations is already available to government through other means and therefore the desired security objectives are being achieved. Importantly, this will be used to avoid duplicate reporting to Government and thus reduce regulatory burden.

515.           Paragraph 1(b) replicates the intent of paragraph 1(a) for assets declared to be critical infrastructure assets under existing section 51 of the SOCI Act, noting the private nature of those declarations due to the associated security vulnerabilities. Paragraph 18A(b)(ii) requires that a declaration made under existing section 51 must specify if the obligations under Part 2A are ‘activated’ and apply to the declared asset. This ensures responsible entities of assets declared under section 51 are aware of their obligations under Part 2 (should they be activated) without disclosing the identity of these sensitive assets.

516.           Paragraph 1(c) also provides a transitional provision to ensure the obligations in Part 2 will continue to apply, uninterrupted, in relation to those critical infrastructure assets that had existing obligations under the Part immediately prior to the commencement of section 18A.

517.           In addition to the power to make this instrument under section 30AB, subsection 33(3) of the Acts Interpretation Act provides that where an Act confers a power to make, grant or issue any instrument of a legislative or administrative character (including rules, regulations or by-laws), the power shall be construed as including a power exercisable in the like manner and subject to the like conditions (if any) to repeal, rescind, revoke, amend, or vary any such instrument.

518.           A note to subsection (1) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

519.           This note has been included to clarify that the Minister has the discretion to specify in rules that Part 2 applies to:

·          all critical infrastructure assets,

·          a category of critical infrastructure assets such as critical broadcasting assets,

·          a subset of assets within a category of critical infrastructure assets, such as liquid fuel pipelines that are critical liquid fuel assets, or

·          a specific asset that is a critical infrastructure asset.

520.           Subsection (3) outlines that the rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period beginning when the asset became a critical infrastructure asset (paragraph (a)) and ending at a time ascertained in accordance with the rules (paragraph (b)). This is intended to provide the ability to offer a delayed commencement or ‘grace period’ in the future when an entity becomes a critical infrastructure asset to which the Part applies, allowing them a reasonable period to adjust their business. 

Section 18AA Consultation—rules

521.           New section 18AA of the SOCI Act sets out consultation requirements in relation to rules made for the purposes of section 18A, providing that a responsible entity for a critical infrastructure asset must comply with the requirement to adopt and maintain a critical infrastructure risk management program. 

Subsection 18AA(1)—Scope

522.           Subsection (1) provides that section 18AA applies to rules made for the purposes of section 18A of the SOCI Act. 

Subsection 18AA(2)—Consultation

523.           Subsection (2) provides that, before making or amending rules for the purposes of section 18A, the Minister must do all of the following:

·          cause to be published on the Department’s website a notice setting out the draft rules or amendments and inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days of publication of the notice (paragraph (a))

·          give a copy of the notice to each First Minister (paragraph (b)), and

·          consider any submissions received under paragraph (a) (paragraph (c)).

524.           This consultation requirement will ensure that the Part is only activated in appropriate circumstances and allow entities an opportunity to provide the Government with submissions on any delay in the commencement of the Part necessary to allow them to adjust their businesses without undue burden.


Item 39                    After Part 2

525.           Item 39 inserts new Parts 2A (critical infrastructure risk management programs), 2B (notification of cyber security incidents) and 2C (enhanced cyber security obligations) into the SOCI Act. 

Part 2A—Critical infrastructure risk management programs

526.           Part 2A will require critical infrastructure assets to develop and comply with a critical infrastructure risk management program - the second limb of the positive security obligation. 

527.           These amendments are intended to uplift core security practices of critical infrastructure assets by ensuring responsible entities take a holistic and proactive approach toward identifying, preventing and mitigating risks from all hazards.

528.           The Bill sets out the overarching obligations for the risk management programs with the more detailed, sector-specific requirements to be contained in rules. Noting that the responsible entity is best placed to understand the risks to an asset and develop appropriate risk practices, this obligation has been designed to be principle based. Combined, the SOCI Act and the proposed rules will ultimately require responsible entities of critical infrastructure assets to manage security risks by meeting the following principles-based outcomes: 

·          Identify material risks - Entities will have a responsibility to take an all-hazards approach when identifying risks that may affect the availability, integrity, reliability and confidentiality of their asset.

·          Mitigate risks to prevent incidents - Entities will be required to understand the identified risks and have appropriate risk mitigations in place to manage those risks.

·          Minimise the impact of realised incidents - Entities will be required to have robust procedures in place to mitigate the impacts in the event a threat has been realised and recover as quickly as possible.

·          Effective governance - Annual reporting requirements will ensure that risk management is considered at an appropriately senior level within the entity.

Section 30AA     Simplified outline of this Part

529.           New section 30AA of the SOCI Act sets out a simplified outline of Part 2A. The obligations in this part are the second element of the positive security obligations for critical infrastructure assets—the others being notification of cyber security incidents (new Part 2B of the SOCI Act) and maintaining the register of critical infrastructure assets (existing Part 2).

Section 30AB     Application of this Part

530.           New section 30AB of the SOCI Act provides that Part 2A applies to a critical infrastructure asset if either of the following apply:

·          the asset is specified in the rules (made by the Minister under section 61 of the SOCI Act, see paragraph (a)), or

·          the asset is subject to a declaration under section 51 of the SOCI Act (being a private declaration that an asset is a critical infrastructure asset) and the declaration made under section 51 determines that Part 2A applies to the asset (paragraph (b)). 

531.           This effectively works as an ‘on switch’ through which the Minister can ensure that this particular aspect of the positive security obligations only applies in appropriate situations.

532.           Similar to new section 18A and new section 30BB, section 30AB allows for a nuanced, sector-specific or asset-specific approach to be taken to the application of the obligations contained in new Part 2A. In determining whether to make rules to apply the obligations to certain critical infrastructure assets, the Minister is likely to consider whether any existing requirements or arrangements appropriately deliver the same outcomes as intended by the critical infrastructure risk management program. This reflects the range of regulatory obligations that exist in relation to the various critical infrastructure assets, as well as the obligations that may exist in relation to future critical infrastructure assets that are identified, and the Government’s commitment to avoid duplicating regulation. Should these alternative regimes be found wanting, this mechanism provides a default option to ensure the security objectives can be achieved.

533.           A note to this section indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

534.           This note has been included to clarify that the Minister has the discretion to specify in rules that Part 2A applies to:

·          all critical infrastructure assets,

·          a category of critical infrastructure assets such as critical broadcasting assets,

·          a subset of assets within a category of critical infrastructure assets such as liquid fuel pipelines that are critical liquid fuel assets, or

·          a specific asset that is a critical infrastructure asset.

535.           In addition to the power to make this instrument under section 30AB, subsection 33(3) of the Acts Interpretation Act provides that where an Act confers a power to make, grant or issue any instrument of a legislative or administrative character (including rules, regulations or by-laws), the power shall be construed as including a power exercisable in the like manner and subject to the like conditions (if any) to repeal, rescind, revoke, amend, or vary any such instrument.

536.           Subsection (3) outlines that the rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period beginning when the asset became a critical infrastructure asset (paragraph (a)) and ending at a time ascertained in accordance with the rules (paragraph (b)). This is intended to provide the ability to offer a delayed commencement or ‘grace period’ in the future when an entity becomes a critical infrastructure asset to which the Part applies, allowing them a reasonable period to adjust their business. 

Section 30ABA  Consultation—rules

537.           New section 30ABA of the SOCI Act sets out consultation requirements in relation to rules made for the purposes of section 30AB, providing that a responsible entity for a critical infrastructure asset must comply with the requirement to adopt and maintain a critical infrastructure risk management program. 

Subsection 30ABA(1)—Scope

538.           Subsection (1) provides that section 30ABA applies to rules made for the purposes of section 30AB of the SOCI Act. 

Subsection 30ABA(2)—Consultation

539.           Subsection (2) provides that, before making or amending rules for the purposes of section 30AB, the Minister must do all of the following:

·          cause to be published on the Department’s website a notice setting out the draft rules or amendments and inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days of publication of the notice (paragraph (a))

·          give a copy of the notice to each First Minister (paragraph (b)), and

·          consider any submissions received under paragraph (a) (paragraph (c)).

540.           This consultation requirement will ensure that the Part is only activated in appropriate circumstances and allow entities an opportunity to provide the Government with submissions on any delay in the commencement of the Part necessary to allow them to adjust their businesses without undue burden.

Section 30AC     Responsible entity must have a critical infrastructure risk management program

541.           New section 30AC of the SOCI Act provides that an entity that is the responsible entity for one or more critical infrastructure assets, to which this Part applies, must adopt and maintain a critical infrastructure risk management program that applies to the entity. This requirement will ensure responsible entities develop a nuanced, comprehensive understanding of the threat picture that can affect the availability, confidentiality, reliability and integrity of the relevant critical infrastructure asset.

542.           The purpose of section 30AC is to require responsible entities to develop and keep a written program that satisfies the requirements at new section 30AH.

543.           Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure responsible entities adopt and maintain a critical infrastructure risk management program noting the importance of their role to Australia’s society, economy and defence. This penalty is commensurate with the penalty for non-compliance with the obligation to have security programs under the ATSA and MTOFSA. The penalty reflects the significance of this program in uplifting core security practices of critical infrastructure assets and the onus on responsible entities to proactively identify, prevent and mitigate risks from all hazards.

544.           To reduce the administrative burden for entities responsible for more than one critical infrastructure asset, it is permissible under this section for entities to have a single written program for all critical infrastructure assets for which they are the responsible entity.

545.           While the purpose and requirements for the critical infrastructure risk management program are outlined at section 30AH, new Part 2A of the SOCI Act does not mandate how responsible entities should go about developing their program. This is reflective of the wide range of complexity in relation to the scope of critical infrastructure assets as well as the spectrum of risk management maturity. Government’s intention is that responsible entities will have discretion as to how they construct their risk management program. This recognises industry’s expertise and deep knowledge of the unique challenges faced by each critical infrastructure asset and ensures there is no unnecessary regulatory burden. Support and guidance will be provided to industry through non-regulatory processes (such as the ongoing engagement with industry through the Trusted Information Sharing Network) and other guidance.

Section 30AD     Compliance with critical infrastructure risk management program

546.           New section 30AD of the SOCI Act provides that if an entity is the responsible entity for one or more critical infrastructure assets (that are specified for the purposes of section 30AB) and has adopted a critical infrastructure risk management program under section 30AC, the entity must comply with the program, including any variations to the program.

547.           Section 30AD is an extension of section 30AC and is intended to require that responsible entities are not only required to put in place a critical infrastructure risk management program, but that entities must effectively implement that program to actively maintain and, wherever required, uplift the security and resilience of their asset.

548.           Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance and to ensure responsible entities comply with their critical infrastructure risk management program. This penalty is commensurate with the penalty for non-compliance with the obligation to comply with security programs under the MTOFSA and the Aviation Transport Security Act 2004. The penalty reflects the importance of applying a program designed to prevent and mitigate risks from harms identified.

Section 30AE     Review of critical infrastructure risk management program

549.           New section 30AE of the SOCI Act provides that if an entity is the responsible entity for one or more critical infrastructure assets (that are specified for the purpose of section 30AB) and has adopted a critical infrastructure risk management program that applies to the entity, then the entity must also review the program on a regular basis. 

550.           A definitive timeframe within which the program must be reviewed is not specified in this section. This is reflective of the different threat environments faced by the various critical infrastructure assets and is intended to allow the responsible entity greater discretion to determine the frequency with which this should occur, noting they are best placed to understand the context of the environment in which the asset operates. The frequency may also change over time as the characteristics of the asset, its interdependencies, the market, or threats change or fluctuate. This approach is intended to prevent unnecessary burden being placed on industry to review the program in a manner disproportionate to their context. The Department will work closely with industry to develop guidance to assist them in determining the application of the provision to their unique circumstances.

551.           Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the infringement. It is designed to deter non-compliance to ensure responsible entities review their critical infrastructure risk management program. The penalty reflects the importance of keeping risk management programs up-to-date and accurate.

Section 30AF      Update of critical infrastructure risk management program

552.           New section 30AF of the SOCI Act provides that if an entity is the responsible entity for one or more critical infrastructure assets (that are specified for the purpose of section 30AB) and has adopted a critical infrastructure risk management program that applies to the entity, then the entity must take all reasonable steps to ensure that the program is up to date. This obligation to update the program complements the obligation in section 30AE to regularly review the program.

553.           Meaningful uplift of the security and resilience of critical infrastructure assets will only occur if the risk management programs’ articulation of material risks and mitigation strategies remain current. It is therefore vital that responsible entities review their risk management program on a regular basis and take reasonable steps to ensure it is kept up to date. This ensures risk is being continually assessed and managed by the entity rather than taking a ‘set and forget’ approach to risk management.

554.           The Bill also does not define ‘reasonable steps’ in section 30AF, as it will depend on the individual circumstances of each entity, their security environment and the extent of the updates required. It is intended to ensure risk management programs are regularly reviewed and updated in response to evolving technology, business circumstances and changes in the threat environment.

555.           Collectively, sections 30AD to 30AF of the SOCI Act are designed to reflect the overall life cycle of an effective risk management program.

556.           Breach of this obligation is subject to a civil penalty of up to 200 penalty units. This penalty is a proportionate response based on the nature of the infringement. The penalty is designed to deter non-compliance and to ensure responsible entities update their critical infrastructure risk management program. The penalty reflects the importance of keeping risk management programs up-to-date and accurate, noting the significant role these programs play in protecting critical infrastructure.

Section 30AG     Responsible entity must submit annual report

557.           New section 30AG of the SOCI Act sets out that a responsible entity that has adopted a critical infrastructure risk management program under section 30AC must submit an annual report to the Secretary of Home Affairs.

Subsection 30AG(1)—Scope

558.           Subsection (1) provides that section 30AG applies to an entity if, during a period (known as the ‘relevant period’) that consists of the whole or a part of a financial year:

·          the entity was the responsible entity for one or more critical infrastructure assets (paragraph (a)), and

·          the entity had a critical infrastructure risk management program (paragraph (b)). 

559.           This is intended to capture those entities that were responsible for the asset at any point during the relevant period.

Subsections 30AG(2) and (3)—Annual report

560.           Under subsection (2), an entity that falls within subsection (1) is required to provide an annual report that meets the requirements outlined in paragraphs (c), (d), (e) and (f) within 90 days of the end of the financial year. This obligation does not require the responsible entity to provide the full critical infrastructure risk management program to the Secretary, but rather a statement that the program remains up to date together with details of any hazards that have had a significant impact on the asset during the reporting period.

561.           The report must be given to the relevant Commonwealth regulator. A ‘relevant Commonwealth regulator’ will be specified in Ministerial rules, which will be a legislative instrument publicly available on the Federal Register of Legislation. If there is no ‘relevant Commonwealth regulator’ specified, the annual report must be provided to the Secretary (paragraph (2)(b)). 

562.           It is Government’s preference for existing Commonwealth regulatory bodies and authorities to enforce compliance with Part 2A. These regulators are likely to have well-established relationships with industry, and may have an extensive understanding of the threat environment.

563.           For this reason, and to facilitate their oversight role, paragraph (2)(a) ensures these regulatory bodies or authorities have visibility and awareness of the threat environment in the relevant sector and whether entities are complying with the requirements under Part 2A, and can provide assistance and guidance as required.

564.           Where no relevant Commonwealth regulator exists, the Department of Home Affairs will be the default regulator.

565.           If the entity had a critical infrastructure risk management program at the end of the financial year, the annual report is required to include a statement as to whether or not the program was up to date at the end of the financial year (paragraph (2)(c)). If an entity was responsible for the asset earlier in the period but not at the end of the financial year, this obligation is not applicable. The intention of this provision is to require the entity with overall responsibility for the asset to certify that an effective and up to date risk management program is in place.

566.           Further, if a hazard had a significant relevant impact on one or more assets during the relevant period, the annual report is also required to include a statement that identifies the hazard, evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets concerned, and outlines any variation to the critical infrastructure risk management program that is made as a result of the occurrence of the hazard (paragraph (2)(d)). Provision of this information enables the regulator to engage with the responsible entity to determine if the entity requires further assistance and guidance to update their program. This obligation will allow Government to build a collective picture of the nature of threats impacting on critical infrastructure across all sectors. This will inform and support the sharing of information and expertise on how those threats are best managed by government and industry in partnership.

567.           For the purpose of paragraph (2)(d), a relevant impact is defined in new subsection 8G(1) of the SOCI Act as a direct or indirect impact on the availability, integrity, reliability or confidentiality of the asset. Such an impact could fundamentally undermine the intended operation or functioning of a critical infrastructure asset, or put at risk the sensitive information and personal information held by the asset.

568.           It is not intended that entities will be required to report day-to-day incidents; instead the requirement will be to report incidents that have had a significant relevant impact.

569.           What is regarded as significant for the purpose of paragraph (2)(d) will vary between assets and across sectors and it will be up to the entity to determine when a relevant impact is significant for the purposes of this reporting obligation. It is expected that a significant impact would include one that affected the functioning of the asset or its ability to deliver intended services. In determining the significance of a relevant impact, entities could have regard to whether the impact of the hazard has:

·          a genuine impact on the availability of the asset, or services delivered by the asset (noting that the nature and duration of impact will differ across assets and sectors), such as would occur during a significant ransomware attack. This type of cyber attack can cripple organisations that rely on computer systems to function, by encrypting all connected electronic devices, folders and files and rendering systems inaccessible

·          an impact that caused harm to customers or end-users such as a serious cyber attack on a financial institution, rendering customers and businesses unable to access their funds or utilise electronic payment methods impairing their ability to engage in commerce, or

·          a detrimental impact on information security which has undermined the integrity of, or led to the loss, theft or unauthorised access of, sensitive information or personal information such as a significant data breach suffered by Equifax in September 2017 that exposed personal information of 147 million people.

570.           The circumstances listed above are intended to provide illustrative examples of the types of relevant impacts that may be considered to be significant. Entities must undertake their own analysis and consider their particular circumstances and operations to determine what is considered to be a significant relevant impact for their asset. The Department will also work with industry to provide sector-specific guidance on what may be considered to be a significant relevant impact for this purpose.

571.           The annual report must also be in the approved form (paragraph (2)(e)). The ‘approved form’ is defined in section 5 of the SOCI Act to be a form approved by the Secretary of the Department. The approved form will be made publicly available on the Home Affairs website (www.cicentre.gov.au).

572.           If the entity has a board, council or other governing body, the report must be approved by that body (paragraph (2)(f)). Noting the importance of risk management for critical infrastructure assets, this requirement will ensure that there is appropriate visibility and responsibility within the senior management of the entity. Approval must occur in accordance with the respective practices of the body.

573.           Breach of this obligation is subject to a civil penalty of up to 150 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance and to ensure responsible entities comply with their reporting obligation. This penalty is commensurate with the penalty for non-compliance with reporting obligations under ATSA and MTOFSA. The penalty reflects the importance of governing bodies certifying that appropriate risk management practices are in place and that security is being considered by the most senior officers for these assets.

574.           Subsection (3) provides that a report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of the SOCI Act. This means that the ‘relevant Commonwealth regulator’ (if applicable) or the Department cannot rely upon information provided in the annual report to take compliance action against a responsible entity under the SOCI Act, including in relation to the obligations outlined in new sections 30AC, 30AD, 30AE and 30AF.

575.           This should provide comfort to industry that the annual report will only be used to better understand the threat environment in each sector and for matters related to providing meaningful assistance and advice to entities on ways to further enhance the security and resilience of critical infrastructure assets.

Section 30AH     Critical infrastructure risk management program

576.           New section 30AH of the SOCI Act defines the requirements for a critical infrastructure risk management program. Adoption and compliance with a critical infrastructure risk management program will ensure responsible entities have a comprehensive understanding of the threat environment, and develop processes and procedures to effectively respond to the risk of any hazard impacting the availability, confidentiality, reliability and integrity of their asset.

577.           Under subsection (1), a critical infrastructure risk management program is a written program that applies to the responsible entity for one or more critical infrastructure assets. There is no requirement for this program to be in any specific form, other than in writing. This ensures responsible entities are able to determine the most appropriate form for their risk management program, including building on existing business enterprise risk management practices. It is permissible for a responsible entity for multiple critical infrastructure assets to adopt a combined critical infrastructure risk management program for those assets, noting that the program must address the risks associated with each individual asset to meet the requirements of this section.

578.           The purpose of the critical infrastructure risk management program is threefold:

a)       to identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset (subparagraph (1)(b)(i))

b)       so far as it is reasonably possible to do so, to minimise or eliminate any material risk of such a hazard occurring (subparagraph (1)(b)(ii)), and

c)       to mitigate the relevant impact of such a hazard on the asset (subparagraph (1)(b)(iii)).

579.           Each of these purposes is outlined further under a separate heading below.

Identifying each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset (subparagraph 30AH(1)(b)(i))

580.           A hazard in the context of a critical infrastructure risk management program is intended to mean an event which, alone or in combination with other events, has the potential to give rise to risk. This broad interpretation (consistent with best practice international risk management doctrine) reflects the diversity of critical infrastructure assets which may be subject to the obligation. That is to say, a hazard can be human induced (for example, a cyber attack or sabotage) or natural (for example, an extreme weather event). This approach is intended to ensure the obligations can evolve effectively in response to changing technology and threat environments, by ensuring the focus of a critical infrastructure risk management program is on the impact of a hazard on the asset as opposed to prescriptively listing the source of the hazard.

581.           A relevant impact of a hazard on a critical infrastructure asset is defined in new subsection 8G(1) of the SOCI Act to be the impact (whether direct or indirect) of the hazard on:

·          the availability of the asset

·          the integrity of the asset

·          the reliability of the asset, or

·          the confidentiality of information about the asset, information stored in the asset, or computer data.

582.           While there may be hazards which impact a critical infrastructure asset in other ways, these four impacts are the ones crucial to the secure operation of the asset and its continuous provision of essential services.

583.           Importantly, a critical infrastructure risk management program does not require the entity to identify every single hazard that could pose a risk of having a relevant impact on the asset. Rather, the obligations are limited to those hazards that pose a material risk of having a relevant impact on the asset. While assessing whether a risk is material must be done on a case by case basis, recognising the unique circumstances of the asset, subsection (7) provides that in making that determination the entity must have regard to the likelihood of the hazard occurring, and the relevant impact of the hazard on the asset if the hazard were to occur. That is, hazards which are incredibly improbable or for which there would be an inconsequential impact are unlikely to be considered material. For example, an asset that is hundreds of kilometres inland would not be required to take steps to mitigate the physical impact of a tsunami on the asset. This is not to say that an unlikely event that would have a substantial impact would not in all circumstances be regarded as a material risk. The impacts of COVID-19 on the availability of workforce and day-to-day operations of an asset are an example of such an unlikely event where there would still be a material risk that would need to be addressed in a critical infrastructure risk management program.

584.           Having had regard to these factors, the entity must ultimately consider which risks may be material. The approach taken to this obligation acknowledges that the entity responsible for the asset will be best placed to understand the operating environment of the asset, and with guidance from Government, the threats it faces. Therefore it is for the responsible entity to undertake this risk identification process in line with existing processes inside the business to determine how to understand and manage risk.

Minimise or eliminate any material risk of such a hazard occurring (subparagraph 30AH(1)(b)(ii))

585.           The purpose of this provision is to ensure that a critical infrastructure risk management program is directed at either minimising or eliminating the material risk of an identified hazard occurring. The provision is qualified to provide that this must occur so far as it is reasonably possible to do so. This qualification is intended to recognise that the responsible entity may not be able to minimise or eliminate the risk of a hazard occurring, for example, no reasonable steps could be taken to prevent a cyclone occurring.

586.           This feature of the critical infrastructure risk management program recognises the importance of prevention in risk management. For example, a responsible entity for a critical infrastructure asset may have the ability to dramatically reduce the risk of a cyber security incident from occurring by developing and installing certain software that is designed to uplift information security.

Mitigate the relevant impact of such a hazard on the asset (subparagraph 30AH(1)(b)(iii))

587.           The purpose of this provision is to ensure that a critical infrastructure risk management program is directed at ensuring appropriate procedures are in place to mitigate the relevant impact of a hazard should it occur, noting that minimisation or elimination efforts may not be foolproof. For example, while a material risk of a cyclone occurring may not be able to be minimised, an entity should be actively taking steps to mitigate the impact should one occur by ensuring any critical buildings are built to an appropriate standard to withstand such an event.

588.           An appropriate mitigation will depend on the context of the asset, the relevant impact and the hazard itself. This provision is intended to be flexible and adaptable, while nevertheless requiring the responsible entity to achieve the required security objectives.

Critical infrastructure risk management program rules (subparagraph 30AH(1)(c))

589.           Under paragraph (1)(c), the critical infrastructure risk management program must comply with any requirements specified in rules made by the Minister under section 61 of the SOCI Act. Any such rules will be a legislative instrument and publicly available on the Federal Register of Legislation (www.legislation.gov.au). Subsection (2) provides that the rules may be of general application or may relate to one or more specified critical infrastructure assets.

590.           These rules will be used to provide further requirements on how the principles-based obligations set out in subparagraphs (1)(b)(i)-(iii) are to be implemented. Noting the array of critical infrastructure assets that may be subject to the obligation to adopt and maintain a critical infrastructure risk management program, now and into the future, this mechanism will be crucial for ensuring the program is implemented in a risk-based and proportionate manner for each industry sector while still achieving the desired security outcomes and avoiding any unnecessary burden. The Department will co-design these rules with industry and states and territories on a sector-specific basis.

591.           The Government recognises that particular risks exist across different threat domains and it is vital that a holistic approach is taken when developing a risk management program. In particular, there may be common issues that inform sector-specific rules. Without prejudicing the co-design process still to occur, the requirements in the rules will set out the approach to be taken in relation to the following domains:

·          Physical security risks: This includes risk of harm to people and damage to physical assets. For example, mechanical failures, natural hazards such as floods and cyclones, as well as human induced hazards such as terrorism.

·          Cyber security risks: Malicious cyber activity is one of the most significant threats to Australian critical infrastructure and can range from denial of service attacks, to ransomware and targeted cyber intrusions.

·          Personnel security risks: This refers to the ‘insider threat’, or the risk of employees exploiting their legitimate access to an organisation’s assets for unauthorised purposes, including corporate espionage and sabotage.

·          Supply chain risks: The reliance on supply chains inherently involves dependencies on other assets, or providing other entities with some level of access to, or control of, your asset or business’ deliverables. As is the case for personnel risk, supply chain risks relate to entities exploiting their legitimate access to, or control of, an organisation’s assets for unauthorised purposes or otherwise creating a cascading impact to dependent assets.

592.           A note to subsection (2) indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

593.           Subsection (3) outlines that subsection (2) of section 30AH does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act. This means that subsection 33(3A) of the Acts Interpretation Act, which generally provides that a power to make a legislative instrument in relation to a matter includes a power to make an instrument with respect to some only of those matters or with respect to a particular class or classes of those matters and to make different provision with respect to different matters or classes of matters, continues to apply.

594.           Subsection (4) provides that rules made for the purpose of paragraph (1)(c) may require that a critical infrastructure risk management program include provisions that require background checks of individuals to be conducted under the AusCheck scheme. Subsection (5) clarifies that subsection (4) does not limit paragraph (1)(c).

595.           Read together with the amendments to the AusCheck Act 2007 provided in item 3 of Schedule 1 to this Bill, these provisions provide the ability for background checks of certain individuals to be required. Any rules made providing for the conduct of background checking will focus on addressing the threat posed by trusted insiders to critical infrastructure assets. Trusted insiders are potential, current or former employees or contractors who have legitimate access to information, techniques, technology, assets or premises. Trusted insiders can intentionally or unknowingly assist external parties in conducting activities against the organisation or can commit malicious acts of self-interest. Such action by a trusted insider can undermine or severely impact the availability, integrity, reliability or confidentiality of critical infrastructure assets and, as a result, may undermine Australia’s social or economic stability, defence and national security.

596.           Subsection (6) sets out the factors that the Minister must have regard to in specifying the rules for the purposes of paragraph (1)(c):

·          any existing regulatory system of the Commonwealth, a State or a Territory that imposes obligations on responsible entities;

·          the costs that are likely to be incurred by responsible entities in complying with those rules;

·          the reasonableness and proportionality of the requirements in relation to the purposes referred to in paragraph (1)(b); and

·          such other matters (if any) as the Minister considers relevant.

597.           This requirement is intended to ensure that any rules made for the purposes of the critical infrastructure risk management program are appropriate in all the circumstances and avoid unnecessary duplication.

598.           Subsection (7) outlines that rules made for the purpose of paragraph (1)(c) may provide that a specified risk is taken to be a material risk for the purpose of section 30AH. This means that the rules may deem a particular risk as one that must be addressed in a critical infrastructure risk management program in accordance with paragraph (1)(b). 

599.           Subsections (8) to (11) outline that the rules made under paragraph (1)(c) may provide that the taking of specified action:

·          in relation to a critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset (subsection (8)), which means that the rules can specify matters in relation to critical infrastructure assets generally for the purpose of subparagraph (1)(b)(ii)

·          in relation to a specified critical infrastructure asset is taken to be an action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset (subsection (9)), which means that the rules can specify matters in relation to a specified critical infrastructure asset for the purpose of subparagraph (1)(b)(ii)

·          in relation to a critical infrastructure asset is taken to be an action that mitigates the relevant impact of a specified hazard on the asset (subsection (10)), which means that the rules can specify matters in relation to critical infrastructure assets generally for the purpose of subparagraph (1)(b)(iii), and

·          in relation to a specified critical infrastructure asset is taken to be an action that mitigates the relevant impact of a specified hazard on the asset (subsection (11)), which means that rules can specify matters in relation to a specified critical infrastructure asset for the purpose of subparagraph (1)(b)(iii). 

600.           Notes to subsections (8) to (11) indicate that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

601.           Broadly speaking, rules may be made under subsections 30AH(8)-(11) in three circumstances:

·          to mandate the steps responsible entities should be taking through their critical infrastructure risk management program to address material risks. The purpose of this provision is to ensure that Government can, when appropriate, direct specific action when it is necessary to assist entities with maintaining the security and resilience of their asset,

·          to provide ‘safe harbour’ by specifying that the taking of certain actions will acquit the entity of a specific obligation. This may be used, for example, where duplicate obligations exist in relation to a particular hazard to ensure the entity is not required to take two different courses of action. This could be used to recognise existing industry standards and practices as sufficient to meet aspects of the obligation. The Government intends to work with industry and State and Territory governments to identify and leverage existing regulations, frameworks and guidelines to manage risks to critical infrastructure assets, and to minimise any duplication or unnecessary burden, and

·          to de-conflict requirements for entities with assets which fall within more than one definition of critical infrastructure asset.

Section 30AJ      Variation of critical infrastructure risk management program

602.           New section 30AJ of the SOCI Act provides that a critical infrastructure risk management program may be varied, so long as the varied program is a critical infrastructure risk management program. This means that a critical infrastructure risk management program may be amended by a responsible entity, so long as the amended program still has the required characteristics as outlined in new section 30AH—including complying with any sector-specific rules made for the purpose of paragraph 30AH(1)(c).

603.           It is intended that a critical infrastructure risk management program may be varied by a responsible entity where changes are required or desirable as a result of:

·          the review of the program on a regular basis under new section 30AE of the SOCI Act

·          changes in the threat environment or an asset’s operating environment

·          new rules made for the purpose of section 30AH, or

·          ensuring the program is up to date under section 30AF. 

Section 30AK     Revocation of adoption of critical infrastructure risk management program

604.           New section 30AK of the SOCI Act outlines that, if an entity has adopted a critical infrastructure risk management program under section 30AC, Part 2A does not prevent the entity from revoking that adoption and adopting another critical infrastructure risk management program that applies to the entity.

Section 30AL     Consultation—rules

605.           New section 30AL of the SOCI Act outlines consultation requirements that must be met by the Minister before making rules for the purpose of paragraph 30AH(1)(c).  The purpose of this section is to embed a meaningful and genuine co-design process and to require Government to work with industry to develop any specific requirements for the critical infrastructure risk management program. The co-design process may also be reflected in the commencement of sector-specific rules, taking into account the level of business transformation that may be required, as well as the costs associated with that transformation. The Minister may choose to have an extended period between the making and commencement of rules to allow an industry sector to have time to consider and implement the legal requirements prescribed within. 

606.           It is important to note however that this statutory consultation period will occur after extensive consultation and co-design with industry in the development of requirements to be contained in the rules, and in relation to any future amendment of the rules.

Subsection 30AL(1)—Scope

607.           Subsection (1) provides that section 30AL applies to rules made for the purpose of section 30AH. This means that these requirements will apply in relation to any rules prescribed under paragraph 30AH(1)(c). 

Subsections 30AL(2) and (3)—Consultation

608.           Subsection (2) provides that, before making or amending rules under section 30AH, the Minister must:

·          cause to be published on the Department’s website a notice setting out the draft rules or amendments, inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days after the notice is published (paragraph (a)),

·          give a copy of the notice to each First Minister (paragraph (b)), and

·          consider any submissions received within the 14-day period mentioned in paragraph (a) (paragraph (c)). Nothing in this provision is intended to limit the Minister’s ability to consider responses received after that period.

609.           Subsection (3) provides that subsection (2) does not apply if:

·          the Minister is satisfied that there is an imminent threat that a hazard will have a significant relevant impact on a critical infrastructure asset (paragraph (a)), or

·          the Minister is satisfied that a hazard has had, or is having, a significant relevant impact on a critical infrastructure asset (paragraph (b)).  

610.           This means that, in the limited circumstances specified in subsection (3), the Minister does not need to meet the notification requirements, and consider submissions received in response to the notice, as outlined in subsection (2). The potential urgency of the situation and the significance of the impact, and the flow-on impacts to Australia’s economy, society and defence, warrant this departure from the standard process. However, in such circumstances a review of the rules is required to occur after their commencement, as outlined in section 30AM (see further below), to ensure there is an appropriate consultation process and consideration of the impact of imposing the requirements specified in the rules.

Section 30AM    Review of rules

611.           New section 30AM of the SOCI Act outlines requirements for the Minister and Secretary in relation to rules made for the purpose of section 30AH when consultation was not able to be undertaken due to the emergency circumstances identified in subsection 30AL(3).

612.           The purpose of section 30AM is to ensure that, in rare circumstances where rules are made without consulting industry, the Secretary conducts a comprehensive review, including industry consultation, of the operation, effectiveness and implications of those rules. A report of the review in turn is then provided for scrutiny by the Minister and Parliament.  

Subsection 30AM(1)—Scope

613.           Subsection (1) provides that section 30AM applies if, because of subsection 30AL(3), subsection 30AL(2) did not apply to the making of rules or amendments. 

Subsections 30AM(2)-(4)—Review of rules

614.           Subsection (2) requires that the Secretary must:

·          review the operation, effectiveness and implications of the rules or amendments (paragraphs (a) and (b) respectively)

·          consider whether any amendments should be made (paragraph (c)), and

·          give the Minister a report of the review and a statement setting out the Secretary’s findings (paragraph (d)). 

615.           Under subsection (3), and for the purpose of completing the review, the Secretary must:

·          publish on the Department’s website a notice setting out the rules or amendments concerned and inviting persons to make submissions to the Secretary within 28 days after publication of the notice (paragraph (a)),

·          give a copy of the notice to each First Minister (paragraph (b)), and

·          consider any submissions received within the 28-day period (paragraph (c)).  Nothing in this provision is intended to limit the Secretary’s ability to consider responses received after that period, noting however that under subsection (4) the Secretary is required to complete the review within 60 days of the commencement of the rules or amendments concerned.

616.           The measures in subsections (2) to (4) are intended to provide transparency over rules made without consultation and provide an effective mechanism for entities to scrutinise and recommend amendments to the rules, in a similar way to what would occur in non-emergency situations. In practice, the Minister for Home Affairs is likely to consider the outcomes of the report and the submissions made by industry to determine whether the rules should be maintained, amended or repealed. The Minister’s decision is likely to turn on:

·          whether the rules effectively manage or respond to a hazard that has had, or may have, a significant relevant impact on a critical infrastructure asset, and 

·          the implications of the rules for industry, including whether the requirements are duplicative, disproportionate or unnecessarily burdensome or costly.

Subsection 30AM(5)—Minister to table statement of findings

617.           Subsection (5) requires the Minister to table a copy of the statement of findings, provided to the Minister by the Secretary under paragraph (2)(d), in each House of Parliament within 15 sitting days of the Minister receiving the statement. 

618.           This ensures that the statement will be publicly available, free of charge from the Australian Parliament House website and available for debate by Members and Senators. It is also noted that any rules made under section 30AH of the SOCI Act will be subject to disallowance by the Parliament under Part 2 of Chapter 3 of the Legislation Act. 

Section 30AN     Application, adoption or incorporation of a law of a State or Territory etc. 

619.           New section 30AN of the SOCI Act modifies the application of subsection 14(2) of the Legislation Act in relation to any rules made under section 30AH (subsection (1)). 

620.           Subsection 14(2) of the Legislation Act generally provides that a legislative instrument, such as rules that may be made by the Minister under new section 30AH of the SOCI Act, may not make provision in relation to a matter by applying, adopting or incorporating any matter contained in an instrument or other writing as in force from time to time. This applies to matters such as State and Territory laws and standards.

Subsection 30AN(2)—Application, adoption or incorporation of a law of a State or Territory

621.           Subsection (2) provides that, despite subsection 14(2) of the Legislation Act, rules made under section 30AH may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a law of a State or Territory as in force or existing from time to time.

622.           Noting the potential for obligations to exist in State and Territory laws which would duplicate components of a critical infrastructure risk management program, this provision is intended to ensure that the rules can effectively recognise those State and Territory laws and avoid unnecessary and duplicative regulatory burden being placed on industry. For example, the rules may provide that an action done in compliance with a particular State law which sets security requirements for information technology is taken to be the required action under this Part.

Subsection 30AN(3)—Application, adoption or incorporation of a standard

623.           Subsection (3) provides that, despite subsection 14(2) of the Legislation Act, rules made under section 30AH may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a standard proposed or approved by Standards Australia as in force or existing from time to time. A note to this subsection indicates that the expression ‘Standards Australia’ is defined in section 2B of the Acts Interpretation Act. 

624.           This provision may be relied upon to recognise accepted and reputable standards in relation to risk management processes, including as those standards change to accommodate best practice.

Part 2B—Notification of cyber security incidents

625.           Industry has emphasised the need for Government and industry to be both providers and consumers of cyber intelligence to inform how networks can be best secured and how cyber resilience can be uplifted. In response to this, notification of cyber security incidents will play a central role to coordinating and delivering an enhanced picture of cyber situational awareness, supported by the provision of cyber information by industry.

626.           The objective of this is to facilitate the development of an aggregated threat picture and comprehensive understanding of cyber security risks to critical infrastructure in a way that is mutually beneficial to Government and industry. Through greater awareness, the Government can better see malicious trends and campaigns which would not be apparent to an individual victim of an attack. In return, the Government will share actionable, anonymised information back out to industry to assist responsible entities improving cyber resilience in relation to their assets or response to particular incidents.

627.           This obligation will not override or displace any other legislative obligations the entity may have in relation to reporting security incidents, for example, the notifiable data breach scheme under the Privacy Act. However, in determining whether to apply this Part to an asset, the consultation process will provide a mechanism to consider any interactions and ensure that the obligations are only applied where the required security objectives are not being met.

Section 30BA     Simplified outline of this Part

628.           New section 30BA of the SOCI Act is a simplified outline of Part 2B, which is intended to aid the reader of the legislation in understanding the operation of this Part. Under Part 2B, responsible entities for certain critical infrastructure assets will be required to notify government about the occurrence of cyber security incidents. This is one element of the positive security obligations for critical infrastructure assets—the others being critical infrastructure risk management plans (new Part 2A of the SOCI Act) and maintaining the register of critical infrastructure assets (existing Part 2 of the SOCI Act). 

Section 30BB      Application of this Part

629.           New section 30BB of the SOCI Act provides that the mandatory notification requirements in Part 2B apply to a critical infrastructure asset if:

·          the asset is specified in rules made by the Minister under section 61 of the SOCI Act (paragraph (a)), or

·          the asset is subject to a declaration under section 51 (which enables the Minister to make a private declaration that an asset is a critical infrastructure asset) and the declaration under section 51 determines that Part 2B applies to the asset (paragraph (b)). 

630.           This effectively works as an ‘on switch’ through which the Minister can ensure that this particular aspect of the positive security obligations only applies in appropriate situations.

631.           Similar to new sections 18A and 30AB of the SOCI Act, this section allows for a nuanced, sector-specific or asset-specific approach to be taken to the application of the obligation in new Part 2B. In determining whether to make rules applying the obligations under Part 2B to certain critical infrastructure assets, the Minister is likely to consider the appropriateness of any existing arrangements or requirements for responsible entities of those assets to report the occurrence of cyber security incidents to Government or regulators, or other arrangements that provide the required visibility of the threat environment. If existing arrangements are deemed to be appropriate and effective, the Minister is unlikely to activate the reporting requirements in relation to the relevant critical infrastructure assets.

632.           A note to this section indicates that specification by class is permitted by way of subsection 13(3) of the Legislation Act. This subsection relevantly provides that a power to make a legislative instrument specifying a matter may identify the matter by referring to a class or classes of matters.

633.           This note has been included to clarify that the Minister has the discretion to specify in rules that Part 2B applies to:

·          all critical infrastructure assets,

·          a category of critical infrastructure assets such as critical broadcasting assets,

·          a subset of assets within a category of critical infrastructure assets, such as liquid fuel pipelines that are critical liquid fuel assets, or

·          a specific asset that is a critical infrastructure asset.

634.           Subsection (3) outlines that the rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period beginning when the asset became a critical infrastructure asset (paragraph (a)) and ending at a time ascertained in accordance with the rules (paragraph (b)). This is intended to provide the ability to offer a delayed commencement or ‘grace period’ in the future when an entity becomes a critical infrastructure asset to which the Part applies, allowing them a reasonable period to adjust their business. 

Section 30BBA   Consultation—rules

635.           New section 30BBA of the SOCI Act sets out consultation requirements in relation to rules made for the purposes of section 30BB, that is, rules providing that a responsible entity for a critical infrastructure asset must comply with the requirement to report cyber security incidents. 

Subsection 30BBA(1)—Scope

636.           Subsection (1) provides that section 30BBA applies to rules made for the purposes of section 30BB of the SOCI Act. 

Subsection 30BBA(2)—Consultation

637.           Subsection (2) provides that, before making or amending rules for the purposes of section 30BB, the Minister must do all of the following:

·          cause to be published on the Department’s website a notice setting out the draft rules or amendments and inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days of publication of the notice (paragraph (a))

·          give a copy of the notice to each First Minister (paragraph (b)), and

·          consider any submissions received under paragraph (a) (paragraph (c)).

638.           This consultation requirement will ensure that the Part is only activated in appropriate circumstances and allow entities an opportunity to provide the Government with submissions on any delay in the commencement of the Part necessary to allow them to adjust their businesses without undue burden.

Section 30BC     Notification of critical cyber security incidents

639.           New section 30BC of the SOCI Act introduces an obligation for responsible entities of critical infrastructure assets captured by section 30BB to report a critical cyber security incident to a relevant Commonwealth regulator.

640.           Under subsection (1), if an entity is a responsible entity for a critical infrastructure asset captured by section 30BB and the entity becomes aware that a cyber security incident is occurring, or has occurred, and the incident has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset, the entity must:

·          give the relevant Commonwealth body (as defined in section 30BF) a report that is about the incident and includes such information (if any) as is prescribed by the rules (paragraph (c)), and

·          do so as soon as practicable, and in any event within 12 hours, after the entity becomes aware that the above circumstances exist (paragraph (d)). 

641.           A cyber security incident is defined in section 12M as one or more acts, events or circumstances involving unauthorised access, modification or impairment of computer data, a computer program or a computer.

642.           Determining whether an incident is having a significant impact on the availability of the asset will be a matter of judgment for the responsible entity. The services being provided by the asset, together with the nature and extent of the cyber security incident, will determine the significance of the incident and whether it meets the threshold of being a critical cyber security incident. For example, a cyber security incident which affects the availability of a critical clearing and settlement facility for a very brief period may have significant economic repercussions, while an incident that affects the availability of a critical education asset for the same period of time may have a substantially lower impact.

643.           It is not intended that day-to-day incidents, such as the receipt of a single scam email which is easily recognised and addressed through standard security practices without impacting the asset’s operations, be reported under this section, as they would not meet the level of significance required. The impact to be considered under this obligation is limited to the impact on the availability of the asset. Incidents which impact confidentiality or integrity, while they may nevertheless be serious, therefore do not need to be reported within 12 hours (they may, however, be captured by the obligation to report other cyber security incidents under section 30BD). The Department will provide further guidance and support to industry to assist with identifying what is a significant impact for the purpose of this section in different sectoral contexts.

644.           The investigation of a system outage may take time to finalise before it can be determined whether the outage is the result of a ‘cyber security incident’ as defined by new section 12M of the SOCI Act. Similarly, determining the significance of the impact of the incident may take time. In light of this, paragraph (1)(d) means that the obligation to report within 12 hours is only enlivened when the responsible entity becomes aware that the incident meets the above criteria. In practice, the obligation requires the notification of Government to be one of the first steps in the business’s incident response plan.

645.           The 12 hour time frame for reporting is considered reasonable and proportionate due to the significance of the impact on the critical asset, and the potential for that impact to affect the provision of essential services and have cascading impacts across the economy or the sector. The Government will use the information provided in these reports to proactively engage with the affected entities and provide any support or guidance necessary to respond to the incident. The Government may also proactively engage with affected sectors more broadly, while protecting the information of the reporting entity, if it determines that other entities have been, or will be, subject to the same attack, in order to provide appropriate assistance and guidance as required. 

646.           Alternatively, and subject to additional thresholds being satisfied, consideration may be given to whether the serious cyber incident response powers in Part 3A are required to effectively and appropriately respond to the incident.

647.           Further, the requirement for the entity to be aware an incident is a ‘cyber security incident’ before the obligation is enlivened provides further support for the reasonableness and proportionality of the timeframe.

648.           Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, ensuring Government is able to engage with the affected entity and provide support or guidance as soon as practicable.   

Subsections 30BC(2)-(4)—Form of report etc. 

649.           Subsection (2) outlines that a report given under subsection (1) may be given orally or in writing.

650.           Subsection (3) provides that, if a report is given orally, then the entity must:

·          make a written record of the report in the ‘approved form’ (subparagraph (a)(i)), being the form approved by the Secretary for the purpose of this subparagraph which will be publicly available on the Department’s website (www.cicentre.gov.au).

·          give a copy of the written record of the report to the relevant Commonwealth body (subparagraph (a)(ii)), and

·          do so within 48 hours of giving the oral report (paragraph (b)). 

651.           Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, ensuring a written record of the incident is provided to the relevant Commonwealth body without delay.

652.           Subsection (4) provides that, if a report is given in writing, the responsible entity must ensure that the report is in the ‘approved form’ (being the form approved by the Secretary for the purpose of this subsection). This approved form will be made publicly available.  

653.           Breach of this obligation is also subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, ensuring information is provided to the relevant Commonwealth body in a uniform manner. 

Section 30BD     Notification of other cyber security incidents

654.           New section 30BD of the SOCI Act introduces an obligation for responsible entities for critical infrastructure assets captured by section 30BB to report a cyber security incident to the relevant Commonwealth body in certain circumstances. 

655.           Under subsection (1), if an entity is a responsible entity for a critical infrastructure asset captured by section 30BB and the entity becomes aware that a cyber security incident is occurring, has occurred, or is imminent and the incident has had, is having, or is likely to have, a relevant impact (whether direct or indirect) on the asset, the entity must:

·          give the relevant Commonwealth body (as defined in section 30BF) a report that is about the incident and includes such information (if any) as is prescribed by the rules (paragraph (c)), and

·          do so as soon as practicable, and in any event within 72 hours, after the entity becomes aware that the above circumstances exist (paragraph (d)). 

656.           A relevant impact in this context is defined in new subsection 8G(2) of the SOCI Act to mean an impact on the availability, integrity, reliability or confidentiality of the asset.  

657.           This obligation differs from that outlined in section 30BC in the following key ways:

·          section 30BC is concerned with cyber security incidents that have occurred or are occurring, while section 30BD is concerned with cyber security incidents that have occurred, are occurring, or will occur imminently, and

·          section 30BC is focused on significant impact on availability of the asset, while section 30BD is focused on any relevant impact. If an incident has been reported under section 30BC, it does not need to be reported again under section 30BD.

658.           The concept of an imminent cyber security incident seeks to capture situations where, for example, a malicious actor is attempting to exploit a known vulnerability. An example of such a situation is where malicious actors are actively exploiting a specific vulnerability on a system, and that vulnerability has not been patched on the entity’s system.

659.           The impact of these events is, relatively, less significant, and therefore a longer period of 72 hours is provided for the report to be made. However, it is nevertheless important that these incidents are reported as they may, for example:

·          indicate preparatory actions by a malicious actor ahead of further actions which could have a potentially catastrophic impact on the availability of the asset and the essential services it provides, as well as cascading impacts throughout the economy,

·          involve persistent targeting or attempted access to a network where the entity believes a compromise is imminent, or

·          involve a compromise of sensitive commercial or personal information.

660.           Similarly to section 30BC, this section recognises that an investigation into an event may take time to finalise before it can be determined that its source was a cyber security incident as opposed to, for example, a mechanical failure. In light of this, paragraph (1)(d) means that the obligation to report within 72 hours is only enlivened when the responsible entity becomes aware that the incident meets the above criteria. In practice, the obligation requires the notification of Government to be one of the first steps in the business’s incident response plan.

661.           In light of the above factors, this reporting timeframe is considered reasonable and proportionate. It should also be noted that it aligns with the timeframes for other security reporting obligations such as the European Union’s General Data Protection Regulation (GDPR) and the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234. Article 33 of the former imposes on an entity an obligation to notify the relevant supervisory authority of a personal data breach no later than 72 hours after becoming aware of it. Under the latter, an APRA-regulated entity must notify APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident if certain conditions have been met.

Subsections 30BD(2)-(4)—Form of report etc. 

662.           Subsection (2) outlines that a report given under subsection (1) may be given orally or in writing.

663.           Subsection (3) provides that, if the report is given orally, then the entity must:

·          make a written record of the report in the approved form (subparagraph (a)(i)),

·          give a copy of the written record of the report to the relevant Commonwealth body (subparagraph (a)(ii)), and

·          do so within 48 hours of giving the oral report (paragraph (b)). 

664.           Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, ensuring a written record of the incident is provided to the relevant Commonwealth body without delay.

665.           Subsection (4) provides that, if a report is given in writing, the responsible entity must ensure that the report is in the approved form (being the form approved by the Secretary for the purpose of subparagraph (3)(a)(i)). The approved form will be publicly available on the Department’s website (www.cicentre.gov.au).  

666.           Breach of this obligation is subject to a civil penalty of up to 50 penalty units. This penalty is a proportionate response based on the nature of the infringement and is designed to deter non-compliance, ensuring information is provided to the relevant Commonwealth body with the detail required to make the report effective.
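The two obligations in sections 30BC and 30BD, together with the 48-hour written-record requirement in subsections 30BC(3) and 30BD(3), amount to a small decision tree that an incident response plan has to encode: which section is engaged, when the clock starts, and when each deadline falls. The following Python helper is an added illustration of that decision tree and is not part of the Bill, the Act or any Departmental guidance. The Impact and Status categories, the function names and the sample scenario are this example’s own assumptions; whether a given incident actually meets the ‘significant impact’ or ‘relevant impact’ threshold remains a judgment for the responsible entity, and both windows are outer limits on an obligation to report ‘as soon as practicable’.

```python
"""Deadline helper for the Part 2B notification obligations (sections 30BC and 30BD).

Added illustration only; not the Bill's text or the Department's guidance. The
thresholds and windows follow the explanatory memorandum; the Impact/Status
categories and function names are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Impact(Enum):
    # 30BC threshold: a significant impact on the availability of the asset.
    SIGNIFICANT_AVAILABILITY = "significant availability impact"
    # 30BD threshold: any relevant impact (availability, integrity, reliability
    # or confidentiality, per subsection 8G(2)).
    RELEVANT = "relevant impact"
    NONE = "no relevant impact"


class Status(Enum):
    OCCURRED = "has occurred"
    OCCURRING = "is occurring"
    IMMINENT = "is imminent"


# Outer limits only: both sections require the report "as soon as practicable".
REPORT_WINDOW = {"30BC": timedelta(hours=12), "30BD": timedelta(hours=72)}
WRITTEN_RECORD_WINDOW = timedelta(hours=48)  # subsections 30BC(3) and 30BD(3)


@dataclass(frozen=True)
class Obligation:
    section: str
    report_deadline: datetime
    # Only set when the initial report was given orally.
    written_record_deadline: Optional[datetime]


def _require_aware_datetime(label: str, value: datetime) -> None:
    # Naive datetimes make 12h/72h arithmetic ambiguous across a DST change,
    # so refuse them rather than silently computing a wrong deadline.
    if value.tzinfo is None or value.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware")


def applicable_section(impact: Impact, status: Status) -> Optional[str]:
    """Return "30BC", "30BD" or None.

    30BC covers incidents that have occurred or are occurring with a significant
    availability impact. Everything else with a relevant impact, including an
    imminent incident whatever its expected impact, falls under 30BD. An
    incident reported under 30BC need not be reported again under 30BD.
    """
    if impact is Impact.NONE:
        return None
    if impact is Impact.SIGNIFICANT_AVAILABILITY and status is not Status.IMMINENT:
        return "30BC"
    return "30BD"


def triage(aware_at: datetime, impact: Impact, status: Status,
           oral_report_at: Optional[datetime] = None) -> Optional[Obligation]:
    """Compute deadlines from the moment the entity is *aware* the criteria are met.

    The clock starts at awareness that the event is a cyber security incident
    with the relevant impact, not at the first alert or the start of an outage.
    """
    _require_aware_datetime("aware_at", aware_at)
    section = applicable_section(impact, status)
    if section is None:
        return None
    written = None
    if oral_report_at is not None:
        _require_aware_datetime("oral_report_at", oral_report_at)
        written = oral_report_at + WRITTEN_RECORD_WINDOW
    return Obligation(section, aware_at + REPORT_WINDOW[section], written)


def is_overdue(submitted_at: datetime, deadline: datetime) -> bool:
    _require_aware_datetime("submitted_at", submitted_at)
    return submitted_at > deadline


if __name__ == "__main__":
    # Constructed scenario: an outage is confirmed at 09:00 UTC to be a cyber
    # security incident with a significant availability impact; the oral report
    # is phoned in two hours later.
    aware = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
    print(triage(aware, Impact.SIGNIFICANT_AVAILABILITY, Status.OCCURRING,
                 oral_report_at=aware + timedelta(hours=2)))
```

In the sample scenario the 30BC report is due by 21:00 UTC the same day and the written record of the oral report by 11:00 UTC two days later; the same incident flagged as merely imminent would instead fall under 30BD with a 72-hour window. The timezone check is deliberate: Australian responsible entities span several offsets, and a deadline computed from a naive local timestamp can be off by an hour in either direction.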

Section 30BE      Liability

667.           New section 30BE of the SOCI Act excludes responsible entities, and their employees etc., from liability when acting in good faith in relation to the obligations to report cyber security incidents as set out in Part 2B. 

668.           Subsection (1) provides that an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with new sections 30BC or 30BD of the SOCI Act.

669.           Subsection (2) provides that an officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).

670.           This provision is intended to protect entities from incurring liabilities, such as confidentiality requirements that may exist in contracts with their customers, when complying with these obligations.

Section 30BF      Relevant Commonwealth body

671.           New section 30BF of the SOCI Act defines the term ‘relevant Commonwealth body’ for the purpose of Part 2B to be:

·          a Department that is specified in Ministerial rules made under section 61 (paragraph (a))

·          a body that is established under a law of the Commonwealth and is specified in Ministerial rules (paragraph (b)), or

·          if neither paragraph (a) nor paragraph (b) applies, ASD (paragraph (c)). 

672.           This means that, absent any specific Department or Commonwealth body being prescribed in rules under section 61 of the SOCI Act, the relevant Commonwealth body to whom reports are to be made is ASD. Although ASD will be the relevant Commonwealth body to whom reports are made, ASD will not perform a regulatory or compliance role. Cyber incident reports made to ASD will only be used to inform an enhanced cyber threat picture and develop appropriate mitigations and advice.

Part 2C—Enhanced cyber security obligations

Division 1—Simplified outline of this Part

Section 30CA     Simplified outline of this Part

673.           New section 30CA of the SOCI Act includes a simplified outline of Part 2C, which is intended to aid the reader of the legislation in understanding the operation of this Part. This section outlines that Part 2C sets out enhanced cyber security obligations that may relate to systems of national significance (which are a particular sub-set of critical infrastructure assets that are the subject of a declaration under new Part 6A of the Bill, see item 66 of Schedule 1 to the Bill below). 

674.           The critical infrastructure cyber threat environment is worsening, in part, due to an ever-increasing reliance on technology, and increasing interoperability and interdependency between Australia’s most critical assets. This has created a new set of vulnerabilities that can have catastrophic cascading consequences to Australia’s economy and national security. This growing threat necessitates a strengthened relationship between Government and industry, built on enhanced information sharing and activities to prepare for, prevent and mitigate against significant cyber security incidents. 

675.           There are four different legislative mechanisms that implement the enhanced cyber security obligations outlined in new Part 2C of the SOCI Act:

·          statutory incident response planning obligations (new Division 2 of Part 2C),

·          cyber security exercises (Division 3),

·          vulnerability assessments (Division 4), and

·          access to system information (Division 5). 

Division 2—Statutory incident response planning obligations

Subdivision A—Application of statutory incident response planning obligations

Section 30CB     Application of statutory incident response planning obligations—determination by the Secretary

676.           New section 30CB of the SOCI Act provides for the application of the statutory incident response planning obligations to systems of national significance. Subsection (1) provides that the Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, determine that the statutory incident response planning obligations apply to the entity in relation to the system and to cyber security incidents.  

677.           As clarified at paragraph (1)(a), a notice to apply the response planning obligations can only be given to a responsible entity for a system of national significance.

678.           Subsection (2) provides that a determination made by the Secretary under subsection (1) takes effect at the time specified in the determination, which under subsection (3) must not be earlier than the end of the 30-day period that began when the notice was given. This provides responsible entities with a minimum 30 day notice period to make arrangements to meet this obligation. 

679.           Subsection (4) provides a consultation requirement that must be met before a notice is given under this section. The Secretary must consult the entity and, if there is a relevant Commonwealth regulator that has functions relating to the security of that system, the relevant Commonwealth regulator. This will minimise any unnecessary burden being imposed on the entity as a result of the notice not being appropriately adapted to the circumstances of the system of national significance.

680.           Subsection (5) clarifies that a determination under section 30CB is not a legislative instrument. It is reasonable and appropriate that determinations made by the Secretary under this section are not legislative instruments.  A legislative instrument should be implemented where the purpose of the instrument is to determine the content of the law. The Secretary’s determination under subsection (1) of this section applies the law in a particular instance to a particular system of national significance, and does not determine the content of the law that applies—that is set out in this Subdivision.

Section 30CC     Revocation of determination

681.           New section 30CC of the SOCI Act provides for the revocation of determinations made by the Secretary under section 30CB.

Subsection 30CC(1)—Scope

682.           Subsection (1) outlines that section 30CC applies if a determination is in force under section 30CB and notice of the determination was given to a particular entity.

Subsection 30CC(2)—Power to revoke determination

683.           Subsection (2) provides that the Secretary may, by written notice given to the responsible entity for a system of national significance who has been given a determination under subsection 30CB(1), revoke the determination.

Subsection 30CC(3)—Application of Acts Interpretation Act 1901

684.           Subsection (3) outlines that section 30CC does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act to an instrument made under a provision of the SOCI Act (other than this Division).

685.           This means that subsection 33(3) of the Acts Interpretation Act, which generally provides that a power to make an instrument of legislative or administrative character is construed to include a power to repeal, rescind, revoke, amend, or vary that instrument in the like manner and subject to the like conditions, continues to apply in relation to other instrument-making powers in the SOCI Act.

Subdivision B—Statutory incident response planning obligations

Section 30CD     Responsible entity must have an incident response plan

686.           New section 30CD of the SOCI Act creates an obligation for a responsible entity for a system of national significance that has received a determination under subsection 30CB(1) to adopt and maintain an ‘incident response plan’ that applies to the entity in relation to the system and cyber security incidents. In this regard:

·          ‘incident response plan’ is defined in new section 30CJ of the SOCI Act (see below), and

·          the meaning of ‘cyber security incident’ is outlined in new section 12M (see item 32 of Schedule 1 to the Bill above). 

687.           Cyber incident response plans help an organisation identify the activities and resources needed to respond to malicious cyber activity, and is an essential business continuity process. Incident response plans prepare an organisation to identify and respond to malicious cyber activity on their networks and ensures both internal and external (including relevant government entities) contacts, roles and responsibilities are identified before an incident. Incident response plans also allow organisations, staff and service providers to exercise their roles and responsibilities in before and incident occurs. Rehearsed and exercised incident response plans limit the potential disruption caused by malicious cybe