Home Affairs releases second Critical Infrastructure Bill with leftover obligations

At the start of this month, Australia's Security Legislation Amendment (Critical Infrastructure) Act 2021 became law to give government "last resort" powers to direct an entity to gather information, undertake an action, or authorise the Australian Signals Directorate (ASD) to intervene against cyber attacks.

The laws also introduced a cyber-incident reporting regime for critical infrastructure assets.

Those laws were originally drafted to be wider in scope, with Home Affairs proposing other obligations for organisations within critical infrastructure sectors.

Provisions seeking to enshrine those obligations were eventually excluded from the Critical Infrastructure Bill, however, after the Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended for these "less urgent" aspects to be legislated in another Bill down the road. 

In those recommendations, the PJCIS said legislating those aspects later would give businesses and government additional time to co-design a regulatory framework that receives a broader consensus among stakeholders.

Home Affairs has now released an exposure draft [PDF] of a Bill focusing on those excluded aspects.

In this second Bill, called Security Legislation Amendment (Critical Infrastructure Protection) Bill (SLACI Bill), the federal government is seeking to introduce risk management programs for critical infrastructure entities and enhanced cybersecurity obligations for those entities most important to the nations.

The risk management program obligation, if it were to become law, would apply to entities within the 11 sectors classified as critical infrastructure sectors in the first Bill. The enhanced cybersecurity obligations, meanwhile, would apply to a smaller subset of entities that hold assets that are classified as systems of national significance.

According to the Bill's exposure draft, the risk management program would have to identify hazards to critical infrastructure assets and likelihood of them occurring. In addition, entities would be required to submit an annual report about the risk management program and if any hazards had a significant impact on critical infrastructure assets.

Looking at the proposed enhanced cybersecurity obligations in the Bill's exposure draft, government is seeking for entities that have systems of national significance to have an incident response plan for addressing cyber attacks. This incident response plan would have to be shared with the Home Affairs secretary.

These entities would also be required to undertake cybersecurity exercises to build cyber preparedness, make vulnerability assessments to identify vulnerabilities for remediation, and provide system information to build Australia's situational awareness. In regards to the proposed requirement to provide system information, the Bill is seeking to give Home Affairs the power to compel relevant entities into installing system information software.

The government has also used this second Bill to amend "key sector and asset definitions" to clarify which entities are deemed to hold critical infrastructure assets.

Among the definitions that would be amended under the Bill is "critical domain name system", which clarifies that an asset is critical if it administers an Australian Domain Name System.

The exposure draft also seeks to amend the definition of "critical data storage or processing asset" to provide clarity to industry about the types of entities that will be captured as responsible entities for critical data storage or processing assets. Under the amended definition, entities are deemed to hold critical infrastructure if they provide any data storage or processing services to government.

Data storage in this instance is defined as a service provided on a commercial basis that enables end-users to store or back-up data or a data processing service provided on a commercial basis that involves the use of one or more computers.

Data processing, meanwhile, includes computerised data actions such as retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal.

Home Affairs will be accepting feedback on this exposure draft until February 1.

Related Coverage

• Home Affairs launches new principles for critical technology supply chain security
• Home Affairs in talks to give telcos more blocking powers against malicious messages
  
• Australia commences work on electronic surveillance law reforms
  
• US and Australia enter CLOUD Act agreement for cross-border access to electronic evidence
  
• Home Affairs asks for a rush on Critical Infrastructure Bill to allow ASD to act lawfully