Australia's critical infrastructure definition to span communications, data storage, space

New Bill introduces a positive security obligation, cybersecurity requirements such as mandatory incident reporting and vulnerability testing, and government assistance.

The federal government on Monday published an exposure draft on the Security Legislation Amendment (Critical Infrastructure) Bill 2020. It seeks to amend the Security of Critical Infrastructure Act 2018 to implement "an enhanced framework to uplift the security and resilience of Australia's critical infrastructure".

The Australian government's Critical Infrastructure Resilience Strategy currently defines critical infrastructure as: "Those physical facilities, supply chains, information technologies, and communication networks, which if destroyed, degraded, or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defence and ensure national security".

Within the broad definition of critical infrastructure, the Act currently places regulatory obligations on specific entities in the electricity, gas, water, and maritime ports sectors.

"However, as the security landscape evolves, so must our approach to managing risk across all critical infrastructure sectors," the Bill's explanatory document [PDF] said. 

As such, the amendments in the Bill are aimed at enhancing the obligations in the Act, and expanding its coverage to the communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors.

It is proposed that responsible entities for these assets would also fall within the proposed new definition of "national security business". The Minister for Home Affairs would also have the power to declare a critical infrastructure asset as a "system of national significance".

The communications sector is defined in the Bill as those supplying a carriage service; providing a broadcasting service; owning or operating assets that are used in connection with the supply of a carriage service; owning or operating assets that are used in connection with the transmission of a broadcasting service; or administering an Australian domain name system.

The Bill would also introduce definitions for three types of critical infrastructure assets in this sector: Telecommunications, broadcasting transmission, and domain name systems.

The definition of the "data storage or processing sector", according to the Bill, is the sector of the Australian economy that involves providing data storage or processing services on a commercial basis.

This includes enterprise data centres, managed services data centres, colocation data centres, and cloud data centres. The sector definition also includes three types of cloud services: Infrastructure as a service (IaaS), software as a service (SaaS), and platform as a service (PaaS).

According to the document, an asset is a "critical data storage or processing asset" if it is owned or operated by an entity that is a data storage or processing provider; and it is used wholly or primarily in connection with a data storage or processing service that is provided on a commercial basis to an end-user that is the Commonwealth, a state, or a territory, or a body corporate established by a law of the Commonwealth, a state, or a territory.

"The definition covers data centres and cloud service providers that manage data of significance to Australia's national interest," the explanatory document continued. "It is not intended to cover instances where data storage is secondary to, or simply a by-product of, the primary service being offered, for example, accounting services that may result in the storage of some of their client's data."

"Business critical data" would be defined in the Bill as personal information that relates to at least 20,000 individuals; sensitive information; information relating to any research and development in relation to a critical infrastructure asset; information relating to any systems needed to operate a critical infrastructure asset; or information relating to risk management and business continuity in relation to a critical infrastructure asset.

For a "critical data storage or processing asset", the responsible entity is the entity that is a data storage or processing provider to Commonwealth, state or territory government clients, and other critical infrastructure assets.

However, the asset would only become a critical data storage or processing asset where the responsible entity knows that it is storing or processing business critical data of a critical infrastructure asset.

Home Affairs understands that this threshold would capture at least 100 data centre entities, including those entities on the Digital Transformation Agency's Government Supply Panel and at least 30 cloud service providers.

Meanwhile, the space sector would be defined as the sector of the Australian economy that involves the commercial provision of space-related services and reflects those functions that are critical to maintaining the supply and availability of space-related services in Australia.

The Bill also introduces a definition of the financial services and markets sector, the defence industry sector, the food and grocery sector, higher education and research, the healthcare and medical sector, the transport sector, the energy sector, and the water and sewage sector.

Responsibilities for those classed as critical infrastructure

The Bill, if passed, would also introduce a positive security obligation (PSO) for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements; enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.

This framework would apply to owners and operators of critical infrastructure regardless of ownership arrangements.

"This creates an even playing field for owners and operators of critical infrastructure and maintains Australia's existing open investment settings, ensuring that businesses who apply security measures are not at a commercial disadvantage," the exposure draft [PDF] noted. 

The PSO would build on the existing obligations in the Act to "embed preparation, prevention, and mitigation activities into the business as usual operating of critical infrastructure assets, ensuring that the resilience of essential services is strengthened". 

The government is hopeful it would also provide greater situational awareness of threats to critical infrastructure assets. 

The PSO involves three aspects: Adopting and maintaining an all-hazards critical infrastructure risk management program; mandatorily reporting serious cybersecurity incidents to the Australian Signals Directorate; and where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.  

Government said it would work alongside industry to design the sector-specific requirements that underpin the risk management program obligation. 

The Bill would also expand the Register of Critical Infrastructure Assets and give the Home Affairs Minister "on switch" powers to ensure that a PSO only applies in appropriate situations.

"The increased range of sectors covered by the Register will enable the government to develop and maintain a comprehensive picture of national security risks, and apply mitigations where necessary," it wrote.

Under the title of "enhanced cybersecurity obligations", the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more prescribed cybersecurity activities, such as the development of cybersecurity incident response plans, cybersecurity exercises to build cyber-preparedness, vulnerability assessments, and provision of system information.

This Bill also introduces a government assistance regime to respond to serious cybersecurity incidents that applies to all critical infrastructure sector assets.

"Government recognises that industry should and in most cases, will respond to the vast majority of cybersecurity incidents, with the support of government where necessary," it wrote. "However, government maintains ultimate responsibility for protecting Australia's national interests. As a last resort, the Bill provides for government assistance to protect assets during or following a significant cyber attack."

Home Affairs on Monday published 128 of 194 submissions it received prior to distributing its Exposure Draft. Consultation on the Bill continues until Friday 27 November 2020.

RELATED COVERAGE