Government passes critical infrastructure national security Bill

Under the new legislation, the minister will have a 'last resort' power to direct electricity, gas, ports, and water entities to 'do or not do a certain thing' to mitigate national security risks.
Written by Corinne Reichert, Contributor

Australia's Parliament has passed the Security of Critical Infrastructure Bill in what the government called a bid to protect the electricity, gas, ports, and water sectors from "foreign involvement" that could lead to espionage, sabotage, and coercion. The Bill also gives ministers the power to direct companies to conduct risk mitigation actions.

The legislation [PDF] was designed to increase the federal government's capacity to manage national security risks arising from offshore and overseas involvement in, and control over, infrastructure.

According to a statement by Minister for Home Affairs Peter Dutton, while foreign involvement has "an important and beneficial role in supporting our national economic growth", it opens up Australia's infrastructure to more risk.

"This legislation establishes a register of Australia's highest-risk critical infrastructure assets, including information on asset ownership, access, and control," Dutton said on Thursday.

"It introduces a ministerial directions power that allows the government to take action where a risk cannot otherwise be mitigated which will significantly enhance the Critical Infrastructure Centre's capacity to assess and manage complex risks."

The latter power will be used to "seek information and issue directions to owners and operators of critical assets in the high-risk sectors when there is a risk that is prejudicial to security that cannot otherwise be mitigated", the revised explanatory memorandum [PDF] explains.

Under s32(2), the Australian Security Intelligence Organisation (ASIO) can provide advice to the minister in the form of a security assessment, with the minister then able to "direct critical infrastructure owners or operators to do or not do a certain thing to mitigate a risk that has been identified as prejudicial to security".

Such directions would address the security risks set out in ASIO's adverse security assessment.

However, s32(3)(c) provides that the minister not give directions unless "an adverse security assessment in respect of the entity has been given to the minister for the purposes of this section".

"The 'last resort' directions power could be used to direct asset owners and operators to undertake or refrain from certain actions," Finance Minister Mathias Cormann said during the Bill's second reading speech.

"Importantly, this power is limited to instances where: There is a risk identified which is prejudicial to security; through collaboration, the owner or operator does not or cannot implement mitigations to address the risk; and there are no existing regulatory frameworks that can be used to enforce mitigations."

Cormann also pointed to safeguards included in the legislation, including that the minister must give primary consideration to the mandatory ASIO adverse security assessment; be satisfied that "good faith" negotiations have taken place with the entity; consult directly with the first minister and state or territory minister and the entity involved; ensure the direction is "a proportionate response to the risk"; and consider the costs and consequences to the entity.

"The minister's directions power is also subject to judicial review while the ASIO adverse security assessment will be subject to merits review," Cormann added.

The Attorney-General's Department (AGD) had published its exposure draft of the Bill in October, at the time saying the last resort power would be used for "critical assets in the high-risk sectors when a significant national security risk cannot otherwise be mitigated".

The government's Critical Infrastructure Centre (CIC), launched in January last year, already works across electricity, water, ports, and telecommunications to conduct national security risk assessments and make suggestions for mitigation strategies.

Stressing a need for collaboration between industry and government to manage critical infrastructure risks, the legislation therefore also provides for a critical infrastructure assets register to be formed to collect information.

In response to the legislation passing, Macquarie Government MD Aidan Tudehope called the laws "crucial" for protecting national infrastructure from cyber attacks, adding that the government "worked hard to strike an appropriate balance to ensure there is a focus on cyber safety without being overly intrusive".

"The sad reality is that there are individuals, groups, and even nations that have shown a willingness and ability to put the wealth, health, and even lives of innocent Australians at risk by attacking critical infrastructure," Tudehope said.

"Much of the infrastructure that allows us to operate in our day-to-day lives -- power, communications, water, transport systems -- are privately owned, and all are completely dependent on information and communications technologies to work.

"The government is right to step in now, before we have had a major incident, to take a leadership role in overseeing the preparedness of owners and operators of critical infrastructure to address these new challenges."

The government in September last year similarly passed the telecommunications national security Bill, with the Telecommunications Sector Security Reforms (TSSR) to establish a framework for national security threats within the telco industry.

Communications Minister Mitch Fifield and then-Attorney-General George Brandis said in August that the TSSR has an emphasis on "the shared responsibility between government and the telecommunications industry".
