At the end of last year, Australia's Security Legislation Amendment (Critical Infrastructure) Act 2021became law to give government "last resort" powers to direct an entity when responding to cyber attacks, which included introducing a cyber-incident reporting regime for critical infrastructure assets.
Those laws were originally drafted to be wider in scope, with Home Affairs proposing other obligations for organisations within critical infrastructure sectors.
Provisions seeking to enshrine those obligations were eventually set aside, however, with the federal government deciding to follow a recommendation made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to have those omitted aspects introduced under a second Bill.
That second Bill, Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, was introduced into Parliament by Home Affairs Minister Karen Andrews last week.
In this second Bill, the federal government is seeking to introduce risk management programs for critical infrastructure entities and enhanced cybersecurity obligations for those entities most important to the nations, which include providing reports of system information and risk assessments to the Australian Signals Directorate (ASD).
The risk management program obligation, if it were to become law, would apply to entities within the 11 sectors classified as critical infrastructure sectors in the first Bill. The enhanced cybersecurity obligations, meanwhile, would apply to a smaller subset of entities that hold assets that are classified as systems of national significance.
Appearing before Senate Estimates on Monday morning, Home Affairs Secretary Mike Pezzullo said the Bill before Parliament would create a standardised critical infrastructure framework to enable the ASD to approach cyber attacks in a precautionary fashion due to the additional information it would receive.
"Up until now, we haven't had common nomenclature, we haven't had common reporting cadences, we haven't had common reporting thresholds. Should the second Bill pass, obviously, we're in the hands of the Parliament, what that will do is provide a standardised framework for both regulating and operating across the 11 designated sectors," Pezzullo said.
He also likened the pair of critical infrastructure legislation to being Australia's "defence" against cyber attacks, whereas the national ransomware plan acts as the "offence".
"You've got to go on the offence, which is where the government ransomware action plan takes you. We've also got to play defence, that is to say, you've got to mitigate the risk as much as you can because today the attack vector is ransomware. The criminal and state actors who use ransomware will, once [it's been thwarted], will then find another way," he said.
Home Affairs also made a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which commenced a new inquiry to scrutinise the Bill on the same day it was introduced into Parliament.
In the submission, Home Affairs said the cost for each entity to run the risk management program, on average, would consist of a one-off AU$9.7 million for setting it up and an annual ongoing cost of AU$3.7 million.
Due to the cost and additional regulatory burden that the Bill would place onto these critical infrastructure entities, which includes universities, Home Affairs said it has been working closely with industry experts and stakeholders from across the designated sectors for how best to handle that regulatory burden.
Home Affairs said the program was drafted following over 100 engagement with those experts and stakeholders.
Later in the day, another Home Affairs representative provided Senate Estimates with more information about its search for a vendor to perform work on the country's identity-matching services. Home Affairs National Resilience and Cybersecurity deputy secretary Marc Ablong said his department's search is for a vendor to manage the country's identity-matching services and the underlying infrastructure.
"It's not about moving forward on the identity matching services beyond what we currently have approval for," Ablong said.
"[Home Affairs] does not collect the images, nor do we have a database of those images. They are all kept within the state registry," he added, when explaining the department's remit for these services.
Other Home Affairs movements included confirmation that a version of the Digital Passenger Declaration (DPD) would be released tomorrow, which will be the first use case to be built on the Permissions Capability Platform.
When the DPD was first announced, the federal government said the DPD would replace the current Australia Travel Declaration (ATD) and the paper-based incoming passenger card. For tomorrow's launch, however, the DPD will only replace the COVID-19 ATD for the moment, with the transition of replacing the incoming passenger card to come at a later date.
Functionally, the DPD will link with a person's QR code vaccination certificate and capture essential information up to 72 hours prior to a person boarding a plane. While the DPD will be launched tomorrow, travellers will still have to submit their travel declarations using the ATD until the end of this week with the new form of submission to be available from February 18 onwards.
Updated at 6:23pm AEST, 14 February 2022: added information about DPD release.