Tech industry concerns put aside as Critical Infrastructure Bill enters Parliament

New Bill introduces a positive security obligation, cybersecurity requirements such as mandatory incident reporting and vulnerability testing, and government 'last resort' powers to step in and defend.

Minister for Home Affairs Peter Dutton introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 into Parliament on Thursday, labelling it as a significant step in the protection of critical infrastructure and essential services that Australians rely upon.

"Critical Infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation's wealth and prosperity, and national security," Dutton said.

"While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune. Australia is facing increasing cybersecurity threats to essential services, businesses, and all levels of government."

While Dutton said owners and operators of critical infrastructure are best placed to deal with such threats, he said it takes a team effort to bring about positive change.

The Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement "an enhanced framework to uplift the security and resilience of Australia's critical infrastructure".

It extends the application of the Act to communications, transport, data and the cloud, food and grocery, defence, higher education, research, and health.

The Bill introduces a positive security obligation for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements to the Australian Signals Directorate (ASD); enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.

Dutton on Thursday said the obligation to adopt and comply with a risk management program is designed to uplift core security practices of critical infrastructure assets by "ensuring entities take a holistic and proactive approach to identifying, preventing, and mitigating risks".

The purpose of the framework requiring ASD reporting, he said, is to establish a "comprehensive understanding of the cybersecurity risks to critical infrastructure assets".

"Through greater awareness, the government can better see malicious trends and campaigns, which would not be apparent to an individual victim of an attack. This will ensure that the government can appropriately advise and assist entities across the economy to better safeguard their assets from cyber attacks," he continued.

Also contained within the Bill are last resort powers, which allow the government to step in to protect assets during or following a significant cyber attack.

Dutton said the Bill was developed through extensive consultation with industry.

"The final Bill reflects the outcomes of the consultation process and ensures we have the right balance between taking effective steps to manage security of our critical infrastructure and appropriate checks and balances," he claimed.

"This is not the end of consultation, the government is committed to continuing the conversation to ensure that the reforms are operationalised in the most appropriate and effective manner."

This includes industry engagement on designing sector-specific requirements and guidance for the laws.

Elsewhere on Thursday, the Governor-General assented to the Foreign Investment Reform (Protecting Australia's National Security) Bill 2020, which updates Australia's foreign investment review framework with the overarching goal of addressing national security risks, strengthening compliance, and streamlining investment in non-sensitive businesses.

While the Bill aims to protect Australia, the country's quantum technology sector, as well as the federal opposition, flagged it was worried about the problems the Bill could create for the nascent industry, mostly around investment opportunities.

Q-CTRL, Australia's first venture capital-backed quantum technology company, previously said the broad definitions of "national security businesses" in the legislation encompass "effectively all emerging quantum technology companies and place our sector at a tremendous disadvantage relative to competitors formed in regions with larger and more mature investor bases including the US and EU".

"Simply put, Australian venture capital is insufficiently mature to support growth in our industry at this stage, meaning that fully realising the potential of quantum technology in Australia necessitates the involvement of foreign investors," Q-CTRL CEO, founder, and professor Michael Biercuk said.
