Written by Cheng Lim, Kirsten Bowe, Malcolm Brennan, Eveline Kuang and Redwan Hamed
On 2 December 2021 changes to legislation came into force that gives the Government strong powers to take action in relation to cyber security incidents affecting ‘critical infrastructure assets’, including the power to obtain information, give directions and to authorise ASD to take direct action in relation to those assets. While the legislation also contains provisions that require entities that own or operate ‘critical infrastructure assets’ to notify Government of critical cyber security incidents, these will only apply to assets specified in rules which are yet to be made.
The new definitions of critical infrastructure assets also extend the definition of national security business under Australia’s foreign investment review regime, with consequential implications for investors in or owners of those businesses.
The Commonwealth accepted the recommendations of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the original Security Legislation Amendment (Critical Infrastructure) Bill 2020 and has only enacted those elements of the bill that the PJCIS identified as being needed urgently to respond to growing cyber security threats, being:
- the expanded definitions of critical infrastructure sectors and asset,
- the mandatory notifications of cyber security incidents, and
- the introduction of government assistance powers.
All other elements (risk management programs, SONs and enhanced cyber security obligations) that were in the original bill have been removed and will form part of a second bill to be introduced following further consultation with industry.
In conjunction with the amended bill being enacted and coming into force on 2 December 2021 as the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Act), on 8 December 2021, the Commonwealth also made the Security of Critical Infrastructure (Definitions) Rules 2021 that further define various types of critical infrastructure assets for the purposes of the Act. Further rules are expected to be made in due course to apply the reporting obligations and the cyber security incident notifications discussed below.
Our previous alert on the PJCIS’s advisory report and the progression of the original bill is available here. You can also find our other alerts on the critical infrastructure reforms to date here, here and here.
What does it mean for business?
Owners and operators of assets in the key infrastructure sectors outlined below should undertake a review of their assets to determine the extent to which they may be critical infrastructure assets. If so, they need to ensure that they have procedures in place to:
- notify the appropriate Government agency of the occurrence of relevant cyber security incidents affecting their critical infrastructure assets as we expect that these obligations will be implemented through the making of appropriate rules in the not too distant future (and as there will be no grace period for compliance with the obligations) ; and
- comply with any information gathering requests, action directions or intervention requests that are given in respect of their critical infrastructure assets.
Expanded definition of ‘critical infrastructure sector’
With the coming into force of the Act, the Security of Critical Infrastructure Act 2018 (SOCI Act) has now been amended to cover critical infrastructure assets (and their owners and operators – i.e., their responsible entities) in the following 11 sectors:
- Data storage or processing
- Financial services and markets
- Water and sewerage
- Healthcare and medical
- Higher education and research
- Food and grocery
- Space technology
- Defence industry
One consequence of the expanded definitions of ‘critical infrastructure assets’ is that the existing obligations under the SOCI Act to provide operational and interest and control information will now apply to the new critical infrastructure assets and their responsible entities. However, these reporting obligations do not have effect in relation to the new critical infrastructure assets until ‘switched on’ under rules that are yet to be made under the SOCI Act. Once ‘switched on’, a grace period of 6 months will commence before those reporting obligations above apply.
Assets previously classified as “critical infrastructure” are already governed by the legislation and remain subject to their existing obligations.
Notification of cyber security incidents
Responsible entities for critical infrastructure assets will be required to notify Government of cyber security incidents. As is the case with the reporting obligations above, the notification provisions are not yet in force but will be ‘switched on’ in respect of critical infrastructure assets under rules that are yet to be made. There will be no grace period for compliance with the notification provisions.
There are 2 classes of incidents that must be notified:
- Critical cyber security incidents – a critical cyber security incident that has had or is having a significant impact on the availability of an asset that is used in connection with the provision of essential goods and services must be notified within 12 hours (and if notified orally, must be notified in writing within an additional 84 hours), and
- Other cyber security incidents – a cyber security incident that has had or is having or is likely to have an impact on the availability, integrity, reliability or confidentiality of the asset must be notified within 72 hours (and if notified orally, must be notified in writing within an additional 48 hours). This therefore requires notification of incidents, the impact of which has not yet fully materialised or is yet to be fully ascertained.
The government now has ‘assistance’ powers that can be exercised in response to serious cyber security incidents.
When can the Government use its powers?
The Government may use its powers where:
- a cyber security incident has occurred, is occurring or is imminent;
- the incident had, is having or is likely to have a ‘relevant impact’ on the availability, integrity, reliability or confidentiality of a ‘critical infrastructure asset’;
- there is a material risk that the incident has seriously prejudiced, is seriously prejudicing or is likely to seriously prejudice: (i) the social or economic stability of Australia or its people; (ii) the defence of Australia; or (iii) national security; and
- no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
What powers does the Government have?
The new Government assistance powers include the following:
- Information gathering – the Minister for Home Affairs may authorise the Secretary of Home Affairs to give directions for the purposes of gathering information in relation to the incident and the impact on a relevant ‘critical infrastructure asset’ or a specified ‘critical infrastructure sector asset’.
- Action directions – the Minister for Home Affairs may authorise the Secretary of Home Affairs give directions requiring an entity to take a specific action in response to the incident and the relevant ‘critical infrastructure asset’ or a specified ‘critical infrastructure sector asset’.
There are some checks on the exercise of this power – in particular that the Minister must not give such a direction unless the Minister is satisfied that as to certain matters, including that the entity is unwilling or unable to take reasonable steps to respond, and that the direction is reasonably necessary, proportionate and technically feasible.
- Intervention requests – the Minister for Home Affairs may authorise the Secretary of Home Affairs to give an intervention request authorising the Australian Signals Directorate (ASD) to provide specified assistance in response to the incident. The assistance that can be authorised includes accessing or modifying computer systems, installing programs and altering or deleting data. This power is also colloquially known as the government ‘step-in’ power that has been the subject of some controversy.
The same checks that apply in relation to action directions also apply to the exercise of this intervention request power. In addition, the Minister must not authorise an intervention request unless:
- the Minister is satisfied that giving an action direction would not be a practical and effective response to the incident; and
- the Prime Minister and the Defence Minister both agree to the giving of the authorisation.
Importantly, the new Government assistance powers do not include the power to direct or authorise the taking of offensive cyber action against a person responsible for the incident.
Interaction with FIRB
The amendments to the definitions of critical infrastructure assets effected by the Act and the Security of Critical Infrastructure (Definitions) Rules 2021 impact the definition of national security business under the foreign investment review regime. In essence, a reporting entity (owner or operator) for an asset that is a critical infrastructure asset as defined under the Act and the Rules will be a national security business for the foreign investment review regime.
If you want to invest in a national security business
The Foreign Acquisitions and Takeovers Act 1975 (FATA) requires that certain investments are notified to the Australian Treasurer and receive a no objection notification from the Australian Treasurer prior to the investment taking place. An interest of 10% or more in a national security business is a notifiable national security action.
Investors will therefore need to ensure that any proposed acquisition of an interest in an owner or operator of a ‘critical infrastructure asset’ complies with the requirements under the Foreign Acquisitions and Takeovers Act 1975 (FATA) and associated regulations.
We expect that the Foreign Investment Review Board will shortly release further guidance materials on the impact on the FIRB regimes of the amendments effected under the Act.
If your business is a national security business
In addition to considering the obligations under the Act, investors in your business may be subject to notification requirements under the FATA. You will need to ensure that any investment into your business adheres to the requirements under the FATA.
 Amending the Security of Critical Infrastructure Act 2018.