The reforms to federal legislation aimed at mitigating the impact of cyber attacks on critical infrastructure have certainly been stirring up controversy. Microsoft, Amazon Web Services and Cisco, to name a few, voiced concerns in their respective submissions to the discussion and consultation papers on Protecting Critical Infrastructure and Systems of National Significance. Let’s find out why.

The release of the draft Security Legislation Amendment (Critical Infrastructure) Bill 2020, introduced into Federal Parliament on 10 December 2020, marks the next step in Australia's Cyber Security Strategy 2020. Part of a package of proposed reforms, the Bill is one in a series of efforts by the Australian Government to strengthen the security posture of critical national infrastructure (CNI).

By amending the Security of Critical Infrastructure Act 2018 (the 'SOCI Act'), the Bill is likely to increase the regulatory burden on, and otherwise affect, many organisations that have not traditionally been regarded as critical infrastructure.

In fact, the Bill introduces a revised definition of Critical Infrastructure Sector (and associated definitions of "Critical Infrastructure Sector Assets" and "Systems of National Significance") that will significantly expand the remit of the SOCI Act. The SOCI Act as passed in 2018 defined critical infrastructure as entities or facilities "which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defense and ensure national security."

Whereas previously the SOCI Act covered specific assets in the electricity, gas, water and ports sectors only, the Bill expands the coverage to encompass eleven sectors regarded as critical. These are:

  • Communications;
  • Financial Services and Markets;
  • Data Storage or Processing;
  • Defence Industry;
  • Higher Education and Research;
  • Energy;
  • Food and Grocery;
  • Health Care and Medical;
  • Space Technology;
  • Transport;
  • Water and Sewerage.

The Bill does not extend to government itself, although the Secretary of the Department of Home Affairs, Mike Pezzullo, has previously said that a separate scheme could designate certain assets within government as critical infrastructure.

The key objective of the proposed framework is to protect Australia's critical infrastructure from all hazards, including the impacts of catastrophic cyber attacks. The enhanced framework calls for an uplift in cyber security and resilience across all critical infrastructure sectors, combined with better identification and sharing of threats. The goal is to make Australia's critical infrastructure, whether privately or state owned and operated, more resilient and secure.

But what does this proposal really entail?

At the core of the proposal are three initiatives:

  • A Positive Security Obligation, which sets baseline protections against all hazards for critical infrastructure and systems, implemented through sector-specific standards proportionate to risk.
  • Enhanced Cyber Security Obligations, which give the Government the ability to request information that contributes to a near real-time national threat picture, require owner and operator participation in preparatory activities with the Government, and provide for the co-development of a scenario-based 'playbook' that sets out response arrangements.
  • Government Assistance for entities that are the target or victim of a cyber attack, through the establishment of a Government capability, and the legal authority, to disrupt and respond to threats in an emergency.

It is this expansion of government power, which requires companies to hand over ownership and operational information, that has alarmed the tech giants.

Under the proposal, once a responsible entity becomes aware of a cyber security incident, it must report the incident within 12 hours if the incident is having a significant impact on the availability of the asset, or within 72 hours if the incident is having an impact on the availability, integrity or reliability of the asset, or on the confidentiality of information about, or held by, the asset. In "exceptional circumstances", the Government will be allowed to intervene directly in a cyber incident that the Home Affairs Minister has classified as serious. Furthermore, the powers will allow the Australian Signals Directorate to install programs, "access, add, restore, copy, alter or delete data", alter the "functioning" of hardware, or remove hardware entirely from the premises.

Surely, in light of these proposed changes, businesses should start considering whether the reforms could capture their assets or systems and, if so, what obligations they would need to comply with if the draft Bill becomes law. They should also seek involvement in the co-design of the related sector-specific rules and watch for any further Government announcements.

What the new critical national infrastructure legislation will look like in practice, and whether Australia’s security posture will ultimately become overall stronger or weaker as a result, remains to be seen.


Interested in learning more about how cyber security experts around the world are defending against cyber attacks and protecting critical national infrastructure?

Join us at the Cyber Security for Critical Assets World Summit on May 6th 2021.

Find out more and secure your free pass using the code “CNI-VIP” at: world.cs4ca.com