Last week saw a watershed moment in Australia’s approach to cyber regulation, with the Federal Government introducing a raft of Bills to Parliament as part of a Cyber Security Legislative Package. When introducing the package, Minister for Cyber Security Tony Burke said the reforms were necessary in the face of “an increasingly hostile and complex threat and risk landscape”.
If the package is passed, Australia will have its first standalone Cyber Security Act, introducing mandatory reporting of ransomware payments and mandatory minimum security standards for smart devices. We will cover the proposed Cyber Security Act in a separate article.
The package also includes a proposal to strengthen and expand existing obligations and government powers under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), and that is the subject of this article.
How did we get here?
Since the original passage of the SOCI Act in 2018, the Federal Government has continued to intensify the regulation of critical infrastructure assets. Successive amendments to the Act have expanded its scope to address cyber threats to Australia’s critical infrastructure assets.
In the wake of the 2022 Optus and Medibank incidents, it became apparent the SOCI Act was not providing the tools that either government or industry needed. In 2023 the government sought feedback on further reforms, through its 2023-2030 Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper (Consultation Paper). The Consultation Paper outlined legislative changes focused on implementing the government’s 2023-2030 Australian Cyber Security Action Plan (Action Plan) and associated Cyber Security Strategy (Strategy) (which we cover here).
The proposed reforms
If the proposals pass through Parliament, there will be five major changes to the SOCI Act, intended to bolster Australia’s national cyber defences by addressing issues identified by government and industry in the Consultation Paper. The most notable changes will see entities that are responsible for critical infrastructure assets subject to increased obligations in relation to their data storage systems and give government broader scope to intervene following significant incidents affecting critical assets (even where those incidents are not cyber-related).
Protecting data storage systems and business critical data
Data storage systems that support critical infrastructure assets will now be covered by the SOCI Act and subject to the same suite of obligations that apply to the asset itself. This is a significant shift from the current regime, where the provisions relevant to data storage systems were aimed at data storage and cloud computing service providers.
Under the current SOCI Act, an entity that is responsible for a critical infrastructure asset is not explicitly required to protect all of its data storage systems that hold 'business critical data', despite the great harm and disruption that could be caused by an attack on such systems.
However, secondary systems are often the point of entry for malicious actors. The government has cited the Optus and Medibank data breaches as examples of the need to ensure critical infrastructure entities have adequate protections in place across their ecosystems. Occurring within weeks of each other, in late 2022, those incidents both involved hackers exploiting vulnerabilities in the systems of these companies (on one hand, targeting an unauthenticated API endpoint and, on the other, a misconfigured firewall).
Under the current regime, those systems fell outside the SOCI Act’s wide net, notwithstanding that the attacks on them had the potential to cause widespread disruption for the Australian economy and public.
With the passage of the proposed reforms, the definition of critical infrastructure asset would be amended so data storage systems that support critical infrastructure assets, and store or process business critical data (for example, bulk holdings of personal information or operational information relating to the critical asset), would be considered part of a relevant critical infrastructure asset where there is the potential for system vulnerabilities to have certain ‘relevant impacts’ on a critical infrastructure asset (for example, where a hazard would threaten the integrity or availability of such an asset). These systems would then need to be considered holistically, as part of a critical infrastructure entity’s SOCI Act obligations.
If the reforms pass, entities responsible for critical infrastructure assets will need to expand their SOCI compliance activities to cover their data storage systems. This means including those systems in the scope of registrations on the Register of Critical Infrastructure Assets and covering those systems in Critical Infrastructure Risk Management Programs (CIRMP). Importantly, it also means the potential for increased interactions with government following an incident involving their systems (more on this below).
New consequence-management powers for Government
The government is proposing to expand the existing government assistance framework in Part 3A of the SOCI Act. The expansion of the ‘last resort’ directions power for the Secretary of the Department of Home Affairs, when authorised by the minister, is intended to facilitate effective responses to ‘multi-asset incidents’ and the consequences of serious incidents which may have a ‘relevant impact’ on critical infrastructure assets.
These changes recognise the difficulties faced by business in the aftermath of significant data breaches, where uncertainty about their legal position, and limited government powers to direct them to take action, hindered their ability to respond effectively. For example, where past data breaches have left individuals’ financial accounts exposed, legal restrictions prevented entities from sharing information about affected customers with banks to help prevent financial fraud, and government was equally without a legal power to direct entities to share this information. Proposed changes (as described in this section and in the following section) seek to facilitate these types of remedial activity.
The changes also seek to significantly broaden the scenarios in which government can intervene. While existing powers focus on the response to serious cyber security incidents, they do not empower the government to give directions in relation to non-cyber incidents (such as terrorist attacks and natural incidents, like floods or bushfires) or to manage consequential impacts of incidents.
The amendments would extend coverage to a broader range of incidents (such as cyber and information hazards, physical and natural hazards, personnel hazards, and supply chain hazards), provided they impact the availability, integrity and reliability of a critical infrastructure asset. This would expand the circumstances in which the government could exercise its existing powers to give ‘information gathering’ and ‘action’ directions. Intervention requests would remain limited to cyber security incidents.
Cross-industry collaboration and intra-government sharing in crisis situations
The SOCI Act currently permits limited uses and disclosures of what is termed ‘protected information’. Protected information has a broad definition, covering a range of information and documents that a person may obtain when exercising powers or performing functions under the Act, or that otherwise were obtained, recorded or produced in connection with certain provisions in the Act.
Feedback obtained from government and industry was that when an incident occurs, the protected information provisions unnecessarily limit the use and disclosure of that information, restricting responses in the event of high risk and time-sensitive events. A new definition is proposed for ‘protected information’ that includes a harms-based assessment. This means that decisions to disclose information must be informed by considering the potential harm or risk to the security of a critical infrastructure asset, commercial interests, the Australian public, and the socioeconomic stability, national security and defence of Australia (where there is no such harm or risk, the disclosure will be permitted).
As an example, the previous definition appeared to prevent an entity from disclosing information in its CIRMP, notwithstanding such information was already publicly disclosed in its annual report. The same entity could now disclose the information, on the basis of a harms-based assessment and noting the entity had already assessed the information as suitable for public disclosure.
Directions power relating to Risk Management Programs
The government proposes to fill a gap in regulatory powers in relation to the existing CIRMP obligations. The Secretary of Home Affairs can currently require an entity to produce its CIRMP and provide a corrective action plan if it is deficient. However, there is no power to direct an entity to take specific actions to improve a CIRMP (for example, where an entity has failed to consider and minimise risks in the threat landscape that pose a potential risk to its asset) without seeking an enforceable undertaking. Under the proposed amendments, the Secretary or regulator would be empowered to give directions to vary a CIRMP which it considers to have a serious deficiency, meaning it poses a risk to the socioeconomic stability, national security or defence of Australia.
Other changes
The two other key changes are focused on consolidation and simplification:
SOCI Act obligations that were previously incorporated into the Telecommunications Act 1997 are now being consolidated into the SOCI Act, following industry feedback.
Reporting obligations associated with ‘systems of national significance’ will no longer apply to direct interest holders.
The government’s vision for 2030
These proposed changes, along with the other aspects of the Cyber Security Legislative Package, are designed to enable the government and industry to respond to the current climate of heightened geopolitical and cyber threats. A common thread running through these reforms is the need for close cooperation between government and industry to defend against these threats, empowering businesses to call on government for support and strengthening the government’s ability to respond quickly.
When introducing the legislation, Minister for Cyber Security Tony Burke made the government’s focus clear:
“We know government has to lead the way on cyber, but we also know we can’t do it alone, which is why these new laws have been consulted extensively with business. To achieve Australia’s vision of being a world leader in cyber security by 2030, we need the unified effort of government, industry and the community”.