In 2018, the Critical Infrastructure Act 2018 (Cth) came into force (Act). The Act is part of the Commonwealth government's focus on ensuring the protection of critical infrastructure from cyber threat.
The Act requires the establishment and maintenance of a register setting out the ownership of critical infrastructure assets, a government information request power, and a limited directions power enabling the Home Affairs Minister to direct owners and operators of critical infrastructure assets to take action to mitigate against national security risks if they do not already do so to the government's satisfaction.
Presently, the Act applies only to electricity, gas, ports, and water assets that meet certain criteria.
However, as part of Australia's Cyber Security Strategy 2020, it is proposed to expand the application of the Act to many other sectors, relevantly for our readers including:
- the energy sector – including the production, transmission, distribution or supply of electricity, gas or liquid fuel
- the food and grocery sector – including the manufacturing, processing, packaging, distribution and supplying of groceries
- the health care and medical sector – including the production, distribution or supply of medical supplies
- the transport sector – including owning or operating assets that are used in connection with the transport of goods or passengers on a commercial basis and transporting goods or passengers on a commercial basis
- the water and sewerage sector – including manufacturing or supplying goods, or providing services, for use in connection with the operation of water or sewerage systems or networks.
The proposed amendments will dramatically extend the assets to which the Act applies. The broad reach of the proposed reforms reflects the government's view of the importance of these sectors, and that if such sectors were impacted by a cyber-related incident, this has the potential to significantly impact one or more of the social and economic wellbeing of Australians and national security.
Not all entities that own or operate assets in the expanded range of sectors will be regulated in the same way. The consultation paper suggests that:
- "Critical infrastructure entities" would be all owners and operators in a relevant sector. These entities would have the ability to access government assistance in the event of a cyber-attack, with the government also able to direct such entities to take particular steps if considered necessary in the national interest or to maintain other dependent essential services
- "Regulated critical infrastructure entities" would be a subset of owners and operators in a relevant sector, having an overall perceived greater level of importance, though it has not yet been determined what the criteria for inclusion in this category would be. These would be subject to an additional "positive security obligation," requiring the implementation of baseline cybersecurity (as well as physical, personnel, and supply chain security) and related protections and procedures to rapidly recover from any incidents which do occur
- the third and most important type of entity would be owners and operators of "systems of national significance," which would be the most critical assets. These would be subject to the obligations imposed on regulated critical infrastructure entities but would also be required to comply with a set of enhanced cybersecurity obligations. Those obligations would establish a greater level of partnership with the government, with entities required to share networks and systems information to enable the development of a national close-to-real-time threat picture, work with the government to build cybersecurity capability, and also develop coordinated response arrangements for cyber-attacks.
In addition, the consultation paper speculates about additional powers, including the ability for the government to declare an 'emergency' in the event an immediate and serious cyber threat is identified, as well as the ability to take direct action to protect critical infrastructure in the 'national interest' if an emergency is declared.
Businesses in the above sectors should keep up-to-date with the proposed amendments and consider putting in submissions on the proposed laws, to ensure that any additional regulatory requirements imposed on them are commensurate with the sensitivity of their operations.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.