The federal government has proposed legislation to set up a new framework to protect Australia’s critical infrastructure from cyber threats.
The Morrison government has proposed new cyber security reforms under the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The proposed reforms outlined in the new bill include the introduction of a “Positive Security Obligation” for critical infrastructure entities — those that provide services that are essential for everyday life (i.e. energy, food, water, transport, communications, health, banking and finance, and defence).
Specifically, the proposed framework includes:
- setting up a register of information in relation to critical infrastructure assets (the register will not be made public);
- requiring entities to have, and comply with, a critical infrastructure risk management program;
- requiring notification of cyber security incidents;
- allowing government to require entities “to do, or refrain from doing, an act or thing” if the minister is satisfied that there is “a risk of an act or omission that would be prejudicial to security”;
- allowing government to require entities to provide relevant information or documents;
- setting up a regime for the Commonwealth to respond to serious cyber security incidents; and
- allowing the government to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.
Minister for Home Affairs Peter Dutton stressed the significance of the proposed amendments in advancing Australia’s national security interests.
“The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our economy, security and sovereignty and industry will be important to the success of these reforms,” Minister Dutton said.
“We will continue to work closely with industry and other stakeholders to implement our plan to secure essential services [without] imposing an unnecessary regulatory burden.”
The introduction of the draft bill follows an initial round of consultation with industry stakeholders, including Defence, on the ‘Protecting Critical Infrastructure and Systems of National Significance’ package, which forms part of the Cyber Security Strategy 2020.
The second round of consultation has now opened, with stakeholders invited to lodge submissions by 27 November 2020.