There is “compelling evidence” that Australia’s critical infrastructure faces “immediate cyber threats” that, a parliamentary committee has recommended, justify fast-tracking emergency powers while deferring long-promised industry consultation.

Responding to a raft of industry submissions lodged during the review of new critical infrastructure protection laws, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended splitting the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI) into two separate bills.

This approach would, the PJCIS said in handing down its advisory report, “enable the quick passage of laws to counter looming threats against Australia’s critical infrastructure, while giving businesses and government additional time to co-design the most effective regulatory framework to ensure long-term security of our critical infrastructure.”

That infrastructure was vulnerable within a “very serious and rapidly deteriorating cyber security environment,” it advised, that “demands both a swift and comprehensive response”.

Industry bodies, trade unions, and critical infrastructure asset owners and operators had expressed “significant disagreement” about the legislation, which expands the number of industry sectors classified as ‘critical infrastructure’ to 11 and imposes a range of new cybersecurity obligations.

Businesses have been concerned that the new legislation would expose them to new liability for cyber attacks, may not have avenues for appeal of penalties, won’t be able to detect and report on cyber incidents quickly enough, and will struggle aligning new obligations with existing best practice.

While those concerns “have been acknowledged by the Department in a general way”, the PJCIS said, they have been largely sidelined by policymakers bent on minimising amendments so that the emergency powers can be passed unmodified, as quickly as possible given a “small and rapidly diminishing window of opportunity to legislate”.

The new, streamlined emergency powers bill would include “urgent” government assistance mechanisms, mandatory notification requirements, and related measures.

Details of the threat were not publicly shared – although in June, Department of Home Affairs (DHA) and Australian Signals Directorate executives provided what committee chair Senator James Paterson had previously called “important evidence… on the scale of the cyber threat from both criminal and state actors.”

Industry welcomes further consultation

Despite widespread recognition of Australia’s ‘mediocre’ security settings, SOCI’s new requirements have raised hackles amongst industry providers, on whom the proposed legislation imposes a range of ‘positive security obligations’ including mandatory risk management programs, reporting obligations, and increased cybersecurity requirements for ‘systems of national significance’ such as power networks and data centres.

“While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune,” DHA previously noted in an explanatory document that outlined the concerns about each sector and also declared that “partnerships with industry sit at the foundation of this measure”.

The new PJCIS recommendation reverses that commitment, delegating industry consultation to the future so the government can address unnamed “looming threats against Australia’s critical infrastructure”.

The push for emergency powers echoes the passage of the controversial Telecommunication and Other Legislation Amendment (Assistance and Access Bill) in Parliament’s last sitting of 2018 – to support, as was recently revealed, an extensive police sting.

Industry bodies welcomed the recommendation, with Business Council of Australia chief executive Jennifer Westacott calling it “a practical way forward to keep Australia secure while maintaining our ability to attract investment, create jobs, and recover from the pandemic.”

The two-stage approach “is critical”, she said, “avoiding unintended consequences by letting business work with government on more complex changes”.

The Group of Eight universities were also positive, with chief executive Vicki Thomson noting that universities “undertake the overwhelming majority of Australia’s national security-sensitive university research”.

Splitting the legislation was a “sensible” solution, the Go8 said, noting that “we need to be very proportionate in how we regulate these types of issues so that we… don’t get overwhelmed with red tape.”

“There’s an opportunity cost in a resource-constrained environment from any kind of regulatory activity, and we want to make sure that we’re doing our best to get the best outcomes from these types of processes.”