Government security agencies now have the power to take over digital assets during a cyber attack following the passage of the controversial Critical Infrastructure Bill.
The bill now names 11 critical infrastructure sectors – up from the original four of electricity, gas, water, and ports – that are subject to government takeover or data gathering should a sufficiently serious security incident occur, the severity of which is left to the discretion of the Home Affairs Minister.
The 11 critical infrastructure sectors are: communications, data storage, financial services, water and sewerage, energy, healthcare, higher education and research, food and grocery, transport, space technology, and defence.
Organisations that are responsible for critical infrastructure assets will have just 12 hours to notify the government of a cyber security incident if it has a significant “direct or indirect” impact on the asset.
Industry had previously raised concerns that the legislation was “problematic”, criticising the short reporting time and regulatory burden it would place on organisations.
In turn, the bill was amended to give organisations 84 hours to file a written report if they notified the government about an incident verbally.
Greens Senator Lidia Thorpe was highly critical of the legislation, which passed with bi-partisan support, saying in a speech on Monday that it was developed without support of the stakeholders who would be most affected by it.
“The government, as usual, is introducing even more half-baked legislation that no-one actually wants,” Thorpe said.
“This legislation is a greedy little power grab.
“Many stakeholders reported that this bill would result in the imposition of an excessive regulatory burden on their businesses, including the potential duplication of regulatory systems.
“These stakeholders will now have more regulatory and compliance burdens heaped upon them.”
There have also been concerns that security agencies intervening in proprietary hyperscale cloud environments and fragile operational technology (OT) could accidentally cause further disruptions.
Scott McKinnel, ANZ Manager of security company Tenable, said there remained issues with the legislation as it has passed but welcomed the steps toward “protecting our very way of life”.
“While we still have concerns surrounding mandated government assistance powers granted in the bill, one possible way around this would be for industry to install their own monitoring software that meets government standards instead and share the resulting data with the appropriate government entities,” he said.
“If recent critical infrastructure attacks have taught us anything, it’s that incidents don’t only impact the business, the implications are felt society-wide.
“When it comes down to it, neither government nor industry can tackle this challenge alone, it takes collaboration and cooperation from both sides.”
In a statement, Home Affairs Minister Karen Andrews said the legislation “will better protect the essential services all Australians rely on, such as electricity, water, healthcare or food and groceries”.
Her office noted how the Critical Infrastructure Bill fits in the government’s agenda to further surveil and control Australian digital spaces and described the Identify and Disrupt Bill – which gave law enforcement unprecedented powers to monitor and take over citizens’ online accounts – as part of the government’s efforts to “safeguard our community and economy”.