“Data and the cloud” would be recognised as critical infrastructure in Australia under changes to legislation introduced by the government last week. The proposed amendments would also hand the government coercive powers during a cyber-attack.
On Thursday Home Affairs Minister Peter Dutton revealed his planned legislation changes that would upgrade the status – and regulatory obligations – of large parts of Australia’s critical infrastructure.
The changes would extend the application of the Security of Critical Infrastructure Act 2018 to additional sectors and assets including communications, transport, data and the cloud, food and grocery, defence, higher education, and research and health.
Dutton said the bill will uplift the security posture of the assets by requiring owners to comply with a risk management program and report any cybersecurity incidents to the Australian Signals Directorate. The spy agency would eventually gain a “comprehensive understanding” of the cybersecurity risks to critical infrastructure assets, according to Dutton.
“Through greater awareness, the government can better see malicious trends and campaigns which would not be apparent to an individual victim of an attack,” Dutton told Parliament last week. “This will ensure that the government can appropriately advise and assist entities across the economy to better safeguard their assets from cyberattacks.”
The bill would also allow government agencies to enact what Dutton termed “last resort powers” to direct or even take control of infrastructure assets when there is a cyber attack that poses “a material risk to Australia’s national interests”.
Dutton insisted the coercive powers will only be used if an entity is unwilling or unable to resolve a cyber attack that “has or will seriously prejudice,
- the social or economic stability of Australia or its people; or
- the defence of Australia; or
- national security.”
Home Affairs would also need to have the authorisation of the Prime Minister and the Defence Minister to take control.
In consultations on the proposed changes, several companies flagged concern over the contracted consultation process for a regime that created new regulatory burden and handed the government extraordinary new powers.
The proposed laws were first revealed in the government’s 2020 Cyber Security Strategy in August. A consultation paper was released in September, and in five weeks Home Affairs received just under 200 submissions. A subsequent exposure draft bill attracted 129 further submissions.
Throughout the consultation, universities, tech giants, industry groups and the Law Council of Australia flagged that the process was moving too quickly, without consideration proportionate to the nature of the changes.
Last Thursday, less than two weeks later, the bill was introduced to parliament.