The security of critical infrastructure (SOCI) laws are a key measure under the Australian Cyber Security Strategy 2020. They respond to evidence that well-resourced and persistent state-sponsored actors are maliciously targeting critical infrastructure and stealing intellectual property developed in Australia. While Australia has not suffered a catastrophic attack on critical infrastructure, there have been several high-profile cyber attacks in the public and private sectors that have had a significant impact.
You can read more about the history of the SOCI laws in our previous article, Changes to critical infrastructure laws in 2021: is your sector impacted?, and about how these changes are specifically affecting Foreign Investment Review Board processes.
During the SOCI laws' passage through Commonwealth Parliament, the Bill was amended and then separated into two parts. Only the first part of the Bill is now law.
The Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth) (First Bill) amends the scope of the Security of Critical Infrastructure Act 2018 (Cth) (Act), which underpins a framework for managing cyber risks relating to critical infrastructure. The First Bill extends the obligations in the Act to a broader range of sectors – now eleven in total as compared with the previous four. The sectors that are defined as 'critical infrastructure sectors' are now as follows:
- communications;
- data storage or processing;
- financial services and markets;
- water and sewerage;
- energy;
- healthcare and medical;
- higher education and research;
- food and grocery;
- transport;
- space technology;
- defence industry.
It also introduces new obligations, empowering the Government to issue information-gathering and other directions, and to request that specified agencies provide support, in certain circumstances, in respect of a cyber security incident (the Government Assistance Measures). In addition, if 'switched on' for a particular sector, the new obligations:
- mandate cyber security incident reporting (the Mandatory Reporting Obligation); and
- require certain entities to maintain a register of critical infrastructure assets containing specified information (the Asset Register Obligation).
Under the First Bill, the Government Assistance Measures apply to all sectors from the date of royal assent (2 December 2021).
An exposure draft of a second Security Legislation Amendment (Critical Infrastructure) Bill (Second Bill) is expected to be released in the coming weeks for consultation with impacted sectors. The Department of Home Affairs has been engaging with several sectors in relation to the Second Bill, which will introduce comprehensive risk management program obligations, as well as enhanced cyber security obligations.