31 August 2020
So far, 2020 has been dominated by COVID-19. Lockdowns and the consequences of the pandemic have caused us to think about who and what is essential, and different nations have made different decisions (you might remember back to the early arguments about haircuts).
However, in addition to considering essential services from a pandemic perspective, the increasing digitisation of life and the constant risk of cyber-attack means there is a need to reconsider what constitutes critical infrastructure, and what steps need to be taken to protect that infrastructure.
So what has changed?
In 2017, the federal government released a proposal for an act to require certain standards for critical infrastructure to provide resiliency for Australia. The Security of Critical Infrastructure Act was passed in 2018 and covered a number of areas which at the time were considered to be critical such as traditional infrastructure facilities – ports, fuel and cargo hubs, electricity and water assets.
As part of its cyber security strategy launched in August 2020 where the Federal government committed to investing $1.67 billion over 10 years to create a more secure online world for Australians, the Department of Home Affairs has released a consultation paper on protecting critical infrastructure systems of national significance. In a post-pandemic world, the Government is looking at expanding the definition of critical infrastructure and is seeking feedback from a range of sectors that many would not ordinarily think about as being critical in a pre-pandemic world. These include education, energy, food and grocery, health, transport and communications to name a few.
The paper seeks input no only on what industries should be included but how resiliency might be achieved. Input is south on 36 questions.
The paper considers bringing more organisations into the category of critical or of national significance, and considers how organisations can work together to protect Australia and keep it cyber resilient. Major state-based cyber-attacks on organisations such as universities have reinforced the need to actively consider this issue.
The consultation paper considers an enhanced framework for resilience, supported by legislative requirements that "will remain proportionate and collaborative, while avoiding inconsistent application of regulations putting entities at commercial disadvantage".
These requirements include positive security obligations, enhanced cyber obligations and the co-development of a scenario-based "playbook" that sets out response arrangements.
The consultation period closes on 16 September 2020, which is a relatively short six week period to respond to a paper that has no doubt taken some time in preparation.
Major organisations and industry bodies should consider responding to at least some of those questions. The issue around regulatory models which avoid duplication with existing oversight requirements, i.e. tying up in red tape, should as a minimum be addressed.
It may also be an opportunity for currently heavily regulated sectors to demonstrate that no further regulation or little further regulation is needed for those sectors.
It is also an opportunity to raise the issue as to how the cost burden will be born. Creating additional regulatory burdens create a disincentive for industries to be treated as critical.
If you would like any assistance in preparing a submission, our lawyers with their broad backgrounds are well-placed to assist.
Author: Lyn Nicholson
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.