24 November 2021
Disruptive technologies and geopolitical competition are giving rise to a more intense cyber and physical threat landscape. Globally, we are seeing an increasing number of attacks against and probing of critical infrastructure. Motivations for these attacks vary from financial gain to causing damage and destruction to another nation.
The Security of Critical Infrastructure Act 2018 (SOCI Act) seeks to manage national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. The Security Legislation Amendment (Critical Infrastructure) Bill 2021 (New Bill) was passed by Parliament on 22 November 2021, substantially increasing the Federal Government’s power to impose obligations in relation to ‘critical infrastructure’ assets.
In this article, we consider the likely impact of the New Bill, which reviews and revises the SOCI Act.
The SOCI Act was passed in 2018 to manage national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. The SOCI Act applies to a range of specific assets.
The SOCI Act and its obligations for owners and operators commenced on 11 July 2018 and are about to be expanded under the New Bill.
On 29 September 2021, the Parliamentary Joint Committee on Intelligence and Security (Committee) published its Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Initial Bill) and statutory review of the SOCI Act.
The Committee recommended that the Initial Bill be split into two separate bills (i.e., the New Bill and a second bill (Second Bill)) to expand the critical infrastructure sectors covered by the SOCI Act, introduce mandatory reporting obligations and prioritise government assistance measures.
On 22 November 2021, the Australian Parliament passed the New Bill setting out these urgent security upgrade measures. Subject to Royal assent, the SOCI Act will be amended accordingly.
Register of Critical Infrastructure Assets
Since 2018, owners and operators of relevant critical infrastructure assets have had six months from the acquisition of critical infrastructure assets, or from the start of the asset operation, to register ownership and operational information on the Register of Critical Infrastructure Assets (Register). The Register is designed to provide the Government with a more detailed understanding of who owns and controls critical infrastructure assets, to support control in high-risk sectors and proactive management of the risks these assets face.
Information gathering power
The Secretary of the Department of Home Affairs has the power to request detailed information from owners and operators of assets in certain circumstances.
Ministerial directions power
The Minister for Home Affairs has the ability to direct an owner or operator of critical infrastructure to do, or not do, specific things to mitigate a national security risk (where all other mechanisms to mitigate the risk have been exhausted).
Under the New Bill, key amendments to the SOCI Act include:
The New Bill is limited to the topics described above and is expected to be followed by the Second Bill and new rules in 2022.
The intention is for the Second Bill to include a risk management program that will require responsible entities of specified critical infrastructure assets to manage and mitigate natural and human-induced risks. Furthermore, the Second Bill is likely to introduce a ‘System of National Significance’, to which the prescribed ‘Enhanced Cyber Security Obligations’ will likely apply upon the Second Bill becoming law.
The Second Bill will be designed in consultation with industry.
The changes substantially widen the scope of what has been considered to be ‘critical infrastructure’ and increase the Federal Government’s power to impose obligations in relation to ‘critical infrastructure’ assets and sectors.
It is important to understand if the new regime applies to your assets or could apply to your Australian project and how to comply with the new rules.
We assist foreign and Australian-based clients in understanding how these key issues will impact their successful involvement in critical infrastructure projects in Australia and related requirements arising under the Australian Energy Sector Cyber Security Framework (AESCSF) and SOCI Act.
Authors: Carl Hinze & Jeanne Vallade