Whitepaper

What to Expect from the Updated Australian Security of Critical Infrastructure Act

Noggin

Continuity Management Software

Updated September 5, 2023

Cyberattacks against critical infrastructure on the rise

The COVID-19 moment has seen a surge of illegal cyber activity – by June 2020, attacks had already increased by a staggering 400 percent [i] – often perpetrated by opportunistic hackers taking advantage of overwhelmed IT offices as vast swathes of the economy went remote. However, the coordinated, state-backed attacks against “all levels of government” [ii], announced in June 2020, were orders of magnitude worse:

Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, natural disasters and the impacts of COVID-19 illustrate that threats to the operation of Australia’s critical infrastructure entities continue to be significant. 

Nor have these coordinated attacks abated. Indeed, Defence Minister Linda Reynolds decries a “new normal” of persistent cyberattacks on Australia, effectively blurring the lines between “peace and war” [iii]. What’s to be done? In releasing the consultation paper, Protecting Critical Infrastructure and Systems of National Significance, the Government is seeking ways to shore up the security of the country’s critical infrastructure. [iv]

Although it is a call for feedback from industry, the paper does signpost proposed regulatory enhancements to the existing Security of Critical Infrastructure Act. Nothing is certain at this juncture. But this guide helps clarify what critical infrastructure owners and operators should expect from an updated Security of Critical Infrastructure Act.

What is in the existing Security of Critical Infrastructure Act?

Passed by Parliament in March 2018, the Security of Critical Infrastructure Act came into force later the same year, with compliance expected beginning in early 2019. The Act remains operative until amended.

So, what does the existing Act do? The object of the Act is to provide a framework for managing and identifying risks to national security relating to critical infrastructure, by (1) improving the transparency of the ownership and operational control of critical infrastructure and (2) facilitating cooperation and collaboration between all levels of government, regulators, as well as owners and operators of critical infrastructure. 

To do so, it defines critical infrastructure assets as:

  • Critical electricity assets
  • Critical water assets
  • Critical gas assets
  • Critical ports

The Act further establishes the Register of Critical Infrastructure Assets, intended to give the Government visibility into who owns and controls critical infrastructure assets, so as to better focus the state’s risk assessment function. 

The Register itself is a non-public hub, administered by the Government, to which asset owners and operators (either their direct interest holders or responsible entities) report and update relevant ownership, control, and operational information (See more below).

Finally, the Act gives the Commonwealth Minister broad new powers (ministerial “last resort” powers) to intervene in an asset’s affairs, whether to seek further information and/or issue directions, “where a risk cannot otherwise be mitigated.” Those ministerial “last resort” powers are limited to exceptional circumstances involving significant national security risks.

What operational information are asset owners and operators currently required to report?

The Act classifies the following as operational information, which must be reported to the Register: 

  1. An asset’s location
  2. A description of the area the asset services
  3. Information concerning the responsible entity, including: 
    – Name
    – ABN
    – Address of the entity’s head office or principal place of business
    – The country in which the entity was incorporated, formed, or created
  4. Information concerning the chief executive officer, including full name and country of citizenship
  5. Description of the arrangements under which each operator operates the asset or a part of the asset
  6. Description of the arrangements under which data is maintained

What do the new regulations herald?

The pandemic moment has crystallised a broader conception of critical infrastructure than the one (formally) limited to ports and utilities. Over the course of the public health crisis, healthcare and food and groceries, to name a few, have shown themselves to be every bit as vital to public safety and national resilience as any other industry. Going forward, innovation will also remain a priority sector, as public health researchers seek a COVID-19 vaccine. Because of their importance, these industries have been heavily targeted by cyber criminals, creating the need to redefine critical infrastructure as:

Those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.

Broader class of critical infrastructure sectors

Who falls into this broader class of critical infrastructure sectors? It is likely that the following industries will see federal security obligations imposed upon them:

  • Banking/finance
  • Communications
  • Data & the cloud
  • Defence
  • Education
  • Research & innovation
  • Food & grocery
  • Health
  • Energy (more broadly)
  • Space
  • Transport
  • Water

The precise nature of the security obligation remains to be seen. However, the tenor of the consultation paper makes abundantly clear that owners and operators in these industries will have to do more than just report operational information – the current standard. 

Indeed, the Government has already stated that beefed-up obligations will be part and parcel of an enhanced security framework. That framework outlines the need for the following:

  • An uplift in security and resilience in all critical infrastructure sectors
  • Better identification and sharing of threats (i.e. situational awareness) in order to make critical infrastructure more resilient and secure

At present, the framework is vague. Nevertheless, we can probe certain Government assumptions, to understand what might come next.

Firstly, the Government believes one size does not fit all, and that acute sectoral differences exist. After all, only a few industries have already been operating under a critical infrastructure security regime, while the majority have not. 

As the Government argues, a fair balance must be struck between positive security obligations and the realities of existing standards and maturity, as well as differences in human and financial resources, technology, and relative threat level (more on this later).

3 key elements of the enhanced framework

We also know that the enhanced framework will have three key components:

  1. Positive Security Obligation (PSO), consisting of set and enforced baseline protections against all hazards for critical infrastructure and systems, implemented through sector-specific standards proportionate to risk.
  2. Enhanced cyber security obligations, establishing:
    – The ability for the Government to request information to contribute to a near real-time national threat picture.
    – Owner and operator participation in preparatory activities with Government.
    – The co-development of a scenario-based “playbook,” setting out response arrangements.
  3. Government assistance for entities that are the target or victim of a cyber attack, through the establishment of a Government capability and authorities to disrupt and respond to threats in an emergency.

Not all elements of the enhanced framework will apply to each critical infrastructure entity, though. The Government envisages a sliding scale of obligation, which it will partner with industry to develop. 

What informs that sliding scale? Besides an entity’s characteristics (both internal and its external operating environment), factors like the consequences of compromise and interdependencies with other functions will affect how critical the Government deems that entity and into which category that entity will fit. The new categorisations of criticality and their relevant framework elements are:

Classes of Entities and Relevant Elements of the Framework.

  • Critical infrastructure entities
    – Description: Security of Critical Infrastructure Act 2018 designated critical infrastructure entities
    – Framework elements: Government Assistance (directions and direct action)
  • Regulated critical infrastructure entities
    – Description: Security of Critical Infrastructure Act 2018 designated critical infrastructure entities
    – Framework elements: Positive Security Obligation; Government Assistance (directions and direct action)
  • Systems of national significance
    – Description: The subset of critical infrastructure entities of highest criticality
    – Framework elements: Enhanced Cyber Security Obligations; Positive Security Obligation; Government Assistance (directions and direct action)
  • Whole of economy
    – Description: Entities outside of an expanded Security of Critical Infrastructure Act 2018 with cyber assets captured by the 2020 Cyber Security Strategy
    – Framework elements: none specified

What is the Positive Security Obligation (PSO)?

For regulated entities, the enhanced framework elements need to be carefully considered one by one, as they each represent a potential compliance driver. The first is the imposition of a positive security obligation (PSO). That obligation will represent a set of generic (sector-agnostic) and sector-specific guidance and requirements. 

The substance of that obligation will be hashed out by the Government, industry, and relevant regulators. But at minimum, asset owners and operators of regulated entities will be legally obligated to manage risks that may impact their business continuity as well as the country’s economy, security, and sovereignty. 

How to achieve compliance with this element of the enhanced framework? Entities will have to follow certain principles-based outcomes, likely to include:

Principles-based Outcomes of the Positive Security Obligation. 

  • Identify & understand risks. 
    Regulated entities will have a responsibility to take an all-hazards approach when identifying and understanding risks, considering both natural and human-induced hazards. Examples include understanding how risks might accumulate throughout the supply chain, understanding the way systems are interacting, and outlining which of these risks may have a significant consequence to core service provision.
  • Mitigate risks to prevent incidents. 
    To manage identified risks, regulated entities will be required to have appropriate risk mitigations in place. Here, risk mitigation encompasses both proactive risk management and having processes in place for (1) detecting and responding to threats as they are being realised, and (2) planning for disasters and having a way to lessen the negative impact were one actually to occur.

    Regulated entities will be responsible for engaging with the relevant regulator (more later) to ensure that identified risks and proposed mitigations are proportionate to risk, while also respecting business, societal, and economic impacts.
  • Minimise the impact of realised incidents.
    Regulated entities will be required to have robust procedures in place to recover as quickly as possible from incidents, should threats be realised. Examples of said procedures include ensuring plans are in place for a variety of incidents, whether having back-ups of key systems, adequate stock on hand (such as medicines), redundancies for key inputs, out-of-hours processes and procedures, and the ability to communicate with affected customers.
  • Implement effective governance & oversight processes
    Regulated entities will be required to have appropriate risk management oversight and responsibilities in place, with strong governance and clear lines of accountability, demonstrated comprehensive planning, as well as a robust assurance and review process in place proportionate to the identified risks.

These principles-based outcomes don’t cover all manner of risks, though. Instead, the Government is focused on risk to business continuity and to public safety. What specific aspects matter? The following threats will receive priority:

Types of High-level Security Obligation. 

Physical security, i.e. natural and human-induced threats
  • Implementing proportionate physical security measures that lessen the risk of harm to people, information and physical asset resources being made unlawfully inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation. 
  • Integrating protective security into the process of planning, selecting, designing and modifying facilities for the protection of people, information and physical assets. 
  • Securing physical spaces where sensitive information and assets are used, transmitted, stored or discussed.
Cyber security
  • Identifying and assessing sensitive information and implementing proportionate controls. 
  • Understanding access to an entity’s sensitive information, with need to know principles applied. 
  • Endeavouring to safeguard information from common and emerging cyber threats and adhering to best practice guidelines. 
  • Implementing robust security measures during all stages of ICT systems development. 
  • Aiming to ensure systems and personnel can detect, understand and respond to cyber security incidents. 
Personnel security, i.e. insider threats
  • Ensuring only suitable employees and contractors access the entity’s resources and are aware of, and meet, appropriate standards of conduct. 
  • Assessing and managing the ongoing suitability of its personnel to access resources throughout their engagement.
  • Promoting a positive and collaborative security culture of continual improvement and engagement across sectors, ensuring lessons learnt are shared. 
Supply-chain 
  • Promoting a positive and collaborative security culture of continual improvement and engagement across sectors, ensuring lessons learnt are shared. 


We aren’t certain what substantive obligations will emerge; sectoral regulators are likely to flesh out the substance of those requirements. We do know, however, that regulated entities will be obligated to report relevant business continuity incidents in a timely manner.

As for monitoring compliance, sectoral regulators will take the lead. They will also enforce compliance with the PSO, based on a sliding-scale regulatory approach (see below).

Figure 1-01: PSO Regulatory Approach Model.

Explaining enhanced cybersecurity obligations

The positive security obligation encompasses a baseline set of responsibilities for regulated critical infrastructure entities. The updated Act will go further for the subset of critical infrastructure entities of highest criticality, deemed systems of national significance. On these entities, the Government will impose enhanced cybersecurity obligations.

What’s likely to be the substance of this obligation? The obligation will go above and beyond what’s proposed by the PSO, specifically addressing the Government’s need to build active partnerships to ensure the flow of near real-time information needed to better understand and address threats (situational awareness).

In the short term, designated systems of national significance should expect to comply with measures designed to facilitate two-way information sharing, whether that be incident reporting or access to Government intelligence and international feeds.

Longer term, though, updated legislation will obligate these entities to provide information about their own networks and systems (when requested), so as to contribute to the national threat picture. Further, these entities will have to participate in to-be-determined cyber security activities as well as in the co-development of response playbooks. 

Figure 2-01: Proposed Initiatives for Enhanced Cyber Security Obligations.

Expect cyber assistance for entities

The existing Security of Critical Infrastructure Act already gives the Government legal precedent, via the ministerial “last resort” powers, for stepping in and telling critical infrastructure entities what to do in emergencies. Updates to the legislation will likely see greater direct Government involvement in those situations, wielding “its enhanced threat picture and unique capabilities to take direct action to protect a critical infrastructure entity or system in the national interest.”

Beyond that, government will empower itself to instruct entities to conduct necessary, preventative and mitigating activities. What if those actions open entities up to civil suit? The Government will also arrogate the power to immunise entities whose conduct of necessary mitigations might precipitate civil suit.

Figure 3-01: Response Model for Government and Industry.

What’s next? The submission deadline for industry stakeholders has come and gone. And so, organisations in the affected industries can expect more government consultation to assess the impact of proposed reforms and refine the development of the enhanced framework.

Informed by those consultations, legislative amendments to the existing Act will come before Parliament. Then, Government and owners and operators of critical infrastructure entities will have the opportunity to co-design sector-specific security obligations, followed by a window of opportunity to begin implementing enhanced obligations.

While much remains to be worked out, the consequences of non-compliance are likely to be severe: civil penalties, enforceable undertakings, injunctions, not to mention significant reputational damage. The Government has designated security of the nation’s critical infrastructure as a strategic priority, and entities that will now fall into that category need to take the updated Act seriously, as it will soon form an important part of their compliance risk profile.

Citations

[i] Rick Smith, WRAL Tech Wire: Reports: Cybercrimes surge 400%, teleworkers need to tighten security. Available at https://www.wraltechwire.com/2020/06/25/reports-cybercrimes-surge-400-teleworkers-need-to-tighten-security/.

[ii] BBC: Australia cyber attacks: PM Morrison warns of ‘sophisticated’ state hack. Available at https://www.bbc.com/news/world-australia-46096768.

[iii] Andrew Probyn and Stephen Dziedzic, ABC News: Cyber attacks on Australia blurring the lines between peace and war, Defence Minister says. Available at https://www.abc.net.au/news/2020-09-04/cyber-attacks-on-australia-peace-war-defenceminister/12626396.

[iv] Australian Government Department of Home Affairs and Critical Infrastructure Centre: Protecting Critical Infrastructure and Systems of National Significance: Consultation Paper, August 2020. Available at https://www.homeaffairs.gov.au/reports-and-pubs/files/protecting-critical-infrastructure-systems-consultation-paper.pdf.