An independent review of an Australian law for securing critical infrastructure sectors has found it “toothless”, with penalties viewed as a “cost of doing business” rather than driving security upgrades.
The review has called on the government to “restructure” the Security of Critical Infrastructure (SoCI) Act, removing duplication or overlap with any other obligations that critical infrastructure operators might be subject to elsewhere.
It also wants the Act to be written in a way that it won’t have to keep being modified “due to emerging technological change or geopolitical threat.”
One of the biggest front-facing changes proposed, however, is to shift the focus from compliance to enforcement.
The review found the current approach with SoCI has produced “documents” and not demonstrations of “effective risk management” at organisations, let alone any real security uplift.
It “found a perception that the Act is ‘toothless’ is pervasive.”
“When compliance is seen as optional or penalties are viewed as merely a cost of doing business, the regulatory regime struggles to drive genuine security uplift,” review leader Jill Slay concluded.
She recommended that SoCI “move from a ‘light touch’ compliance approach focus on admin and documentation to that of a penalty-based risk management process with the real enforcement of penalties.”
The review also found widespread support for SoCI’s coverage “to include AI services, CDNs, hyperscale cloud providers, space assets, and drone detection/response capabilities.”
A concerning aspect of industry consultations is that words like “confusing”, “complex”, and “complicated” were used to describe SoCI, in addition to “toothless”.
The review attributed this to an over-emphasis on compliance, which meant that the purpose of SoCI was being lost.
“One major issue that I noted was that respondents were not at all personally analytical of the need to protect Australian critical infrastructure and did not see that compliance with the SoCI Act was the price to pay for protecting this infrastructure,” Slay wrote.
“The majority of those who are deeply immersed in the issue of compliance with the SoCI Act do not seem to have an emotional connection to defending and protecting Australia and its citizens.
“The exceptions to this came from those whose background was Defence and intelligence.
“This issue is worthy of examination by the department [of Home Affairs].”
Slay also called on the government to do any restructure of the SoCI laws properly.
“There will always be a cost in answering the call to respond to threats to our Australian critical infrastructure,” she wrote.
“To do less than completely restructure the SoCI Act at a time of ongoing geophysical and geopolitical disruption, accompanied by all-hazard threats to our infrastructure, would be naïve.”