The federal government has begun consulting with industry on the aspects of its proposed critical infrastructure security laws that it was forced to sideline in order to pass urgent cyber incident intervention powers.
Home Affairs Minister Karen Andrews on Wednesday released an exposure draft [pdf] of the Security Legislation (Critical Infrastructure Protection) Bill, which she described as the “next step” in the government’s critical infrastructure reforms.
The SLCIP bill is the result of a Parliamentary Joint Committee on Intelligence and Security (PJCIS) decision to split the Security Legislation Amendment (Critical Infrastructure) Bill in half in order to “swiftly” legislate the most pressing reforms.
A cut-down version of the bill containing last resort powers that would allow the government to intervene to contain a cyber attack on critical infrastructure passed after being reintroduced to parliament last month.
That bill also expanded the definition of critical infrastructure to a further 11 sectors, including data storage or processing, financial services and healthcare, and introduced cyber incident reporting obligations.
The SLCIP bill now out for consultation captures the “less urgent measures” that were removed from the original bill and also takes into account suggested amendments from both industry and the PJCIS report.
One such reform is the introduction of enhanced cyber security obligations for a “significantly smaller subset” of critical infrastructure assets that the government deems to be “systems of national significance”.
The bill would give the Home Affairs minister of the day the “ability to privately declare a critical infrastructure asset to be a system of national significance” if Australia’s national interest is likely to be impacted as a result of a cyber attack against that operator.
Assets classed as systems of national significance may be required to “undertake more prescribed cyber security activities”, such as cyber security exercises and vulnerability assessments, to boost preparedness and remediate issues.
If a computer is classed a system of national significance or is needed to operate a system of national significance, there may also be instances where an entity needs to “install software that transmits system information to ASD”.
“Should the parliament legislate this second bill, it would complete the reforms for an enhanced all hazards security framework delivered under the Security of Critical Infrastructure Act 2018,” the explanatory paper [pdf] for the new SLCIP bill reads.
Greater clarity over definitions
The government has also used the bill to amend “key sector and asset definitions” in order to “clarify the responsible entities for critical infrastructure assets”, as was recommended in the PJCIS report in September.
The report found that asset definitions in the original bill did not “recognise potential extraterritorial impact”, with the storage and data processing sectors raising specific concerns that related to the horizontal nature of their services during the inquiry.
The bill amends the definition of data storage or processing service to “a service that enables end-users to store or back-up data” that is “provided on a commercial basis”, or alternatively a “data processing service” that “involves the use of one or more computers” and is “provided on a commercial basis”.
In the explanatory memorandum for the exposure draft, the government said the amended definition, which “aligns closely with international definitions and standards” such as NIST, would seek to capture services that:
- Acquire or manage the computing infrastructure required for providing the storage and processing services
- Run the storage or processing software that provides the service of storage or processing of computerised data
- Make arrangements to deliver the storage or processing services to consumers through network access
The government has also clarified that data processing refers to a “collective set of computerised data actions” such as retention, logging, generation, transformation, use, disclosure, sharing, transmission and disposal.
It has similarly altered the definition of a “critical data storage or processing asset” to “remove reference to ‘wholly or primarily’”.
The Department of Home Affairs will accept submissions until the consultation process ends on 1 February 2022.