A parliamentary inquiry has recommended the remainder of the federal government’s critical infrastructure cyber security reforms pass with only minor amendment, despite lingering industry concerns over software installation powers.
The bipartisan Parliamentary Joint Committee on Intelligence and Security (PJCIS) released an advisory report on the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 on Friday, recommending it pass with 10 changes.
The bill contains the elements of the Security Legislation Amendment (Critical Infrastructure) Act that were carved out on the committee’s recommendation last year in order to pass the most pressing cyber incident intervention powers.
Under the legislation, nationally significant critical infrastructure assets would be required to undertake “prescribed cyber security activities”, including cyber security exercises and vulnerability assessments.
The bill also contains new last resort powers that could see entities that operate systems of national significance – as declared by the home affairs minister of the day – required to “install and maintain a specified computer program”.
During the inquiry, the committee heard opposition to the installation of systems software by the Australian Information Industry Association, cyber security firm Palo Alto and the Business Council of Australia (BCA).
The BCA, for instance, said the installation of software could lead to instability, and that the involvement of the Australian Signals Directorate may lead to hesitancy for international businesses.
Despite the concerns, the committee made no recommendations, pointing instead to “assurances” from the Department of Home Affairs and the ASD that the power would only be used as a last resort.
It said it had “received evidence from both the department and ASD that most sophisticated entities would be able to provide... reports through existing or current open source tools”, avoiding the need for intervention.
The committee did, however, make a number of recommendations to boost accountability, including a requirement that it be notified within 30 days when the home affairs minister declares a critical infrastructure asset a system of national significance.
Other recommendations include a “fresh round of consultation... to enable further feedback to be incorporated into the draft rules” and “continue[d] industry roundtables for review and improvement of the rules and guidance materials”.
The committee also noted that “the pace of this inquiry has been a theme of key evidence”, but said that the “deteriorating cyber threat environment... necessitates the passage of this bill in the shortest time possible”.
“This accelerated need has driven the perception that the bill may have been rushed, or that the Department has not taken industry concerns seriously, but the committee has ultimately concluded that this is not the case,” it said.
“Fear of the unknown is understandably driving some industry concern; however, that fear should not dictate that the government do nothing and leave critical elements of our industry, services and economy exposed to attack.”
The committee similarly said any costs to be borne by industry as a result of the bill would be outweighed by the “resultant security uplift”, which will “offset potential losses were a serious cyber incident to occur”.