Second critical infrastructure cyber security bill passes parliament

The federal government’s second critical infrastructure bill passed parliament yesterday.

First published as an exposure draft in December, the bill was okayed by the powerful Parliamentary Joint Committee on Intelligence and Security four days ago. 

The passing of the Security Legislative Amendment (Critical Infrastructure Protection) Bill follows the passage of the first half of the government’s critical infrastructure legislation, which passed “swiftly” last November.

Under the bill which passed yesterday, critical infrastructure owners and operators must have an industry-designed risk management program which, where possible, builds on existing regulatory frameworks.

Minister for Home Affairs Karen Andrews said in the Covid era, critical infrastructure sectors have been “regularly targeted by malicious cyber actors seeking to exploit victims for profit”.

“Following Russia’s aggression against Ukraine, it is a sad reality that there is a heightened cyber threat environment globally, and the risk of cyberattacks has increased on Australian networks, either directly or inadvertently,” she said.

The SLCIP bill gives the government the power to declare “systems of national significance”, and for those systems, imposes enhanced cyber security obligations on owners. 

There are also provisions in the bill covering information sharing between regulated entities and government.

One of the SLCIP’s more contested provisions, that critical infrastructure owners may be instructed to install software that reports systeem information back to the Australian Signals Directorate (ASD), remained in the bill that passed parliament.

Organisations like the Business Council of Australia (BCA) and Australian Information Industry Association had opposed this provision, with the BCA saying the involvement of the ASD might make international companies hesitant about doing business here.