Legislation that will give Australia’s cyber spooks the power to defend networks and systems of critical infrastructure against cyber attacks - much to the alarm of global tech companies - has been introduced to parliament.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced by Home Affairs Minister Peter Dutton on Thursday, just a month after the release of the exposure draft.
The bill will give effect to an “enhanced regulatory framework” for critical infrastructure and systems of national significance, building on the Security of Critical Infrastructure Act (SOCI) passed back in 2018.
It will apply to not only the electricity, gas, water and port entities currently regulated under the SOCI Act, but communication, “data storage and processing” and financial services and markets.
Defence industry, high education and research, food and grocery, healthcare and medical, space technology, transport, and water and sewerage will now also be recognised as critical infrastructure.
The bill does not extend to government, although Home Affairs boss Mike Pezzullo has previously said that a separate scheme could designate certain assets within government as critical infrastructure.
Under the proposed laws, critical infrastructure operators will be subject to a new “all-hazards positive security obligation” that will see companies required to hand over ownership and operational information.
The legislation also includes “enhanced cyber security obligations” for operators of systems of national significance that could see companies directed to undertake “prescribed” activities.
Activities could include the development of cyber security incident response plans, cyber security exercises, and vulnerability assessments, according to the bill’s explanatory memorandum.
The legislation also includes “last resort” assistance powers that, in “exceptional circumstances”, will allow the governement to intervene in a cyber incident deemed serious by the Home Affairs Minister.
The powers will allow the Australian Signals Directorate to install programs, “access, add, restore, copy, alter or delete data”, alter the “functioning” of hardware or remove it entirely from the premises.
It is this government assistance power that has drawn the ire of the tech community, with Microsoft, Amazon Web Services, Telstra, Cisco and Salesforce all having raised concerns about the power.
Microsoft called for more checks and balances before government intervention is allowed, while Cisco said it remained unclear how targeted intervention could occur for companies that worked across multiple geographies.
AWS was similarly worried that the powers “may give government overly broad powers to issue directions or act autonomously”.
But introducing the bill on Thursday, Dutton said there was a need for the laws in order to respond to cyber attacks, which are increasingly prevalent.
“Critical infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation's wealth and prosperity, and national security,” he said.
“While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune.
“Australia is facing increasing cyber security threats to essential services, businesses and all levels of government.”
Dutton said that while “owners and operators of critical infrastructure are best placed to deal with such threats”, positive change requires a “team effort”.
He added that the government’s last resort powers would only take effect if the entity is “unwilling or unable to take responsible steps to resolve the cyber security incident”.
Intervention also requires the agreement of the Prime Minister and Defence Minister.
Dutton committed to continue consultations “to ensure the reforms are operationalised in the most appropriate and effective manner” and “impose the least regulatory burden”
Co-design of sector specific standards with industry, as well as economic modelling of sector specific obligations, will begin in January.
If passed, the enhanced cyber security obligations, positive security obligations and governance assistance powers contained in the legislation will commence on 1 July, 2021.