Australian Government legislates to protect critical national infrastructure
By Cameron Abbott, Keely O’Dowd and Sarah Goegan
Protecting Australia’s critical infrastructure from threats is essential to Australia’s national security interests, community safety and the overall quality of life for Australians.
In March 2018, the Australian Parliament passed the Security of Critical Infrastructure Act 2018, which is due to commence on 11 July 2018. The Act imposes new obligations on operators and owners of “critical infrastructure assets” – Australia’s high-risk major ports and electricity, water and gas utilities.
It is evident from the Second Reading Speech and the Explanatory Memorandum that the Australian Government is concerned about managing national security risks arising from foreign involvement in Australia’s critical infrastructure.
The Act requires entities that are responsible for, or have an interest in, Australia’s critical infrastructure assets (for example, water utilities that service at least 100,000 connections) to report operational information and information about the asset’s ownership structure to the Critical Infrastructure Register. This information is intended to assist the Australian Government to understand who owns, controls and has the ability to influence Australia’s critical infrastructure.
Whilst the Act is designed to protect critical services from national security threats, the legislation does not provide much detail about its implications for cyber security. According to the Explanatory Memorandum, reporting entities will need to disclose their IT service provider arrangements and how they manage and maintain data, including whether data is stored offshore or onshore. Further, in certain circumstances, the Minister can direct an entity to improve its cyber security practices if the Minister considers the entity’s practices are prejudicial to security.
We wonder whether this legislation will actually have a significant positive impact on managing national security and cyber risks, or just be another reporting obligation for affected infrastructure asset owners or operators? Also, we question whether storing all of this highly sensitive information in a single register is a wise move from a cyber risk perspective. One would hope this register will be very well protected, otherwise security weaknesses in the register would completely undermine this new Act.