Australia publishes consultation paper, proposes changes to cybersecurity legislation to protect critical infrastructure

The Australian government published Tuesday a consultation paper on new cybersecurity legislation, which proposes changes to the Security of Critical Infrastructure (SOCI) Act. In line with the government’s commitment to making Australia a world leader in cybersecurity by 2030, the document outlines that the government is looking at introducing a last-resort consequence management power for the Minister for Home Affairs to authorize directions to a critical infrastructure entity, with safeguards in place and where no other powers are available, to manage the consequences of incidents that may impact the availability, integrity, reliability or confidentiality of critical infrastructure.

The consultation paper outlines two areas of proposed legislative reform – new legislated initiatives to address gaps in existing regulatory frameworks, and amendments to the SOCI Act to strengthen the protection of Australia’s critical infrastructure. These reforms will strengthen the country’s cyber shields and provide better protection to Australian citizens and businesses. Addressing these issues will help to build basic cyber risk mitigations across the economy, apart from helping citizens and businesses engage in the digital economy.

The Australian Government invites written submissions on the Consultation Paper. Written submissions will close at 5.00 PM AEDT, Friday 1 March 2024. Submissions on this Consultation Paper are welcome from all stakeholders including critical infrastructure entities, government, academia, and members of the general public. 

The SOCI Act is the primary framework for the regulation and protection of Australia’s critical infrastructure. Amendments to expand the scope of the SOCI Act to better capture the complexities and interconnectedness of Australia’s critical infrastructure occurred in two tranches in December 2021 and April 2022. These amendments expanded its application from four sectors to 11 sectors and 22 asset classes.

“Following recent cyber incidents, stakeholders across industry and the broader Australian community have expressed a strong desire for the Government to have the right tools to respond quickly to cyber incidents,” the Consultation Paper identified. “Recent incidents impacting critical infrastructure highlighted that there are a number of gaps in the SOCI Act that limit our ability to prepare, prevent, and respond to cyber incidents. We cannot delay implementing lessons learned from recent incidents.”

To implement the Strategy and Action Plan, the Australian Government is committed to continuing close consultation with industry and civil society. “We need to work together to enable our citizens and businesses to prosper and bounce back quickly after a cyber incident. This Consultation Paper outlines a number of legislative reforms included in the Action Plan. These legislative reforms aim to strengthen our national cyber defences and build cyber resilience across the Australian economy,” it added. 

Additionally, the Consultation paper seeks “your genuine consideration of the proposed reforms and ask for your feedback on the proposed design and implementation of these measures. Your engagement is critical to ensure that these reforms are fit for purpose and address the needs of Australian citizens and businesses.”

Apart from the proposed legislative reforms in the paper, the government will work with industry and civil society to co-design other initiatives in the Strategy and Action Plan. These initiatives are out of the scope of this Consultation Paper but will be consulted through separate processes. Consultation on these initiatives will be closely coordinated with consultation on the proposed reforms in the Consultation Paper. This consultation process will also be coordinated with other adjacent programs of work across the Government, including the Privacy Act Review. 

Furthermore, in addition to legislating a limited use obligation for cyber incident information provided to the Australian Signals Directorate (ASD) and the Cyber Coordinator, the government is also exploring options to develop an interim non-legislative mechanism for ASD.

As part of the Cyber Security Strategy discussion paper, the Australian Government considered the viability of a Cyber Security Act that harmonizes a broad spectrum of domestic cybersecurity legislation into a unified instrument. Feedback on the process identified other opportunities to improve cybersecurity regulatory processes. 

The consultation paper seeks inputs on legislative options to address gaps in current regulatory frameworks, as identified in the Strategy and Action Plan. These measures include mandating a security standard for consumer-grade Internet of Things (IoT) technology to incorporate basic security features by design and help prevent cyber attacks on Australian consumers; and creating a no-fault, no-liability ransomware reporting obligation to improve the collective understanding of ransomware incidents across Australia.

It also calls for creating a ‘limited use’ obligation to clarify how the ASD and the Cyber Coordinator use information voluntarily disclosed during a cyber incident, to encourage industry to continue to collaborate with the government on incident response and consequence management; and establishing a Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned to improve national cyber resilience.

The Australian government has also committed to consulting on options to reform the SOCI 2018 Act to address gaps identified following recent major cybersecurity incidents. Reviews of these incidents indicated that there are opportunities to clarify and strengthen existing cybersecurity obligations on critical infrastructure sectors captured under the SOCI Act. 

This part of the consultation paper will seek views on clarifying obligations for critical infrastructure entities to protect data storage systems that store ‘business-critical data’, where vulnerabilities in these systems could impact the availability, integrity, reliability, or confidentiality of the critical infrastructure.

It will also look at introducing a last-resort consequence management power for the Minister for Home Affairs to authorize directions to a critical infrastructure entity; simplifying information sharing to make it easier for critical infrastructure entities to respond to high-risk, time-sensitive incidents; providing a power for the Secretary of Home Affairs or the ‘relevant Commonwealth regulator’ to direct a critical infrastructure entity to address deficiencies in its risk management program; and consolidating security requirements for the telecommunications sector under the SOCI Act.

Recognizing the current heightened geopolitical and cyber threat environment in Australia, the paper notes that the nation’s critical infrastructure is increasingly vulnerable. Cyber attacks targeting critical infrastructure have become highly profitable for malicious state actors and cybercriminals. According to ASD’s Annual Cyber Threat Report 2022–23, ASD responded to 143 cyber incidents specifically related to critical infrastructure. This accounts for approximately 13 percent of its total cyber incident reporting during this period.

The consultation paper identifies critical infrastructure entities as valuable targets, as they provide essential services to support Australian life and business – including electricity, water, health, transport, logistics, and telecommunication networks. 

“While many cyber attacks are focused on exfiltration of data from corporate databases, there is also a risk of lateral transfer to operational technology or network infrastructure,” the paper recognizes. “Large-scale attacks on these systems could cause major outages of essential services, resulting in widespread disruption of the Australian economy and our society. In extreme cases, outages of essential systems could lead to loss of life.”

For the proposals to achieve their goals, the consultation paper states, “we are committed to ensuring that the benefits outweigh any regulatory impact. We aim to build a full picture of the impacts and will need your detailed input to develop a comprehensive assessment. In addition to the financial impacts, we welcome views on the impacts of measures on affected entities’ ability to utilise and share data.”

It added that it “will shortly release a schedule of sector-specific impact analysis sessions, which we also encourage you to attend. These sessions will include time for questions and answers to discuss the details of the proposals and any other concerns. We will provide you with costing templates before or during these sessions and guide you through them. This will allow us to fully appreciate the impacts of the proposed reforms.”

The government will also run a series of general town hall meetings and sector-specific meetings, and be available for bilateral discussions during the consultation period. “Feedback from written submissions and face-to-face engagement will be used by the Department to refine the legislative proposals described in this Consultation Paper. Your feedback will help us fully understand the costs and benefits of options to inform the policy development process and advice to Government. Any regulatory burden will be carefully considered alongside the benefit from proposed changes to strengthen our cyber resilience and posture,” it added.

After reviewing the feedback on the proposals in the consultation paper, the department will provide advice to the government on new legislation implementing the proposals to be considered in 2024.