The Security Legislation Amendment (Critical Infrastructure Bill) 2020 is currently working its way through parliament and has the potential to dramatically change the scope of the security expectations for a wide range of organisations.
The goal of the amendments, according to the Government’s explanatory document (pdf), is to protect “the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure.”
These threats, the document states, range from “natural hazards (including weather events) to human induced threats (including interference, cyber attacks, espionage, chemical or oil spills, and trusted insiders).”
The amendments include a widening of the kinds of infrastructure seen as ‘critical’, regulations around reporting times for breaches, and mandates for Governmental involvement in responses.
This is the first of several articles that will outline the parts of the bill that are most relevant to the IT channel, with commentary from experts from cybersecurity consultancy The Secure Board and ASX-listed cybersecurity provider Tesserent.
This piece will cover the experts’ reaction to the bill as a whole and the types of organisations that would be included were the bill to pass in its current form.
Tesserent chief information officer Michael McKinnon said the bill “is fairly in line with what we see in other areas of regulation around cybersecurity and related areas.
“[The] Australian government is acknowledging that cyber warfare is an unfolding growth area that needs to be addressed, and the only way to address that is to seek participation from critical infrastructure operators, so that if Australia is ‘under attack’, then we're able to respond as a country in a coordinated and effective way, and the government has the participation of those other parties.”
The Secure Board co-directors Anna Leibel and Clare Pales also both consider the bill to be a good thing for the future of cybersecurity in Australia.
“It's a positive because it's prioritising cyber, and I think that if we need a bill to do that, then we need a bill to do that,” Leibel said.
“It's appropriate for now to make sure that it's going to get the focus that it needs and set a level of standard that's expected, but I don't think it's going to be enough.”
Pales added that the recent spate of cyberattack activity has meant that “it's obviously come to a position where legislation is seen to be required in order to get organisations to take action.
“We see it as a positive, being part of the industry, and hopefully over time other organisations will see it as a positive because they're given some guidance, they're given direction, and they’re helped along the path to becoming more secure.”
While all three of the experts agree that there may be details that need ironing out, they also all state that much of the knee-jerk reaction from affected organisations may be down to a fear of the extra costs that compliance will incur.
The orgs now considered critical
Critical infrastructure assets in the law as it stands currently include critical gas, water and electricity assets and critical ports.
The current Security of Critical Infrastructure Act 2018 goes into greater detail about certain thresholds that need to be crossed in order for each of these to be considered ‘critical’.
Under the new bill, this list would be expanded to encompass 11 sectors in total.
In alphabetical order, the new list covers:
- communications, including critical telecommunications, broadcasting and domain name systems;
- data storage or processing;
- defence industry;
- energy sector, including electricity, gas, energy market operators and liquid fuel;
- financial services and markets, including banking, superannuation, insurance and financial market infrastructure;
- food and grocery;
- health care and medical;
- higher education and research;
- space technology, including anything related to the commercial provision of space-related services such as position, navigation and timing services; situational awareness services; weather monitoring and forecasting; communications, tracking and telemetry; remote sensing earth observations from space; and facilitating access to space;
- transport, including port, freight infrastructure, freight services, public transport and aviation; and
- water and sewerage.
Where the original act describes what constitutes a ‘critical asset’ in specific terms, the amendment bill is vaguer.
There are some (rather wordy) guidelines, for example a critical domain name system is one that “is managed by an entity that … is critical to the administration of an Australian domain name system.”
According to sections 9 and 51, it will be the Minister for Home Affairs (currently Karen Andrews) who will be responsible for deciding what is or is not critical infrastructure in consultation with state or regional Ministers.
While many of the listed sectors may seem intuitive to include, some may appear to be outliers.
Tesserent’s McKinnon took the example of the grocery sector to highlight why some of these may have been included.
“Woolworths, for example, ... they have so many employees – one of the largest employers in the country. If they were to suffer some disruptive event, it's the livelihoods of their employees, and the supply chain and all those other things. So it's about protecting the nation as a whole.”
McKinnon described these companies as almost being victims of their own success: they have positioned themselves so firmly in the day-to-day operations of society that threats to them have become threats to the continued safety and health of the country’s population.
“It's almost a critical infrastructure tax in a way – you're so big, so important to the nation that now the government is insisting that you do everything you can to ensure that you remain open and operating in an undisrupted way.”
In the coming articles, the reporting regulations and Government intervention mandates will be looked at, followed by some general advice from the experts on how organisations can ensure they are prepared if or when this bill becomes law.