Security Legislation Amendment (Critical Infrastructure) Act 2021

By Mike Trovato

Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) - An Act to amend legislation relating to critical infrastructure, and for other purposes

As of December 2021, SLACI is now law. It was the first of two additions to the Security of Critical Infrastructure Act 2018 (SOCI Act), which initially covered only four industry sectors. SLACI expanded the law to apply to 11 industry sectors and added notification requirements which do not align with, but are generally supportive of, the Notifiable Data Breaches (NDB) Scheme.

The second bill will start the consultation process shortly and contains additional requirements which could require significant effort for a regulated entity to comply with. Most of the obligations for the first bill still need to be ‘switched-on’ by the Minister for Home Affairs, with assets already proposed by the Cyber and Infrastructure Security Centre (CISC).

The first bill (SLACI):

  • Extends the definition of critical infrastructure from 4 to 11 sectors and extends the existing reporting requirements to those sectors.

  • Mandates timely cyber incident reporting for specified critical infrastructure.

  • Legislates government assistance measures (i.e., information gathering, action requests, intervention requests) by providing powers to respond to security incidents which seriously prejudice Australia’s prosperity, national security, or defence.

The second bill will arguably have a bigger impact on regulated entities and looks to:

  • Introduce additional Positive Security Obligations and a Risk Management Program, which will be applied to entities responsible for critical infrastructure.

  • Introduce Enhanced Cyber Security Obligations, including vulnerability reporting and cyber incident response planning and exercises, for entities responsible for assets most critical to the nation (known as systems of national significance).

Critical Infrastructure owners and operators are required to report a cyber security incident if they are captured by the critical infrastructure asset definitions, within:

  • 12 hours if the incident has a significant impact on the availability of the asset (with a written report due within 84 hours); or,

  • 72 hours if the incident has a relevant impact on the availability, integrity, reliability, or confidentiality of the asset.

These changes are likely to support better privacy through enhanced data protection and urgent notification, increasing the spotlight on assessment for CI and NDB purposes.

News and notables – November 2021

By Mike Trovato and Chong Shao

In our third newsletter in 2021, we pointed to two recent privacy and security stories of note:

  • The Critical Infrastructure Bill

  • IIS makes submission on DTA Digital Identity Legislation

The Critical Infrastructure Amendment Bill 2020 

The rapidity with which cyber threats are evolving and the stress on the systems created by the COVID-19 crisis have been driving further government response. Following Australia’s Cyber Security Strategy 2020, the Department of Home Affairs introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (the Draft Bill) into Parliament.

The Draft Bill seeks to amend the Security of Critical Infrastructure Act 2018, which currently applies to operators of assets in only four critical infrastructure sectors: electricity, gas, water and ports. It proposes to extend the Act to 11 sectors, including communications, financial services, data storage and processing, defence industry, higher education and research, energy, food and grocery, and transport.

The proposed amendments introduce wider powers for the Federal Government, with the ability to intervene and direct organisations to provide information or do specified acts when responding to a cyber security incident. It also puts forward new obligations: a ‘positive security obligation’ for critical infrastructure, including mandatory cyber incident reporting and a risk management program, and enhanced cyber security obligations for systems deemed to be of ‘national significance’.

The Draft Bill creates opportunities but also challenges for the sectors concerned, as it increases the complexity of the regulatory landscape applying to information security and creates an additional reporting burden. It has also raised concerns across the professional cyber security industry in relation to excessive Government powers.

IIS is supportive of the government’s efforts to improve cyber security resilience and hopes that the numerous submissions offered in November 2020 will be used to improve the legislation so that entities take a primary role in improving their resilience to attacks.

IIS makes submission on Exposure Draft of the DTA’s Trusted Digital Identity Bill

IIS participated in the Digital Transformation Agency’s call for submissions on the DTA Trusted Digital Identity Legislation. IIS Lead Privacy Advisor, Malcolm Crompton and IIS Managing Director Michael Trovato drafted an extensive paper addressing the Legislation’s intention to help expand the Australian Government’s Digital Identity system into a whole-of-economy Digital Identity solution by establishing robust governance, strengthening data and consumer protections, and enabling entities in other digital identity systems to apply for Trusted Digital Identity Framework (TDIF) accreditation.

IIS Lead Privacy Advisor, Malcolm Crompton and IIS Managing Director Michael Trovato submitted an extensive paper during the consultation process, with an emphasis on respecting and protecting individuals’ interests. IIS subsequently consulted with DTA and provided a submission on the Exposure Draft Bill.

Key to IIS’ position on the design of the Legislation is recognising that digital identities obtained and verified through TDIF are likely to dominate every aspect of the lives of individuals, as digital continues to increase its dominance of how lives, business and government are conducted. Indeed, the policy intent is that TDIF facilitates this evolution.

Overall, IIS identified that more emphasis needs to be placed on the system being respectful of Users as individual people, not just economic units, and on it being symmetric in its treatment of the parties.

We raised the following key points:

  • Ensuring that Users / advocates will have continuing and genuine influence as the system evolves.

  • Effective governance, compliance, enforcement, and remediation/redress for the individual User.

  • Protection from (or genuine oversight of) surveillance by law enforcement and national security agencies.

  • Ensuring that alternatives to using the TDIF system continue to be available for years to come, if not forever. There must be genuine alternatives to the use of digital identities (i.e., practical, available, not cumbersome or coerced); otherwise, any ‘consent’ is rendered meaningless and arguably invalid under law.  

Once again, you can read the full submission here.