"Imagine a day without power or water because the systems that reliably deliver these services to our homes and our businesses have been attacked or deliberately disrupted."
Minister for Home Affairs, Second Reading Speech, Security Legislation Amendment (Critical Infrastructure) Bill 2020
In recent years, Australia has faced extreme challenges and threats including a global pandemic, political uncertainty, ravaging bushfires, extreme weather conditions and destabilising world events.
From unprecedented flooding to ageing coal-fired power stations, the impact on Australia's critical infrastructure - that is, the assets that deliver critical services like water, electricity and other utilities - has been the subject of great consideration.
However, the threat to Australia's critical infrastructure extends far beyond physical events. Cyber attacks represent an increasing threat to critical infrastructure, as evidenced by the notable 2021 Colonial Pipeline and JBS Foods ransomware attacks, the 2020 Toll data breach and the 2019 Australian Parliament House data breach.
Acknowledging this, in 2020 the Australian Government indicated it would play a greater role in protecting Australia's critical infrastructure in the event of a national emergency, as set out in its Cyber Security Strategy 2020.
The strategy signalled the introduction of new laws that would allow it to provide "reasonable and proportionate directions to businesses to minimise the impact of an incident and take direct action to protect systems during an emergency".1 We note the strategy was released by the former Coalition Government.
In December 2021, the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) came into effect. This amending Act provides the Australian Government with "last resort" powers to respond to a serious cyber security incident relating to critical infrastructure assets in critical infrastructure sectors (see new Part 3A of the Security of Critical Infrastructure Act 2018 (Cth)).
Critical infrastructure sectors are broadly defined as the:
- communications sector;
- data storage or processing sector;
- financial services and markets sector;
- water and sewerage sector;
- energy sector;
- health care and medical sector;
- higher education and research sector;
- food and grocery sector;
- transport sector;
- space technology sector; and
- defence industry sector.
Critical infrastructure assets for each sector are also broadly defined.
Last resort government assistance powers
The last resort powers allow the Minister for Home Affairs to authorise the Secretary of Home Affairs to:
- give directions to a specified entity for the purposes of information gathering in respect of a cyber security incident;
- give directions to a specified entity requiring the entity to take certain actions or do certain things in response to a cyber security incident; and
- request an authorised government agency to provide assistance in responding to a cyber security incident.
Penalties for non-compliance
Failure by a specified entity to comply with an authorisation may attract civil penalties or imprisonment in more serious cases.
Conditions to Ministerial powers
The exercise of a Ministerial authorisation is subject to the following conditions:
- material risk: the Minister for Home Affairs must be satisfied that there is a material risk that the incident has or will seriously prejudice the social or economic stability of Australia or its people, the defence of Australia or national security;
- reasonably necessary: authorised direction or action must be reasonably necessary and proportionate, and technically feasible to comply with by the specified entity;
- intervention: in the case of an intervention authorisation, the government must only take action if the specified entity is unwilling or unable to take all reasonable steps to resolve the cyber security incident; and
- authorisation: the Minister for Home Affairs must obtain agreement from the Prime Minister and the Defence Minister before authorising a request to directly intervene in relation to a cyber security incident.
If the Secretary of Home Affairs gives an information gathering direction, action direction or makes an intervention request in relation to a cyber security incident, the Secretary must give the Parliamentary Joint Committee on Intelligence and Security a written report about the incident.
Notably, the exercise of the government assistance powers in Part 3A of the Security of Critical Infrastructure Act 2018 (Cth) is not subject to judicial review under the Administrative Decisions (Judicial Review) Act 1977 (Cth).
New Part 3A of the Security of Critical Infrastructure Act 2018 (Cth) significantly enhances the government's powers to intervene in the event of a serious cyber security incident affecting an Australian critical infrastructure asset.
It is anticipated that the new powers will be used carefully and judiciously, particularly in the case of the Minister for Home Affairs authorising an intervention request. The lawful exercise of the new powers is a complex exercise, requiring a technical and legal assessment in a high-risk situation. Prescriptive procedural steps must also be followed by the Minister to give a lawful authorisation.
Consequently, it is expected that the exercise of the Ministerial authorisation powers will be reserved for cyber security incidents that have serious social or economic, national security or defence implications and be used as a last resort measure.
1 Commonwealth of Australia, Australia's Cyber Security Strategy 2020, p 39.
2 Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth), section 21.
3 Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth), section 21 (adding section 8D to the Security of Critical Infrastructure Act 2018 (Cth)).
4 Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth), section 21 (adding section 8E to the Security of Critical Infrastructure Act 2018 (Cth)).