Security Legislation Amendment (Critical Infrastructure) Bill 2020; and Review of the Security of Critical Infrastructure Act 2018 (Cth)
This submission to the Parliamentary Joint Committee on Intelligence and Security (Committee) was prepared by the Law Council of Australia in response to the Committee's review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Bill), which proposes to amend the Security of Critical Infrastructure Act 2018 (Cth) (SCI Act). The Bill is substantially the same as an exposure draft version of the Bill (ED Bill) released by the Department of Home Affairs (Department) in November 2020.
The Committee is concurrently undertaking a statutory review of the SCI Act. While the Law Council’s submission focuses on the Bill, the issues raised about secrecy provisions and oversight arrangements are equally relevant to the existing SCI regime. The issues raised in the Law Council’s submission of 3 December 2020 to the Committee’s statutory review of the telecommunications sector security regime (TSSR) in Part 14 of the Telecommunications Act 1997 (Cth) (Telecommunications Act) are also relevant, with respect to risks of duplication and inconsistency between the SCI regime and the TSSR.
The Law Council acknowledges the policy objective of creating a national regulatory framework for the security of critical infrastructure that is privately owned or owned by a State or Territory. The Law Council also welcomes the stated intent to ensure that the regulatory burden of the new regime is proportionate. It supports the government’s stated commitment to taking a risk-based and measured approach to enforcement and intervention in responding to cyber security incidents affecting critical infrastructure assets.
The Law Council seeks to ensure that these objectives are given full legislative expression, and to avoid unintended consequences. The SCI Act should contain safeguards which require the scheme to operate in a proportionate and accountable way, rather than this outcome being reliant on executive discretion. Key issues include:
- expanded security obligations: proposed Parts 2A, 2B and 2C of the SCI Act, together with the expanded definition of a ‘critical infrastructure asset’, confer overly broad delegations of legislative power to determine the application and substance of regulatory obligations. This will have flow-on effects for foreign investment laws;
- ministerial authorisation regime for governmental intervention in serious cyber security incidents affecting private critical infrastructure assets: there are several instances of overbreadth and imprecision in provisions of new Part 3A of the SCI Act, which prescribe the scope, thresholds and authorisation process for this significant and novel intervention power, and associated legal immunities;
- independent review and oversight arrangements: there are limitations in the availability and effectiveness of review and oversight mechanisms for the expanded regulatory regime. This includes the impact of secrecy provisions; inadequate review rights; and the lack of an inspection function for the Commonwealth Ombudsman in relation to the Department’s activities;
- expanded enforcement powers: the necessity and proportionality of the proposed monitoring and investigation powers have not been established, and there is overbreadth in the classes of persons who are authorised to exercise them;
- immunities: there are inadequate safeguards in the immunities for staff members of the Australian Signals Directorate (ASD) under the SCI Act, and the amendments to the Criminal Code Act 1995 (Cth) (Criminal Code). There are also limitations in the scope of the proposed immunities for the personnel of regulated entities; and
- implications for cyber insurance contracts: the Bill does not clearly provide for the interaction of entities’ obligations under the expanded SCI regime with their existing contractual obligations, especially under cyber insurance contracts. An owner or operator of an asset may be obliged under their cyber insurance contract to undertake certain risk-management activities, and disclose certain information to their insurer, which could conflict with the entity’s obligations under the SCI regime. In the worst-case scenario, this could invalidate their insurance cover. The extrinsic materials do not advert to this risk or detail the intended approach to managing it.