New security obligations for Australian Critical Infrastructure Providers: Why?

Rushed, imprecise and unlikely to be enforced? And most importantly, why? 

In November 2020, the Australian government through the Department of Home Affairs released an exposure draft of new security legislation for critical infrastructure providers. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 builds on existing requirements under the Security of Critical Infrastructure Act 2018 (SOCI). The new legislation is expected to be passed quickly, with late 2020/early 2021 the targeted timeframe.

Background

Australia’s 2020 Cyber Security Strategy, released in August 2020, introduced the idea of legislating security requirements for Australia’s critical infrastructure owners and operators. Shortly after that, in mid-September 2020, a discussion paper was released for a 5-week consultation period. Home Affairs received just under 200 submissions during the period.

Notwithstanding the extensive feedback, draft legislation implementing the changes proposed in the discussion paper was released in November 2020, less than two months after the end of the consultation period. Continuing with the aggressive timeframe, around three weeks of consultation is given for the draft legislation, with the federal government seeking to get the final Bill through both Houses of parliament this year.

Security Legislation Amendment (Critical Infrastructure) Bill 2020

The current Security of Critical Infrastructure Act:

  • creates a register of information in relation to critical infrastructure assets (the register will not be made public);
  • requires relevant bodies to provide information in relation to the asset, and to notify of events of concern;
  • allows the Minister for Home Affairs to require the relevant bodies to do, or not do, things where there is a risk to security;
  • allows the Secretary to assess the risk to national security for each asset.

The main objectives of the amending legislation, other than to extend the definition of what is critical infrastructure, are to:

  • require critical infrastructure providers to identify and manage risks relating to critical infrastructure assets; and
  • provide a regime for the government to respond to serious cyber security incidents; and
  • impose enhanced cyber security obligations on responsible entities for systems of national significance in order to improve their preparedness for, and ability to respond to, cyber security incidents.

Exactly how the newly expanded scope of obligations will apply in a sector-specific manner and how those obligations interact with existing regulatory oversight is left for sector specific rules which are intended to be the subject of consultation in the first half of 2021.

What is critical infrastructure?

The short answer is almost everything. The draft legislation defines critical infrastructure as the following sectors: communications, data storage or processing, financial services and markets, water and sewerage, energy, healthcare and medical, higher education and research, food and grocery, transportation, space technology, and the defence industry. In addition, the Minister may privately declare an asset to be a critical infrastructure asset, or a critical infrastructure asset to be a system of national significance (which brings with it additional obligations).

The extension of critical infrastructure reflects how interconnected Australia’s critical infrastructure is, and the risk introduced by the supply chain.  However, it has not been met with unqualified support.  One higher education and research organisation suggested that proactive, co-operative action would have been preferred ahead of an enforced regulatory framework, perhaps involving a sector-wide working group.[1]

Example: Data storage or processing service providers

Any organisation that operates in the data storage or processing sector (which is defined as ‘the sector of the Australian economy that involves providing data storage or processing services on a commercial basis’[2]) will be covered.  According to the Explanatory Memorandum, the sector definition aims to reflect the assets that are critical to maintaining the commercial supply and availability of data and cloud services located in Australia.[3] This includes enterprise data centres, managed services data centres, colocation data centres, and cloud data centres.

Covered organisations must take steps to protect the critical infrastructure sector assets they own or operate.  Things get more complicated here as ‘critical infrastructure sector assets’ held by the organisation must be identified.  An asset is a critical data storage or processing asset if it is owned by a data storage or processing provider and is used wholly or primarily in connection with a data storage or processing service that is provided on a commercial basis to either:

  • A State or Commonwealth government agency or wholly owned corporation; or [4]
  • A critical infrastructure end user for the storage or processing of business-critical data. [5]

In addition, the service provider must be aware that the service is being used in this way.  The owner of the critical infrastructure asset must advise the service provider where the service is being used on a commercial basis and in relation to the processing of business-critical data.[6] Penalties apply to failure to do so.  However, Commonwealth, State and Territory Governments will not be required to notify data and cloud service providers that they are critical data storage and processing assets. In these circumstances, it is expected that the relevant data or cloud service provider will already be aware that they provide services to a Government client. Nevertheless, the Department of Home Affairs will work across the Commonwealth, State and Territory governments to encourage notification as a matter of course.[7]

The Explanatory Memorandum provides that the definition of critical assets aims to capture the physical infrastructure or computing platforms used primarily for storing or processing data on a commercial basis, where the entity knows that it is a direct supplier to specified entities. It covers data centres and cloud service providers that manage data of significance to Australia’s national interest. It is not intended to cover instances where data storage is secondary to, or simply a by-product of, the primary service being offered, for example, accounting services that may result in the storage of some of their client’s data.[8]

Home Affairs has indicated that this threshold would capture at least 100 data centre entities, including those entities on the Digital Transformation Agency’s Government Supply Panel and at least 30 cloud service providers.[9]  I suspect the number is much, much higher.

What is required from Australian critical infrastructure providers?

Risk Management[13]

Under the terms of the draft legislation, critical infrastructure operators must adopt and maintain a risk management program to include the threat from cyber-attacks.  The program must include minimisation or elimination of material risks and mitigation of the impact on assets and must be reviewed on a regular basis.  Penalties apply to non-compliance (at the rate of 200 penalty units for each section which equates to $44,400 at the current penalty unit amount of $222.)

Entities must also report annually on their critical infrastructure risk management program.[14]

The draft legislation gives little indication of what might need to be done to meet these requirements. This will be determined by rules to be issued, following consultation, which will specify the requirements for any risk management program, including the risks to be addressed and the mitigation actions to be taken.[15]

As an indication, the Issues Paper that preceded the legislation suggested the following in regard to identifying and minimising risk and mitigating harm:

  • Identify and understand risks: Entities will have a responsibility to take an all-hazards approach when identifying and understanding risks. This will consider both natural and human induced hazards. This may include understanding how these risks might accumulate throughout the supply chain, understanding the way systems are interacting, and outlining which of these risks may have a significant consequence to core service provision.
  • Mitigate risks to prevent incidents: Entities will be required to have appropriate risk mitigations in place to manage identified risks applicable to their sector. Risk mitigation should consider both proactive risk management as well as having processes in place: to detect and respond to threats as they are being realised; and plan for disasters and have a way to lessen the negative impact were it to actually occur. The regulated entity will be responsible for engaging with the regulator to ensure that identified risks and proposed mitigations are proportionate to the risks, while also considering the business, societal and economic impacts.
  • Minimise the impact of realised incidents: Entities will be required to have robust procedures in place to recover as quickly as possible in the event a threat has been realised. This may include ensuring plans are in place for a variety of incidents, such as having back-ups of key systems, adequate stock on hand (such as medicines), redundancies for key inputs, out-of-hours processes and procedures, and the ability to communicate with affected customers.

Notification of cyber security incidents[16]

Cyber security incidents impacting on specified assets may need to be reported to relevant Commonwealth regulators.

A cyber security incident is any act that involves the unauthorised access to, modification or impairment of the availability, reliability, security or operation of a computer, computer data or a computer program or the unauthorised impairment of electronic communications to or from a computer.[17]

Notice must be given as soon as practicable and in any event within 12 hours after the organisation becomes aware of a cyber security incident that may have a significant impact.[18] For less serious incidents, notice must be given as soon as practicable and in any event within 24 hours.[19] Notice can be given orally or in writing. If given orally, written notice is required within 48 hours after the verbal notice.[20]

Notice must be given to the Commonwealth regulator responsible for the particular sector involved.[21] Penalties for non-compliance are lower than for the risk management sections, limited to 50 penalty units (or $11,100 at the current unit rate). There is no organisational or personal liability for giving or failing to give notice provided it is done in good faith.

The Commonwealth is given a series of additional powers in responding to serious cyber security incidents (which are those where the incident is likely to seriously prejudice the social or economic stability of Australia or its people, the defence of Australia or national security). The Issues Paper referred to the government having enhanced powers to step in and take control of a company in the event of a significant cyberattack. The draft legislation hands the government the power to take control of a company in the event of a cyberattack as a last resort, or to direct the firm to do or not do something.[22] This includes the ability to direct that an organisation do or refrain from doing specified acts or things within a specified period.[23] This might also involve providing the government with access to a computer, the analysis of computer data, or the alteration of computer data or of the functioning of a computer.

Cyber security obligations for systems of national significance[24]

Stricter security obligations apply to systems of national significance. These additional obligations include:

  • Incident response planning (including drafting, reviewing and updating incident response plans and providing a copy to the Secretary);[25]
  • Undertaking cyber security exercises (including preparing and delivering an evaluation report).[26] If the regulator is not happy with the internal evaluation report, an external report can be commissioned;[27]
  • Undertaking vulnerability assessments;[28]
  • Providing periodic reporting of system information and event-based reporting.[29] The government may also require the organisation to install system information software to support the preparation of reports[30] and to send data directly to ASD (to be required via a System Information Software Notice).

What else?

In addition to their statutory powers, it is reported that government assistance will be provided to industry in response to immediate and serious cyber attacks on Australian systems.  The Minister of Home Affairs stated that “We will continue to work closely with industry and other stakeholders to implement our plan to secure essential services – electricity, water, groceries and so on – without imposing an unnecessary regulatory burden.”

Consultation on Sector-specific rules

After the legislation is passed, a series of further consultations will take place with each impacted sector to inform the development of the sector-specific rules. These rules are critical to the implementation of the reforms, and will determine, among other things:

  • the critical infrastructure assets covered, and
  • the way in which the new positive security obligations will be switched “on or off”.

What are the consequences of non-compliance?

The Act will include civil penalty provisions which may be enforced using civil penalty orders, injunctions or infringement notices.  Enforceable undertakings may also be accepted in relation to compliance with civil penalty provisions.

The Department of Home Affairs will be responsible for managing compliance and is given regulatory powers under the Regulatory Powers

Some issues

Rushed?

Submissions made during the consultation period for the initial issues paper raised numerous concerns, particularly around the large number of companies that would now be subject to the new obligations, as well as the government’s new powers to intervene and take control of a company as a last resort.

For example, Amazon Web Services (AWS) called for a “robust” consultation process, including a regulatory impact statement and a review by the Parliamentary Joint Committee on Intelligence and Security.  “Given the significant changes to the scope, application and content of the laws, it is important that the government, and the Parliament, work methodically through the new framework and the regulatory regime,” AWS said in the submission.

It seems unlikely that full consideration could have been given to these submissions prior to the issuing of the draft legislation. All indications are that the legislation is to be passed by early 2021 at the latest. It is not clear why the legislation is being pushed through so quickly, or what benefits are to be gained from the curtailed consultation periods.

Enforcement of principles-based regulation?

The explanatory memorandum provides that regulators will enforce the requirements through flexible administrative measures and graduated enforcement powers (set out in the Act or enabling legislation, in addition to existing powers they may hold).

Recognising that a ‘one-size-fits-all’ approach is not appropriate for the diverse organisations covered, the legislation is built around principles-based obligations (high-level requirements rather than ‘bright line’ or precise, detailed rules), with many matters left to regulations for further clarification. By design, principles-based legislation is focused on outcomes and the flexible application of solutions to meet those identified outcomes. The government has announced that the legislation will be underpinned by sector-specific guidance and advice, proportionate to the risks and circumstances faced by each sector.

Historically, principles-based regulation has raised issues and has been largely discredited. Many commentators point to the global financial crisis as an example of the consequences of the failure of a principles-based regulatory system.[32] Given the spotlight on regulatory failures by even the most prominent of the Australian regulators, it is not clear how the enforcement of this regulation will fare any better, particularly given that the regulators responsible for the different regulated sectors have not been identified.[33]

Extended Application

Although the application of the legislation will be tempered by the regulations to be issued, the starting point for the definitions of the sectors that are covered is very broad. The extension to higher education and research; food and grocery; health care and medical; and data service providers in particular may be problematic, particularly for smaller service providers.

One consequence may be that cloud service providers stop providing services to government agencies or government owned organisations, as that will bring them within the application of the legislation.

Double reporting of cyber incidents?

There does not seem to be provision for multiple reporting of incidents. For example, where a data processor has a cyber security incident, does it report, or does the agency it supports report?

Will the same incident be reported to different agencies, for example where the data processing organisation supports multiple critical infrastructure organisations?

Given the definition of business critical data, it’s likely that a cyber security incident will also be reportable to the Office of the Australian Information Commissioner. How is that agency to work with other government bodies who may be receiving notice of the same incident?

Similar issues may apply to the operation of other sector-specific legislation that imposes security obligations, such as the APRA prudential standard CPS 234 or the TSSR provisions applying to telecommunications providers in the Telecommunications Act 1997 (Cth).

Penalties

The penalty regime is weak. Civil penalties are between 50 and 200 units (approximately $10,000 – $44,000). These do not seem to be at a level likely to have a significant impact on the revenues of many of the organisations covered.

Why?

Perhaps the biggest question remains over the reason for the legislation. The Explanatory Memorandum refers to potential catastrophic attacks on critical infrastructure, and refers to ‘near misses’ including:

  • over the last two years, we have seen several cyber attacks in Australia that have targeted the Federal Parliamentary Network, as well as the transport and education sectors;
  • malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber attacks on health organisations and medical research facilities; and
  • key supply chain businesses transporting groceries and medical supplies have also been targeted.

Although no-one argues that the threat landscape is increasingly hostile, and Australian organisations have not been world leaders in implementing security protections, there is no evidence that the Federal Government is going to be able to do a better job in managing the risk or responding to cyber security incidents. Generally, Federal Government agencies could not be regarded as setting

[1] Security Legislation Amendment (Critical Infrastructure) Bill 2020 – IRU submission.

[2] Section 5, Amended Legislation.

[3] Explanatory Memorandum, 15.

[4] Section 12F(1), Amended Legislation.

[5] Section 12F(2), Amended Legislation.

[6] Business critical data is any sensitive information or personal information relating to at least 20,000 individuals. Section 5, Amended Legislation.

[7] Explanatory Memorandum, 16.

[8] Explanatory Memorandum, 16.

[9] https://www.zdnet.com/article/critical-infrastructure-definition-to-span-communications-data-storage-and-space/

[10] Explanatory Memorandum, 19.

[11] Explanatory Memorandum, 19.

[12] Explanatory Memorandum, 22.

[13] Part 2A, Critical infrastructure risk management programs.

[14] Part 2A, Critical infrastructure risk management programs.

[15] Section 30AL, Amended Legislation.

[16] Part 2B, Critical infrastructure risk management programs.

[17] Section 12M, Amended Legislation.

[18] Section 30BC, Amended Legislation.

[19] Section 30BD, Amended Legislation.

[20] Section 30BC and Section 30BD, Amended Legislation.

[21] Section 30BF, Amended Legislation.

[22] Part 3A, Responding to serious cyber security incidents.

[23] Part 3A, Responding to serious cyber security incidents – Division 4 – Action directions.

[24] Part 2C, Enhanced cyber security obligations.

[25] Part 2C, Enhanced cyber security obligations – Division 2 – Statutory incident response planning obligations.

[26] Part 2C, Enhanced cyber security obligations – Division 3 – Cyber security exercises.

[27] Section 30CR, Amended Legislation.

[28] Part 2C, Enhanced cyber security obligations – Division 4 – Vulnerability assessments.

[29] Part 2C, Enhanced cyber security obligations – Division 5 – Access to system information.

[30] Section 30DJ, Amended Legislation.

[31] KWM | Exposure draft of the Critical Infrastructure Bill 2020 provides some answers, questions remain.

[32] The Rise, Fall and Fate of Principles Based Regulation by Julia Black :: SSRN.

[33] Royal commission cooks up a regulatory failure | Investment Magazine.