
Protecting critical infrastructure from cyber-threats is on the Federal Government’s agenda. It has released a consultation paper, “Protecting Critical Infrastructure and Systems of National Significance”. The government hopes to have change legislated before the end of this year.
Noting that there have been a variety of cyber security incidents of late, such as compromises of the Australian parliamentary network, university networks and key corporate entities, the consultation paper argues that: “We must work together now to ensure Australia’s security practices, policies and laws bolster the security and resilience of our critical infrastructure and position us to act in any future emergency.”
The 11 sectors being examined by Canberra are banking and finance; communications; data and the cloud; defence industry; education, research and innovation; energy; food and grocery; health; space; transport; and water. Clearly, as shown throughout the Covid-19 crisis, our ports and harbours are key to maintaining continuity of the transport and logistics chain.
The Commonwealth plans to introduce an enhanced regulatory framework, building on the Security of Critical Infrastructure Act 2018. In a series of consultations, federal officials have also verbally indicated that the government seeks to build upon the work of any existing sector regulators.
The new framework will be just that: a framework. It will consist of legislated principles-based obligations that will be underpinned by sector-specific guidance and advice.
The key, top-level, elements of the reform include:
- a positive security obligation for critical infrastructure entities, supported by sector-specific requirements;
- enhanced cyber security obligations for those entities most important to the nation; and
- Government help to entities in response to significant cyber-attacks on Australian systems.
The enhanced cyber security obligations will establish the ability of the government to request information that contributes to a near real-time national threat picture, along with owner/operator participation in preparatory activities with government. A scenario-based playbook will set out the response.
Government help for entities will include the set-up of government capability that will enable the authorities to respond to, and disrupt, cyber-attacks. In most cases, it is envisaged that the attacked entity or sector will detect and act on threats. However, there will be an escalating level of government involvement ranging from advice and information provisions, through directing action up to taking over the response when there is a serious threat to Australia’s economy, sovereignty, or security.
Regulated critical transport infrastructure assets will include security regulated or controlled ports, airports, and Australian-regulated ships. Seaports currently identified as “critical” under the Security of Critical Infrastructure Act are Broome, Gladstone, Adelaide, Hay Point, Brisbane, Hobart, Cairns, Melbourne, Christmas Island, Botany, Darwin, Port Hedland, Eden, Rockhampton, Fremantle, Sydney (i.e. Port Jackson), Geelong and Townsville.
Federal officials have indicated in public consultations that they are interested in hearing submissions as to how to regulate in respect of the international freight task.
Overseas, the International Maritime Organization has already produced guidelines on tackling cyber security threats, and it has passed a resolution requiring maritime administrations to ensure that the cyber security threat is appropriately addressed in safety management systems in accordance with the objectives and functional requirements of the International Ship Management Code.
The Federal Government is calling for industry input into the review. Legislation is expected to be introduced during this year with sector-specific workshops next year. Obligations will come into effect in mid-2021.
Further details of the cyber security review, including a copy of the consultation paper, can be found at the website of the Critical Infrastructure Centre.
Submissions can be made by way of a submissions form and the deadline is 5:00pm AEDT on 16 September 2020.