Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests |
Purpose: This bill seeks to protect the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure.
Portfolio: Home Affairs
Introduced: House of Representatives on 10 February 2022
Bill status: Currently before the Senate
2.35 In Scrutiny Digest 2 of 2022 the committee requested the minister's advice as to why it is considered necessary and appropriate to leave each of the above matters to delegated legislation.[2]
Minister's response[3]
2.36 The minister advised:
A disruption to critical infrastructure could have serious implications for business, governments and the community, affecting supply and service continuity, and damaging economic growth.
The reforms in the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the SLACIP Bill) will uplift the security and resilience of Australia's critical infrastructure by requiring industry to identify and mitigate security risks. These reforms are a key action under Australia's Cyber Security Strategy 2020 and are part of a range of measures the Australian Government is putting in place to strengthen Australia's ability to manage and respond to security risks across critical infrastructure sectors.
The reforms will enhance the security and resilience of Australia's critical infrastructure, in line with the threats posed in the world today and be better prepared to tackle those into the future, by requiring certain responsible entities to adopt and maintain a critical infrastructure risk management program. This will strengthen the resilience of essential services by embedding preparation, prevention and mitigation activities into ongoing business practices.
The regulatory framework that would be established by the SLACIP Bill relies on delegated legislation where necessary to ensure that the statutory framework remains appropriately flexible and adjustable, with a focus on minimising the regulatory impact on entities. With technologies and industries constantly evolving, the proposed rule-making powers in the Bill would enable the Minister to ensure all critical infrastructure assets are included, now and into the future. The rule-making powers provided for in the Bill are essential to ensure the framework is flexible and responsive.
The Government has consulted extensively in the development of this Bill, and will continue to engage across critical infrastructure sectors on the requirements that will underpin the Risk Management Program. Consistent with this approach, and in line with recommendation 9 of the Parliamentary Joint Committee on Intelligence and Security's Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 (the PJCIS Advisory Report), the draft Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022 (the draft Rules) have been included at Attachment C to the SLACIP Bill's Explanatory Memorandum.
Following commencement of the amendments in the Bill, the Minister would be required to undertake a period of mandatory consultation of no less than 28 days on the proposed draft rules. The Minister will consider any submissions and may then choose to make a rule that will commence at a time of my choosing following mandatory consultation. This will allow the obligation to apply only to those sectors without appropriate existing Commonwealth regulations to ensure implementation does not impose any unnecessary burden.
Relevantly, the Minister is not permitted, when making rules, to exceed the principles set out in the primary legislation, and all rules are appropriately subject to parliamentary scrutiny and disallowance.
Additional comments specific to each of the matters identified by the Committee at paragraph 1.150 of Digest 2 of 2022 are set out below, for the Committee's consideration.
...amend section 5 to repeal and replace the definition of 'data storage or processing service' and provide that this can include a service specified in the rules and that the rules may also prescribe that a service is not a data storage or processing service
In line with recommendation 7 of the PJCIS Advisory Report, the definition of 'data storage or processing service' in the Bill has been informed by extensive consultation across sectors, to ensure it appropriately captures relevant assets. Paragraphs (a) and (b) of the definition provide for certain services expressly in the legislation; however, it is necessary to include a rule-making power alongside this to ensure that the framework is sufficiently flexible to encompass future developments in relation to data storage and processing services, and to incorporate services that are not already covered by paragraphs (a) and (b) but might be identified in the course of ongoing consultation with stakeholders after the amendments in the SLACIP Bill are enacted.
As noted at paragraph 43 of the Bill's Explanatory Memorandum, the rule-making power in paragraph (c) of the new definition of 'data storage or processing service' will allow the Minister to make rules specifying additional services as data storage or processing services to ensure that technical advancements in this field, which are occurring rapidly, can also be appropriately included in the scope of the definition.
Relevantly, the new definition also provides that the rules may prescribe that a specified service is not a 'data storage or processing service'. This provides for the Minister to carve-out a service from the scope of the definition, if required.
...amend section 8 to provide an exemption to when an entity will be a direct interest holder in circumstances specified in the rules
The Security of Critical Infrastructure Act 2018 (SOCI Act) currently exempts moneylenders from responsibilities under the legislation, in circumstances where that moneylender or the custodial or depository services are not in a position to influence or control a critical infrastructure asset.
However, consultation on the reforms has revealed that there is a risk that the current provision does not operate as intended - that is, for the moneylenders and custodial or depository services exemption to only apply prior to a moneylender and custodial or depository services enforcing a security over the critical infrastructure assets and thereby gaining influence or control over that asset. In those circumstances, it is considered appropriate that a moneylender or custodial or depository services should be treated the same as any other direct interest holder.
The SLACIP Bill will ensure that the moneylenders and custodial or depository services exemptions operate as originally intended. Consultation on the reforms has also revealed that custodial services and other similar entities should also be exempt from responsibilities under the legislation where those entities are in a position to directly or indirectly influence or control a critical infrastructure asset. The SLACIP Bill therefore includes a new rule-making power to future-proof the legislation and provide the Minister with sufficient flexibility to respond to developments in this area of law.
...amend section 12KA to provide that the rules may prescribe specified assets that are critical to the administration of an Australian domain name system or requirements for an asset to be critical to the administration of an Australian domain name system...
An asset is a 'critical domain name system' under section 12KA of the SOCI Act where it meets the following criteria:
• the asset is managed by an entity that is critical to the administration of an Australian domain name system (see subsection 12KA(2) and section 16 of the Security of Critical Infrastructure (Definitions) Rules 2021 (the Definitions Rules)): paragraph (1)(a) of the definition; and
• the asset is used in connection with an Australian domain name system: paragraph (1)(b) of the definition.
As noted at paragraph 117 of the Bill's Explanatory Memorandum, this amendment follows consultation with .au Domain Administration Limited (auDA), the entity responsible for the administration of the '.au' country code Top Level Domain, and the Department of Infrastructure, Regional Development, Transport and Communications. These entities raised concerns that the construction of the current definition may capture irrelevant assets used in connection with the administration of an Australian domain name system (e.g. accounting software or event management systems).
In this context, the purpose of the new rule-making power in the SLACIP Bill is to provide greater certainty on what assets are 'critical to the administration of an Australian domain name system'. A rule-making power currently exists under subsection 12KA(2) of the SOCI Act to prescribe the entities that are critical to the administration of an Australian domain name system. Section 16 of the Definitions Rules currently prescribes Domain Administration Ltd (ABN 38 079 009 340) and the entity that administers the '.au' country code Top Level Domain for this purpose.
With the amendment to section 12KA in the SLACIP Bill, an asset used by these entities in connection with an Australian domain name system will need to be prescribed in rules made by the Minister to be a critical domain name system.
...insert proposed section 30AB to provide that Part 2A of the bill applies to assets specified in the rules and that the rules may exempt assets from Part 2A for a certain period of time
Proposed section 30AB allows for a nuanced, sector- or asset-specific approach to be taken to the application of the obligations contained in new Part 2A. In determining whether to make rules to apply the obligations to certain critical infrastructure assets, the Minister is likely to consider whether any existing requirements or arrangements appropriately deliver the same outcomes as intended by the critical infrastructure risk management program.
The assets that are critical education assets are an example of a class of critical infrastructure asset with appropriate regulatory requirements or arrangements in place. The Australian Government and Australia's higher education providers have jointly formed the University Foreign Interference Taskforce (UFIT) to enhance safeguards against the risk of foreign interference. The UFIT will deliver the same outcomes as intended by the critical infrastructure risk management program obligation for critical education assets. The Government does not intend to 'switch on' any of the positive security obligations (including Part 2A) for critical education assets.
As noted at paragraph 135 of the Explanatory Memorandum, this reflects the range of regulatory obligations that already exist in relation to some classes of critical infrastructure assets, and the obligations that may exist in relation to future critical infrastructure assets that are identified, and the Government's commitment to avoid duplicating regulation. In the event that any of these alternative regulatory regimes were to be found wanting, the Government will reserve the ability to 'switch on' any or all of the positive security obligations, including the critical infrastructure risk management program (Part 2A), to address any gaps and ensure that entities are subject to suitable and reasonable regulation.
...insert proposed section 30AH, which leaves a number of elements in relation to critical infrastructure risk management programs to the rules
Proposed section 30AH would define the requirements for a critical infrastructure risk management program. Adoption and compliance with a critical infrastructure risk management program will ensure responsible entities have a comprehensive understanding of the threat environment and develop processes and procedures to respond effectively to the risk of any hazard impacting the availability, confidentiality, reliability and integrity of their asset. This is central to the reforms proposed in the SLACIP Bill.
Under proposed paragraph 30AH(1)(c), the critical infrastructure risk management program must comply with any requirements specified in rules made by the Minister under section 61 of the SOCI Act. Any such rules will be a legislative instrument, appropriately subject to parliamentary scrutiny, and publicly available on the Federal Register of Legislation (https://www.legislation.gov.au).
The rules will be used to provide further requirements on how the principles-based obligations set out in subparagraphs (1)(b)(i)-(iii) are to be implemented. Given the array of critical infrastructure assets that may be subject to the obligation to adopt and maintain a critical infrastructure risk management program, now and into the future, this mechanism will be crucial for ensuring the program is implemented in a risk-based and proportionate manner while still achieving the desired security outcomes and avoiding any unnecessary burden.
Importantly, proposed subsections 30AH(2)-(12) provide further clarity as to the scope of the rule-making power. The rules may be of general application or may relate to one or more specified critical infrastructure assets, allowing appropriately for a flexible, nuanced approach (subsection 30AH(2)). It is also important to note that proposed subsection 30AH(6) sets out factors the Minister must have regard to in specifying rules under proposed subsection 30AH(1)(c). This would ensure that any rules made for the purposes of the critical infrastructure risk management program are appropriate in all the circumstances, while avoiding unnecessary duplication and regulatory burden for responsible entities.
...insert proposed section 30AKA which provides that entities must have regard to matters set out in the rules when determining to adopt, review or vary a critical infrastructure risk management program
As noted at paragraph 237 of the Explanatory Memorandum, a key theme of the information received from industry stakeholders during consultation was that the critical infrastructure risk management program obligation needs to be flexible and adaptable to the business processes and environment of an individual responsible entity.
In this context, it is appropriate that proposed section 30AKA provides for matters relevant to adopting, reviewing or varying a critical infrastructure risk management program to be set out in the rules.
Proposed subsection 30AKA(7) provides that rules made for subsections 30AKA(1), (3) or (5) may be of general application, or relate to one or more specified critical infrastructure assets. These provisions would allow for varying matters to be specified for different types of critical infrastructure assets and industry sectors.
The amendments in the SLACIP Bill dealing with the critical infrastructure risk management program would require responsible entities of critical infrastructure assets to adopt and maintain a written critical infrastructure risk management program. This is intended to uplift core security practices in relation to the management of critical infrastructure assets by ensuring responsible entities take a holistic and proactive approach toward identifying, preventing and mitigating risks from all hazards.
The Department has worked closely with industry to develop sector-agnostic, principles-based rules which will provide guidance for developing risk management programs, and the specific risks and hazards that should be considered. Where possible, the requirements under the risk management program would recognise or build on existing regulatory frameworks, seeking to minimise the regulatory burden on industry. This would ensure that if an existing regulation already exceeds the relevant risk management program requirement, there is not a duplicative set of obligations in place. This approach reflects clear feedback from industry that the responsible entity is best placed to understand the risks to an asset, and to develop appropriate risk practices.
Importantly, proposed section 30AKA does not act to limit the matters to which the responsible entity may have regard; the matters an entity may have regard to when adopting, reviewing or varying a critical infrastructure risk management program are not restricted to matters specified in the rules.
...require that incident response plans, cyber security exercises, evaluation reports and vulnerability assessments all comply with requirements set out in the rules
There are four different legislative mechanisms that would implement the enhanced cyber security obligations outlined in proposed Part 2C of the SOCI Act, as provided for in the SLACIP Bill:
• incident response planning obligations (proposed Division 2 of Part 2C);
• cyber security exercises (proposed Division 3);
• vulnerability assessments (proposed Division 4); and
• access to system information (proposed Division 5).
Committee comment
2.37 The committee thanks the minister for this response. The committee notes the minister's advice that the regulatory framework that would be established by the bill relies on delegated legislation where necessary to ensure that the statutory framework remains appropriately flexible and adjustable, with a focus on minimising the regulatory impact on entities. The minister has also provided more specific information for each of the provisions raised by the committee. This further information generally reiterates the desire for flexibility and notes the consultation that has, or will, occur in relation to the making of delegated legislation.
2.38 The committee reiterates its consistent scrutiny view that matters which may be significant to the operation of a legislative scheme should be included in primary legislation unless sound justification for the use of delegated legislation is provided. The committee has generally not accepted a desire for administrative flexibility of itself to be a sufficient justification for leaving significant matters to delegated legislation. It remains unclear to the committee why at least high-level guidance regarding these matters could not be included in the primary legislation.
2.39 The committee requests that an addendum to the explanatory memorandum containing the key information provided by the minister be tabled in the Parliament as soon as practicable, noting the importance of these explanatory materials as a point of access to understanding the law and, if needed, as extrinsic material to assist with interpretation (see section 15AB of the Acts Interpretation Act 1901).
2.40 The committee draws this matter to the attention of senators and leaves to the Senate as a whole the appropriateness of leaving a number of significant elements of the proposed enhanced regulatory framework for Australian critical infrastructure assets to delegated legislation.
2.41 The committee also draws this matter to the attention of the Senate Standing Committee for the Scrutiny of Delegated Legislation.
[1] Schedule 1, items 13, 29, 43 and 49, proposed sections 5, 8, 12AKA, 30AB, 30AH, 30AKA, 30CJ, 30CN, 30CS, 30CY. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(iv).
[2] Senate Scrutiny of Bills Committee, Scrutiny Digest 2 of 2022, pp. 42-44.
[3] The minister responded to the committee's comments in a letter dated 28 March 2022. A copy of the letter is available on the committee's website: see correspondence relating to Scrutiny Digest 3 of 2022 available at: www.aph.gov.au/senate_scrutiny_digest.
URL: http://www.austlii.edu.au/au/other/AUSStaCSBSD/2022/52.html