“The new laws are a critical tool that will bring together government and industry to strengthen our defences against significant threats from nation state adversaries and criminal actors,” Liberal Senator and Parliamentary Joint Committee on Intelligence and Security (PJCIS) committee chair James Paterson said. The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP Bill) contains outstanding elements of cyber laws passed by the Parliament last year, per recommendations from the committee for the cyber laws to be enshrined in two phases. Among these outstanding elements are requirements for entities deemed “most important to the nation” to adhere to enhanced cybersecurity obligations, such as potentially installing third-party software. It also seeks to introduce risk management programs that would apply to entities within the 11 sectors classified as critical infrastructure sectors. During the PJCIS’ review of the law, the committee heard from critical infrastructure industry representatives who criticised the software installation scheme as they believed it would introduce unnecessary security risks into those types of environments. Despite hearing these concerns, the PJCIS has supported the enshrinement of the requirement in its advisory report [PDF], saying it believes the Australian Signals Directorate (ASD) would enforce that requirement carefully. “The committee sought assurances from the Department [of Home Affairs] and ASD that the installation of system software would be used only as a ‘provision of last resort’, and received evidence from both the Department and ASD that most sophisticated entities would be able to provide section 30DB and 30DC reports through existing or current open-source tools,” the PJCIS wrote. It added that, in theory, the ASD would already be collaborating with organisations that have systems of national significance and have an understanding of their cybersecurity posture when making any calls for third-party software to be installed. Acknowledging that the Bill’s requirement are a work in progress, the committee recommended for the Department of Home Affairs and the Cyber and Infrastructure Security Centre to establish further consultation with critical infrastructure industry representatives, relevant employee representative bodies, and trade unions for further feedback about the Bill’s risk management programs. Similarly, the committee wants industry roundtables to continue for the same purpose. “The threat to Australia is increasing in scale and sophistication, and so it’s never been more important to harden our systems. That requires a collaborative effort from government and industry to identify and counter cyber threats targeted at our critical infrastructure, many of which are currently regarded as soft targets by our adversaries,” Paterson said. These recommendations came along with nine others, including for the federal government to commission an independent review of the operation of Australia’s critical infrastructure cyber laws one year after the SLACIP Bill receives Royal Assent. “To ensure the laws achieve this critical objective, the committee has recommended that their effectiveness be reviewed once fully implemented to ensure they remain fit for purpose and proportionate to the threat environment,” Paterson said. The federal government’s critical infrastructure reforms sit alongside the ransomware action plan as being its primary regulatory efforts for bolstering Australia’s cybersecurity posture. Labelled by Home Affairs Secretary Mike Pezzullo last month as the government’s defence against cyber threats, the federal government is hoping the second tranche of cyber laws will create a standardised critical infrastructure framework for Australia’s intelligence agencies.
RELATED COVERAGE
Australia’s cyber laws potentially harmful to security: Critical Infrastructure communityPezzullo frames Critical Infrastructure Bills as ‘defence’ and ransomware plan as ‘offence’MacTel warns critical infrastructure reforms create gaps in government data protectionHome Affairs releases second Critical Infrastructure Bill with leftover obligations