The rapid escalation in cyber attacks, particularly against key infrastructure assets domestically and abroad, has forced an urgent push from the Australian Government for sweeping new laws. The Government will split the Critical Infrastructure Bill by passing what it sees as the most urgent of the reforms with a view to address the ‘serious and rapidly deteriorating cyber security environment’.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Bill), which was introduced into Parliament in December 2020, has been split into two bills in order to fast-track the passing of the first tranche through the House of Representatives on 20 October 2021. In deciding to split the legislative change into two Bills and fast-track “Bill One”, the Australian Government has cited the ‘serious and rapidly deteriorating cyber security environment’, and in particular the escalation in cyber attacks and threats to critical infrastructure here and abroad.
Bill One brings forward urgent elements of the reforms, including mandatory notification requirements for critical infrastructure operators, as well as last-resort ‘step-in’ powers for the Australian Signals Directorate (ASD) to take control of critical infrastructure in the event of serious cyber threats.
The Bill was introduced to create a regime for the Australian Government to counter serious cyber security incidents. In response, on 29 September 2021, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) published an advisory report (Report) on the Bill with 14 recommendations, including that the Government split the Bill into two parts.
Given that the proposed mechanisms in the original Bill confer ‘step-in’ powers upon the Government to enable intervention against cyber attacks, and to direct businesses to gather information and undertake certain actions, the PJCIS recommended that the Bill be separated into two parts to ensure thorough consideration is given to the proposed measures and their implications for business and industry.
The split has enabled the prioritisation of ‘urgent elements of the reforms’ through the enactment of Bill One, including importantly:
- mandatory notification requirements for an expanded list of critical infrastructure sectors, which now include communications, banking and financial services, healthcare, and food and grocery businesses;
- ‘step-in’ powers for the ASD to engage directly inside critical infrastructure to fend off cyber criminals, including providing assistance ‘immediately prior, during or following a significant cyber attack’ to ensure the continued provision of essential services; and
- government assistance measures.
The remainder of the original Bill is considered to be less urgent and covers initiatives such as risk management programs and declaration of Systems of National Significance. These measures are planned to be revisited and amended in a ‘consultative and collaborative’ process with affected industries and entities, and later introduced as ‘Bill Two’.
WHAT DOES THIS MEAN FOR ORGANISATIONS NOW?
Entities responsible for assets in the expanded sectors should prepare to comply with Bill One by reviewing their systems and processes. There are enhanced reporting obligations requiring input from across the supply chain, as well as an enterprise-wide view of critical assets. Mandatory cyber incident reporting processes must also be complied with.
Organisations should also remain engaged with the consultation process, and potential regulated entities are invited to participate in an online discussion regarding next steps on 19 October.
What about the Government’s newly released Ransomware Action Plan?
On 13 October 2021, the federal government announced its Ransomware Action Plan (Plan). The Plan builds upon existing mechanisms in place to strengthen cyber security across Australia’s digital economy.
The Plan, which is still subject to industry consultation, outlines new offences for cyber criminals and a mandatory ransomware incident reporting regime for large Australian businesses, and reflects the Government’s desire to more effectively safeguard individuals, businesses and critical infrastructure across Australia against ransomware attacks. We’ve summarised the key features below:
1. KEY LEGISLATIVE CHANGES
- Mandatory reporting of ransomware incidents for businesses with an annual turnover exceeding $10 million.
- The new mandatory reporting regime will include civil penalties, such as fines, for businesses that do not alert authorities to attacks; however, the Government has said that such penalties would be used as a last resort.
- Creation of a new standalone offence targeting all forms of cyber extortion.
- An aggravated offence and harsher penalties for cybercriminals who target ‘critical infrastructure.’
- Further policy reform to enable law enforcement to track, seize or freeze proceeds of cyber crimes.
2. ADDITIONAL OPERATIONAL CAPABILITY, including:
- A multi-agency, offensive-capable Ransomware Taskforce led by the Australian Federal Police targeting cyber criminals.
- Coordinated international operations to detect, investigate, disrupt and prosecute individuals involved in exploiting ransomware.
- Awareness raising and clear advice for critical infrastructure and businesses of all sizes.
- Active calling out of those who provide safe haven to cyber criminals.
The Plan also reinforces the decisive policy position of the Australian Government regarding the payment of ransoms, that is, that the Commonwealth does not condone the payment of ransoms to cybercriminals.
If you have any questions regarding the matters discussed in this insight, please don’t hesitate to contact Hugh Griffin at firstname.lastname@example.org.
Material in this article is available for information purposes only and is a high-level summary of the subject matter. It is not, and is not intended to be, legal advice. You should first obtain professional legal advice prior to taking any action on the basis of any information contained in this article. This article is copyright. For permission to reproduce this article please email Hazelbrook Legal: email@example.com