Enhancing response and prevention powers in relation to critical infrastructure assets

John Dieckmann, Margaret Gigliotti, Bianca Weiss and Marcus Iuele
07 Apr 2025
7 minutes

Following repeated data breaches across Australian organisations, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (Amending Act) aims to enhance the prevention of and response to a broader range of threats and attacks on critical infrastructure assets. The final amendments relating to security regulation of critical telecommunications assets took effect on 4 April.

Prior amendments relating to data storage systems, management of the impacts of incidents on critical infrastructure assets, use and disclosure of protected information, and new directions powers to manage Critical Infrastructure Risk Management Programs took effect in late 2024.

The SOCI reforms at a glance

The Amending Act is a product of industry feedback on the 2023-2030 Australian Cyber Security Strategy Discussion Paper. It implements five key reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) by:

  • deeming data storage systems owned or operated by a responsible entity that are used in relation to a critical infrastructure asset to form part of that critical infrastructure asset in certain circumstances, making those systems subject to the same SOCI Act obligations;

  • expanding the Government’s powers to obtain information and to issue directions to a broader range of incidents, not only "cyber incidents";

  • clarifying what is "protected information" and when this information may be disclosed;

  • empowering the Regulator to issue written directions for responsible entities to vary their Critical Infrastructure Risk Management Program (CIRMP) to address "serious deficiencies"; and

  • enhancing security obligations for critical telecommunications assets, to bring them into line with the Telecommunications Act 1997 (Cth).

Expanding the "data storage systems" to which the SOCI Act applies

Currently, the SOCI Act imposes positive obligations on data storage or processing assets, where the storage or processing of data is the primary function of the asset (for example, data centres used to process “business critical data” of a government entity or provided to a third party that is the responsible entity for a separate critical infrastructure asset). Schedule 1 of the Amending Act expands the scope of critical infrastructure assets under the SOCI Act to include certain non-operational systems that hold business critical data which may, if compromised, have an impact on critical infrastructure assets (but which to date have not formed part of a critical infrastructure asset themselves). A data storage system will now be deemed to be part of a critical infrastructure asset if all of the following criteria are met:

  • a responsible entity for a critical infrastructure asset owns or operates the data storage system;

  • the data storage system is used, or is to be used, in connection with the critical infrastructure asset;

  • business critical data is stored or processed by that system; and

  • material risks of a hazard impacting the operation of that system could also have a “relevant impact” on the critical infrastructure asset (eg. impacts on the availability, integrity or reliability of the asset or confidentiality of information about or stored in the asset).

This reform will require entities to fulfil the same obligations for these non-operational data storage systems, now deemed part of a critical infrastructure asset, as they do for the critical asset itself. In particular, entities will be required to include these data storage systems within their CIRMP so as to identify any related risks, minimise or eliminate them, and mitigate the impact of those that remain.

In practice, the reforms will also expand the Government’s assistance powers under the SOCI Act to apply to secondary data storage systems where there has been a threat or attack. This is a particular area of concern highlighted in the Explanatory Memorandum for the Amending Act, which describes how non-operational systems that were affected by the Optus and Medibank attacks both fell outside the scope of the SOCI Act, notwithstanding the widespread harm and disruption caused to the economy and individuals by those incidents.

Expansion of Government powers to gather information, give directions and intervene

The Amending Act also expands the types of incidents in relation to which the Government may exercise powers to gather information or issue directions under Part 3A of the SOCI Act.

Previously, only "serious cyber security incidents" enlivened these powers. However, they may now be triggered by any "serious incident that has had, is having, or is likely to have, one or more relevant impacts on one or more critical infrastructure assets". This expands the Government’s powers so that it may respond to incidents whether they are naturally occurring or man-made, and regardless of whether they involve a cyber attack, so long as the incident impacts the availability, integrity or reliability of the critical infrastructure asset or affects the confidentiality of information about or stored within the asset.

However, other limitations on the Government’s powers continue to apply (eg. directions must be a reasonably necessary, proportionate and technically feasible response to the incident, and the responsible entity must be otherwise unwilling or unable to adequately respond to the incident). The Government’s power to intervene (through the Australian Signals Directorate) also remains confined to cyber security incidents.

Clarifying the scope of, and rights to use and disclose, protected information

Following consultation and feedback from government and industry, the Government concluded that the existing restrictions on the disclosure of "protected information" hamper the ability of Government and responsible entities to mitigate risk effectively. Before the Amending Act was passed, that concept encompassed any information obtained or generated in the course of exercising powers, or performing duties or functions, under the SOCI Act, or for the purpose of complying with the SOCI Act, including information concerning the declaration of an asset as an asset of national significance and various reports and notices required to be prepared or issued under the SOCI Act.

The Amending Act has narrowed this concept through a new "harms based" definition, so that information which was previously the subject of disclosure restrictions will only be "protected information" if:

  • its disclosure would or could reasonably be expected to prejudice national security, the defence of Australia, or the social or economic stability of Australia or its people;

  • it contains, or is, confidential commercial information; or

  • its disclosure would or could reasonably be expected to prejudice the availability, integrity, reliability or security of a critical infrastructure asset.

The Act also clarifies that the use and disclosure of protected information will be authorised where that use or disclosure is:

  • by a relevant entity (other than the Commonwealth) for a purpose relating to the continued operation of their critical infrastructure asset, or to mitigate a risk to the availability, integrity, reliability or security of the asset;

  • by a relevant entity for the purpose of their business, professional, commercial or financial affairs, where the information has been obtained, generated or adopted by the entity for the purposes of complying with the SOCI Act; or

  • by an authorised Australian public service employee for certain purposes, including to make a record of the protected information for those permitted disclosures.

This will facilitate a greater ability to exchange relevant information, for example in due diligence exercises for infrastructure investment, in the performance of services contracts, and in responding to specific incidents.

New power to direct variations to critical infrastructure risk management programs

The Secretary for the Department of Home Affairs or any other authorised Commonwealth regulator may now issue a written direction to a responsible entity to vary its critical infrastructure risk management program to address any "serious deficiency". A "serious deficiency" is one that poses a material risk to national security, the defence of Australia, or the social or economic stability of Australia or its people.

Before issuing a written direction, the Secretary or relevant regulator must notify the responsible entity of the deficiencies concerned and its intention to issue a direction, and give the responsible entity 14 days to make a submission in response (which must be taken into account in deciding whether to issue a formal direction). The Secretary or relevant regulator may then issue a formal direction requiring the responsible entity to vary its CIRMP to address specified deficiencies, within a period of at least 14 days after the date of the direction.

Failure to comply with a direction will incur a civil penalty of up to 250 penalty units (which for corporates may be up to a maximum of $391,250).

A responsible entity must report receipt of any such directions and its response to them in its CIRMP annual report.

Enhanced security obligations for critical telecommunications assets

A new Part 2D enhances the security obligations that apply in relation to critical telecommunications assets, and expands the nature of risks required to be addressed beyond security risks (such as espionage and sabotage) to include all hazards. The amendments will bring the SOCI Act in line with security obligations introduced under the Telecommunications and Other Legislation Amendment Act 2017 (Cth).

Responsible entities for critical telecommunications assets must, as far as reasonably practicable, protect a critical telecommunications asset from any hazard which poses a material risk to the availability, integrity, and reliability of the asset or confidentiality of information about or stored in the asset. Notably, responsible entities for critical telecommunications assets must protect:

  • the confidentiality of communications (as defined in the Telecommunications Act 1997 (Cth)) carried on, and of information contained on, the asset; and

  • the availability and integrity of the asset.

Failure to do so carries a civil penalty of 1,500 penalty units (which for corporates may be up to a maximum of $2.3 million). However, responsible entities are not liable for things done in good faith in performing those obligations.

Responsible entities must also notify the Secretary of Home Affairs of actual or proposed changes to a telecommunications service or system which are likely to have a material adverse effect on the entity’s capacity to comply with these obligations to protect the asset. Failure to do so carries a civil penalty of 300 penalty units (which for corporates may be up to a maximum of $469,000).

If the responsible entity provides a notification in relation to an actual or proposed change, and the Secretary requires further information to determine if there is a risk to the asset that would be prejudicial to security, the Secretary may, by written notice, require the responsible entity to give the Secretary specified further information. The Secretary may continue to give notices requiring further information until they are satisfied in their assessment. Failure to comply with a notice carries a civil penalty of 150 penalty units (which for corporates may be up to a maximum of $234,750).

Where the Secretary is satisfied that an actual or proposed change poses a risk to the asset that would be prejudicial to security, the Secretary must give a written notice to the responsible entity advising the entity of that risk, setting out the entity’s obligations and setting out the consequences for not complying with that obligation (being 1,500 penalty units, which for corporates may be up to a maximum of $2.3 million). The Secretary may also set out in this notice any measures that the Secretary considers the entity could adopt to eliminate or reduce that risk.

The Secretary may also direct a responsible entity not to use or supply a carriage service if they consider that it would be prejudicial to security. If the responsible entity fails to comply with this direction, the civil penalty is 2,000 penalty units, which for corporates may be up to a maximum of $3.3 million.

Failures to comply with these requirements within the required timeframe may also be considered to be a continuing contravention, and attract further penalties.

Next steps for responsible entities

Responsible entities should consider the following measures to remain compliant with the updated SOCI Act:

  1. Review all data systems used to support the operation of their critical infrastructure assets with a view to understanding if these would now be considered to form part of the asset and be subject to the same obligations. If so, the affected data storage systems should be addressed in CIRMPs and managed appropriately.

  2. Update policies and procedures to reflect the new "harms based" definition of "protected information" and when this information may be disclosed. Responsible entities should also ensure that existing data is reviewed and recategorised appropriately.

  3. Ensure that CIRMPs reflect the broader definition of incidents, and not only "cyber incidents". To the extent that an existing CIRMP addresses critical telecommunications assets, the CIRMP should now be uplifted to reflect the new obligations to protect the asset for the purposes of security and from any hazards that carry material risks.

  4. Update policies and procedures regarding CIRMP approvals, so that the CIRMP can be validly updated within 14 days of receipt of a written direction or variation request from the Secretary.

Where the entity is responsible for a critical telecommunications asset, procedures regarding changes to this asset should now include a task to evaluate the change and notify the Secretary as required.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.