Australia's hardcore critical infrastructure laws open to challenge

States, industry lodge their concerns

Australia’s Department of Home Affairs has yielded to pressure from industry and state governments to publish an exposure draft of the bill that underpins its plan to directly intervene in the cyber security of the country’s critical infrastructure.

The draft of the “Critical Infrastructure” bill gives the Australian Government unprecedented powers over the cyber security of assets owned and operated by private companies and state governments.

The scope is genuinely enormous. It encompasses all telcos and ISPs, defence and space industry, maritime ports, power generation, water utilities, freight and passenger transport, operators of broadcast transmission equipment and submarine cables, domain registrars, banks (at least 10), wealth managers (at least 30), insurers (at least 35), an undisclosed number of trading, stockbroking and payment providers, food and grocery companies (at least 6), and hundreds of hospitals, universities and research organisations. It also includes 30 cloud service providers and at least 100 data centre providers, based on whether their clients are government or critical infrastructure systems or whether they hold significant volumes of PII data.*

They will all be required to:

  • Maintain and submit to the regulator an up-to-date register of critical assets;
  • Report security incidents within 24 hours of discovery, and those deemed ‘critical’ incidents within 12 hours of discovery;
  • Act on the Minister’s demands during a national security event, such as providing information, installing forensics/logging software or making changes to systems;
  • In extreme cases, provide direct system access to the Australian Signals Directorate, and permit ASD to remove/alter files and install “host-based sensors” to collect telemetry.

Organisations can also be asked, at the Minister’s discretion, to submit to ongoing “enhanced security obligations” including:

  • Providing reports from third-party vulnerability assessments;
  • Providing on-demand access to system logs, in an ASD-stipulated format;
  • Maintaining and submitting to Home Affairs incident response plans;
  • Participating in government-led tabletop exercises.

Home Affairs intended to proceed straight from a consultation paper to putting legislation before parliament. That plan met stiff opposition: most of the 194 organisations that provided public submissions expressed concerns about a lack of transparency, regulatory overreach and anxiety about compliance costs.

Some of its biggest critics were Australia’s states and territories. Submissions from New South Wales [pdf], Queensland [pdf], South Australia [pdf] and Victoria [pdf] suggested that the laws might be open to constitutional challenge. Australia’s states lead emergency response, for the most part, and don’t take kindly to being ordered around. Federal bullying during Australia’s responses to the 2019/2020 bushfire crisis and the COVID-19 response has hardened the states against Canberra’s meddling.

“It would not be appropriate for the Commonwealth to intervene, even in the extremely unlikely instance where a state refuses to act to mitigate a security threat,” noted the Victorian Government’s submission. “Ultimately, decisions regarding the functions of state-owned and operated critical infrastructure assets should remain a matter for the states.”

Representatives from financial services and other regulated industries argued against duplicating existing cyber security regulations. Others, like food and grocery, don’t want to be in the critical infrastructure bucket at all.

Legal scholars, meanwhile, expressed concerns [pdf] that the powers were overly broad and lacked sufficient oversight. Most requirements seem to be at the discretion of the Minister for Home Affairs. It’s only when the ASD gets sent in (an “intervention request”) that Home Affairs must seek authorisation from the Prime Minister and Defence Minister and notify the Inspector General for Intelligence and Security. The draft bill permits the use of force and powers of arrest if a service provider doesn’t provide the required access, and the officers exerting that force will be immune from civil or criminal liabilities. The bill also assumes that intervention requests are to be based on input of the intelligence services, so affected entities wouldn’t be allowed to appeal to the Federal Court under the ADJR Act.

Our view is that these powers would undoubtedly make Australia a harder target if it were subject to a broad, state-directed attack. The problem with the draft is that those same powers could also be abused at the discretion of a Minister and triggered by events that most of these industries absorb every other day.

The intent is right, the execution needs some work.

* Correction: An earlier version of this story incorrectly stated that “any organisation that holds PII (personal data) on more than 20,000 Australians” would be subject to the amended laws. This threshold applies only to commercial providers of data storage services (cloud service providers, data centres etc.) and specifically “is not intended to cover instances where data storage is secondary to, or simply a by-product of, the primary service being offered.” We apologise for the error.