Australia seeks to bolster security of critical infrastructure with new legislation

The Security of Critical Infrastructure Bill would provide ministers with a "last resort" power to issue a direction to businesses to take certain actions to address national security risks, according to the proposals.

"To issue a direction, the minister needs to be satisfied that there is a risk of any act or omission," an explanatory document (84-page / 4MB PDF) published alongside the draft legislation said. "This essentially means that there is a risk of an entity doing an active thing that would be prejudicial to security; or alternatively, a risk of an entity not doing something that would be prejudicial to security."

"The minister must be satisfied that the identified risk of an act or omission (that exists in connection with the operation or delivery of service of a critical infrastructure asset) is, or would be, prejudicial to security," it said.

The Australian government said the power would only be used "where it is the only option available to manage a significant national security risk" and after existing mechanisms have been explored.

"An example of a direction may be that the minister directs a critical infrastructure asset operator to move currently stored offshore corporate and operating data to a more secure data storage provider," the government said. "The direction will provide a specific timeframe within which the entity must comply."

"A further example of a direction is the minister may direct a critical infrastructure asset owner to not outsource operations of its core network to certain providers. This direction may specify that the condition exists in perpetuity. Alternatively, the minister may specify in the direction that the entity must consult the government before entering into future outsourcing arrangements," it said.

Under the proposed new laws, a new register of who owns, operates and has access to critical national infrastructure would also be established.

"The register will provide a deeper understanding of who owns, controls and has access to the highest-risk assets by requiring interest and control information and operational information to be provided to government," the explanatory document said. "While the government works closely with owners, operators and investors to obtain this information, some stakeholders may be reluctant to share this information unless legally required to do so."

New cybersecurity laws were finalised in the EU in 2016 and are set to take effect next year in central sectors of the economy, such as energy, transport and health, where critical infrastructure is operated. The UK government opened a consultation on its implementation of the Network and Information Security Directive in August.