“While private industry is best placed to protect critical infrastructure, some threats are too sophisticated or disruptive to be handled alone,” the Minister for Home Affairs, Peter Dutton, told Parliament.
“This bill provides government with last-resort powers to respond to a serious cyber incident that is having, has had or may have an impact on a critical infrastructure asset and there is a material risk to Australia’s national interests.”
During consultation, Amazon Web Services reflected industry concerns, stating: “[W]e are concerned that the proposal for government ‘assistance’ or ‘intervention’ powers may give government overly broad powers to issue directions or act autonomously.”
The new bill expands the reach of Commonwealth requirements from four sectors to 11, many of which have been areas traditionally regulated by the states.
Industries that will be required to report cyber breaches, major assets and risk management details to the Department of Home Affairs are communications, data, defence, research, energy, food and grocery, health and medical, space, transport, and water and sewage sectors.
These sectors are defined widely to include supply chains where suppliers or operators run key facilities or services that, if impacted, could undermine the reliability of key infrastructure.
Taking food and groceries as an example, the explanatory memorandum notes “the definition recognises that the reliable and secure access to food and grocery are key components for the sustainment of life for all Australians”.
“As such, the definition captures those entities that are integral to the supply chain of the food and groceries in Australia.
“While supermarkets are often the most visible point for consumers within the supply chain, when it comes to the purchasing and acquiring of food and groceries, there are numerous suppliers and components that are required in order for food and groceries to make it onto the shelves of supermarkets throughout each part of the large and diverse supply chain.”
The bill enables the Minister for Home Affairs to declare a supermarket retailer, food wholesaler or grocery wholesaler to be critical.
Primary producers and agriculture are not included in the definition of critical food and grocery providers.
Introducing the bill, Mr Dutton noted the broader impact of failures of key infrastructure.
“A prolonged and widespread failure in the energy sector, for example, could have catastrophic and far-reaching consequences.
“Such an incident may lead to shortages or destruction of essential medical supplies; impact food, groceries, water supply and telecommunications networks; disrupt transport, traffic management systems and fuel; reduce or shut down banking, finance and retail services; and leave businesses and governments unable to function.”
“While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune.”
Mr Dutton noted that in the past two years there had been cyber attacks on federal parliamentary networks, logistics, the medical sector and universities.
“Internationally, we have seen cyber attacks on critical infrastructure, including water services and airports.
“COVID-19 has also strained the ability of critical infrastructure to deliver essential services. These disruptions show how quickly events can cause widespread physical, financial and indeed psychological damage.”