Critical infrastructure reforms to protect essential infrastructure we all rely

​The Morrison Government has today introduced amendments to urgently protect Australia’s critical infrastructure in the event of a major cyber-attack.

Minister for Home Affairs Karen Andrews said the amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would ensure the most urgent reforms could be made while the Government continues to consider other recommendations to the Bill made by the bipartisan Parliamentary Joint Committee on Intelligence and Security.

“The Morrison Government is committed to protecting Australia’s critical infrastructure to secure the essential infrastructure and services all Australian’s rely on – everything from electricity and water, to healthcare and groceries,” Minister Andrews said.

“Recent cyber-attacks and security threats to critical infrastructure, both in Australia and overseas, make these reforms critically important. They will bring our response to cyber threats more into line with the Government’s response to threats in the physical world.”

The reforms outlined in the amended Bill will strengthen Australia’s ability to respond to serious cyber-attacks on critical infrastructure by:

  • making Government assistance available to industry as a last resort and subject to appropriate limitations;
  • introducing a cyber-incident reporting regime for critical infrastructure assets; ​
  • expanding the definition of critical infrastructure to include energy, communications, financial services, defence industry, higher education and research, data storage or processing, food and grocery, health care and medical, space technology, transport, and water and sewerage sectors.

The reforms form one part of the Morrison Government’s cyber security agenda, along with efforts to protect Australians from ransomware. Just last week Minister Andrews released the Government’s Ransomware Action Plan. The Plan introduced a raft of new offences for ransomware attacks, many of which are aimed at Australia’s critical infrastructure.

“Importantly, the legislation will enable the Government to provide emergency assistance or directions immediately before, during or after a significant cyber security incident to mitigate and restore essential services,” Minister Andrews said.

“These emergency measures will only apply in circumstances where a cyber-attack is so serious it impacts the social or economic stability of Australia or its people, the defence of Australia or national security, and industry is unable to respond to the incident.

“Attacks on our critical infrastructure require a joint response, involving Government, business, and individuals, which is why we are asking critical infrastructure owners and operators to help us help them by reporting cyber incidents to the Australian Cyber Security Centre.

“Implementing these reforms now will allow the Government to continue to work with critical infrastructure entities to develop supporting rules to ensure that the second phase of reforms is implemented in a manner that secures appropriate outcomes without imposing unnecessary or disproportionate regulatory burden.”

/Public Release. View in full here.