I welcome the opportunity to provide comment on the exposure draft of the Security of Critical Infrastructure Bill as Shadow Assistant Minister for Cyber Security and Defence.
Disruption of critical infrastructure from physical or cyber threats can have a serious impact on our national and economic security. The evolving threat environment means Australia needs to constantly assess how we can best protect our critical infrastructure.
This submission identifies deficiencies in the draft Bill regarding scope, consistency and coordination. It also raises concerns about the resourcing of the department or agencies administering the Bill.
The draft Bill identifies electricity, water and ports as the “highest-risk sectors”. Yet there are other equally important critical infrastructure sectors overlooked by the draft Bill.
The Trusted Information Sharing Network, also operating within the Attorney-General’s portfolio, identifies eight critical infrastructure sectors, as:
“Those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.”
- Banking and finance
- Food and grocery
- Water services
- Commonwealth Government.
The TISN maintains these critical infrastructure sectors are vital to “Australia's social cohesion, economic prosperity and public safety”. So why aren’t all eight included in the draft Bill? And why does the draft Bill only include sea ports, and not airports?
Each of the eight TISN sectors has experienced some form of cyber threat in the past 12 months, at the national or international level. Given the importance of these sectors to our nation’s security and economy, consideration should be given to including all eight in the draft Bill.
Consideration should also be given to increasing the number of sectors covered by TISN and the draft Bill. Compared with other nations, the TISN’s eight sectors are conservative.
The United States critical infrastructure security and resilience strategy identifies 16 sectors. The United Kingdom identifies 13 sectors. Canada identifies 10 sectors. Singapore identifies 11 sectors.
The sectors recognised by these nations include:
- Emergency services
- Information technology infrastructure
Consistency and coordination
Experience of the cyber security portfolio suggests dispersed authority between government agencies can lead to confusion among stakeholders, stifle clear and effective communication and impede results.
Multiple government agencies are involved in protecting critical infrastructure and all are working with myriad private sector operators.
The draft Bill does not clearly outline which Minister is responsible for making decisions or which government department is the lead agency in this process.
An assumption could be made that the responsibility will be with the Attorney-General and the Critical Infrastructure Centre. However, the Department of Industry, Innovation and Science could also have a role, as could the new homeland security agency, when it is created.
A centralised point in government is vital to effective policy development, implementation and coordination, and to clear and consistent engagement between government and critical infrastructure operators.
The responsible Minister and lead government agency need to be clarified in the draft Bill.
It is understood the Critical Infrastructure Centre, which is less than 12 months old, is already feeling the strain of under-resourcing. Consideration needs to be given to appropriately resourcing the lead government agency and those administering the Bill.
Once again, I welcome the opportunity to contribute to the consultation on the exposure draft of this Bill.