COVID-19 has brought with it a rash of illegal cyber activity against high-profile targets, and there is no end in sight. What’s to be done? In Australia, for one, policymakers are homing in on revisions to the Security of Critical Infrastructure Act 2018.
What to expect in this new year, and what broader lessons will there be for the global security sector?
What to expect from the revised Security of Critical Infrastructure Act
Besides precipitating a rise in cyber threats, the pandemic has also contributed to a broader understanding of critical infrastructure than the one formerly limited to ports and utilities. Healthcare and the food and grocery supply chain, to name two, have shown themselves to be every bit as vital to public safety and national resilience as any other industry.
The reality has created the need to redefine the contours of critical infrastructure. Policymakers have agreed. And so, revisions to the Security of Critical Infrastructure Act, now wending their way through the Australian Parliament, will see the following sectors classed as critical infrastructure sectors:
- Data and the cloud
- Research and innovation
- Food and grocery
- Energy (more broadly)
What security obligations will the amended Security of Critical Infrastructure Act bring?
What’s the effect of bundling these diverse sectors together? Policymakers are signaling to owners and operators in these industries that they will have to do more than just report operational information – the current standard.
That’s not all. Beefed-up security obligations will also be part of an enhanced security framework once Parliament signs off on the amendments. What might the new framework look like? So far, the outlines suggest:
- An uplift in security and resilience in all critical infrastructure sectors
- Better identification and sharing of threats (i.e. situational awareness) in order to make critical infrastructure more resilient and secure
Positive security obligations, however, must be balanced against the realities of existing standards and maturity, as well as differences in human and financial resources, technology, and relative threat level.
Three key components to the amended Australian Security of Critical Infrastructure Act
Delving deeper, we also know that the enhanced framework will have three key components:
- Positive Security Obligation (PSO), consisting of:
  - Set and enforce baseline protections against all hazards for critical infrastructure and systems, implemented through sector-specific standards proportionate to risk.
- Enhanced cyber security obligations, establishing:
  - The ability for the Government to request information to contribute to a near real-time national threat picture.
  - Owner and operator participation in preparatory activities with Government.
  - The co-development of a scenario-based “playbook,” setting out response arrangements.
- Government assistance for entities that are the target or victim of a cyber attack, through the establishment of a Government capability and authorities to disrupt and respond to threats in an emergency.
We aren’t yet certain what substantive obligations will emerge from the framework. We do know, though, that regulated industries will be obligated to report relevant business continuity incidents in a timely manner.
As for monitoring compliance, sectoral regulators will take the lead. They will also enforce compliance with the PSO, based on a sliding-scale regulatory approach.
What else? Well, the intent of these amendments to the Security of Critical Infrastructure Act is to bump up preparedness beyond the level set in the original Act.
That Act, still on the books, is no slouch, especially when it comes to improving transparency of ownership and operational control. It might even provide a useful global benchmark for the critical infrastructure sector beyond Australia.
To find out what it prescribes, download our Overview Guide to the Security of Critical Infrastructure Act 2018: