In March 2018, the Australian Parliament passed the Security of Critical Infrastructure Act. As you probably know, the Act majorly ramps up state scrutiny of so-called critical infrastructure assets (ports, as well as electricity, gas, and water entities), by attempting to improve cooperation and collaboration between government bodies and the owners and operators of those assets. To do so, the Act compels asset operators and owners to relay detailed operational information (as well as relevant updates) to a government authority.
But that’s not the only measure the government can take. Oft-unremarked upon is the fact that the Act also grants broad, new “ministerial last” powers of intervention to the Commonwealth Minister. What do these ministerial last powers comprise of? Well, when a risk cannot otherwise be mitigated, the Minister can now intercede in an operator’s affairs to seek further information or even issue directions should the situation demand it.
There are caveats. Indeed, policymakers took the “last” in ministerial last powers seriously. For one, these powers are only meant to be exercised in exceptional circumstances involving significant national security risks. Also, the Minister can only exercise last powers if there is no other regulatory fix available.
As a further check on this last resort power, the Act instructs the Minister to first consider the findings of a mandatory ASIO (Australian Security Intelligence Organisation) security assessment, which is itself subject to a merits review. The Minister must also wait for “good faith” negotiation with the entity to expire, before consulting directly with the First Minister and State or Territory Minister where the entity is located. The asset operator must then show itself to be unable or unwilling to implement security risk mitigation actions on its own. And the eventual actions prescribed by the Minister must be “proportionate” to the risk.
There are a lot of checks to ministerial last powers, but that doesn’t mean that asset owners should take the Critical Infrastructure Act less seriously. Penalties for contravening provisions of the Act can be severe: civil penalty, enforceable undertaking, injunctions, not to mention significant reputational damage.
If you haven’t read the Act in its entirety, do so now, many of its provisions have already come into force, with the final date to report information to the Register set at January 2019. Looking for a shortcut? Then download our brief overview guide to the Security of Critical Infrastructure Act.
ZDNet: Government passes critical infrastructure national security bill
For more content like you just read, follow @teamnoggin Twitter