Critical infrastructure protection: is everyone ready?

Some watershed changes have been announced across our national security domain this year. A home affairs department is being established to act as a ‘portfolio agency’ for ASIO, the AFP, the Australian Border Force, the Australian Criminal Intelligence Commission, AUSTRAC and the Office of Transport Security. We’re also getting a new Office of National Intelligence (maybe better badged as the Office of Surprise Management), headed by a director-general who will be the prime minister’s principal adviser on matters relating to the national intelligence community.

But one national security development has largely flown under the radar. In January, a Critical Infrastructure Centre was set up in the Attorney-General’s Department to assess the risk of sabotage, espionage and coercion on telecommunications, electricity, water and maritime ports arising from foreign involvement in those sectors.

While media attention has been elsewhere, there’s been a flurry of legislation—newly enacted, drafts released for comment, and new pieces to be put before parliament—all with relevance to the new centre.

One of those is a recently released draft bill on the security of critical infrastructure. It aims to strengthen the government’s capacity to manage the national security issues that arise from foreign ownership of key categories of infrastructure, while minimising the regulatory impact and maintaining an open investment policy.

The bill provides for two central measures. The first is the development of a register of critical infrastructure assets covering maritime ports, electricity and water in the states and territories. Owners and operators will be required to provide information about the groups and individuals that have a direct interest (legal, equitable, lease or licensing) in an asset, including the level of control they have over the asset.

The second measure provides for a federal minister to issue a ‘last resort’ directive to the owner or operator of a critical asset if security vulnerabilities are detected and aren’t corrected or if there are no existing regulatory frameworks that can be used to enforce risk mitigation. Unaddressed vulnerabilities such as gaps in the quality of institutional security policies (including data and physical security); the effectiveness of security audit regimes; and the adequacy of emergency management plans, regulatory regimes and control systems may be the sorts of conditions that would trigger a ‘last resort’ directive.

In addition, last month the government passed legislation that will oblige telecommunications service providers and intermediaries to protect the networks and facilities they own, operate or use from unauthorised interference or access. The aim is to ensure the availability and integrity of facilities and their control networks, and so protect the confidentiality of information stored in or carried on them.

Allied with the protective focus of these legislative steps are a series of sanctions soon to be introduced into parliament targeting the ‘so-called “sub-espionage” level of foreign interference such as individuals covertly lobbying, infiltrating or donating to political parties on behalf of foreign governments’.

While the logic of this trifecta of legislation seems sound, implementation may not be straightforward. At least one state has noted that ‘significant details in the design and implementation of the proposed reforms are still being developed’ and that ‘the best result will be achieved through ongoing and structured consultation with the states and territories’. This view suggests that federal intent is moving faster than state readiness currently allows.

But are there instances where a ‘last resort’ federal intervention is warranted? A recent Queensland Audit Office assessment of the adequacy of cybersecurity controls in potable water and wastewater services suggests that there are. The Audit Office concluded that while infrastructure operators were able to self-assess their capability to respond to information security incidents, they weren’t well prepared to effectively respond to, or recover from, intentional cyberattacks.

Those findings raise concerns about a repeat of an incident more than a decade ago when an intentional cyber disruption of a waste treatment plant’s control systems in the Maroochy Shire in southern Queensland resulted in a significant release of raw sewage into the community.

However, coercive federal intervention with state-based water-related utilities might not be a simple step because most local government water assets are incorporated as regional statutory bodies with local councils as shareholders. Thus, governance across three levels of government may add complexity if federal intervention into local-government-controlled assets is questioned.

The federal government has begun a very busy legislative phase and the policy agenda aligned to the work of the Critical Infrastructure Centre is progressing quickly. The many moving parts in Australia’s national security community create the potential for uncertainty in the application and interpretation of the suite of new and proposed legislation.

It’s also unclear whether the Critical Infrastructure Centre, as a new entity, has the expertise and capacity to both inform foreign investment review decisions and protect infrastructure from intentional disruption. Those are two very different tasks. The Critical Infrastructure Centre can’t be expected to cover all bases.