Level 4, 10 Moore St, Canberra ACT 2601
+61 2 5123 6700

Go8 Response: Exposure Draft Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022

1 February 2022

Department of Home Affairs

Thank you for the opportunity to respond to the Department’s consultation on the Exposure Draft Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022.

As the group of universities which undertake 70 percent of all university based research in Australia, we remain committed to safeguarding our critical infrastructure assets and to ensuring we have the necessary cybersecurity protections for our research as well as that of the partners with whom we interact.

We acknowledge the further time afforded to consider and respond to the non-urgent aspects (via this second Bill) following representations by the Go8 to the Department and the Parliamentary Joint Committee on Intelligence and Security of the risk management program (Part 2A), Systems of National Significance (SONS) (Part 2C) and the enhanced cybersecurity obligations that accrue to identified SONS (Part 6A).

The Go8 also appreciates the opportunity to relay our views at the roundtable with the Minister for Home Affairs on 1 February 2022.

Recommendations

The Go8 recommends:

  • That the proposed amendment of the definition of the higher education and research sector be further refined.
  • That the intent to not duplicate existing regulatory frameworks[1] relevant to the higher education and research sector be a strong feature of implementation
  • That the concept and parameters of a System of National Significance be further clarified for the higher education and research sector, or that consideration be given to relying on the higher education and research sector to identify the sector’s possible SONS to the Government
  • That the risk management program element of the proposed reforms is not turned on for the higher education and research sector, reflecting Go8 and wider sector discussions in 2021 with the Department, and the increased role of the University Foreign Interference Taskforce (UFIT) and the refreshed Guidelines to Counter Foreign Interference in the Australian university sector (UFIT Guidelines) in addressing related risks
  • That additional clarity and further discussion occur on the proposed enhanced cyber security obligations, with sufficient and appropriate guidance provided to the regulated sectors for the avoidance of doubt as far as possible
  • That the term and condition ‘defence of Australia’ be removed from the proposed definition, given it is duplicative to ‘national security’

Discussion

The consultation process undertaken by government has been welcomed and we would urge that it be ongoing for the reforms to succeed. Even at this stage of engagement, approximately 18 months from the start of the Government’s launch of its reform process, some key concepts remain nebulous or create uncertainty, including what a SONS and what the mechanism to identify it may be.

How the higher education and sector should be defined for the purposes of the regulation continues to present challenges. Specific feedback is below.

Definition of higher education and research sector

[Existing Security of Critical Infrastructure Act 2018 definition]
higher education and research sector means the sector of the Australian economy that involves:

(a) being a higher education provider; or

(b) undertaking a program of research that:

(i) is supported financially (in whole or in part) by the Commonwealth; or

(ii) is relevant to a critical infrastructure sector (other than the higher education and research sector).

[Exposure Draft Proposed new definition]
higher education and research sector means the sector of the Australian economy that involves undertaking a program of research that is: 

(a) supported financially (in whole or in part) by the Commonwealth; or

(b) critical to: 

(i) a critical infrastructure sector (other than the higher education and research sector); or

(ii) national security; or

(iii) the defence of Australia.

The intent in the proposed amendment to narrow the definition from the whole university (implied by the existing definition including reference to being a higher education provider) is supported. The Go8 specifically welcomes the narrowing of the definition to focus on that component that undertakes research given the importance and significance of research to social and economic stability, defence and national security as the key considerations under the legislation.

However we would suggest an additional amendment to the proposed definition to ensure absolute clarity as there are remaining questions regarding its parameters

  • What specific entities are proposed to be captured is still unclear.
    • The proposed new definition would still capture all Go8 universities who we would assert all conduct programs of research in part or in whole funded by the Commonwealth, that are critical to (i), (ii) and (iii) in the proposed definition, especially since (i) extends coverage very widely given that critical infrastructure sectors capture a majority of the economic and social activity in the country
  • What ‘critical to’ means in this context, and how that characteristic might be determined, should also be articulated, noting the change from ‘relevant to’ in the current definition.
  • Commonwealth financial support for non-research activities in universities may be argued to still support programs of research; given academics often have a dual teaching and research role.
    • The definition may be improved by further honing into research activity that is directly funded by the Commonwealth
  • The scope of the definition would be narrowed appreciably if it required the meeting of both condition (a) and condition (b) – that is by replacing ‘or’ (highlighted in red above) with ‘and’

Clarification is needed regarding the flow-on effects of amending the definition, including on

  • the definition of ‘critical education asset’ which in the SOCI Act 2018 ‘is taken to relate to the higher education and research sector’ though also ‘means a university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers’
  • implementing existing and future obligations such as reporting of cyber security incidents. For example, the proposed definition may suggest that obligations accrue in relation to research systems rather than enterprise or teaching and learning systems

Systems of National Significance (SONS)

The concept of a System of National Significance (SONS) was introduced in 2020, however since then there has been no public identification of any such asset for any sector and no identification at all for the higher education and research sector. The Go8 membership has yet to identify what may be a SONS among its assets, despite repeated consideration.

SONS are still proposed to be ‘a significantly smaller subset of critical infrastructure assets that, by virtue of their interdependencies across sectors and cascading consequences of disruption to other critical infrastructure assets and critical infrastructure sectors, are crucial to the nation’[2]

The ‘lived experience’ of what a SONS is in Australia seems limited, yet it is necessary to at least identify one such critical infrastructure asset if industries and sectors throughout Australia are to become familiar with the term and its implications.

The Go8 suggests the following steps:

  • More detailed discourse occurs to establish what a SONS might be for the higher education and research sector.
  • The Government consider that the higher education and research sector be asked to identify its SONS and that in the absence of any candidate, the provision on SONS not be switched on for the sector.
  • Considered discussion with the higher education and research sector around what may be possible candidates for a SONS in advance of the Minister declaring a specific SONS and the ensuing 28-day consultation.

Risk Management Program

The Go8 understands that the education asset class is not currently proposed to be covered by the risk management program element of the proposed Bill.

The Go8 strongly supports that the RMP not be switched on for the education asset class and that as much certainty be provided to the higher education and research sector that this will remain the case.

If this were to change at any point in future, the Go8 recommends prior detailed discussion and a far longer period than the 28 days consultation on any proposed rule to apply the RMP to the education asset class, given the expectations that it would be exempt.

Enhanced cyber security obligations

In view of the extensiveness of enhanced cyber security obligations that may be imposed on a responsible entity for a system of national significance, the Go8 recommends that the Government provide sufficient leeway and the necessary tools and guidance to assist with compliance with the four key obligations. This may include templates for incident response plans, sufficient warning of and advice regarding the nature of cyber security exercises and vulnerability assessments, and how the Secretary of Home Affairs may determine if a responsible entity is technically capable of providing specified system information. Training and capability building should also be provided where possible.

‘Defence of Australia’ versus ‘national security’

While ‘defence of Australia’ occurs as one of the possible conditions for Ministerial decision on what may be a ‘critical infrastructure asset’ or a ‘system of national significance’, or Ministerial authorisation relating to a cyber security incident, the Go8 contends that it is largely redundant and duplicates the definition condition of ‘national security’. Therefore we recommend the term ‘defence of Australia’ be removed from the definition of the higher education and research sector.

Yours sincerely
VICKI THOMSON
CHIEF EXECUTIVE


[1] The Introductory remarks in the ED to Bill Two notes ‘Government will work in partnership with responsible entities of critical infrastructure assets to ensure the new requirements build on and do not duplicate existing regulatory frameworks.’
[2] Explanatory document to SLACI Bill 2022 (Para 14)