Level 4, 10 Moore St, Canberra ACT 2601
+61 2 5123 6700

Go8 Submission to the PJCIS Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018

12 February 2021

Parliamentary Joint Committee on Intelligence and Security
PO Box 6021
Parliament House
Canberra ACT 2600

The Group of Eight (Go8), as Australia’s leading research-intensive universities (responsible for 70 per cent of the sector’s research) and with seven of its eight members ranked in the world’s top 100 universities, is pleased to provide evidence to the Committee’s Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018.

Please note that this submission represents the views of the Go8 as a whole. Individual Go8 members may also choose to provide a submission, focusing on their specific circumstances.

The Go8 focuses its comments in this submission to the Committee’s Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, rather than on the Review of the existing Security of Critical Infrastructure Act 2018.

Recommendations

  • The Government should set out a detailed and compelling case for including higher education and research as a critical infrastructure sector, given the regulatory ramifications. The Go8 urges the Committee to seek and include this rationale in the report of the Review.
  • If there is a need for universities to meet a Positive Security Obligation under the terms of the Bill, the Go8 recommends that already established and existing mechanisms, such as the Guidelines to Counter Foreign Interference in the Australian University Sector (the Guidelines), be leveraged as a way of meeting this obligation. This will help to reduce the burden on the sector while retaining the assurances required.

Key points

  1. The Go8 is committed to upholding a sound national security environment in Australia. This is firmly supported by our member institutions’ innovative and updated measures and strategies to prepare for and respond to security threats, detailed at length in the Go8 submission to this Committee’s current Inquiry into national security risks affecting the Australian higher education and research sector (see Appendix 3).
  2. The Go8 recognises that universities host, own, manage or are otherwise custodians of important infrastructure assets that may be of interest to the Government as potential critical infrastructure assets: assets that, if compromised, may significantly impact the social or economic wellbeing of the nation, or – in a less likely scenario – affect Australia’s ability to conduct national defence and ensure national security. That this may be the case does not, however, form a sufficient basis to include the entire sector under the SOCI Act, nor to denote entire universities, rather than parts thereof, as critical education assets.
  3. The Australian Government has in fact not yet identified any critical infrastructure assets in the higher education and research sector. In late November 2020, the Department of Home Affairs indicated to the Go8 that it is yet to be established where the Act needs to be turned on for the sector[1]. The Go8 urges the Committee to examine, as part of its Review, specifically why the higher education and research sector and its infrastructure assets need to be subject to the provisions of the Security of Critical Infrastructure Act 2018 (SOCI Act 2018) as proposed to be amended by the Security Legislation Amendment (Critical Infrastructure) Bill 2020 – when to date no other Five Eye nation lists higher education and/or research among its critical infrastructure sectors.
  4. The proposed amendments are extensive and so far beyond the provisions of the SOCI Act that a more prolonged and detailed consultation, including of individual sectors, would have been desirable prior to the amendments being considered by Parliament. Indeed, a Bill for a replacement Act might have been more appropriate given the extent of change to the SOCI Act. Even those sectors currently subject to the SOCI Act are likely to be grappling with the ramifications of the extended requirements and provisions being put forward.
  5. The Go8 is deeply concerned that the regulatory impact and costs that may accrue to the sector and its members because of this legislation will be significant, and far greater than so far estimated by the Government, especially when added to the costs of regulation already being borne by the sector for compliance with the Foreign Influence Transparency Scheme Act 2018 and Australia’s Foreign Relations (State and Territory Arrangements) Act 2020, and to the significant disruptions experienced as a result of the 2020 pandemic year.
  6. The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector. Should the higher education and research sector continue to be a sector for the purposes of the legislation, the Go8 seeks that the Review discuss and/or determine:
    1. The degree of overlap of this legislation with other regulatory requirements, and how duplication and overlap can be minimised to reduce confusion, inappropriate implementation and regulatory burden.
    2. How the meaning of critical education assets can be fine-tuned further from the all-encompassing definition currently present in the Bill, such that subsets of critical education assets – rather than everything in a university – would be subject to the legislation.
    3. Detailed criteria for identifying critical infrastructure assets that, among those critical education assets, would be subject to the key requirements of the legislation.
    4. Detailed criteria for identifying systems of national significance, noting that there is confusion regarding whether the sector has any infrastructure that may qualify. There is uncertainty particularly regarding national research infrastructure assets that span institutions and sectors – including Government – and are used by industry.
    5. What the total estimated regulatory costs would be per sector, including for the higher education and research sector, should the sector attract lesser requirements under the legislation for reporting cyber security incidents with lesser expected impact.
  7. The Go8 appreciates that consultation to date with the Department of Home Affairs has led to some welcome changes to the draft Bill, including extended consultation periods, provision of more time for reporting and other requirements, for a responsible entity to be consulted in relation to systems of national significance, and provision of an avenue for appeal concerning Ministerial decisions on whether an asset is a system of national significance. The Go8 would support further extension of consultation periods from 28 days to 60 days for new rules, and any additional mechanisms to ensure that sufficient communication and consideration occurs during implementation.

Additional comments

Inclusion of the higher education and research sector as a critical infrastructure sector

Australia appears to be the only Five Eye country to identify the higher education and research sector as a critical infrastructure sector. In the United Kingdom, there are 13 Critical National Infrastructure sectors[2] while in the United States, there are 16[3]. Neither the United Kingdom, the United States nor Canada[4] includes higher education and/or research as a critical infrastructure sector. New Zealand does not appear to have a current public listing of critical infrastructure sectors.

A 2014 paper published by the Critical Five countries, ‘Forging a Common Understanding for Critical Infrastructure’, representing the shared views of the five member nations (Australia, Canada, New Zealand, the United Kingdom, and the United States)[5], did not list higher education and research as possible critical infrastructure. The paper noted all Critical Five members as having identified the following sectors as critical:

  • Communications
  • Energy
  • Healthcare and Public Health
  • Transportation Systems
  • Water (to include Wastewater and Storm Water Systems)

The paper notes that several members highlight these:

  • Banking and Financial Services
  • Critical Manufacturing
  • Emergency Services
  • Food and Agriculture
  • Government Facilities
  • Information Technology

The Government’s logic so far for including the higher education and research sector seems to be that it is a sector whose demise will have significant economic and social ramifications. The same however could be said of many sectors, including schools, which have not been identified as a relevant sector. The Government may also point to cyber-attacks on the sector such as at the ANU in 2018 as a reason for including the sector – however this is not consistent with the treatment of the government sector which has also been subject to significant cyber-attack yet is excluded from the legislation, contrary to its inclusion in other Five Eye lists of critical infrastructure sectors.

At a minimum, it would seem necessary and beneficial for the Government to set out a detailed and compelling case for including higher education and research as a critical infrastructure sector, given the regulatory ramifications. The Go8 urges the Committee to seek and include this rationale in the report of the Review.

Regulatory impost and costs

The Go8 notes that the Regulatory Impact Statement included with the Explanatory Memorandum to the Security Legislation Amendment (Critical Infrastructure) Bill 2020, introduced by the Home Affairs Minister in Parliament on 10 December 2020, estimates costs to all sectors of $2.19 million a year from the Register of Critical Infrastructure Assets and the mandatory cyber reporting.

  • This estimate represents but a fraction of expected regulatory costs, given that the other significant requirements under the legislation are not yet costed in terms of impact, and it is expected that total regulatory costs would be significantly higher[6].
  • The Go8 urges that the Review seek further detail and greater transparency regarding the total costs, including for the Enhanced Cyber Security Obligations or the Ministerial Directions power and the risk management program component of the Positive Security Obligation.

If there is a need for universities to meet a Positive Security Obligation under the terms of the Bill, the Go8 recommends that already established and existing mechanisms, such as the Guidelines to Counter Foreign Interference in the Australian University Sector (the Guidelines), be leveraged as a way of meeting this obligation. This will help to reduce the burden on the sector while retaining the assurances required.

The Go8 notes that the findings of the Regulatory Impact Statement (RIS) were not shared or discussed with the Go8 in meetings with the Department of Home Affairs. These figures have not been validated by our institutions.

  • It is notable that the Office of Best Practice Regulation itself noted that ‘for the RIS to achieve good practice, given the significance of the package of reforms, the RIS would have benefited from being released for consultation which would allow stakeholders to verify the accuracy of the regulatory costings and assumptions, as well as the broader impact analysis’[7].

The Go8 recommends that a breakdown per sector of these costs be reported via the Committee’s Review. The Review would also benefit from further detail regarding the cost of inaction estimated for each sector for a single week, being reported under the RIS as $1.6 billion for the higher education and research sector. This is the third highest cost for a sector after the Financial Services and Market Sector and the Energy Sector.

Relative importance of higher education and research sector as a critical infrastructure sector

As noted previously, it has been unclear from the consultations, and from both the Exposure Draft and the introduced Bill including their explanatory memoranda, what the specific importance of the higher education and research sector is.

The Exposure Draft consultation paper does not rationalise the inclusion of education and research in any way other than to state ‘Malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber-attacks on health organisations and medical research facilities.’

The Minister’s second reading speech upon introduction of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 refers to compromises of university networks, repeating this from the explanatory memoranda to the Exposure Draft Bill and the introduced Bill. All three also refer to compromises of the Australian parliamentary network – however the legislation is not being extended to parliament or government.

If the higher education and research sector continues to be included when the Bill becomes law, some recognition that there may be varying levels of criticality between the 11 sectors is needed – with requirements adjusted accordingly.

The Go8 would advocate that the expectations of the sector under the Bill be reduced commensurate to the level of importance and criticality of its relevant infrastructure. Given the lack of specificity of definitions for the sector[8], versus some of the other 11 sectors to be included under the legislation, the higher education and research sector would seem to present a lesser risk. Indeed, the Explanatory Memorandum to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 notes as an example:

‘Determining whether an incident is having a significant impact on the availability of the asset will be matter of judgment for the responsible entity. For example, a cyber security incident which affects the availability of a critical clearing and settlement facility for a very brief period may have significant economic repercussions while an incident that affects the availability of a critical education asset for the same period of time may have a substantially lower impact’ (para 642).

Previous submissions

The Go8 respectfully refers the Committee to its submission responding to the Committee’s Inquiry into national security risks affecting the Australian higher education and research sector for broader context regarding the Go8’s commitment to national security.

The Go8 also refers the Committee to its three submissions so far to the Department of Home Affairs on the extension of the SOCI Act to the higher education and research sector, and draws the Committee’s attention to the Go8’s recommendations in its latest (November 2020) submission in response to the Exposure Draft of the Bill:

  1. That the extension of the Security of Critical Infrastructure Act 2018 to the higher education sector be nuanced and targeted, informed by a comprehensive understanding of university operations and relationships, and the potential ramifications of regulatory approaches.
    a. In order to achieve this, far more time is needed than the 14 days’ timeframe for consultation on draft rules proposed in the Bill (30AL). The Go8 proposes a minimum of 60 days consultation for new rules and 30 days for amended rules.
  2. That the parameters be more tightly defined – after the Department of Home Affairs reaches an understanding of universities – rather than as currently suggested by the Department, as for utilities such as gas, water, and electricity, and our ports, all of which are quite different in structure.
    a. As a principle, the definition – or at minimum, the interpretation – of critical education asset should be framed by exclusion rather than inclusion of assets. That is, the definition should specifically name assets or groups of assets to be included rather than assigning the label to the entire university. Distinction should be possible for instance between buildings and open spaces, research laboratories and university pubs, and indeed it should be possible to assign levels of criticality to critical assets on the basis of immediate versus longer term impact[9].
    b. That systems of national importance be more tightly defined in the Bill, with examples provided to stakeholders of what such systems can be – if and where already identified and agreed with sectors.
  3. That a pilot be undertaken to begin with, focusing on specific purposes or infrastructure such as cyber, as this may assist in better establishing the parameters, ramifications and approach to be extended more broadly across other purposes or infrastructure.
    a. Such a pilot should focus on specific assets or groups of assets that may be considered for inclusion in the definition as per Go8’s Recommendation 2a.
  4. That all efforts be taken to minimise overlap and duplication with other regulatory measures currently in place to secure university operations.
  5. That a concerted effort be taken by Government to avoid over-reach and the distinct potential for unintended consequences in developing its approach.
    a. There must be stronger parameters around the Ministerial discretion to declare ‘systems of national importance’ and to prescribe or declare additional assets for sectors – to avoid the possibility of misapplication of the legislation.
    b. The relevance of the Positive Security Obligation and each of its three aspects to areas of the higher education and research sector needs to be more specifically defined, and the Positive Security Obligation required only for those specific assets or groups of assets under a revised definition of critical education asset.
  6. That there be an emphasis on minimising the regulatory burden on universities (already extensive) and that the methodology and results of the Government’s own inquiries into the regulatory cost be made available to the sector as soon as possible.
  7. That Government be open and transparent regarding the potential consequences for the sector, including the extent and nature of its ‘assistance’ in situations of cyber-attack.
    a. There should be an independent review of the legislation’s operation to ensure it is fit-for-purpose, effective, and has no unintended negative consequences, in addition to the proposed processes to review the operation, effectiveness and implications of sector-specific rules.
  8. That Government seriously consider that a positive way to align with existing regulatory requirements, as well as ensuring limited cost and impost, would be to use an existing mechanism to oversee the implementation of future agreed measures. Further discussion is needed to determine which existing body or mechanism may be best suited.
  9. For reforms under the Security of Critical Infrastructure Act 2018 to be effective, they must be both consistent in intent across sectors and tailored to each sector’s operational and risk profile, while also making provision for the interconnectedness of sectors.

Yours sincerely
VICKI THOMSON
CHIEF EXECUTIVE


[1] Meeting between Department of Home Affairs and Go8, 26 November 2020.

[2] https://www.cpni.gov.uk/critical-national-infrastructure-0; https://www.ncsc.gov.uk/section/private-sector-cni/cni

[3] https://www.cisa.gov/critical-infrastructure-sectors

[4] https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx

[5] Paper accessed at https://www.treasury.govt.nz/sites/default/files/2017-12/crit5-narrative-v2.pdf and https://www.cisa.gov/publication/critical-five-shared-narrative-2014

[6] The introduction of the Security of Critical Infrastructure Bill 2017 encountered similar issues with stakeholders from the electricity, gas and water sectors reportedly concerned that the Government had underestimated the costs of the measures to industry in the estimates released with the Exposure Draft (https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd1718a/18bd089)

[7] Noted on Department of Prime Minister and Cabinet’s listing of the RIS for this Bill at https://ris.pmc.gov.au/2020/12/11/protecting-critical-infrastructure-and-systems-national-significance-regulatory-reforms

[8] The Go8 would suggest that the higher education and research sector has been less of a priority than some of the other 11 sectors as the Bill has been developed, with the Bill’s treatment of this sector less evolved precisely because it is less of a concern.

[9] For example, one could consider degrees of criticality in regard to the facilities on which the development of a vital vaccine candidate relied (with shorter term immediate impacts) versus the computational modelling equipment supporting long term Bureau of Meteorology forecasts (and response to future weather events).