May 29, 2020

Australian Government Legislates to Protect Critical National Infrastructure

Protecting Australia’s critical infrastructure from threats is essential to Australia’s national security interests, community safety and the overall quality of life for Australians.

In March 2018, the Australian Parliament passed the Security of Critical Infrastructure Act 2018, which is due to commence on 11 July 2018. The Act imposes new obligations on operators and owners of “critical infrastructure assets” – Australia’s high-risk major ports and electricity, water and gas utilities.

It is evident from the Second Reading Speech and the Explanatory Memorandum that the Australian Government is concerned about managing national security risks arising from foreign involvement in Australia’s critical infrastructure.

The Act requires entities that are responsible for, or have an interest in, Australia’s critical infrastructure assets (for example, water utilities that service at least 100,000 connections) to report operational information and information about the asset’s ownership structure to the Critical Infrastructure Register. This information is intended to assist the Australian Government to understand who owns, controls and has the ability to influence Australia’s critical infrastructure.

Whilst the Act is designed to protect critical services from national security threats, the legislation does not provide much detail about its implications for cyber security. According to the Explanatory Memorandum, reporting entities will need to disclose their IT service provider arrangements and how they manage and maintain data, including whether data is stored offshore and onshore. Further, in certain circumstances, the Minister can direct an entity to improve its cyber security practices if the Minister considers the entity’s practices are prejudicial to security.

We wonder whether this legislation will actually have a significant positive impact on managing national security and cyber risks, or just be another reporting obligation for affected infrastructure asset owners or operators. Also, we question whether storing all of this highly sensitive information in a single register is a wise move from a cyber risk perspective. One would hope this register will be very well protected, otherwise security weaknesses in the register would completely undermine this new Act.

This post was also written by Sarah Goegan.

Copyright 2020 K & L Gates


About this Author

Cameron Abbott, Technology, Attorney, Australia, corporate, KL Gates Law Firm

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurement issues, including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market-leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Keely O'Dowd, K&L Gates, attorney, Melbourne

Ms. O'Dowd is an experienced lawyer with a focus on technology and sourcing projects. She advises on a broad range of technology transactions, including procurement, outsourcing and software licensing. This work includes drafting and advising on a range of IT procurement and supply agreements. Ms. O'Dowd advises a range of corporations on privacy and cybersecurity.