How Australia’s critical infrastructure operators procure and outsource their IT services, and from whom, may come under increased scrutiny by the Federal Government, if new proposed legislation becomes law.
The Government’s proposed Security of Critical Infrastructure Bill 2017 contains two new measures to better manage the purported national security risks associated with foreign involvement in Australia's critical infrastructure.
The proposed legislation has a particular focus on potential foreign espionage, sabotage and coercion in the local critical infrastructure sub-sectors.
Australia’s Attorney-General, George Brandis, released an exposure draft of the Bill on 10 October, and is calling for industry feedback on the proposed legislation.
“Foreign involvement in Australia's critical infrastructure is essential to Australia's economy,” Brandis said in a statement. “However with increased foreign involvement, through ownership, offshoring, outsourcing and supply chain arrangements, Australia's national critical infrastructure is more exposed than ever to sabotage, espionage and coercion.”
The draft Bill, if passed into law, will create a “last resort power” which will allow the appropriate Government minister to issue a direction to an owner or operator of a critical infrastructure asset to mitigate significant national security risks.
The second measure involves the creation of a critical assets register providing the Government greater visibility of which entities own, control and have access to critical infrastructure assets.
This information will inform the Government's assessments of assets most at risk from espionage, sabotage and coercion.
The proposed measures come off the back of the Government’s Critical Infrastructure Centre, which was established in January this year to bring together expertise and capability from across the Federal Government to manage the potential risks outlined by Brandis.
Indeed, Brandis said that the Centre is delivering more coordinated national security assessments to inform foreign investment decisions in significant and complex cases.
The Centre works in close consultation with state and territory governments, regulators, and critical infrastructure owners and operators, with an initial focus on the national security risks to four high-risk sectors: telecommunications; electricity; water; and ports – the four main areas of focus for the proposed legislation.
Among the legislative measures already taken by the Government to bolster the country’s critical infrastructure resilience is the somewhat controversial Telecommunications and Other Legislation Amendment Bill 2017, which amends the Telecommunications Act 1997 to establish a security framework to “better manage national security threats to telecommunications networks”.
The telecommunications security legislation was approved by the House of Representatives on 14 September, almost exactly a month after it passed in the Senate with a number of amendments.
The proposed legislation released on 10 October refers only to providers in the electricity, water and ports sectors; the telco sector is covered by the telecommunications sector security reforms (TSSR) already passed by Parliament. Even so, the draft Bill does raise the prospect of increased Government oversight in relation to outsourced IT and technology services.
It is likely that such oversight would be heavily focused on overseas suppliers. However, suppliers that operate in the local market but also happen to be headquartered overseas may come under the watchful gaze of the Government.
The Government is accepting feedback submissions about the proposed legislation until 10 November.