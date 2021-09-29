Committee recommends splitting controversial critical infrastructure bill in order to rush through step-in and mandatory reporting powers.

A parliamentary committee has urged the federal government to pass emergency powers allowing it to take control of an organisation's infrastructure during significant cyber attacks.

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has recommended the proposed critical infrastructure security laws be split into two, giving the government powers to step in and provide "assistance" to entities hit by hackers.

This would also provide the government and industry with time to continue consulting on the other issues surrounding the controversial bill.

However, these so-called "last resort" powers, which will compel besieged entities to gather information, undertake an action, or authorise the Australian Signals Directorate (ASD) to intervene, have proved a hard-sell to much of Australia's tech industry.

These included Amazon Web Services (AWS) and Microsoft, alongside the likes of Salesforce and Cisco.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was first presented to the House of Representatives in December 2020.

As well as granting the government direct intervention powers, the bill also proposed to recognise data centres and telecommunications as critical infrastructure.

The emergency powers relate to parts 3A and 2B of the existing bill, with the former giving the government powers to gather information, issue directions, or act autonomously to directly intervene in an asset, while the latter refers to the notification of cyber security incidents.

Meanwhile, the second bill is set to include anything untouched by bill one, including declarations of systems of national significance, enhanced cyber security obligations and positive security obligations, which are to be defined in legislation.



According to the committee's report, the bill needs to be rushed because of the limited time remaining in the parliament sitting calendar during 2021 — 12 days for the House of Representatives and 16 for the Senate.

The committee also acknowledged the controversial nature of the proposal, with the report referencing “significant disagreement between industry and government on the exact response required”.

Committee chair Senator James Paterson also said many businesses have asked for the government to pause the bill during the ongoing COVID-19 pandemic as there are some elements of the bill still being developed.



“While sympathetic to the concerns of industry leaders, the Committee does not believe that pausing the entire bill is in Australia’s national interests given the immediate cyber threats that our nation faces," he said.

“The Committee’s recommended solution allows for the urgent measures to pass now to equip the government with the emergency powers it needs while allowing additional time for co-design to overcome the concerns of industry about the regulatory impact."

“The passage of both bills is essential because cyber security is not just the government’s job. Industry has a role to play too and the second bill which imposes obligations on businesses is an important part of a comprehensive response to the serious challenges we face,” Paterson added.