What do new critical infrastructure laws mean for Australian businesses?
Under tough new critical infrastructure legislation, anyone who refuses to allow Australia’s cybersecurity forces to access their business computers can be jailed for up to two years.
Parliament recently passed amendments to the Security of Critical Infrastructure Act 2018. This gives government authorities increased power to take action against those in the private sector who do not cooperate with their efforts to tighten up security against cyberattacks.
These new powers are among the toughest cybersecurity laws in the world.
Critical infrastructure laws now extend across more industries
The Security Legislation Amendment (Critical Infrastructure) Bill significantly expands the number of sectors classified as critical infrastructure.
Companies operating in communications, financial services, data storage and processing, as well as higher education, will now fall under critical infrastructure laws and be subject to mandatory reporting of cyberattacks. The legislation also extends to the healthcare, food and space technology sectors.
These industries join essential infrastructure sectors such as transport, aviation, gas, ports, water, fuel, electricity, hospitals, research and defence under the cybersecurity regime.
Harsh consequences for non-compliance
The expanded powers authorise the Australian Federal Police to force entry into a business and arrest individuals if they do not provide access to their business computer systems. It also makes reporting of cyberattacks mandatory and gives “last resort” powers to the Australian Signals Directorate to intervene.
People in critical infrastructure businesses who do not respond to an Australian Signals Directorate order (for it to take control of their company’s computer systems) face two year jail terms and fines up to $26,640. Corporations face fines up to $133,200.
Failure to report a cyberattack on business computers can result in a fine of $11,100.
Law reforms intended to protect Australians from cyberattacks
Home Affairs Minister Karen Andrews said the extra powers were needed to protect critical infrastructure from cyberattacks and to impose cybersecurity obligations on assets most important to the nation. (See Critical infrastructure reforms to protect the essential infrastructure we all rely on, Minister for Home Affairs, October 2021.)
Ms Andrews likened the new powers to fire codes and building regulations, designed to protect Australians from the growing threat of cyberattacks.
Concerns around government powers to access business data
While investigating cyberattacks, government authorities now have the power to “access, add, restore, copy, alter or delete data” on a business computer.
This is causing unease among businesses, which may have to install government software on their networks. This, in turn, could allow government agencies to gain access to their internal communications and data and even direct the company to take certain actions.
Given the tough penalties in this new legislation, it’s important for businesses to understand whether the new laws apply to them, and if so, how to comply with the new rules.