
Security Legislation Amendment (Critical Infrastructure) Bill 2020 – IRU submission

The IRU has submitted its views on the exposure draft of the Government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020.

The Government’s recognition that higher education and research infrastructure is vital to the Australian economy is positive. Universities stand to benefit from a stable and secure national asset portfolio. For international collaborative research, such security will only strengthen Australia’s position as a leading partner and host of research.

The emphasis on cyber security rightly targets an area of great concern, where the university commitment to openness and sharing of information to advance knowledge runs up against actors who would disrupt our operations.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) is a cumbersome means to achieve this end, for universities and likely for other sectors to be included.

Fundamentally it ignores that universities are just as keen as the Federal Government that their operations are not put at risk.  Universities are active in working with the Government to reduce risks and to act when incidents occur.  The major challenge is the plethora of government agencies requiring action from universities with no coherence to these requirements.

The detail of how the proposed security arrangements would work is yet to be explicated. The overall sense is that the Bill enforces action to ensure universities, as part of national infrastructure, are protected. However, it is clear that universities already respond to government information and requests and take advantage of all advice provided.

Recommendations

The IRU recommends:

  1. universities be removed from the Bill and that the Government instead work collaboratively with existing bodies such as UFIT and AHECS to establish a proportionate response based on the level of individual institution risk to attacks on critical infrastructure.

If universities are not removed from the Bill:

  1. the Government should, in advance of the Bill being tabled, agree with the university sector how the requirements will be implemented. The process should emphasise proactive cooperative action, ahead of enforced regulatory action, and a realistic timeframe. A sector-wide working group, building on the existing mechanisms, is the appropriate means to do this; and
  2. the Government should only take direct action over a university’s assets in a case of extreme risk, with consent from the Vice-Chancellor.

What the bill proposes

The Bill proposes changes to the Security of Critical Infrastructure (SOCI) Act 2018.

The current Act:

  • creates a register of information in relation to critical infrastructure assets (the register will not be made public);
  • requires relevant bodies to provide information in relation to the asset, and to notify of events of concern;
  • allows the Minister to require the relevant bodies to do, or not do, things where there is a risk to security;
  • allows the Secretary to assess the risk to national security for each asset.

The Bill will extend the coverage of the Act to higher education and research as one of eleven new sectors. It greatly extends the array of requirements under the Act.  In addition to those listed for the current Act the amendment Bill:

  • requires relevant organisations to have, and comply with, a critical infrastructure risk management program;
  • requires notification of cyber security incidents and imposes enhanced cyber security obligations;
  • sets up a regime for the Commonwealth to respond to serious cyber security incidents.

The current Act is 62 pages long; the sections in the Bill amending the current Act are 128 pages, such that the Act will be more than twice the size if the Bill is passed. The emphasis on responding to cyber security makes sense against the evidence of several serious cyber-attacks in recent years, at least one involving a university (ANU). However, more information is needed to show why the current requirements of the Act are insufficient for it to achieve its purposes – for the sectors currently covered or for those proposed to be included.

Impact on universities

Is the Bill necessary?

The IRU questions whether universities need to be included in this bill to achieve the intended outcome of institutions well prepared for actions against them and able to respond in concert with government should incidents happen.

It is not clear what has happened since the passage of the Security of Critical Infrastructure (SOCI) Act 2018 to suggest that universities are not responding effectively to advice and warnings concerning potential actions against them.

Existing mechanisms that could be used to strengthen arrangements

There are several existing relevant vehicles that could lead development and implementation of protective actions.

  • The Government’s University Foreign Interference Taskforce (UFIT), which includes representation of 10 government agencies and 13 universities, is the high-level body able to deal with the threat environment in a co-ordinated and meaningful way. It is possible that membership will need to be expanded to include those universities with major critical infrastructure, which would involve the Government being specific about which pieces of critical infrastructure it is most concerned about. An expanded UFIT would be a far better, less costly and more successful solution than the current bill.
  • The Council of Australasian University Directors of Information Technology (CAUDIT) has partnered with Australia’s Academic and Research Network (AARNet), AusCERT, Research and Education Advanced Network New Zealand (REANNZ) and the Australian Access Federation (AAF), to establish the Australasian Higher Education Cybersecurity Service (AHECS).

AHECS is already working to support universities to continue to operate in the face of cyber disruptions. This includes awareness raising training, benchmarking, maturity assessments, coordinated threat intelligence and a sector-specific SOC provided by AARNet. These actions will help safeguard the intellectual property, digital assets, people, and hence reputation of Australia’s universities.

Designed to suit the breadth of the university and research sector

It is not appropriate that all universities, whether small and based in a regional area or city-based with large numbers of international students, and the different sets of research infrastructure, be treated in the same way.

To work out with universities an effective strategy and its implementation would provide the risk-based and proportionate approach Universities Australia argued for in the initial round of consultation on this issue.  This should be a cooperative venture without legislation but could be a system backed by a legislative framework.

New government powers for intervention

There are new powers in the Bill for the Government to “provide direct assistance to industry in the event of a serious cyber security incident.”  The earlier round of consultation in September 2020 raised concerns about the extent of these proposed new government assistance powers that could involve an extensive intervention in university operations.

With an effective scheme of response worked out with the sector, as proposed above, there should be little need to order actions. Rather there will be effective joint action by university and security agencies.

This means that direct government action should be used only for an extreme risk and require the approval of the relevant executive authority, most likely the Vice-Chancellor.

Linked to a whole of government approach to universities and national security

The Bill is one of several government interventions with universities as part of its response to external threats to national security.  However, there is little evidence that a joined up, whole of government approach, with communication between government agencies, has been applied in this bill.


National priorities and industry linkage fund (NPILF) consultation – IRU response

The IRU has submitted its response to the Government’s consultation on the National Priorities and Industry Linkage Fund (NPILF), a fund introduced under the Job-Ready Graduate package to support enhanced engagement between universities and industry.

Over the past decade, universities have strengthened work-driven learning and activities across all degrees. This has extended work-based learning from the traditional professions that have previously included placements through to the full suite of courses on offer. Doing so has transformed the large generalist degrees like arts and commerce and business.

Universities have done this to ensure degrees prepare students better for their careers (that they are job-ready graduates). Government has encouraged universities to do so by supporting industry partnership initiatives and measuring graduate employment outcomes.

The National Priorities and Industry Linkage Fund (NPILF) will be resourced by funds moved from the annual Commonwealth Grant Scheme payment per student.

The risk for NPILF is that universities are subjected to a time consuming and administratively cumbersome mix of performance metrics and a need to highlight certain projects. Taken together this could distract from, rather than enhance, the focus universities already have on improving future workplace outcomes for graduates.

NPILF needs an effective means to bring employers into active engagement with universities, with sufficient time to test out and identify the better practices that all can consider.

It also requires a more detailed discussion about how indicators are used to assess performance in ways that lead to better outcomes and avoids discouraging diverse approaches with potentially less predictable outcomes.

The IRU response addresses:

• NPILF aims, principles and approach;
• ensuring that employers want to be involved;
• best practice approaches – development and sharing;
• future allocation of funding;
• equity and work-driven learning; and
• using performance metrics more effectively.

It concludes with highlight examples of existing IRU work-driven learning, including an innovative suite of eWIL (e-Work Integrated Learning) projects across three government departments.

IRU Recommendations

To ensure the best return from the new program the IRU recommends eight improvements:

1. The STEM priority should remain focused on the STEM degrees and units that provide the broader generalist skills at issue and which currently do not lead consistently to the desired economic outcome.

2. The program should focus on nine core indicators only, removing the need for three additional choices.

3. Financial incentives for industry to partner with universities under NPILF, through additional funding for an industry incentives payment.

4. The program structure be altered such that:
− the pilot phase be organised as a three-year assessment with annual feedback, with the three-year approach to be routine once the NPILF model is implemented in 2024;
− the entire process be greatly simplified from 2024 with less emphasis on multiple reporting indicators to remove the considerable administrative burden on universities for the initial 2021 to 2023 period;
− the concept of withholding funds from universities which do not meet their stated NPILF goals be removed. Publication of each university’s outcomes would be sufficient.

5. Support for universities to expand and adopt good practices highlighted through NPILF agreements.

6. That the banded allocation of funding based on CSP EFTSL used between 2021 and 2023 should be continued from 2024 and beyond to provide the most realistic support, taking account of institutional needs and the spread of students across universities.

7. The metric indicators should be contextualised for the different composition of the student group at each university.

8. The following revisions to indicator performance measurement:
− universities can meet the NPILF metric requirements if successful on any metric within a priority;
− an ongoing discussion between the Department of Education, Skills and Employment and university representative bodies about the use of performance indicators to ensure they are well suited both to encouraging improvement and to recognising currently high-level performance that need not be the focus for immediate improvement.
