The IRU has made a submission to the Government’s consultation on its proposed changes to the Security of Critical Infrastructure (SOCI) Act 2018.
The current Act:
- creates a register of information in relation to critical infrastructure assets (the register will not be made public);
- requires relevant bodies to provide information in relation to the asset, and to notify of events of concern;
- allows the Minister to require the relevant bodies to do, or not do, things where there is a risk to security;
- allows the Secretary to assess the risk to national security for each asset.
The Bill will extend the coverage of the Act to higher education and research as one of eleven new sectors. It greatly extends the array of requirements under the Act. In addition to those listed for the current Act the amendment Bill:
- requires relevant organisations to have, and comply with, a critical infrastructure risk management program;
- requires notification of cybersecurity incidents and imposes enhanced cybersecurity obligations;
- sets up a regime for the Commonwealth to respond to serious cybersecurity incidents.
The Government’s recognition that higher education and research infrastructure is vital to the Australian economy is positive. Universities stand to benefit from a stable and secure national asset portfolio. For international collaborative research, such security will only strengthen Australia’s position as a leading partner and host of research.
The emphasis on cybersecurity rightly targets an area of great concern, where the university commitment to openness and sharing of information to advance knowledge runs against actors which would disrupt our operations.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) is a cumbersome means to achieve this end, for universities and likely for other sectors to be included.
Fundamentally it ignores that universities are just as keen as the Federal Government that their operations are not put at risk. Universities are active in working with the Government to reduce risks and to act when incidents occur. The major challenge is the plethora of government agencies requiring action from universities with no coherence to these requirements.
The detail of how the proposed security arrangements would work is yet to be explicated. The overall sense is that the Bill enforces action to ensure universities, as part of national infrastructure, are protected. However, it is clear that universities already respond to government information and requests and take advantage of all advice provided.
The IRU recommends:
- universities be removed from the Bill and that the Government instead work collaboratively with existing bodies such as UFIT and AHECS to establish a proportionate response based on the level of individual institution risk to attacks on critical infrastructure. Universities have established a good working relationship with the Home Affairs Department and the UFIT process should be allowed to work in a positive and collaborative way.
If universities are not removed from the Bill:
- the Government should, in advance of the Bill being tabled, agree with the university sector how the requirements will be implemented. The process should emphasise proactive cooperative action, ahead of enforced regulatory action, and a realistic timeframe. A sector-wide working group, building on the existing mechanisms, is the appropriate means to do this; and
- the Government should only take direct action over a university’s assets in a case of extreme risk, with consent from the Vice-Chancellor.