Home Affairs likens critical infrastructure protections to insurance and crime-fighting

The federal government in November published an exposure draft on the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which seeks to amend the Security of Critical Infrastructure Act 2018 (SOCI) to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure”.

If passed, SOCI would create a new class of regulated entities known as “systems of national significance”, which Secretary for the Department of Home Affairs Mike Pezzullo has labelled the most profoundly important segments of national infrastructure: gas, water, power, and banking.

It would create mandatory reporting loops between the sector and the Australian Cyber Security Centre, allowing the responsible minister to designate a sector as being so sensitive that the Australian Signals Directorate (ASD) would be on the network and perform monitoring.

But not everyone, Pezzullo noted, would get that ASD-level protection under SOCI as the economy is just too large.

Facing the Legal and Constitutional Affairs Legislation Committee on Friday, Pezzullo was asked if looking after the “top tier” would result in the needs of the “middle tier” being neglected. He was also asked to expand on what the government’s view of its responsibility is.  

“There are two strands here. It’s like general crime. Governments frame insurance markets — people take out insurance — but they also fight crime,” he said.

“Right down to the household level, you’re expected as part of your household insurance to secure your property with alarms and locks et cetera — and that affects the premium, but that doesn’t prevent the police — in fact, the police actively go after the criminals who might be doing break-and-enter. Cyber is no different.”

The element that’s missing, he said, continuing the insurance metaphor, is what the cost is, in an actuarial sense, that both households and firms would be willing to bear in order to provide a certain level of protection.

“Then the government strikes at the attacker, or strikes at…