Why the amended Critical Infrastructure Protection Act is an important step in Australia’s cyber-security battle

Jul 4, 2023

Imagine a world where unforeseen threats are constantly lurking in the shadows of the digital world, targeting essential services, businesses, and even government institutions. It sounds like something out of a sci-fi movie, right? But the reality is, it’s a pressing concern that countries around the world, including Australia, have been grappling with for some time and still are today. Consequently, the Australian government has taken a critical step in controlling these cyber-attack risks with the implementation of the updated Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, which came into effect on April 2, 2022.

The Dark Past

Let’s take a moment to reflect on a time when cyber-attacks were just starting to gain momentum. Fast forward to today, and the numbers are astonishing! Cyber-attacks have surged, and in doing so have wreaked havoc on federal parliamentary networks, government agencies, lawyers, logistics systems, medical facilities, and even universities. It’s a virtual battleground out there and it’s a scary one! However, among all this chaos, there is a silver lining. The recurrence and severity of these incidents have served as a stark wake-up call, highlighting the urgent need for robust security measures.

As if dealing with a health crisis in 2019/2020 wasn’t enough, cyber attackers used this time as the perfect opportunity to intensify their efforts. Australians were reporting a cybersecurity incident every 10 minutes! Phishing attacks seemed to be cyber attackers’ weapon of choice. What started out as government impersonators and financial service scammers quickly led to fraudulent cure peddlers and purveyors of counterfeit medical equipment – the digital landscape was swarming with adversaries. Remote workers and online services in particular became prime targets in this cyber battlefield.

The Call to Action

Why are new obligations so important now? You may wonder, “What’s the urgency? Why the need for new obligations?” Well, the answer clearly lies in the shared responsibility between government and the owners and operators of the infrastructure. The Australian Government understands that protecting critical infrastructure is not a one-man job. The Security Legislation Amendment Act represents the initial steps in uniting this dynamic force. The objective is simple yet crucial: to fortify the existing framework and effectively manage risks. We cannot afford to simply stand by any longer and allow these cyber criminals to continue to attack.

Introducing the New Obligations

Now, let’s look further into the new details that have emerged from the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022. Get ready, because we’re about to embark on a journey that will reshape how critical infrastructure is protected. In a nutshell, responsible entities overseeing critical infrastructure assets are now required to establish, maintain, and comply with robust risk management programs. It’s all about implementing proactive measures to minimise the number and the effect of these cyber-attacks. But wait, there’s more! The term Systems of National Significance (SoNS) will become familiar to you. These are the crème de la crème of critical infrastructure assets, essential to Australia’s social, economic, defence, and national security. These prized assets face additional cybersecurity obligations, adding an extra layer of armour to shield them from the malicious attackers that may be lurking.

Who’s in the Hot Seat?

Now, let’s address the burning question of who exactly is affected by these obligations. Essentially, it’s a supply chain issue – responsible entities overseeing critical infrastructure assets, this one’s for you! What used to be four sectors has now expanded to 11 critical infrastructure sectors under the amendment. These include health service providers, finance (including superannuation), legal, accounting, and management services, and even insurance. Let’s not forget the Australian government itself: it’s leading by example and actively participating in this collective effort to strengthen our critical infrastructure.

What are the changes?

The Amended Act has expanded and now applies to 11 critical infrastructure sectors and contains significant measures to uplift the security and resilience of critical infrastructure, keeping it safe from physical, supply chain, cyber and personnel threats. 

The Amended Act has introduced a new obligation for responsible entities to create and maintain a critical infrastructure risk management program, as well as a new framework for enhanced cyber security obligations required for operators of SoNS.

On top of these obligations, we also have Government Assistance Measures. These measures enable the Government, as a last resort, to help industry respond to those cyber security incidents that seriously prejudice Australia’s prosperity, national security, or defence.

All in all, it’s not just a government initiative – it’s a shared responsibility. By staying informed, implementing robust security measures, and fostering a culture of cyber security, we can collectively combat the forces that seek to disrupt and undermine our nation’s critical infrastructure.