Stay in the know
We’ll send you the latest insights and briefings tailored to your needs
The Security of Critical Infrastructure Bill 2017 (Cth) and its associated draft Security of Critical Infrastructure Rules 2017 (Cth) propose the establishment of a register of ownership interests and key control and operational information for critical infrastructure assets.
The Register will be used by the Foreign Investment Review Board to assess national security risks in assessing applications for foreign ownership of critical infrastructure assets.
The Act and Rules (once enacted) will also allow the Government to identify threats of sabotage, espionage and coercion and require owners and operators to develop mitigation measures to address those threats.
The draft legislation comes after the Federal Government established the Critical Infrastructure Centre in January 2017. The Bill is still a draft and stakeholders are able to provide feedback on the Bill until 10 November 2017.
The Bill and draft Rules are accompanied by an 83-page Explanatory Document issued by the Government and Critical Infrastructure Centre.
The Act will apply to “critical infrastructure assets” in the electricity, ports and water sectors. According to the Explanatory Document, these sectors have been identified because “their existing regulatory regimes do not directly manage security risks of sabotage, espionage and coercion”. The Act will create obligations on “direct interest holders” and “responsible entities” of these critical infrastructure assets.
Critical infrastructure assets comprise:
Most of the assets affected by the Minister’s declaration rights will be made public. However, the Minister may privately declare an asset to be a critical infrastructure asset where the Minister assesses there to be a risk to national security if it were publically known that the asset is critical infrastructure.
The Bill is estimated to apply to approximately 100 assets in the electricity, ports and water sectors.
The telecommunications sector is also referred to in the Explanatory Document but is not mentioned in the Bill and Rules. Telecommunications are separately managed under the recent Telecommunications and Other Legislation Amendment Act 2017, which amends the Telecommunications Act 1997.
A direct interest holder is any person:
Direct interest holders are required to report their interest and control information, which includes information about the control the direct interest holder has over decisions relating to the running of the asset (eg. voting and veto rights and the ability to appoint persons to the board), information about any person they have appointed to the body that governs the asset and the access that they have to operating systems.
The Bill contains specific provisions regarding the interests of superannuation funds and the treatment of trustees. It also includes provisions dealing with the compliance obligations of partnerships.
A responsible entity is the person with operational control of the relevant critical infrastructure asset. The Bill specifies that the responsible person:
Responsible entities are required to report their operational information, which includes information about the location of the asset, a description of the area the asset services, information about the entity that is responsible for the asset, information about the chief operating officer of the asset, and a description of any operator arrangements for the asset. Operational information includes information in relation to systems access and the offshoring or outsourcing of controls and key operational matters.
The Register is intended to provide a deeper understanding of who owns, controls and has access to critical infrastructure assets. It requires interest and control information and operational information to be provided to the Government:
Direct interest holders and responsible entities will have six months to report, and are then obliged to notify the Government within 30 days of any change in this information or the occurrence of a “notifiable event”. The Centre also has the power to require a reporting entity or operator to provide any other information considered relevant to its functions.
The Register will not be made public.
The Act will include a power for the Minister to require direct interest holders and responsible entities to do, or refrain from doing, anything that the Minister considers to be a risk to security. This direction right will only apply if the Minister is satisfied that reasonable steps have been taken to negotiate in good faith with the relevant owner or operator to eliminate or reduce the security risk and other mechanisms, such as State or Territory powers, are unlikely to be effective.
The Minister must consult with the relevant State or Territory ministers having responsibility for the regulation or oversight of the relevant industry in which the critical infrastructure asset is located before this power is exercised.
The Bill provides for civil penalty provisions and the use of civil penalty orders or injunctions and enforceable undertakings. Certain provisions may attract criminal penalties.
The Explanatory Document includes the Government’s assessment of the likely annual compliance costs associated with the Act.
The Bill includes an obligation on “reporting parties” to report annually on their compliance with the Act. Direct interest holders and responsible entities are both reporting parties.
Separately, the Minister is required to report annually to the Federal Parliament on the use of the Minister’s various powers under the Act. This is intended to ensure the appropriate use of those power and oversight and accountability.
The Explanatory Document very clearly states that the Bill is “designed to strengthen the Government’s capacity to manage the national security risks of espionage, sabotage and coercion arising from foreign investment in Australia’s critical infrastructure”.
The linkage to foreign ownership in the Explanatory Document is interesting, as the Bill and Rules are of general application and barely mention foreign ownership (other than allowing access to the Register for the purposes of the FIRB process). The wording of the Explanatory Document is not likely to be helpful to already damaged foreign perceptions of Australia’s foreign investment regime in the wake of the Ausgrid decision.
The resilience of a critical infrastructure asset is not necessarily determined by foreign ownership or control of that asset. Emergency powers already exist under most State and Territory legislation for the Government to assume control of infrastructure assets in emergency situations. It is also interesting that the scope of the critical risk and resilience assessment does not at this stage include resilience of critical infrastructure assets in the face of other challenges such as natural disasters or climate change.
We noted in our article in February that the proposals differ from the equivalent critical infrastructure policies administered by the United States Department of Homeland Security. The US policies apply to 16 different industry sectors and are focussed on a broader range of events or circumstances that may affect the resilience and reliability of critical infrastructure. The US policies are not specifically linked to foreign ownership of the relevant critical infrastructure.
While obviously a relevant consideration to national security, the direct linkage to foreign ownership appears unnecessary. For example, why would a foreign party want to expend significant amounts of money to acquire an asset just to have the opportunity to then cripple it? Opportunities for cyber-terrorism and sabotage do not require ownership of the target assets. Further, domestic ownership of a critical asset does not make the relevant asset more resilient to external attack. On the other hand, the government does appear to be focussed on the access to data which ownership or control of some assets might provide.
However, the information in the Register regarding the sensitivities associated with critical infrastructure will be a valuable tool for the Foreign Investment Review Board in assessing foreign ownership applications. As seen in FIRB’s rejection of the foreign ownership of the Ausgrid electricity distribution network, a late appreciation of these sensitivities caused significant disruption to the New South Wales privatisation process and also caused significant concerns from foreign investors in Australian infrastructure assets. Pre-emptory understanding of risk issues should help streamline the FIRB process.
For investors:
For businesses/operators:
The exposure draft of the Bill is available here.
Please contact us if you require further information or if you would like to provide any feedback to include in a submission on the Bill and Rules. Submission must be made by 10 November 2017.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2024
We’ll send you the latest insights and briefings tailored to your needs