Share this article on:
While the new reforms to the Security of Critical Infrastructure Act are extensive, they put Australia ahead of the rest of the world in terms of cyber security, said this law firm partner.
Editor’s note: This story originally appeared on Cyber Security Connect’s sister brand, Lawyers Weekly.
Melissa Tan is a partner and head of cyber insurance at Lander & Rogers. Speaking recently on The Lawyers Weekly Show, she discussed the state of affairs within the cyber security sector — and unpacked the full package of reforms to the Security of Critical Infrastructure Act.
Reforms to the act were flagged about 18 months ago — and have now been implemented, first in December 2021, and then a second tranche in April 2022 with a number of key changes, which Tan spoke about on the show.
From a legal perspective, Tan said that these reforms are more required than ever before as the world becomes more digital and higher tech.
“We definitely need reforms that bring in a cyber element to our critical infrastructure, simply because of the world we’re currently living in. They were introduced by the government because there has been a realisation and a recognition in the last three to four years that really the geopolitical tensions, not only in our region but globally, and this heightened cyber threat environment that we have, have really placed critical infrastructure all around the world, as well as in Australia, increasingly under threat with potentially disastrous consequences.
“The reality is, it’s such an overwhelming thing because it’s so extensive, the cyber threat, no critical infrastructure owner or operator can do it on their own. The government actually has resources to assist, and this act actually gives an ability for that kind of collaboration and the kind of support that the government can give to these operators. So, in my view, I think it is definitely necessary and it’s definitely not something that’s unique to Australia. Just look at the US, just look at Canada, just look at even China, look at Singapore, all of them, every single nation, I think out there, have a recognition that there is a need to protect the critical infrastructure and that there’s a need for these laws with a cyber element,” she explained.
“The only difference really is how extensive can the intervention be by the government? And how extensive should the reach of these obligations be, trying to balance the commerciality of running a business or running a critical infrastructure, and secondly, the cost of compliance. Short answer is you need them, but I think from my perspective, there needs to be a bit more work through the details of how these obligations are going to be complied with, without being overly burdensome or costly for our operators.”
In terms of how Australia compares to the rest of the world, these reforms put us in a “leading position”, according to Tan.
“It does put us in a better place. Without these reforms, we definitely were lagging behind, so that’s why there’s a need for them. But there’s definitely, not only just Australia but also in the other key jurisdictions, I think everyone is going through a process of now working through how to give practical effect to these reforms, because one of the things about these reforms is what I would call principle-based rules.
“Principle-based rules are really, it gives a general idea of what the outcome that the government is looking for, or what the industry should be working towards, without overly too much specific details of compliance as to very, very specific steps that needs to be taken to comply. For example, having a risk management program that has to deal with, for example, personnel hazards, right? One of the issues is you need to ensure that your critical workers are suitable to operate critical infrastructure, but how you determine what is suitable or not, there is not that much of a prescriptive way of saying you have to do A, B, C, D, and only A, B, C, D, there’s actually some scope for flexibility,” she said.
“That’s where I think it can be good and bad, only because it’s good to allow flexibility so that lawyers like us can advise around compliance with a bit of flexibility with it. But on the other hand, there can be a situation where there is a bit of uncertainty, I think. With flexibility, there’s always uncertainty as to whether or not we are really complying or have we, in a sense, not done enough to comply? I think these are the key issues legal practitioners like us, who are going to advise clients on this new piece of legislation, need to be really aware of and alive to.”
But particularly as Australia becomes a global leader in this space, there is little precedent for legal practitioners to follow — and Tan said there are a number of ways to mitigate this challenge.
“One of the things about the Security of Critical Infrastructure Act is that they have legislative instruments that actually give effect to a lot of these obligations. For example, a lot of these three positive security obligations, they actually work on a switch-on basis. So, within the act itself, you can’t see which obligation is currently switched on for which sector, you actually need to look through to make sure that you find the right legislative instrument that determines for you the timeline as to when these obligations are turned on and switched on for that particular sector or that particular client that you’re advising on.
“What this means for lawyers is that we need to understand that, very often, a lot of what we do is, we might have a piece of legislation and we just have to keep looking at the case law around it, or certain legislative commentary around it. But with the Security of Critical Infrastructure Act there, it’s so new and there’s no case law or precedent to look at; you really need to look around for further resources, both from the government, as well as industry discussion,” she explained.
“A committee that I’m on at the moment is cyber risk and governance committee with the AUSCL, and within that, with people like us within the industry, it’s not just lawyers, but also cyber security experts, we come together in a group, we have discussions as to these reforms. We talk through the changes; we talk through the guidance that the government has produced. We try to organise events where we get to have industry consultation with the Department of Home Affairs. I think it’s important; as a legal practitioner in this new area, you need to be proactive, I think in going out there, to have the conversations around these free forms in order to better advise your clients.”
[Related: SpaceX offers $25k bug bounty for white hats to hack Starlink]