how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

Transcription

1

2 Contents Introduction... 2 Purpose of this paper... 2 Critical Infrastructure Security and Resilience... 3 The National Security Environment... 5 A Proactive and Collaborative Approach... 7 Critical Infrastructure Centre... 7 Critical Infrastructure Asset Register... 9 When risks can t be mitigated through existing frameworks

3 Introduction On the 23 rd of January 2017, the Australian Government launched the Critical Infrastructure Centre (the Centre) in response to the complex and evolving national security risks to critical infrastructure. The Centre will work across all levels of government and with critical infrastructure owners and operators to identify and manage national security risks to our most critical assets in the face of espionage, sabotage and coercion risks we are exposed to now more than ever. It forms part of the Government s broader strategy to build the resilience of our critical infrastructure in the face of all hazards. The Centre will seek to leverage existing state, territory and industry mechanisms where possible. Purpose of this paper This discussion paper provides an overview of the Australian Government s approach to critical infrastructure resilience, and identifies the more complex and evolving national security risks that need to be addressed. The paper seeks your views on how the Australian Government can work together with state and territory governments, industry and investors to best manage these risks, including seeking views on: how the Centre can best work with owners, operators and regulators of critical infrastructure and leverage their existing mitigation mechanisms; how a Critical Infrastructure Asset Register could be used to capture and track ownership and company information to better understand who owns and controls our most critical assets; and how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical. Submissions in response to this discussion paper are welcomed by no later than 11:59 PM AEDT 21 March 2017 to cicentre@ag.gov.au. Submissions may be made public, unless otherwise requested. Submissions will inform the ongoing operation of the Centre, and the development of other measures to support its key functions. 2

4 Critical Infrastructure Security and Resilience Critical infrastructure underpins the functioning of Australia s society and economy and is integral to the prosperity of the nation. It enables the provision of essential services such as food, water, medical care, energy, communications, transportation and banking. Secure and resilient infrastructure supports productivity and helps to drive the business activity that underpins economic growth. The availability of reliable critical infrastructure promotes market confidence and economic stability, and increases the attractiveness of Australia as a place to invest. The Australian, state and territory governments share the following definition of critical infrastructure: those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia s ability to conduct national defence and ensure national security. Foreign involvement in Australia s critical infrastructure is essential to support Australia s economic and social prosperity. Foreign investment in critical infrastructure assets ensures Australia can deliver, maintain and upgrade critical infrastructure services. Owners and operators of critical infrastructure rely on global capability and technology to manage assets effectively, for the ultimate benefit of Australian consumers. Most critical infrastructure in Australia is either privately owned and operated, or run on a commercial basis by government. The responsibility for ensuring the continuity of operations and the provision of essential services to the 3

5 Australian economy and community is shared between owners and operators of critical infrastructure, state and territory governments and the Australian Government. The Australian Government s Critical Infrastructure Resilience Strategy (the Strategy) recognises that: critical infrastructure is essential to Australia s economic and social prosperity; resilient critical infrastructure plays an essential role in supporting broader community resilience; businesses and governments have a shared responsibility for the resilience of our critical infrastructure, requiring strong partnerships; and all states and territories have their own critical infrastructure programs that best fit the operating environments and arrangements in each jurisdiction. The Strategy has four key outcomes: a strong and effective business-government partnership; enhanced risk management of the operating environment; effective understanding and management of strategic issues; and a mature understanding and application of organisational resilience. While owners and operators understand and manage many of the risks to the continuity of their operations as a core part of their businesses, the Australian Government is seeking to ensure they have a more detailed understanding of the national security risks of sabotage, espionage and coercion. The Government wants to ensure that effective arrangements are established to develop and implement mitigation strategies which leverage existing mitigation mechanisms. 4

6 The National Security Environment The national security risks to critical infrastructure are complex and have continued to evolve over recent years. In addition, critical infrastructure assets are subject to rapid technological change with increased cyber connectivity, and increasingly engaged in global supply chains with services being outsourced and offshored. The Australian Government remains committed to ensuring the national security of critical infrastructure, including from the threat of sabotage, espionage or coercion. Espionage: Certain critical infrastructure sectors may present opportunities for the collection of information which is not publicly available. Foreign intelligence services will target commercial as well as government-related organisations for this data. For example, a telecommunications operator or contractor could monitor customers voice or data traffic to gather information on behalf of a foreign intelligence service. Sabotage: A hostile foreign actor could use access gained through investment or commercial involvement to conduct a deliberate disruption to supply for strategic or economic gain. For example, the deliberate interruption or destruction of operations at a port could result in economic and reputational damage for the Government. Coercion: In extreme cases, a foreign actor could use access to critical infrastructure to apply coercive power against the Australian Government to influence decision-making or policy. While the more extreme examples of risks are unlikely outside a significant shift in regional or global strategic relationships or imminent armed conflict, we need to account for the full range of national security risks in a way that provides flexibility to address changes in the geopolitical landscape as it evolves over time. Recent analysis indicates those risks are highest in our telecommunications, electricity, and water sectors and the ports sub-sector. 5

7 Telecommunications Australian telecommunications systems and networks are part of our national critical infrastructure and form the backbone for many other critical infrastructure sectors and services. These networks and systems could be attractive to those who wish to harm Australian interests. On 9 November 2016, the Government introduced comprehensive Telecommunications Sector Security Reforms into Parliament, to manage these risks. The Centre will support these reforms. Electricity Electricity is fundamental to every facet of Australian society, underpinning just about everything we do in the digital age. A prolonged disruption to Australia s electricity networks would have a significant impact on communities, businesses and national security capabilities. Some electricity providers also hold large data sets about customers and their electricity usage, which needs to be appropriately protected. Overseas experience has demonstrated that these networks can be the target of malicious actions. Water A clean and reliable supply of water is essential to all Australians, and many of our other critical infrastructure sectors and businesses. A disruption to Australia s water supply or water treatment facilities could have major consequences for the health of citizens and impact the diverse range of businesses that rely on water from the cooling towers used at power stations, to food processing. Water providers also hold large data sets about customers and their water usage, which need to be appropriately protected. Ports Australia relies heavily on its commercial ports to trade goods with the world, with one third of GDP facilitated through seaborne trade. Ports support Australia s prosperity, our supply of liquid fuels and the supply chains for other critical infrastructure. Disruption to our most critical ports could have wide-reaching impacts on the economy. The Australian Government is looking to work collaboratively with state and territory governments, existing regulators, and industry to best manage these risks, with an initial focus on the specific risks from foreign involvement, including sabotage, espionage and coercion, in these high-risk sectors. 6

8 A Proactive and Collaborative Approach Australia s Critical Infrastructure Resilience Strategy recognises that in most cases, neither business nor government in isolation have access to all the information they need to understand and appropriately mitigate risks, nor the ability to influence their operating environments to the extent required to ensure the continuity of essential services. While Australian intelligence agencies have a well-developed understanding of the security threats and vulnerabilities, the expertise of industry and state and territory governments who own, operate and regulate our critical infrastructure, is essential to better understand existing risk management controls, and to develop mitigation strategies which leverage existing regimes where possible. That is why the Australian Government has established the Centre to ensure we are working closely and collaboratively with experts from states, territories and industry through the mechanisms set out below. Critical Infrastructure Centre The Centre is based within the Australian Government s Attorney-General s Department and comprises staff with expertise from across Australian Government agencies. The Centre will work cooperatively across Australian Government agencies, and with states and territories, regulators and private owners and operators to proactively identify and manage national security risks from foreign involvement in Australian critical infrastructure, leveraging existing regimes wherever possible. Key functions Identify key critical infrastructure assets within the high risk infrastructure sectors. o o This will provide greater certainty and clarity to investors and industry on the types of assets that will attract national security scrutiny. A criticality methodology will be developed to guide identification of assets. This will align with work currently being undertaken with the Trusted Information Sharing Network for critical infrastructure. Develop a register of critical infrastructure assets, which captures and tracks information about who owns and operates critical assets (discussed further below). Undertake strategic risk assessments on our most critical assets to determine the national security risks from foreign involvement. 7

9 o o o A risk assessment methodology will be developed to guide assessments. A risk profile will be developed for assets, detailing current and emerging threats, their vulnerabilities and the consequences of a risk being realised. Assessments will drive the Centre s outreach, allowing Government to provide guidance on trends and to support prioritisation of its work with owners and operators on strategies to improve national security within sectors. Develop national security risk assessments, which will be targeted risk assessments in response to requests from stakeholders, such as the Foreign Investment Review Board. o National security risk assessments will directly assess threat, vulnerability and consequence in the face of a specific circumstance (e.g. the sale of a critical asset) and will drive decision making processes within Government by identifying and communicating the residual risk of a particular event/incident. Develop risk management strategies based on determined risk profiles. o Strategies will leverage existing state, territory and industry mechanisms. Support national security compliance activities. Undertake horizon scanning to detect and monitor new, unknown, existing and potential national security risks, issues and opportunities. The Centre will support the Australian Government s Telecommunication Sector Security Reforms (TSSR), which were introduced into Parliament on 9 November 2016, and work closely with other agencies under Australia s Cyber Security Strategy. Question: Are the proposed functions of the Centre adequate to better manage the national security risks to our critical infrastructure? Question: What role could you play in assisting the Centre to undertake these key functions? Question: How should the Centre work with owners and operators when performing its functions, including understanding existing mitigation mechanisms? 8

10 Critical Infrastructure Asset Register The Critical Infrastructure Asset Register (Register) will capture and track information about who owns and operates our most critical assets in high risk sectors (currently water, ports and electricity). The need to provide information for the Register will apply to all asset owners, both domestic and foreign, in high risk sectors. The Centre will engage with asset owners in high risk sectors to assist them to meet registration requirements. Using the information collected on the Register, the Centre will undertake proactive national security risk assessments of assets and work with all levels of government, regulators, and owners and operators as appropriate during the risk assessment process to identify and manage risks. The Centre will also consider relevant existing government information holdings. Information to be collected The Register seeks to allow the identification of asset ownership and to track changes over time. It is intended to provide information that may otherwise be difficult to obtain. The Register could collect the following information: details of the owner including legal name, address of companies or persons and Australian Business Number (ABN) if applicable; name and location of the critical infrastructure asset; level of ownership interest in the asset; organisational management structure, including key operational decision-making bodies and individuals; and details of operational access and control of the asset. Question: What other type of information would be important for the Register to collect and why? Question: What other types of information would improve our understanding of foreign involvement in outsourcing, offshoring and supply chain arrangements? 9

11 Registration requirements It is proposed that the Register be post-acquisition, which would give owners 30 days to provide the relevant information from the acquisition date of a critical infrastructure asset. To ensure the Register is effective, there would be an obligation for owners to advise of divestments of interests in a high risk critical infrastructure asset as soon as the intent to divest is made. Owners would also be required to update their details when changes occur, for example if the ownership composition of the asset changes. Question: Does the 30 day period provide sufficient time for owners to register their interest in a critical infrastructure asset? If not, what alternative(s) do you propose and why? Initial registration period A six-month transition period is proposed to give owners an opportunity to register their existing interests. The Australian Government would announce the date that the transition period would commence. Capturing existing interests will provide a baseline against which changing levels of ownership can be assessed. To reduce compliance costs, the Centre could engage known owners and undertake an information campaign designed to notify existing and potential owners of the requirement to register. Question: Is a six-month transition period appropriate? If not, what alternative(s) do you propose and why? Implementation approach An Australian Government administered register is considered the most appropriate approach to meet the Centre s objectives. While some information may currently be provided to industry regulators in a limited number of the high-risk sectors (for example owners of assets in the electricity sector), and other information is publicly available such as the ABN of public companies, there is currently not a comprehensive list of ownership information of critical infrastructure assets. A Register administered by the Australian Government can be established at a lower cost than altering registration requirements for each of the sector regulators. This is particularly the case where there is no single national regulator or where a regulator does not already exist. To ensure a comprehensive collection of information can be obtained, it is proposed legislation will be introduced requiring owners to register their interests. Question: What are the main advantages and disadvantages of a register administered by the Australian Government? 10

12 When risks can t be mitigated through existing frameworks Despite the existence of the Centre, the Critical Assets Register, and the best efforts and good will of owners and operators, there may be instances where certain national security risks cannot be appropriately mitigated. Wherever possible, the Australian Government will seek to mitigate identified risks in consultation with industry and regulators, or through existing regulatory frameworks, such as licensing schemes that already require critical infrastructure owners to comply with a range of operating conditions. However, as noted above, in rare cases, there may be instances where these existing mechanisms are insufficient or impractical. In recognition of the limitations of current mechanisms to manage national security risks in the telecommunications sector, the Government has introduced the TSSR. These reforms will establish a legislative security framework to better manage threats, such as sabotage, espionage, and unauthorised access and interference in the telecommunications sector. The TSSR will allow the Attorney-General to issue a direction to do or refrain from doing a specified act or thing. The Attorney-General is only able to make a direction: if satisfied that there is a risk of unauthorised access or interference to telecommunications networks or facilities that would be prejudicial to security; after an adverse security assessment by ASIO; after consulting with the relevant industry member and the Minister for Communications and the Arts; the requirements imposed by the direction are reasonably necessary to eliminate or reduce the risk; and reasonable steps have been taken to negotiate in good faith with the owner. Further information about these reforms can be found at The Australian Government is considering whether similar powers to TSSR would be appropriate to ensure that risk mitigations can be put in place for a limited number of high risk assets in the other high risk critical sectors. The Attorney-General could be given the authority to direct specific risk mitigation actions, where significant risks are present and all other risk management avenues have been exhausted. If implemented, this power would only be used as a last resort and would be subject to similar safeguards proposed for TSSR including where the Attorney-General is satisfied: 11

13 there is a significant risk to national security; the requirements imposed by the direction are reasonably necessary to eliminate or reduce the risk; and reasonable steps had been taken to negotiate in good faith with the owner. Before issuing a direction, the Attorney-General would consult the owner and consider the costs that would be incurred by the owner and the consequences for the operation of the asset. The decision to issue a direction would be subject to judicial review. The power would be consistent with Australia s international law obligations. In particular, each individual use of the last resort power would be considered on a case-by-case basis to determine whether the action the Attorney-General is proposing to take in relation to the specific asset owner would be consistent with Australia s trade and investment law obligations. Question: What are your views on the introduction of a last resort power to address significant risks where all other risk management avenues have been exhausted? Question: What other protective measures or safeguards could be applied to enhance national security risk mitigation in those rare cases where risk cannot be appropriately mitigated via current mechanisms? 12