The
Security of Critical Infrastructure Act 2018 (SOCI Act) includes government assistance powers used for serious cyber security threats or attacks. They can be used as a last resort when the government determines a critical infrastructure owner or operator requires assistance to respond. This will only happen if the attack seriously risks Australia’s national interests.
They allow the Minister for Home Affairs to authorise the Secretary of Home Affairs (the Secretary) to:
- gather information
- direct certain actions
- authorise agencies of the Australian Government to step in to protect a network or system (following agreement from the Prime Minister and the Minister for Defence)
- provide advice and assistance on mitigating damage and restoring services in response to the following circumstances:
- a cyber security incident is, has or will imminently impact a critical infrastructure asset
- there is a material risk that the incident has, is, or will seriously impact Australia’s social or economic stability, defence or national security
- there are no other regulatory systems to practically and effectively respond to the incident.
The government has included oversight measures to ensure that these measures are used appropriately.
Information gathering directions
The Secretary can give a direction to a responsible entity to provide specific information about a cyber security incident. They can only request information that is needed to determine whether other powers should be exercised. An effective response to a serious cyber security incident requires a strong understanding of the nature and extent of the incident. This can include the asset’s:
- maturity
- vulnerabilities
- interdependencies.
This information will inform decisions on the need for any further Ministerial authorisations.
Action directions
The Secretary can direct a responsible entity to do an authorised act or thing. Prior to doing so, the Minister for Home Affairs must:
- consult the entity
- be satisfied that the entity is unwilling or unable to take all reasonable steps to respond to the incident
- be satisfied that the direction is reasonably necessary, proportionate and technically feasible.
An entity will be provided civil immunities for any actions taken in compliance with a direction.
Intervention request
The Secretary may request the authorised agency do a specified act or thing. Prior to doing so, the Minister for Home Affairs must:
- obtain the agreement of the Prime Minister and the Minister for Defence
- consult the entity
- be satisfied that an action direction would not be practical or effective
- be satisfied that the entity is unwilling or unable to take all reasonable steps to respond to the incident
- that the request is reasonably necessary, proportionate and technically feasible.
This form of Ministerial authorisation is of absolute last resort. It may only relate to computer-related activities. Any actions taken in response to a request will be subject to oversight by the Inspector-General of Intelligence and Security.
The Minister for Home Affairs must present an annual report to Parliament which includes statistical information on the use of these powers. This is to ensure transparency and accountability to Parliament and the Australian public. Go to the Department of Home Affairs website to access these
annual reports.
Request assistance
Asset owners and operators can always request help and advice from government to implement cyber mitigation and risk reduction strategies. You can also request assistance in the event of a cyber security incident.
For more detail about Government Assistance, read the
Government Assistance Factsheet.
You can see the processes, responsibilities, and safeguards that govern the Government Assistance Measures in the
Critical Infrastructure - Government Assistance in practice diagram (113KB PDF).