NSW submission in response to Discussion Paper Strengthening the National Security of Australia’s Critical Infrastructure

Overview

The critical importance of addressing national security and associated risks in protecting critical infrastructure is acknowledged. The contribution and importance of critical infrastructure to the NSW and Australian economies also cannot be overstated. Accordingly, the management and protection of critical infrastructure (including tangible and intangible assets) is of vital importance to our State.

NSW has extensive measures in place to safeguard our infrastructure, but welcomes opportunities to explore new mechanisms that prepare us for evolving risks. However, the key to management of critical infrastructure is striking a balance between protecting our assets from national security and disaster perspectives, while ensuring we can still unleash the full economic benefit of our assets.

In working with the Commonwealth to develop the architecture for the Critical Infrastructure Centre, NSW seeks to ensure that critical infrastructure is not predominantly viewed through either a security or economic lens, but that both security and economic needs are considered together in a balanced approach to infrastructure management.

NSW notes the importance of ensuring that mechanisms designed to protect critical infrastructure are transparent, and genuinely consultative in both their design and use, and looks forward to working with the Commonwealth Government on this important work.

Introduction

NSW Government agencies welcome the opportunity to provide input to the Commonwealth Critical Infrastructure Centre (CIC) based on the discussion paper, Strengthening the National Security of Australia’s Critical Infrastructure.

This submission has been prepared at officer level within NSW Government agencies for the purposes of assisting the CIC to develop and clarify its work at this early stage, and also for the purposes of further consultation with the States and Territories. The submission does not represent a settled NSW Government position.

NSW Government agencies look forward to future opportunities to engage with the CIC on this important work. We request that the CIC develop and provide a plan as to how it proposes to consult States and Territories as the CIC’s scope and processes are developed. NSW requests an interjurisdictional working group be established to facilitate future consultation. The working group could include representation from central agencies and relevant parties to work through the issues below.

NSW also requests that the CIC seeks and provides to States and Territories independent legal advice as to the interplay between State and Commonwealth last resort powers, and commercial advice on how the proposed CIC framework will affect asset valuations.

In NSW, the Department of Premier and Cabinet will be the central point of contact for the Commonwealth Government on matters relating to the CIC and its work program.

Critical Infrastructure Centre

Question 1: Are the proposed functions of the Centre adequate to better manage the national security risks to our critical infrastructure?

NSW Government agencies recognise and support the need to secure Australia’s critical infrastructure from national security threats, and acknowledge the potential benefits of having a national register with consistent information across all States and Territories. However, more information is required in order to assess the adequacy of the functions proposed for the CIC in the Discussion Paper.

In particular, clarity is required regarding:

·  What will be the methodology for identifying critical infrastructure?

o  There is a vast range of infrastructure that could be considered ‘critical’ and captured under this work. It is also important to note that infrastructure is a dynamic concept including both tangible and intangible assets.

o  Without a settled and commonly held understanding of what is or is not critical infrastructure, it is not possible to assess the scope of work being proposed for the CIC and the extent to which this would be necessary to perform its functions.

o  For example, in the Telecommunications sector, there are challenges in defining assets in discrete locations as critical infrastructure, as the critical element from a protection perspective can be a number of sites, geographically separated but linked by underground cable.

o  Utilities in the electricity and water sectors will have a significant number of assets that could individually be identified as critical and it is unclear how extensive the scope of the register will be. While it seems likely dams, water processing plants, and wastewater treatment plants would be captured, the definition used in the discussion paper would cover thousands of kilometres of water mains, upper canals and high voltage power lines and it is not clear whether the CIC intends to include these on the register.

o  NSW agencies recommend the CIC lists categories of assets (in more detail than is currently provided) it is intending to assess in accordance with a transparent protocol such as the one already used in the electricity sector.

·  Will the proposed register only cover critical infrastructure that falls within the target sectors (telecommunications, electricity and water sectors and the ports sub-sector), or will it be expanded beyond those sectors?

·  Where does the CIC fit in the current regulatory landscape?

o  The Port of Newcastle is concerned about the regulatory burden, as ports already have two federal security regulators and two federal Acts to comply with – being Australian Border Force and Office of Transport Security (OTS) and their respective Acts. These two bodies and Acts already contradict each other, so that complying with one can mean being non-compliant with another. OTS has been undertaking a Red Tape reduction program for the last three years to reduce the regulatory burden on compliance by ports, yet the establishment of the CIC could add an additional layer of regulation.

·  What is the source of authority and what will its exact powers be? Would the CIC be able to compel owner/operators to provide information for the register and if so how?

·  How might the CIC potentially intersect, contradict or overlap with State legislation, such as the Essential Services Act (noting that this potential intersection or overlap is particularly relevant to the proposed ‘last resort power’)?

·  What will the relationship be between the CIC and the Foreign Investment Review Board?

·  How will the CIC monitor compliance or the extent of disclosure and the accuracy of the information provided by the lessee/operator?

o  It is unclear how the CIC proposes to track the creation of new critical assets and whether it seeks to review the creation process, which will almost certainly involve offshore delivery of major technological components.

·  How does the CIC intend to define an owner, where reporting obligations fall, and who will be subject to compliance obligations?

o  This is particularly the case where there are multiple parties who have ownership, operation and/or control rights – which cover many of the assets managed by the NSW Government.

o  The CIC framework could also potentially result in NSW playing multiple roles in relation to an asset such as Ausgrid: that of joint asset owner, sector regulator and then, with the establishment of the CIC, a potential new role relating to monitoring and reporting to the Commonwealth on ownership arrangements (e.g. directors, holding companies, changes in foreign ownership arrangements).

o  NSW agencies are of the view that reporting and compliance obligations should sit with the lessees/operators/management of critical infrastructure assets.

·  Who will bear compliance costs?

o  NSW Treasury is concerned with the potential financial/compliance burden on the State and/or the lessee/operator, both for establishment of the CIC and its recurring compliance costs. Will these be significant and therefore require funding from the Commonwealth (e.g. in the form of a new National Partnership/Project Agreement) and would this create an additional red tape/regulatory barrier?

o  Furthermore, it is unclear who will bear the costs of alterations to infrastructure such as modifications to enhance redundancy, hardening or extra security, when such changes are requested by the Commonwealth. If the businesses have to pay, will the costs be recoverable through consumer price settings? It is also unclear what directive power (if any) the CIC will have to ensure implementation of requested alterations.

The name of the CIC implies it is an overarching organisation at the Commonwealth level that supports all aspects of critical infrastructure management and protection, rather than focusing only on some classes of infrastructure and the risks of sabotage, espionage and coercion. This has caused some confusion to Government and private sector stakeholders, and also risks complicating an already complex governance and regulatory environment.

The CIC should consider providing clarity (whether through rebranding or clear communications) on its functions and objectives to key stakeholders and the broader environment, to prevent further confusion.

Question 2: What role could you play in assisting the Centre to undertake these key functions?

NSW agencies are of the view that a standalone and transparent regulatory regime should stand behind the CIC and that there should be clear demarcation of jurisdictional powers between the Commonwealth and the States.

Under the National Guidelines for Protecting Critical Infrastructure from Terrorism, NSW is responsible for maintaining a database of critical infrastructure assets within the State.

The Office for Police within the NSW Department of Justice works closely with owners and operators of critical infrastructure to maintain this database. The Office for Police could assist the CIC with standardising CI information in line with NSW critical infrastructure initiatives.

Determining the role other NSW agencies could play in assisting the CIC in undertaking its key functions depends upon clarifying how the CIC will identify critical infrastructure, and how it will arrive at a risk profile of identified critical infrastructure.

It is likely NSW agencies could only provide relevant information where the State is the asset operator. Information on investment, outsourcing, offshoring and supply chain can only be provided by the operator/lessee/management. NSW Treasury therefore believes it would be preferable if the Commonwealth regulated the lessees/operators/management directly rather than the State-owned lessor entities.

From a telecommunications perspective, the Telco Authority is a NSW Government agency that has responsibility for managing the Government Radio Network (GRN). The Telco Authority is not a regulator and has no powers to collect information from, monitor risk mitigation measures by or direct telecommunications infrastructure operators. Regulation of the telecommunications sector is the responsibility of the Commonwealth.

The Telco Authority is also the Telecommunication Functional Area Coordinator (TELCOFAC) established under the State Emergency and Rescue Management Act 1989. The TELCOFAC is tasked with coordinating the provision of telecommunication services in support of emergency response and recovery operations. The TELCOFAC leads the work of the TELCOFAC Subcommittee, which is made up of government representatives and a number of telecommunications carriers who participate on a voluntary and cooperative basis.

Question 3: How should the Centre work with owners and operators when performing its functions, including understanding existing mitigation mechanisms?

The CIC should clarify the methodology it intends to use to assess risks to critical assets. This will provide owners and operators of infrastructure in the identified high risk sectors with some measure by which they may compare their own risk assessment and mitigation measures for addressing national security risks. Without an understanding of the risk assessment methodology that the CIC intends to use, NSW agencies are unable to assess how the CIC intends to perform its functions in relation to existing mitigation mechanisms, including state and territory mechanisms.

In addition to ensuring that CIC and operator risk assessment methodologies are harmonised, if the CIC will be collecting information from owners and operators of critical infrastructure, then the methods by which the operator will secure, access and update critical infrastructure information need clarification. Careful consideration will need to be given to the appropriate classification/treatment of information, as industry and most jurisdictions do not obtain security clearances with the frequency that Commonwealth agencies do. While acknowledging the need for security, creating unworkable information security mechanisms will jeopardise the efficacy of the collaborative information sharing objective of the CIC.

It should be noted that NSW agencies already engage closely with owners and operators of critical infrastructure, and the NSW Office for Police is concerned that the announcement of the CIC has already resulted in some confusion with stakeholders about which level of Government should be the contact point. From an emergency services and law enforcement perspective, using existing state and territory networks as the entry point for engagement with owners and operators, rather than going to them directly, would avoid this confusion.

In determining mechanisms for engagement in future, it is important that care is taken to avoid duplication and confusion, and that the good working relationships NSW currently has with stakeholders are preserved. It is also important that the CIC remains consultative and transparent in how it develops and applies its processes.

Critical Infrastructure Asset Register

Question 4: What other type of information would be important for the Register to collect and why?

While we acknowledge that the CIC serves a slightly different purpose than State-based Critical Infrastructure collection methodologies, the CIC’s register should draw on existing State and Territory information to avoid duplication of effort. One approach could be to develop a standard framework for the maintenance of consistent state and territory databases to improve information sharing and coordination.

Baseline data for critical infrastructure should be standard across all critical infrastructure domains, and much of the required data for this initiative already exists. If the CIC approaches owners/operators for additional or duplicate information, it will likely result in confusion and further add to the regulatory burden.

In previous discussions with the Commonwealth, the Telco Authority has been led to understand that most if not all of the information that the CIC collects about the telecommunications sector will be derived from existing Commonwealth sources. Any additional information that the CIC seeks to collect should have regard to the organisational resources that would be required to support owners and operators to collect, secure and provide the information to the CIC. In addition, for any additional information being sought, there should be a strong correlation between the types of threats being considered and the type and class of infrastructure likely to be at threat for which information is being sought.