This submission focuses on the fourth question raised by the Independent Reviewer, namely “are there new or emergent threats the SOCI Act is unable to manage in its current form?”. Our review has identified four key areas in which the SOCI Act regime needs to adapt to keep pace with modern threats and hazards.
First, the effective implementation of the SOCI Act requires a national and systemic assessment of critical infrastructure risk. As such, a new statutory requirement to prepare and publish a regular National Critical Infrastructure Risk Assessment should be added to the SOCI Act. The Assessment should focus on systemic, catastrophic and cascading threats and hazards to Australia’s critical infrastructure.
Second, the SOCI Act’s most serious powers and authorities (the so-called ‘last resort’ powers) are untested and need to be made operationally ready. This requires investment in comprehensive planning around when and how these powers would be used, communicating this planning to industry, and undertaking regular testing of the powers through exercises with industry and across government.
Third, the SOCI Act regime needs to be modernised for the AI era. Data centres hosting AI models need to be effectively covered by SOCI, risk management program requirements need to be clarified or updated to capture AI hazards as material risks, and a pathway to covering AI models once they become critical infrastructure in their own right is needed.
Fourth, the Systems of National Significance (SoNS) regime must evolve to an all-hazards footing in line with the 2024 reforms to the SOCI Act. Enhanced resilience obligations for SoNS should be added to the Act in addition to the existing enhanced cyber security obligations.
Given the expanded scope of the SOCI Act and the growing responsibilities of the Critical Infrastructure Security Centre (CISC), including its shift in regulatory posture towards compliance activities, adequately supporting industry to meet its obligations will also require a corresponding increase in CISC’s budget and resourcing.
These recommendations are intended to preserve the SOCI Act’s core strengths while ensuring it remains fit for purpose as Australia’s critical infrastructure becomes more interconnected and integrated with AI systems, and as the risk environment deteriorates.
We would welcome the opportunity to further brief the Independent Reviewer or Department on these matters in more detail.
