Audit Reveals Home Affairs’ Administration of Critical Infrastructure Protection Only “Partly Effective”
The Australian National Audit Office (ANAO) released its report on the Department of Home Affairs’ administration and regulation of critical infrastructure protection policies on 21 June 2022, and we’d have to say their assessment isn’t particularly positive. The report made seven recommendations, identifying improvements needed in the Department’s engagement of stakeholders, risk assessments and reporting obligations, performance measurement, and compliance management.
Regulation of critical infrastructure has been a major focus for the Department in recent years: the definition of ‘critical infrastructure’ has been expanded to include more sectors, and the Department has been granted greater powers, including direct intervention in an entity’s systems in certain circumstances.
IAA has been actively involved in the consultation process for the implementation of critical infrastructure legislation. In our submissions, we consistently called for greater meaningful stakeholder engagement, including sector-specific consultation. We also raised concerns that the implementation of the new powers and obligations was premature, and required greater review and thorough analysis to ensure the legislative reforms would ensure real benefits and outcomes.
ANAO has since found that the Department lacks an engagement strategy and that, despite sector-specific strategies being developed prior to legislative reforms, “these strategies were discontinued before the reform engagement had concluded.”
In addition, the Department’s performance measure was found to be inadequate: it did not establish targets supported by a verifiable method, was not free from bias, and lacked detail on how performance against the standards contributes to achieving their purpose.
The Department has accepted all seven recommendations to address the issues raised by the audit.
Telecommunications is one of the sectors newly captured as critical infrastructure as of 2021. In addition to the critical infrastructure legislation, telecommunications is also regulated through the Telecommunications Sector Security Reforms (TSSR) as part of the Telecommunications Act 1997. As such, while the Systems of National Significance declaration power and enhanced cyber security obligations apply to the telecommunications sector under the critical infrastructure legislation, the Department of Communications is developing specific rules and obligations for the telecommunications sector. The sector can also anticipate a review into the TSSR later this year.
IAA will continue to participate in consultation with government to ensure the implementation of rules for the telecommunications sector that are measured, effective and fit for purpose.