
Warning on ‘rushed’ cyber law

State governments, universities, industry groups, tech and telecommunications giants have urged the Morrison government not to rush its overhaul of critical infrastructure laws, which could capture thousands of companies and institutions vulnerable to cyber attacks.

An exposure draft of the Security Legislation Amendment (Critical Infrastructure) Bill, released on Monday, includes new step-in powers allowing national security agencies to actively disrupt and repel cyber attacks.

The critical infrastructure framework will also extend regulatory security obligations outside the electricity, gas, water and maritime sectors.

An enhanced definition of critical infrastructure will cover the banking and finance, food and grocery, health, transport, energy, water, communications, space, data and the cloud, higher education, research and defence industry sectors.

Queensland Department of Premier and Cabinet director-general Dave Stewart told the Department of Home Affairs he was “concerned that the compressed federal government timeframes … has limited opportunities for broader in-depth consultation including with the industries most directly affected”.

“I am also concerned that there will be no opportunity for the states and territories to consider and comment on the draft bill, particularly when the consultation paper suggests that the jurisdictions may be asked to undertake some of the proposed regulatory and compliance responsibilities on behalf of the federal government,” Mr Stewart wrote.

Mr Stewart said: “Given the current fiscal environment, concerns have also been raised with the possible cost implications for the owners and operators of critical infrastructure to address and mitigate risks that they might identify while discharging their positive security obligation”.

Home Affairs Minister Peter Dutton has told The Australian the government will work closely with impacted industries to implement its plan to secure essential services “without imposing an unnecessary regulatory burden”.

Universities Australia’s submission called for the bill’s oversight of universities to be narrowed, saying it should only focus on some higher education assets – rather than the entire sector – and suggesting it was being treated differently to research undertaken in the finance and mining sectors.

“This would impose a significant, inappropriate burden … Imposing an entity level obligation would be onerous, resource intensive and badly targeted,” the UA submission states.

“Universities Australia strongly advocates for the scope of the Education, Research and Innovation sector, as applied to universities, to be narrowed to focus on critical capabilities and assets.”

The Group of Eight – representing the nation’s top research institutions including the University of Sydney and the University of Melbourne – warned the new laws could negatively impact research.

“The proposed Departmental definition, to include universities as critical infrastructure assets in their entirety, has significant potential for overreach, given that … it implies almost no exclusions,” the Go8 submission states.

“There is the potential for unintended consequences too if the nation’s reliance on university R&D is slowed or compromised by the complexity of over-regulation.”

Microsoft said while it acknowledged “there may be emergency scenarios where the government may consider the need for direct action with critical infrastructure operators … such actions must only occur as a last resort under a framework that incorporates robust checks and balances”.

“The use of such powers should be subject to a significant threshold, time limited and require independent authorisation,” the Microsoft submission said.

Telstra, which wants the critical infrastructure reforms to be reviewed after a “period of operation”, said under any emergency declaration, the government’s approach to assistance “should be collaborative and reserved to limited and unique circumstances”.

“We also recommend that the government take reasonable steps to negotiate with the entity a time limit on its use of the power to take direct action and that exercise of this power be subject to independent authorisation,” the Telstra submission said.

The Australian Banking Association, representing the big banks, endorsed the government providing “direct assistance to private sector entities on critical cyber matters”.

“We also strongly support the government’s desire to avoid duplication of regulation. A harmonised approach, where a single regulator has a clear mandate and a transparent system in place for regulatory co-ordination, is critical to the success of any direct assistance regime,” the ABA submission said.

The Business Council of Australia, which supports the “goal of protecting essential services”, made six recommendations in relation to narrowing the scope of the reforms and putting in place oversight measures.

“The listed sectors are a substantial expansion of the existing definition of what constitutes ‘critical infrastructure’ and could capture most businesses within the economy,” the BCA said.

“We recommend appropriately targeting the definition of ‘critical infrastructure’ to account for whether legislation and regulation are the best way to achieve security uplift.”


Original URL: https://www.theaustralian.com.au/nation/politics/warning-on-rushed-cyber-law/news-story/3e8132ee147445b097c02c3805de6d26