Introduction

1.1 Australian society and its economy are supported by a network of interconnected infrastructure assets across a broad range of industry sectors. The Australian Government defines critical infrastructure as:

those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly¹ impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.²

1.2 Threats such as natural disasters, pandemics, sabotage, and espionage have the potential to significantly disrupt critical infrastructure. Secure and resilient infrastructure ensures continuous access to services that are essential for everyday life, such as food, water, health, energy, communications, transport, and banking. A disruption to any of these critical infrastructure sectors could have serious implications for business, government, and the community.

1.3 The Commonwealth, state and territory governments have different responsibilities for critical infrastructure depending on the sector or nature of the threats being mitigated. Responses to a threat can involve the asset owner and operator, technical and operational lead for that jurisdiction, and emergency services or law enforcement. Coordination among entities is therefore required to prepare and respond to critical infrastructure threats.

1.4 The Department of Home Affairs (the department) is the lead Australian Government agency responsible for the administration of critical infrastructure policy and regulation.

Critical infrastructure policy and regulation

Regulatory options

1.5 Governments may approach regulation through either legislative or non-legislative models. Non-legislative models involve achieving regulatory ends through non-legislative means, such as guidelines on market participants³, and can include light touch or principles-based regulation⁴, self-regulation⁵ and quasi-regulation.⁶ Legislated approaches involve either co-regulation⁷ or explicit government regulation, which is used where ‘there is a high perceived risk or public interest and achieving compliance is seen as critically important’.⁸

1.6 Australian Government regulators are empowered by, and subject to, a range of legal and other requirements including the following.

• Legislation that establishes the regulatory powers of an entity, and underpinning policies and relevant directions.
• The Public Governance, Performance and Accountability Act 2013 along with delegated legislation such as the Public Governance, Performance and Accountability Rule 2014, the Commonwealth Procurement Rules, and the Commonwealth Risk Management Policy.
• The Australian Government Regulator Performance Framework — introduced in October 2014 — to encourage regulators to achieve their objectives while minimising their impact on regulated entities. On 1 July 2021, the Regulator Performance Guide⁹ replaced the 2014 Framework and included a transition year for regulators to assess their approach to complying with its requirements.

1.7 The Australian Government’s critical infrastructure regime is comprised of a combination of light touch, co-regulation and explicit government regulation.

Overview of the Australian Government critical infrastructure regime

1.8 Terrorist attacks in the United States in 2001, and Indonesia in 2002, were the catalyst for formal engagement between the Commonwealth, state and territory governments, and industry on how to prepare for and respond to threats against critical infrastructure assets. In 2003, the Australian Government established a Trusted Information Sharing Network as the primary engagement mechanism for business and government information sharing, and resilience building initiatives on critical infrastructure.

1.9 Prior to the introduction of critical infrastructure focussed policy and legislation in 2018¹⁰, national security threats to assets were primarily assessed under the Foreign Investment and Takeovers Act 1975 (FATA). Under the FATA, certain proposed foreign investments, including those related to critical infrastructure assets require approval from the Treasurer. Conditions may be imposed, existing conditions may be varied, or a divestment from an approved investment may be required where a national security risk emerges.

1.10 The Treasury remains the lead entity for assessments under the FATA. The department provides national security advice to support decisions made under the FATA, and may impose and enforce conditions on approved applications. In 2020–21, the department received 943 applications for review from the Treasury, an increase from the 640 received during 2019–20.

Critical Infrastructure Resilience Strategy

1.11 The Australian Government Critical Infrastructure Resilience Strategy was released in May 2015.¹¹ The strategy comprises a policy statement and plan, and sets out the Australian Government’s policy position that:

• critical infrastructure is essential to Australia’s economic and social prosperity;
• resilient critical infrastructure plays an essential role in supporting broader community and disaster resilience;
• businesses and governments have a shared responsibility for the resilience of critical infrastructure, requiring strong partnerships; and
• all states and territories have their own critical infrastructure programs that best fit the operating environments and arrangements in each jurisdiction.

1.12 The policy statement sets out an approach based on non-regulatory business–government partnerships, mature risk management, and effective information sharing. The policy statement required the strategy to be reviewed in 2020.

1.13 The Critical Infrastructure Centre was established in 2017 to coordinate the management of risks to Australia’s critical infrastructure and deliver more coordinated national security assessments to inform foreign investment decisions in significant and complex cases. In December 2017, critical infrastructure policy, regulatory and strategy functions were transferred to the department and the Critical Infrastructure Centre became a division within the department.

Critical infrastructure legislation

1.14 In 2018, legislative coverage of the security of critical infrastructure expanded from the FATA to include:

• the Security of Critical Infrastructure Act 2018 (SoCI Act), which commenced on 11 July 2018; and
• the amendments to Part 14 of the Telecommunications Act 1997, or Telecommunications Sector Security Reforms (TSSR), which commenced on 18 September 2018.

1.15 The legislation in paragraph 1.14 enables the government to obtain information to undertake risk assessments in relation to critical infrastructure, and gives government the power to issue directions to address national security risks if necessary.

Security of Critical Infrastructure Act 2018

1.16 The SoCI Act was introduced to ‘strengthen the Government’s capacity to manage the national security risks of espionage, sabotage and coercion arising from foreign involvement in Australia’s critical infrastructure’.¹² The SoCI Act defines a critical infrastructure asset¹³, and what assets can¹⁴, and must not be prescribed as being ‘critical’.¹⁵ The SoCI Act has three measures to manage national security risks related to critical infrastructure.

• The Register of Critical Infrastructure Assets (the Register), provides the government visibility of who owns and controls the assets.¹⁶
• The information gathering power, provides the ability to obtain more detailed information from owners and operators of assets in certain circumstances.
• The Ministerial directions powers, provide the ability to intervene and issue directions in cases where there are significant national security concerns that cannot be addressed through other means.

1.17 In 2020, the Australian Government approved changes to the critical infrastructure regulatory regime on the basis that the SoCI Act did not enable it to impose requirements on entities to protect their assets, and an over-reliance on the FATA to manage risks arising from foreign ownership. In 2020, the department sought public contributions on the design of ‘an enhanced regulatory framework, building on existing requirements under the SoCI Act’.¹⁷

1.18 In December 2020, the Australian Government introduced a Bill that included amendments to the SoCI Act. These amendments would enact the regulatory framework that was the subject of public consultation. The Bill proposed mandatory incident reporting, an expanded application of the register of critical infrastructure sectors and assets, powers to obtain ownership, operational and risk management information, and powers to respond to serious cyber incidents. The amendments to the SoCI Act were described when they were introduced, as being ‘underpinned by enhancements to Government’s existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy’.¹⁸

1.19 In December 2020, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) commenced an inquiry into the Bill that would amend the SoCI Act, as well as a statutory review into the Act.¹⁹ In September 2021 the PJCIS published an Advisory Report on the concurrent reviews of the Bill and statutory review of the SoCI Act and made 14 recommendations. Among the recommendations was that the Bill be split in two so that government assistance²⁰ and an expanded definition of critical infrastructure sectors and assets could be legislated in the shortest time possible.

1.20 An additional $42.4 million over two years from 2021–22²¹ was included in the 2021–22 Budget for ‘Protecting Critical Infrastructure and Systems of National Significance’.

• In September 2021, the Critical Infrastructure Centre was re-branded as the Cyber and Infrastructure Security Centre.
• In December 2021, amendments to the SoCI Act expanded the asset classes covered from four to 22 across 11 sectors to include: communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage.²² The department estimated that it would have ten times the number of assets on its Register under the SoCI Act as a result of this change.
• Also in December 2021, the Australian Government commenced consultations on further amendments to the SoCI Act.²³
• In March 2022, the PJCIS published an Advisory Report on the proposed further amendments to the SoCI Act and made 11 recommendations.²⁴

1.21 In March 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 was passed by the Parliament. Details of changes to Australian Government critical infrastructure legislation are in Appendix 3.

Telecommunications Sector Security Reforms

1.22 The TSSR established a regulatory framework ‘to better manage the national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities’.²⁵ The purpose of the TSSR is to:

• introduce a comprehensive risk-based regulatory framework to better manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities; and
• better protect networks, and the confidential information stored on and carried across them, from unauthorised interference and access.

1.23 The aim of the TSSR is to encourage early engagement on proposed changes to networks and services that could give rise to national security risks, and to facilitate collaboration on the management of those risks. Key elements of the TSSR include:

• a security obligation that requires all carriers, carriage service providers and carriage service intermediaries to do their best to protect networks and facilities from unauthorised access or interference²⁶;
• a notification obligation that requires carriers and nominated carriage service providers to notify the Australian Government of planned changes to their networks and services that are likely to have a material adverse effect on their capacity to comply with the security obligation;
• that the Secretary of the department can obtain information and documents for the purpose of assessing carriers and carriage service providers compliance with their security obligations; and
• that the Minister for Home Affairs can direct a carrier, carriage service provider or carriage service intermediary to:
  • not use or supply carriage services if the Minister considers the use or supply prejudicial to national security; and
  • do, or not do, a specified thing that is reasonably necessary to protect networks and facilities from national security risks.

1.24 In September 2020, the PJCIS commenced a statutory review of the operation of the TSSR.²⁷ The PJCIS published its report on the statutory review in February 2022 and made six recommendations.²⁸

1.25 Figure 1.1 illustrates the sectors covered by Australian Government critical infrastructure policy and legislation.

Figure 1.1: Australian Government critical infrastructure policy and legislation sector coverage

 

 

Note: Sectors illustrated in the figure as being relevant to particular legislation may not represent all asset classes within them. For example, while the transport sector consists of public transport, aviation, maritime ports, freight infrastructure, and freight services, only specific maritime ports were captured under the 2018 SoCI Act and may be subject to an expanded number of transport asset types under the register following 2021 amendments to the SoCI Act.

Source: ANAO analysis of departmental documentation.

Critical infrastructure security and resilience roles

1.26 The Commonwealth, state and territory governments, and industry, have a shared responsibility to ensure the security and resilience of critical infrastructure, and to prevent, prepare, respond to, and recover from all hazards. Each participant has different roles as shown in Table 1.1. Further detail of the entities involved, and key policies and legislation is in Appendix 3.

Table 1.1: Critical infrastructure roles

Key: ✔ = role exists. ✘ = role does not exist.

Note a: For example, weather forecasting and cyber protection advisory notice provision.

Note b: For example, managing threats to life and property, preparing, and responding to emergencies, ensuring law and order, and delivery services such as health care and water.

Source: ANAO analysis of departmental documentation.

1.27 The department, as the lead agency for ensuring the protection of critical infrastructure, must coordinate, complement, and support the programs and activities of all these participants. When the Critical Infrastructure Centre and SoCI Act were established, it was recognised that the Australian Government would have limited powers to implement risk management strategies, and monitor and enforce compliance, and should first leverage existing state and territory regimes to conduct these activities.

Rationale for undertaking the audit

1.28 The potential for an attack²⁹ that degrades or disables a critical infrastructure asset has been identified by industry and governments in Australia and abroad. This audit provides assurance to the Parliament on whether the department, as policy and regulatory lead for critical infrastructure protection coordination, has an effective approach to protecting Australia’s assets of national significance, and supporting asset owners and operators to improve their resilience to attacks.

Audit approach

Audit objective, criteria and scope

1.29 The audit objective was to assess the effectiveness of the department’s administration and regulation of critical infrastructure protection policy. To form a conclusion against this objective, the following high-level criteria were applied.

• Has the department established effective governance arrangements to administer critical infrastructure protection policy?
• Does the department effectively administer compliance activities consistent with critical infrastructure protection requirements?

Audit methodology

1.30 The following actions were done to address the audit objective.

• The audit team examined departmental documentation with a focus on:
  • risk inputs, including systems and review of risk ratings and products;
  • processes, procedures, guidance and documentation developed to support, or as a result of, compliance activities;
  • departmental data used to inform reporting on compliance activities; and
  • arrangements with partner agencies.
• The audit team undertook system mapping and control testing over key systems, including a review of departmental assurance over the quality and integrity of inputs from other entities.
• The audit team undertook case studies into instances of non-compliance involving the use of enforcement activities.
• The audit team conducted meetings with relevant departmental staff and stakeholders.

1.31 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $349,000.

1.32 The team members for this audit were Glen Ewers, Rebecca Helgeby, Jessica Kanikula, Edwin Apoderado, Ji Young Kim, and Alex Wilkinson.

2.1 Critical infrastructure policy, regulatory and strategy functions have been the responsibility of the Department of Home Affairs (the department) since December 2017. The Australian Government’s Critical Infrastructure Resilience Strategy³⁰ outlines how the department will support asset owners and operators to effectively manage reasonably foreseeable and unforeseeable risks to the continuity of their operations.

2.2 Implementation of the government’s critical infrastructure policy objectives requires effective governance arrangements that reflect the risk environment, and the importance of coordination between the different levels of government and asset owners. To assess the extent to which the department had effective governance arrangements to administer critical infrastructure protection policy, the ANAO examined the material components of the department’s critical infrastructure related governance arrangements, which comprise its risk identification and management processes, stakeholder engagement coordination, and performance framework.

Are risks to critical infrastructure assets identified and managed effectively?

2.3 Regulators with clear and comprehensive processes to assess risk are positioned to allocate their resources towards those areas of greatest impact. The department’s enterprise risk management framework aims to fully integrate risk management in planning and decision-making activities. Critical infrastructure risk is addressed by the department through:

• enterprise level risks;
• business area annual planning;
• informing draft legislation to address national security risks associated with Australia’s critical infrastructure; and
• critical infrastructure protection coordination in the:
  • provision of advice to the Treasury on foreign investment an acquisition applications; and
  • engagement with the critical infrastructure industry and government stakeholders to support and understand asset resilience and incident response.

Enterprise level

Assessment and reporting alignment

2.4 In 2020–21, the department identified and assessed three enterprise level risks that addressed critical infrastructure.³¹ The main enterprise risk is ‘critical infrastructure’, which is ‘[a]n attack on critical infrastructure [that] significantly disrupts national operations, causing damage to the economy, public safety, and national security.’³² The other two enterprise risks address cyber and disasters.

2.5 Enterprise risk governance arrangements include reporting to the following internal governance forums:

• annual updates and a dashboard of all enterprise risks to the Executive Committee;
• quarterly updates and a dashboard, and three detailed reviews to the Enterprise Operations Committee and the Risk Committee; and
• enterprise risk update as a standing item for the department Audit and Risk Committee.

2.6 In 2020–21, reporting on enterprise risks and controls provided the accountable authority with visibility of critical infrastructure enterprise risks, and was consistent with the arrangements outlined above in paragraph 2.5.

2.7 Updates to the department’s Audit and Risk Committee on enterprise level risks included information on risk ratings, threats, consequences, related risks, the effectiveness of controls, and collaboration with key stakeholders. Each enterprise risk is assigned a risk owner. Controls for each risk are rated according to their effectiveness at mitigating the risk after the control has been applied. These ‘control effectiveness ratings’ are also included in quarterly reporting, and represent the last assessed performance of the control. Figure 2.1 illustrates key components of the department’s enterprise level risk management framework and how it has been applied to its critical infrastructure risk.

Figure 2.1: The department’s enterprise risk management framework and critical infrastructure strategic risk management in 2020–21

 

 

Source: ANAO analysis of departmental documentation.

2.8 In November 2021, the Executive Committee requested that quarter four reporting be reviewed to ensure it presents an accurate and realistic picture, and the outcomes of the review are reported to the Secretary. Subsequently, revisions made to the critical infrastructure enterprise risk report took the number of ineffective control ratings for the enterprise level critical infrastructure risk from one to seven of the eleven ratings³³, and the critical infrastructure risk was rated as ineffective.³⁴

2.9 While the department had identified the risk to critical infrastructure at the enterprise level, supporting documentation did not effectively address the risk.

• Controls did not align with activities or risk ratings listed against them.³⁵
• There was no reporting against the 36 measures of control effectiveness in each quarter, or for the reporting period.
• Most of the 11 control effectiveness ratings were inconsistent with the rating matrix in the Strategic and Enterprise Risk Management Plan and Reporting Handbook and not substantiated by reporting against each control.

2.10 Risk information submitted to governance bodies is dependent on the quality and maintenance of information included in risk reporting. Inconsistent and unsubstantiated content in risk reports reduces the department’s effectiveness in informing critical infrastructure related policy, or regulatory decisions.

Shared risk

2.11 The Commonwealth, state and territory governments, and industry have a shared responsibility to address the risks to critical infrastructure.³⁶ The Commonwealth Risk Management Policy requires the department to implement arrangements to understand and contribute to the management of shared risks.³⁷ The department’s risk management framework considers shared risks to include:

• ensuring visibility of risk through proactive information exchange;
• designing, deploying, and monitoring and reporting effectiveness of controls and risk treatments; and
• establishing mechanisms to share the burden of risk when it is realised.

2.12 The department’s processes for addressing the shared risk relating to critical infrastructure did not include a number of aspects of its risk framework. Internal reporting for quarter four 2020–21 addressing the critical infrastructure enterprise level risk:

• identified only two operational stakeholders as external shared risk owners;
• contained no reference to state or territory governments, or other operational and regulatory bodies; and
• referred to the department having limited visibility of information held by one of the shared risk owners as a basis for assessing the overall risk rating for the critical infrastructure enterprise level risk as ineffective.

2.13 Engagement in different fora and with specific stakeholders to achieve departmental objectives is referred to in enterprise level critical infrastructure related risk assessments. Critical infrastructure related risk reporting also refers to activities that assess or manage shared risks. Reporting that relates to critical infrastructure regulatory or policy responsibilities is limited to legislative and policy reform, and foreign investment and acquisition assessments, and excludes:

• other Australian Government regulatory bodies in critical infrastructure sectors;
• state and territory government agencies with critical infrastructure policy, operational or regulatory responsibilities; and
• critical infrastructure asset owners and operators.

Business planning

2.14 Management of risk at the operational level should effectively integrate with the enterprise level risk framework. The Cyber and Infrastructure Security Centre (CISC) of the department is responsible for the administration and regulation of critical infrastructure policy. The 2020–21 and 2021–22 business plans for the CISC³⁸ included:

• key risks that aligned with enterprise level critical infrastructure strategic risk documentation; and
• controls that aligned with the enterprise level critical infrastructure risk.

2.15 Management meetings were used to progress business plan outputs and did not consider the impact activities were having on mitigating identified risks.

Advice on the legislative framework

2.16 The department’s risk framework should inform its policy advice related to critical infrastructure regulation. The Security of Critical Infrastructure Act 2018 (SoCI Act) is designed to manage national security risks arising from foreign involvement in Australia’s critical infrastructure. It initially covered the electricity, gas, water, and ports sectors on the basis that the degradation or disruption of assets in these sectors was most likely to have a negative impact on the Australian economy or security.

2.17 The department is also required under the Telecommunications Security Sector Reforms (TSSR) to assess national security risks to critical telecommunications infrastructure arising from proposed changes notified by providers (use of these powers is discussed further in chapter 3, paragraphs 3.23 to 3.29). The department has provided advice and reported on the use of regulatory powers under the SoCI Act and TSSR. The assessed risks and advice did not result in adjustments to critical infrastructure risk assessment at the enterprise level, in business planning or in any other risk assessment.

Policy lead activities

2.18 The department has adopted a risk-based approach to prioritising compliance activities and allocating resources under both the SoCI Act and the TSSR (see paragraphs 3.31 and 3.32). Activities conducted under the compliance model did not result in adjustments to enterprise or business plan risk assessments and ratings based on the outcome of these activities. Outcomes of these activities were not integrated into the enterprise level critical infrastructure strategic risk summary reporting, or its supporting documentation.

2.19 Under the Foreign Investment and Takeovers Act 1975 (FATA) arrangements, the department is required to support the management of risk to critical assets. The department provides advice on foreign investment and acquisition applications. Departmental advice is based on the application of a risk assessment procedure, which supports the consistent assessment of the threat, vulnerability, and consequences of what was proposed in the applications, to the continued operation of critical infrastructure assets and services.

2.20 A review of a sample of FATA assessments by the ANAO found that the department was consistent with its procedural requirements. The department also provided advice, through the Foreign Investment Strategic Analysis Team, on national security risks associated with applications.

2.21 Advice provided by the department on critical infrastructure risks included in individual foreign investment assessments was not used to inform adjustments to overall assessments of related enterprise risks or the effectiveness of controls. For example, reporting provided to the governance forums outlined above in paragraph 2.5 on the critical infrastructure enterprise risk, did not reflect intelligence gained from individual foreign investment assessments, or trends that would inform the management of potential national security concerns.

2.22 The 2015 Critical Infrastructure Resilience Strategy includes two core policy objectives that relate to the department’s role in overseeing industry risk management. These are for critical infrastructure owners and operators to be effective in managing:

• reasonably foreseeable risks to the continuity of their operations, through a mature, risk-based approach; and
• unforeseen risks to the continuity of their operations through an organisational resilience approach.³⁹

2.23 The department provides the Organisational Resilience Health Check on its website⁴⁰ as a tool for industry to self-assess organisational resilience capability. Responses are confidential and are not recorded by the department. The tool is not referred to in any enterprise risk documentation as a means by which threat preparedness or responsiveness could be improved. Use of the health check is not monitored by the business area responsible for critical infrastructure.

Have effective coordination arrangements with key stakeholders been established?

2.26 The department’s management of critical infrastructure protection relies on coordination with other Commonwealth entities, state and territory governments, asset owners and operators (see paragraph 1.26). The 2015 Critical Infrastructure Resilience Strategy includes the following Australian Government policy positions:

• businesses and governments have a shared responsibility for the resilience of our critical infrastructure, requiring strong partnerships; and
• all states and territories have their own critical infrastructure programs that best fit the operating environments and arrangements in each jurisdiction.

2.27 The department has stated that the update⁴¹ to the 2015 Critical Infrastructure Resilience Strategy will:

• bring disparate work across government together. This helps create a consistent approach to improving critical infrastructure security and resilience. It will give holistic support to owners and operators across the threat spectrum; and
• provide a framework for how we work with state and territory governments and industry.⁴²

Engagement approach

2.28 The department does not have an engagement strategy in place for critical infrastructure that identifies the purpose and means for engagement, relevant stakeholders, or distinguishes when the department is undertaking a policy or regulatory role. Sector specific strategies were developed for four sectors to inform engagement on legislative reforms. These strategies were discontinued before the reform engagement had concluded and replaced with an engagement approach that was not industry specific. The sector specific strategies did not relate to the department’s engagement on its legislated regulatory functions.

2.29 The department participates in key forums to engage with government and industry stakeholders listed in Table 2.1.

Table 2.1: Summary descriptions of key critical infrastructure-related engagement

Source: ANAO analysis of departmental documentation.

2.30 The engagements listed in Table 2.1 focussed on sharing information on issues such as cyber, natural hazard forecasting, and supply chain updates. The meetings did not provide a strategic approach to ensuring critical infrastructure policy outcomes were met, or provide a platform for the sharing of better practice, setting sector expectations, or distributing information to assist other Australian Government, state or territory critical infrastructure regulators to pursue possible instances of non-compliance under their regulatory powers. While components of existing policy and forum terms of reference covered some aspects of the department’s critical infrastructure related responsibilities, they did not represent an engagement strategy that comprehensively covers:

• when engagement is in a policy or regulatory capacity;
• how the department will support other regulatory bodies and industry to improve critical infrastructure resilience and security; or
• information sharing arrangements with relevant regulatory bodies.

2.31 The CIAC and seven of eight TISN sector groups have terms of reference that align with the matters covered in meetings held since 2017. In 2021, a TISN online platform was established, and membership reset to align with the expanded sectors covered under the SoCI Act. The TISN was described as still being a forum for the department to engage in a non-regulatory capacity with:

stakeholders from across the critical infrastructure community, including critical infrastructure owners and operators, supply chain entities, peak bodies, industry specialists and all levels of government who are responding to the increasingly interconnected and interdependent nature of Australia’s critical infrastructure.⁴³

2.32 In addition to the forums listed in Table 2.1, the department engages on an as needed basis with other regulators, particularly with the:

• Treasury to provide advice on the national security implications of applications made under the FATA; and
• Australian Communications and Media Authority about the issuing of carrier licences that requires approval from the Communications Access Coordinator (CAC)⁴⁴ under the TSSR.

Information sharing

2.33 Effective communication arrangements ensure agencies receive information they need to undertake their functions. It also enables agencies to coordinate with, and benefit from, activities undertaken by other agencies. The SoCI Act allows the department to share information that it has obtained with relevant entities responsible for the regulation, or oversight of critical infrastructure assets.⁴⁵

2.34 Regulatory and non-regulatory arrangements apply to the collection of information by the department relating to critical infrastructure. Under the SoCI Act, asset owners have an obligation to report specific information to the department’s Register of Critical Infrastructure Assets. Under the TSSR, entities that are carriers and nominated carriage service providers may advise of changes with potential security risks.⁴⁶

2.35 Other Commonwealth, state and territory regulators obtain critical infrastructure asset information under their respective functions (see Appendix 4). The department does not use arrangements in Table 2.1 to obtain or share threat prevention and preparedness related information with these regulators.⁴⁷ While the department informed the ANAO it shares information with states and territories, and other Australian Government regulatory bodies, the ANAO did not identify a consistent or risk-based approach. Consequently, more established information-sharing arrangements exist with some key stakeholders⁴⁸ and not others.⁴⁹

Has an effective performance framework been established?

2.38 A key element of regulatory governance is the establishment of an appropriate performance framework that provides information about whether the regulator is achieving its intended results. This should include external performance measures to provide information about the achievement of its purpose to the Parliament and other stakeholders, and internal performance measures to inform officials about the efficiency, effectiveness, economy and ethics of their regulatory and policy approach.

Performance framework

Performance measure adequacy

2.39 Under the Commonwealth Performance Framework, an entity must report on how its performance in achieving its purposes and key activities will be measured and assessed.⁵⁰ To provide accountability to the Parliament and the public, the results against these measures are required to be provided in annual performance statements.⁵¹

2.40 In 2020–21 and 2021–22, the performance measure relating to critical infrastructure contained in department’s Portfolio Budget Statements and corporate plan were broadly consistent.

• The department’s 2020–21 and 2021–22 Portfolio Budget Statements each included a single program, purpose and performance measure, with one target that relates to its critical infrastructure responsibilities.
• The department’s 2020–21 and 2021–22 corporate plans each included three purposes, with critical infrastructure responsibilities falling under purpose 1 on national security.⁵² The 2020–21 corporate plan also stated that ‘ownership of critical infrastructure must continue to be managed and resilience will need to be enhanced to ensure it cannot be compromised by natural hazards, organised criminals, or foreign actors’.⁵³
• The 2020–21 and 2021–22 corporate plans each include one key activity, one composite measure and four targets that related to the department’s critical infrastructure responsibilities.

2.41 The ANAO assessed the department’s 2020–21 critical infrastructure performance measure against the requirements of the Commonwealth Performance Framework and accompanying guidance.⁵⁴ The ANAO did not assess the appropriateness of the department’s entity-wide set of performance measures, and reviewed only the measure directly relating to the critical infrastructure program.

2.42 Section 16EA of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires an entity’s performance measures, in the context of the entity’s purposes or key activities, to:

1. relate directly to one or more of those purposes or key activities;
2. use sources of information and methodologies that are reliable and verifiable;
3. provide an unbiased basis for the measurement and assessment of the entity’s performance;
4. where reasonably practicable, comprise a mix of qualitative and quantitative measures;
5. include measures of the entity’s outputs, efficiency and effectiveness if those things are appropriate measures of the entity’s performance; and
6. provide a basis for an assessment of the entity’s performance over time.⁵⁵

2.43 Table 2.2 below, details the ANAO’s assessment of the department’s performance measure.

Table 2.2: Assessment of the department’s external critical infrastructure related performance statement measure

Key: ◆ = Fully meets the requirements of section 16EA of the PGPA Rule. ■ = Does not meet the requirements of section 16EA of the PGPA Rule.

Note a: Related refers to the requirement of subsection 16EA(a) of the PGPA Rule, as amended. In applying the related criterion, the ANAO assessed whether the entity’s performance measure relate directly to one or more of the entity’s purposes or key activities.

Note b: In applying the ‘measurable’ criterion, the ANAO assessed whether the entity’s performance measure was:

• reliable and verifiable — use sources of information and methodologies that are reliable and verifiable; and
• free from bias — provide an unbiased basis for the measurement and assessment of the entity’s performance.

Source: ANAO analysis based on Department of Finance’s Resource Management Guide No.131.

2.44 The department’s critical infrastructure related performance measure is not adequate. The measure:

• relates directly to the department’s purposes⁵⁶;
• is not measurable on the basis that targets are not supported by a verifiable method⁵⁷ (see Table 2.3), are not free from bias, and do not include details about how performance against them contribute to achieving the purpose⁵⁸; and
• has targets that relate to outputs.⁵⁹

Table 2.3: Department and ANAO performance target assessments

Source: ANAO analysis based on Department of Finance’s Resource Management Guide No.131.

Regulatory performance framework self-assessment

2.45 The Regulator Performance Framework, released in October 2014, requires Australian Government regulators to publish annual self-assessments of their performance against six performance indicators. The Regulatory Performance Framework notes that ‘for a small number of regulators, issues concerning national security and operational details to achieve regulatory objectives may require published report(s) to be less detailed.’ The department advised the ANAO that it had interpreted this as meaning that the appropriate minister could decide to exempt certain regulatory functions from reporting on national security grounds.

2.46 A ministerial decision approved reporting content, and noted that some functions were excluded on national security grounds, though it did not list critical infrastructure functions as exempt. Rather, the Minister for Home Affairs was advised by the department that ‘exemptions on national security grounds would cover a range of departmental functions’. Although the exemption was only for public reporting of assessments against the framework, the department did not complete any self-assessment of its critical infrastructure related regulatory responsibilities for internal use.

2.47 In July 2021, the Regulator Performance Guide superseded the 2014 Framework. In October 2021, the department advised the ANAO that ‘from 2020–21 it will report directly against the Regulator Performance Framework’. The 2020–21⁶⁰ report for the department did not refer to critical infrastructure related regulatory functions. Annual reporting on the use of powers under the SoCI Act and TSSR does not include performance measurement information.

Legislative reform

2.48 Reform of critical infrastructure related legislation has provided the department with an opportunity to review its performance internally and through external processes. These reforms have allowed the department to review its performance by drawing on external feedback sources in the form of parliamentary activity and stakeholder consultations. Reforms to the SoCI Act in 2021 were developed after consultation processes that are summarised in Appendix 3. The department used content from submissions by its stakeholders to the Parliamentary Joint Committee on Intelligence and Security (PJCIS)⁶¹, and its own consultations to analyse the policy issues associated with the proposed legislative reforms. Submissions to the PJCIS by the department referred to a number of changes made to the Bill following receipt of stakeholder feedback ‘to ensure that the Bill appropriately meets the needs of both Government and owners and operators of critical infrastructure’.⁶²

2.49 In its advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and statutory review of the SoCI Act 2018, the PJCIS recognised these processes and their intent, as well as negative feedback on the lack of action or acknowledgement of input submitted as part of consultations, or sufficient promotion of the opportunity to engage the department on the reforms.⁶³ Notwithstanding a diversity of views on whether engagement provided genuine opportunity to influence legislative reforms, the department provided policy advice to the government on regulatory changes after undertaking consultative processes.

Internal performance information

2.50 Internal monitoring of performance using well-defined measures can be a valuable source of information for a regulator on the effectiveness of its strategies and areas for improvement. The department has established reporting to internal governance bodies on the performance against its business plan and the implementation of government objectives. Measures are well defined and provide updates on the extent to which activities have been implemented or further action is required.

2.51 Performance measures are also included in the Critical Infrastructure Resilience Strategy plan. An internal assessment of progress against activities in the Critical Infrastructure Resilience Strategy did not provide assurance of the progress made, had few references to outputs delivered by activities, and did not assess progress against outcomes.

3.1 Effective critical infrastructure regulation is important because a disruption ‘could have serious implications for business, governments and the community, impacting supply security and service continuity’.64 To assess whether the Department of Home Affairs (the department) effectively administered compliance activities consistent with critical infrastructure protection requirements, the ANAO examined: the department’s compliance framework; compliance procedures; and compliance activities.

Has an effective framework been established to manage compliance with critical infrastructure requirements?

3.2 A compliance framework is a set of plans, policies, or procedures that set the approach taken to manage compliance. Establishing and implementing appropriate plans supports regulators to achieve desired regulatory outcomes. The framework for the department’s compliance approach is summarised in Table 3.1.

Table 3.1: Summary of critical infrastructure compliance framework

Note a: Australian Government, Critical Infrastructure Resilience Strategy: Policy Statement [Internet], Department of Home Affairs, 2015, available from https://www.cisc.gov.au/help-and-support-subsite/Files/critical_infrastructure_resilience_strategy_policy_statement.pdf [accessed 5 January 2022].

Note b: Australian Government, Critical Infrastructure Resilience Strategy: Plan [Internet], Department of Home Affairs, 2015, available from https://www.cisc.gov.au/help-and-support-subsite/Files/critical_infrastructure_resilience_strategy_plan.pdf [accessed 5 January 2022].

Note c: Department of Home Affairs, Telecommunications Sector Security Reforms (TSSR) Administrative Guidelines [Internet], Department of Home Affairs, 2015, available from www.cisc.gov.au/help-and-support-subsite/Files/tss_administrative_guidelines.pdf [accessed on 5 January 2022].

Source: ANAO analysis of departmental documentation.

3.3 The department’s compliance framework outlined in Table 3.1 does not reflect its current compliance requirements. The Critical Infrastructure Resilience Strategy, which guides the work of the Cyber and Infrastructure Security Centre, has not been updated since 2015, despite including a review point in 2020, and plans by the department to update it since at least 2019. Consequently, the Critical Infrastructure Resilience Strategy does not:

• reflect machinery of government changes in 2017 that moved responsibility for critical infrastructure protection coordination to the department;
• delineate the department’s policy and regulatory responsibilities from those of other Commonwealth, state and territory regulatory bodies, or set out how these responsibilities will be applied; or
• align with current powers to regulate critical infrastructure, or the increased scale and sophistication of threats that have been used as the basis for legislative changes but not reflected in the compliance framework.

3.4 Figure 3.1 illustrates the compliance model included in the compliance strategy, with the following tools listed under each of the four tiers in the model.

• Support voluntary compliance: information exchange, guidance and advice, validation of compliance activities.
• Assist entity to maintain compliance: education and training, threat advice, sharing best practice information, set clear expectations and standards.
• Correct entity: formal warnings, ministerial directions, injunctions, enforceable undertakings, civil penalties, prosecution.
• Remove entity: cancel licence to operate, divestment order, regulator step-in, ministerial directions.

Figure 3.1: Critical Infrastructure Centre compliance model

 

 

Source: Department of Home Affairs, Critical Infrastructure Centre Compliance Strategy, DHA, 2019, p.6, available from: https://www.cisc.gov.au/help-and-support-subsite/Files/critical-infrastructure-centre-compliance-strategy.pdf [accessed on 5 January 2022].

3.5 The compliance framework includes actionable activities that are tracked over time and publicly reported. The Critical Infrastructure Centre Compliance Strategy states that the department

‘will conduct monitoring activities to assess entity compliance with their obligations under the [SoCI] Act, the TSSR and to support Treasury’s compliance activities under the [Foreign Investment and Takeovers Act 1975 (FATA)]’.

3.6 The strategy states that monitoring activities for the three Acts may include: entity reporting requirements, information gathering, inspection and retention of documents, audits by the Centre or authorised representatives and assessing compliance.

3.7 Compliance framework documents do not specify the circumstances that would trigger or inform decisions to undertake compliance activities. There is also no reference to situations where the powers of other stakeholders would be supported or used instead of those of the department or the Minister for Home Affairs (such as in section 32 or section 51 of the SoCI Act).⁶⁵

Are effective procedures and systems in place to support the use of regulatory tools?

3.10 Australian Government policy requires regulators ‘to weigh the efficiency and cost-effectiveness of their regulatory actions, seeking to impose the least burden on those that are regulated while maintaining essential safeguards’.⁶⁶

Procedures

3.11 Establishing appropriate procedures and systems helps ensure regulatory tools can be used as intended, achieve desired outcomes, and are used in a legally sound and defensible manner. This includes implementing policies, procedures and supporting documentation, establishing appropriate information systems, ensuring staff are appropriately trained and qualified, and ensuring regulatory powers have been legally delegated to officials.

3.12 The department has:

• thirteen draft procedures relating to regulatory powers under the SoCI Act. None have been finalised, approved or included on the department’s policy and procedural repository; and
• nine policies and procedures that relate to regulatory powers under the TSSR, two of which have not been finalised, approved and included on the department’s policy and procedural repository.

3.13 Most of the unapproved SoCI Act procedures were drafted in 2019 and 2020. The ANAO was advised that procedures are in use despite not being finalised and some having drafting comments in them.

3.14 The department’s Critical Infrastructure Compliance Strategy identifies its ‘correct’ compliance model tier as applying injunction, civil penalty, and enforceable undertaking powers in instances where:

engagement, negotiation, or mediation are unsuccessful, or where the Centre believes the entity is not acting in good faith, the Centre will escalate to enforcement measures to achieve compliance and mitigate the identified risk.⁶⁷

3.15 Application of these enforcement measures may involve conducting investigations as a process of seeking information relevant to an alleged, apparent or potential breach of the law, involving possible judicial proceedings.⁶⁸ The department does not have established procedures to manage circumstances where an investigation may be required. This procedure should specify how investigations will be conducted and identify minimum training or qualifications standards required by Australian Government agencies for investigations staff.⁶⁹

3.16 The department’s delegation of powers to apply the enforcement measures was consistent with legislative requirements.

Information systems

3.17 The department uses a secure information technology platform to store classified material that relates to critical infrastructure assets. Procedures exist that outline how information is transferred from a webform portal to the secure platform. Controls and classification during this transfer were applied appropriately.

3.18 A core group of personnel are relied on to administer, update and use the secure database in response to more diverse and increasing requests for asset information. There would be merit in the department establishing records, controls, or contingency plans to manage, or respond to advice requests based on critical infrastructure data in circumstances where this core group of personnel are unavailable.

3.19 The department has appropriate information technology systems controls to ensure that critical infrastructure administration is conducted in accordance with protective security requirements. The systems and their controls rely on manual processes to remove users when they no longer occupy roles that require access to secure systems, or undertake analysis that underpins critical infrastructure advice.

3.20 A classified system is used to store critical infrastructure related information. While the department has technical security design, procedures and risk assessment documents relating to the network and systems, two security controls established for the classified network and critical infrastructure systems were not implemented in accordance with Protective Security Policy Framework and Information Security Manual requirements. This increases the risk of unauthorised access to classified systems and information.

Is the use of regulatory tools consistent with legislative and procedural requirements?

3.23 Australian Government regulators draw authority from, and are subject to, a range of legal and other requirements. Effectively implementing a compliance program requires that a regulator act on identified instances of non-compliance. If actions are not escalated in accordance with regulatory powers, the impact of the regulator and the achievement of regulatory outcomes may be diminished.

3.24 The department’s critical infrastructure related regulatory functions and powers under the SoCI Act and TSSR are summarised in Table 3.2.

Table 3.2: Summary of regulatory functions and powers under critical infrastructure-related legislation

Key: ✔ = power is legislated. ✘ = power not legislated.

Note a: The Communications Access Coordinator (CAC) is the Secretary of the department or a person, or body specified by the Minister as set out in section 6R of the Telecommunications (Interception and Access) Act 1979. The CAC liaises between security and law enforcement agencies and the telecommunications industry.

Note b: The Minister for Home Affairs added privately declared assets to the register using a direction power under the SoCI Act. This power was used in 2018.

Source: ANAO analysis.

3.25 The powers under the TSSR with approved and finalised procedures had been consistently applied.⁷⁰

3.26 The Critical Infrastructure Centre Compliance Strategy lists tools that will be used against the four tiers of non-compliance ranging from support, assist, correct, to remove. The strategy describes seeking compliance outcomes through a non-regulatory approach for entities covered under both Acts. Table 3.3 shows the use of critical infrastructure related regulatory tools available under both Acts against each tier of the compliance model.

Table 3.3: Use of regulatory tools to respond to potential non-compliance

Key: ◆ = Tool used to manage compliance. ▲ = Tool used in some compliance activity. ■ = Tool used and potential non-compliance not managed.

Note a: This includes the activity measured under performance statement target 1.1.3.1 listed in Table 2.3.

Note b: In 2018, the Minister for Home Affairs added privately declared assets to the register using a direction power under the SoCI Act. This is not the direction power referred to under the compliance model.

Source: ANAO analysis of departmental documentation.

3.27 Consistent with the department’s regulatory posture, the focus of regulatory activity has been to support voluntary compliance and assist entities to maintain compliance. This approach was identified in the annual reporting of powers under the TSSR and SoCI Act to:

• achieve ‘national security outcomes on a cooperative basis rather than through the formal exercise of regulatory powers’⁷¹; and
• enable government ‘to better assess the extent of vulnerability across our high priority assets … while maintaining open economic settings and imposing only a minimal and targeted regulatory burden’.⁷²

3.28 In its submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) statutory review of Part 14 of the Telecommunications Act, the department noted that while its:

primary focus is to achieve national security outcomes on a cooperative basis, the Act allows the Minister for Home Affairs to seek an injunction requiring a notification, accept an enforceable undertaking or pursue civil penalties in relation to non-compliance with s314A(3) of the Act. However, there is significant administrative and financial burden associated with these enforcement measures and may not be the most appropriate mechanism to achieve an appropriate security outcome.

3.29 While the statements in the department’s submission are also consistent with its compliance posture, it has not measured the administrative or financial burden of using tools available in the higher tiers of its compliance model.

Is there an effective process to identify non-compliance?

3.30 Risk-based regulation is important in ensuring that the burden of regulation is appropriate. It is successful when available evidence is used to develop a strategic, diligent and risk-based regulatory compliance approach, and this approach is consistently implemented. Too strong a focus on ‘red tape’ reduction, including through not utilising the full range of regulatory powers provided by the Parliament, can be at the expense of effective outcomes.

Risk-based compliance

3.31 The department’s enterprise risk management framework aims to fully integrate risk management in planning and decision-making activities. The Regulator Performance Guide, sets out the benefits of regulators properly assessing and responding proportionately to risks of non-compliance, stating that:

[s]trategic management of risk can also improve efficiency by prioritising resources to the areas of highest risk, and increase compliance by focusing limited resources on the areas of the greatest risk of non-compliance. It can also reduce the overall compliance and cost burden by minimising Government intervention where the risks are relatively low.⁷³

3.32 Table 3.3 shows that the department adopted a risk-based approach to prioritise its compliance activities and use of resources. Support for voluntary compliance activities included a high proportion of entities covered under the TSSR and SoCI Act, and high priority entities were identified and engaged in follow-up activities to validate compliance or encourage further information to be submitted to ensure compliance. The process for identifying high priority entities was limited by the absence of a defined non-compliance risk assessment process, and adjustments to this process based on factors such as compliance activity outcomes or the threat environment in which the activity is being undertaken.

Compliance actions

3.33 The Critical Infrastructure Centre Compliance Strategy states that the Centre ‘will facilitate full compliance by critical infrastructure owners and operators with their obligations under legislation and, where applicable, FATA conditions’. The Centre’s website also states that it ‘works closely with industry, states and territories, regulators and technical advisers’.

3.34 The department has not measured whether full compliance has been achieved because it has not confirmed all entities covered by the SoCI Act and the TSSR are compliant. The department’s records did not identify when decisions were made to:

• not engage with some entities about their compliance with relevant legislation until two years after it had commenced (see Case study 1); or
• not finalise compliance activities that commenced in 2019 for all SoCI Act assets (see Case study 2).

Note a: The department advised the ANAO that ‘due to resourcing constraints and other high priority tasks at the time, compliance actions were not escalated’.

3.35 The department does not have an established system to monitor existing critical infrastructure related compliance activity to inform decisions to consistently trigger, triage and manage cases. An established system should document decisions made to:

• use a power, or to not use it where a circumstance arises where it could be used;
• escalate, or not escalate a case to a higher compliance model tier; or
• not pursue further activity, or close a case.

3.36 Between October 2018 and September 2021, the department recorded receipt of 161 TSSR notifications lodged by entities covered under the TSSR. Of these 161 notifications, 57 (35 per cent) were assessed as requiring further information about the proposed change before a security assessment could be completed. A review of 12 (21 per cent) notification cases where further information was sought found that the department’s handling under the TSSR was consistent with legislative and procedural requirements.

• None of the cases sampled, that were subject to requests for further information from an entity, resulted in a final assessment of residual concerns being made by the appropriate delegate in the department that documented the decision to use or not use further regulatory tools available to them, or that concerns had been addressed.
• All requests had a 30-day timeframe for the information to be provided, and a warning that the information gathering power may be used if there was no response. For one example, where a change submitted under the TSSR had raised national security concerns, the department had not concluded its compliance activity or used its regulatory tools in the higher tiers of its compliance model 18 months after the change was submitted.

3.37 In its submission to the PJCIS statutory review of Part 14 of the Telecommunications Act, the department noted challenges in ensuring changes made by carriers were appropriately notified or that risks were mitigated.⁷⁴ The department’s submission did not substantiate why the information gathering power under the TSSR is not used in those instances where further information was required to complete notification assessments. A procedure to use the information gathering power was drafted but not finalised or approved.

3.38 While draft procedures exist on regulatory powers at higher tiers of the department’s compliance model, they did not set out circumstances when no further action was necessary or when it would be appropriate to escalate matters from business-as-usual monitoring to compliance activity, or to higher tiers. A documented triage process would support the department to document compliance outcomes and escalate the most important matters for further action and resolution. The Australian Government Investigation Standards states that agencies should have written procedures that outline how the initial evaluation and actioning of matters will occur.⁷⁵

Measuring the achievement of outcomes

3.41 Clearly defined, measurable and achievable outcomes are critical to the effective delivery of risk-based regulation.⁷⁶ While the department reports on its use of regulatory tools in annual reporting, it does not report on achievement of its policy statements about how it will support other Commonwealth, state, and territory regulators to ensure the security of critical infrastructure. The Critical Infrastructure Resilience Strategy includes outcomes and activities related to the department working with other regulators.⁷⁷ The department has not reported on the achievement of these outcomes and activities.

3.42 The Critical Infrastructure Centre Compliance Strategy also states that ‘information sharing between government and industry, and across industry, has proven to be an effective mechanism to build organisational and sectoral resilience with minimal government intervention’.⁷⁸ The department’s information sharing is limited to its regulatory functions and does not extend to achieving broader strategic policy outcomes. For example, the NSW Independent and Pricing Regulatory Tribunal (IPART) has included in its licencing conditions that information can be shared with the department, and IPART can receive risk advice from the department to support regulatory activities under the operating licence conditions. The department does not have broader strategic information sharing arrangements in place with similar regulatory bodies in other jurisdictions (see Appendix 4, Table A.6).

3.43 Information sharing that is limited to the department’s regulatory functions prevents the department from anticipating and adapting to a wide range of information. It also reduces the visibility of threats and incidents. The department has not established a process to formalise information sharing arrangements between the department and its stakeholders to inform critical infrastructure related regulatory activities of either or both parties.

3.44 In December 2021, the department ran an exercise with state and territory representatives to familiarise them with government assistance measures contained in the SoCI Act as it was amended by the Security Legislation Amendment (Critical Infrastructure) Bill 2021. The purpose was also to identify issues to be considered as part of standard operating procedures for government assistance measures. For example, powers to gather information, to direct an entity to do or refrain from an action, or to request an authorised agency to provide support. The department has not used similar exercises to test whether existing policy outcomes have been achieved.

Has the use of regulatory tools been effectively reviewed?

3.45 When regulators measure performance, they should incorporate them into an appropriate monitoring, reporting and evaluation framework that provides assurance over its achievement of objectives, as set out in relevant legislation. Compliance information collected by the regulator will also assist in determining performance against expectations and the impact of regulatory activities over time. Effective review of regulations is a critical element in establishing accountability for program performance, ensuring ongoing improvement, and is an appropriate justification for any regulatory changes.

3.46 The department’s Critical Infrastructure Centre Compliance Strategy states that the centre will ‘continually review its activities based on the results and impact on industry’. The department has not established a process of reviewing its use of regulatory tools under the SoCI Act or TSSR for measuring the impact on industry of its use of regulatory tools. The performance framework components referred to in paragraphs 2.38 to 2.51 presented opportunities for the department to review the effectiveness and lessons learned from its use of regulatory tools.

Appendix 1 Entity response

 

 

 

 

Appendix 2 Improvements observed by the ANAO

1. The fact that independent external audit exists, and the accompanying potential for scrutiny, improves performance. Program-level improvements usually occur: in anticipation of ANAO audit activity; during an audit engagement as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• initiating reviews or investigations; and
• introducing or revising policies or guidelines.

4. In this context, the below improvements were observed by the ANAO during the course of the audit. It is not clear if these actions and/or the timing of these actions were already planned before this audit commenced. The ANAO has not sought to obtain reasonable assurance over the source of these improvements or whether they have been appropriately implemented.

5. Performance improvements observed by the ANAO during the course of this audit were:

• In September 2021, the Critical Infrastructure Centre was re-branded as the Cyber and Infrastructure Security Centre (see paragraph 1.20);
• In December 2021, amendments to the Security of Critical Infrastructure Act 2018 (SoCI Act) expanded the asset classes covered from four to 22 across 11 sectors, and in December 2021 the department commenced consultations on further amendments to the SoCI Act. In March 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Bill Act 2022 was passed by the Parliament (see paragraph 1.20);
• In November 2021, the department revised quarter four 2020–21 assessments of its enterprise risk, including its critical infrastructure risk (see paragraph 2.8); and
• In December 2021, the department ran an exercise with state and territory representatives to familiarise them with government assistance measures contained in the SoCI Act (see paragraph 3.44).

Appendix 3 Timeline of critical infrastructure reform events and implications

Table A.1: Key dates and consequences of changes to Australian Government legislation

Note a: Available from https://www.homeaffairs.gov.au/cyber-security-subsite/files/2020-cyber-… [accessed on 4 January 2022].

Note b: Department of Home Affairs, Australia’s Cyber Security Strategy 2020 [Internet], DHA, 2020, pp.28–29, Available from https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/s… [accessed on 20 December 2021].

Note c: Parliament of Australia, Review of Part 14 of the Telecommunications Act 1997 – Telecommunications Sector Security Reforms [internet], APH, available from Review of Part 14 of the Telecommunications Act 1997 – Telecommunications Sector Security Reforms (aph.gov.au) [accessed on 21 March 2022].

Note d: ibid., p.44.

Source: ANAO analysis of departmental documentation.

Appendix 4 Other jurisdiction critical infrastructure arrangements

1. Tables A.2 to A.6 provide non-exhaustive comparisons of key characteristics of the critical infrastructure programs in Australian jurisdictions.

Table A.2: Key enabling legislation for critical infrastructure programs in Australian jurisdictions

Source: ANAO analysis of information available in the public domain.

Table A.3: Key critical infrastructure program policies in Australian jurisdictions

Source: ANAO analysis of information available in the public domain.

Table A.4: Critical infrastructure policy leads in Australian jurisdictions

Source: ANAO analysis of information available in the public domain.

Table A.5: Key critical infrastructure-related incident response entities in Australian jurisdictions

Source: ANAO analysis of information available in the public domain.

Table A.6: Key critical infrastructure government regulators in Australian jurisdictions

Source: ANAO analysis of information available in the public domain