Explainer: Intervention Requests and Australian Critical Infrastructure

By Ravi Nayyar

23 min readJun 10, 2022

In a galaxy far, far away,

Called Canberra,

On the recommendation of the Parliamentary Joint Committee on Intelligence and Security (‘PJCIS’),

The Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI Act’) was reformed by the Commonwealth of Australia in two stages:

Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (‘SLACI Act’); and
Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (‘SLACIP Act’).[1]

Why were the reforms split in two?

Well, the SLACI Act contained measures that couldn’t wait, that is, they needed to be ‘legislated in the shortest time possible’ so that the Department of Home Affairs (‘the Department’) and Australian Signals Directorate (‘ASD’) were given the authority:

to work with entities [running critical infrastructure assets] to ensure that cyber security incidents can be responded to in the most expeditious fashion, to ensure that critical infrastructure assets (and associated functions) are secured.[2]

Note that ASD is Australia’s signals intelligence and offensive cyber operations agency.[3] The Australian Cyber Security Centre is a component of ASD.[4]

But what are these measures?

Well, they sit within part 3A of the SOCI Act and comprise a suite of powers for the Commonwealth to deal with ‘serious cyber security incidents’ affecting Australian critical infrastructure assets.[5]

Powers for the Secretary for the Department of Home Affairs (‘the Secretary’) to, on authorisation by the Minister for Home Affairs (‘the Minister’), collect relevant information from the entity in charge of the asset as well as direct the entity to take or refrain from taking specified action.[6]

Pt 3A also includes a regime under which the Secretary can give ‘intervention requests’ to ASD.[7] Requests that ASD take (a) certain type(s) of action as a last resort ‘only… in extraordinary circumstances… where Australia’s national interests are at risk of serious prejudice and industry is unable to respond’, such that the expertise and capabilities of ASD are required to bring serious cyber security incidents to a close or nip such incidents that are imminent in the bud.[8]

To use a television analogy, the intervention request regime is to be used in a scenario quite similar to what was defined by Sir Humphrey Appleby as follows:

If and when, you know what.[9]

So, what’s the point of this piece?

While this piece will be about the intervention request regime, it will not be a critical analysis thereof.

Rather, an explainer of the:

threat environment which was used to justify the regime’s enactment;
policy genesis of the regime;
conditions under which it can be engaged;
sorts of action ASD can be authorised to take and for how long;
nature of compliance with an intervention request by ASD and accompanying liability protections; and
oversight mechanisms for the regime.

It seeks to function as a primer, especially for folks not following the critical infrastructure policy process over here in Australia.

It does not have a thesis to defend, rather will seek to do some myth busting in the process of detailing how the regime is intended to function.

So let’s get on with the critical infrastructure law nerdistry, shall we?

Starting with the threat environment during which the regime was brought onto the statute books.

The Threat Environment

The enactment of the intervention request regime occurred amid an increasingly serious threat environment for the relevant entities — as defined by the SOCI Act s 5 — for Australian critical infrastructure assets. I will not go into that environment in much detail because we are well aware of it.

The PJCIS referred to ‘a very serious and rapidly deteriorating cyber security environment’ and how:

the pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate.[10]

As above, the PJCIS recommended that part 3A of the SOCI Act be enacted as part of a ‘rapid response’ to that threat environment, especially cognisant of how the parliamentary calendar at the time provided ‘a small and rapidly diminishing window of opportunity to [enact the regime]’.[11]

The Secretary had in fact called on the Commonwealth Parliament to consider regulating cyberspace like any other commons, home to malicious cyber actors akin to ‘pirates’ on the ‘lawless ocean[s]’ from the 17th to the 19th centuries.[12] Given our research and work, we all see how the analogy can apply.

It was all the more important, from the Commonwealth’s perspective, to thus bolster the cyber resilience of Australian critical infrastructure by enacting the intervention request regime, which helps the Commonwealth fulfil its ‘ultimate responsibility for protecting Australia’s national interests’ in a major emergency by ‘address[ing] the risk of a particularly serious cyber attack’; an attack otherwise having ‘cascading catastrophic, life threatening consequences’ for the country.[13]

The degree to which the Commonwealth wanted the regime to get onto the statute books was seen in the Secretary’s testimony to the PJCIS in July 2021:

We’re already past time. The clock is ticking. The possibility of us waking up tomorrow and being in the grip of such an attack was already last year or the year before. The urgency of this legislation, frankly, is I would think self-evident, particularly for those who have seen the intelligence that is relevant here, and I know the committee has had the opportunity to have private hearings.[14]

And his saying that:

… the government assistance measures [now in part 3A of the SOCI Act] are the ones that… certainly keep me awake at night. All of the powers and capabilities that the ASD have… cannot by law be deployed onto our networks as we speak right now. That is the pressing urgency…
It is the lack of that ability — some people say to ‘step in’; we say to ‘provide an emergency response’… That is the matter that is most strategically imperative.[15]

‘Nuff said, eh?

Alrighty, let’s move on to the specific policy genesis of the intervention request regime before diving into the legal nuts and bolts of how this thing is intended to function.

The Intervention Request Regime

Policy Genesis

The SLACI Act and SLACIP Act find their policy roots in Australia’s national cyber security strategy.[16]

Seeking to ‘uplift security and resilience’ of Australian critical infrastructure assets via the strategy, the Commonwealth defined its approach by: proactivity, that is, ‘acting ahead of a… [cyber security] incident wherever possible’; and collaboration with ‘[critical infrastructure] owners and operators to uplift their cyber security and to actively defend networks’.[17]

The Commonwealth pointed to the ‘worsening’ threat landscape to justify the insertion of ‘an enhanced regulatory framework’ via amendments to the SOCI Act, a reference to what became the SLACI Act and SLACIP Act.[18]

That framework was foreshadowed to include the intervention request regime, as part of an overarching framework for ‘Australian Government assistance for businesses in response to the most significant cyber attacks to Australian systems’.[19]

The stated objective for what was later enacted as part 3A of the SOCI Act was ‘to make sure Australia can recover quickly from a cyber security emergency’, including the authorisation of ‘direct action to protect systems during an emergency’.[20]

Okay, so when can the Commonwealth use the suite of powers contained in part 3A of the SOCI Act?

When can the intervention request regime come into play?

Conditions for Engagement

As above, part 3A of the SOCI Act contains a suite of ‘Government Assistance’ powers to enable ‘the Commonwealth to respond to serious cyber security incidents’, with ‘cyber security incident’ defined by section 12M.[21]

The suite as a whole is triggered when the Minister for Home Affairs (‘Minister’) is satisfied that conditions specified by either SOCI Act s 35AB(1) or s 35AB(1A) are met by the facts.

The conditions specified by SOCI Act s 35AB(1) are as follows (emphasis added):

Adapted from the Federal Register of Legislation.

The conditions specified by SOCI Act s 35AB(1A) are as follows (emphasis added):

To engage, however, the intervention request regime specifically, conditions listed in SOCI Act s 35AB(10) need to be met as well (emphasis added):

The intervention request regime also cannot be engaged without the agreement of the Commonwealth Prime Minister and Defence Ministers.[22]

For assessing the proportionality of the proposed intervention request, SOCI Act s 35AB(11) provides an inclusive list of factors for the Minister to consider (emphasis added):

So, the conditions specified by SOCI Act ss 35AB(1), (1A), (10), (13) — particularly the words in bold — make clear that the intervention request regime is statutorily confined to deployment in relation to critical infrastructure assets under emergency situations where Australian national security and societal wellbeing is under threat.[23]

The nature of the regime as one of last resort is especially evident in how the Minister must be satisfied that:

the regime is the only regulatory framework ‘which can be used to provide a practical and effective response to the incident’;[24]
authorising the giving of action directions would not provide that response;[25] and
the relevant entity or entities for the asset in question are unwilling or unable to reasonably provide that response.[26]

These factors suggest that the regime’s raison d’être is preventing ‘serious prejudice to Australia’s national interest’ by resolving a cyber security incident as a matter of priority, that is, only intervening after industry has failed to uphold its primary responsibility of responding to said incident.[27] This condition is borne from the Commonwealth’s preference and record of leveraging its mature relationships with critical infrastructure entities to resolve cyber security incidents through ‘close cooperation’ with the latter, but also the need for the Commonwealth to fall back on an explicit legislative framework where an entity refuses to swiftly cooperate with ASD — as was the case with Toll Group and an unnamed health care provider — and when time is of the essence.[28]

The narrow nature of the circumstances under which the regime can operate is also seen in how the Minister cannot authorise an intervention request in relation to a category of critical infrastructure (sector) assets or cyber security incidents, rather every Ministerial authorisation must be in relation to a specific asset and incident.[29] This characteristic of the regime as enabling the Commonwealth to execute an incident- and asset-specific response is also evident in the requirements that the Minister be satisfied of the intervention request will be a reasonably necessary, proportionate and technically feasible response to the incident.[30]

These criteria combine to suggest that:

the intervention request regime cannot authorise far-reaching activity by the Commonwealth which is unrelated to the need to respond to a major cyber security incident with national security implications; rather
the regime is limited to the scenarios where ASD’s capabilities ‘surpass those of industry’ and require deployment in the national interest.[31]

Even if the conditions under SOCI Act ss 35AB(1) or 35AB(1A), in addition to those under sections 35AB(10), (13), are satisfied and the Secretary makes an application for an intervention request, per section 35AF, the Minister must consult:

the responsible entity — defined by section 12L — for the critical infrastructure asset (if the authorisation is proposed to be given under section 35AB(2)(e)); or
the entities specified by section 35AD(2)(b) (if the authorisation is proposed to be given under section 35AB(2)(f)); unless
the resultant delay in giving the authorisation ‘would frustrate the effectiveness of the [authorisation]’.[32]

Any required consultation will have the entity receive a draft of the authorisation and invited to make a submission to the Minister on the draft within 24 hours of receiving it.[33]

The Commonwealth justified this consultation requirement with the need for ensure that the acts or things to be authorised by the Minister are ‘informed and appropriate’ in the circumstances, with the Minister required to consider any information gained through this consultation.[34] That information can help the Minister determine if the prerequisites in section 35AB(10) are satisfied to render the authorisation legally valid.

This is because the entity being consulted would have an understanding of:

the implications of what ASD is being proposed to do in relation to the former’s assets for the functioning of those assets;
whether the proposed acts or things are technically feasible; and
whether those acts or things constitute a proportionate, reasonably necessary response to the cyber relevant cyber security incident.[35]

The Commonwealth itself realises this, given ASD’s existing mode of collaboration with companies that suffer serious cyber security incidents and how the giving of an intervention request would be informed by advice from ASD which is ‘already working with the entity [for the asset which the request relates to]’ and understanding the entity’s views on how ASD should respond to the relevant cyber security incident.[36]

It should be noted that the giving of a Ministerial authorisation and intervention request are purely conducted by the executive and do not involve a federal judicial officer — that is, one sitting on a court with federal jurisdiction under Chapter 3 of the Australian Constitution — or a member of the Administrative Appeals Tribunal.

Concern was expressed about this depriving the process, of giving an authorisation and request, of independent external oversight:

As for the level of external scrutiny, … we think it’s too in-house, as it presently sits with the secretary and the Minister for Home Affairs.[37]

In response, the Commonwealth pointed to the:

high thresholds that need to be satisfied before a Ministerial authorisation for an intervention request, and thus the request, can be given;
need for the Commonwealth to swiftly respond to resolve a cyber security incident where ‘time is always of the essence’;
requirement for the Minister to consult the responsible entity for the relevant asset prior to giving the authorisation;
the envisaged operational reality that ASD would work in partnership with the responsible entity to identify what acts or things under a proposed intervention request would be technically feasible and of least risk to the latter’s networks; and
uncertainty about whether an independent third party would add value as an oversight mechanism, given that the responsible entity ‘is often the best expert on its network’, and the arguably low chance of there being any independent third party:

that could operate in an explicit 12-hour framework with an instant understanding of complex OT [operational technology] networks, let alone a contemporaneous understanding of the… top secret, environment [which ASD operates in].[38]

Scope of an Intervention Request

Following the satisfaction of the above conditions and completion of required consultation, the Minister can give a Ministerial authorisation under SOCI Act ss 35AB(2)(e) or (f).

That is, the Minister can authorise the Secretary to provide Director-General ASD an intervention request under SOCI Act s 35AX(1) in relation to:

the cyber security incident; and
if the Ministerial authorisation was given under section 35AB(2)(e) — the primary asset; or
if the Ministerial authorisation was given under section 35AB(2)(f) — a specified critical infrastructure sector asset.[39]

SOCI Act s 8E defines a ‘critical infrastructure sector asset’. The Commonwealth created this type of asset to limit the assets in relation to which the Part 3A powers of the Commonwealth can apply, but also having recognised that the:

[pervasive interdependencies in] the Australian economy and through supply chains mean… that actions in relation to an asset in a [critical infrastructure] sector identified in new section 8D may be required to respond to a serious cyber security incident.[40]

Note that a Ministerial authorisation is not a legislative instrument, per SOCI Act s 35AB(16). The Commonwealth justified this caveat with the need to maintain the operational security of ASD’s assistance to the relevant entity for the asset in question but also with the need to prevent the tipping off of malicious cyber actors about a (potential) vulnerability in any asset through public disclosure of the authorisation as a legislative instrument.[41]

But wait, what is an intervention request?

Essentially, it is a request for ASD to ‘do one or more specified acts or things within the period specified in the request’, with ASD’s authority to do those acts or things stemming from SOCI Act s 35AZ(1).[42]

Any act or thing done by ASD in compliance with an intervention request is ‘taken to be done in the performance of the function conferred on [ASD by Intelligence Services Act 2001 (Cth) s 7(1)(f)]’, that is, ASD’s function to ‘cooperate with and assist bodies’ designated in accordance with the Intelligence Services Act 2001 (Cth) s 13A, namely the Department.[43]

Okay, so what can an intervention request get ASD to do?

First things first, an intervention request must match the request specified in a Ministerial authorisation.[44] And, per SOCI Act s 35AB(10)(g) (as above), that authorisation must be limited to acts or things within the scope of section 35AC.

Section 35AC contains a general list of categories of acts of things that ASD can be authorised to perform through an intervention request, such as: access to or modification of computers; analysis of computers, data and software; installation of software; access to or modification of data; alteration of the operation of computers; removal or addition of computers from or to networks; and removal of computers from premises.

The Commonwealth provides examples of these acts or things, such as ASD:

accessing system logs and telemetry to define the cyber security incident;
installing ‘host-based sensors or network monitoring capabilities’ to help gauge the effect of incident response;
uninstalling malware from the entity’s computers, including offsite, which would necessitate the removal of said computers from the entity’s premises;
blocking malicious domains; and/or
directing the patching of software.[45]

Therefore, SOCI Act s 35AC limits the intervention request regime to only involve ‘the computer related actions for which the Australian Signals Directorate has expertise in and must not extend more broadly’.[46]

As above, the Commonwealth imagined this regime to involve ASD deploying its ‘unique expertise… to prevent an incident, mitigate its impact, or restore the functioning of an asset following an incident’.[47]

This expertise stems from ASD’s:

continuing experience in prosecuting activity of malicious state and criminal cyber actors;
access to intelligence from international partners (including the Five Eyes countries);
capacity, built over 75 years, to analyse signals intelligence; and
situational awareness regarding Australian networks through partnerships with telecommunications providers.[48]

The Commonwealth argued that ASD’s access to such intelligence alone justified the intervention request regime, given that no industry stakeholder would have the same intelligence picture of threat actors as ASD, a situational awareness defined as the ‘Marvel superpower’ of the Commonwealth.[49]

The nature of ASD’s capabilities underlines the nature of the intervention request regime as one of genuine last resort, per this metaphor from the Secretary:

You hope that all the fire prevention strategies have worked, but if the fire brigade has to turn up, they have hoses that the company doesn’t have, we can assure you.[50]

Reference to ASD as the ‘fire brigade’ is accurate, given their technical resources versus the relevant entity for the asset— the victim of the ‘fire’ or cyber security incident — being unable to respond to the serious cyber security incident on their own.[51]

The Commonwealth plans to grow those resources under a nearly $10 billion investment in ASD’s ‘cyber and intelligence capabilities’ under the REDSPICE package.[52] REDSPICE constitutes the ‘most significant single investment’ in ASD of its history.[53] Part of that funding is dedicated to growing Australia’s capacity to defend its networks via:

improvement in the ‘resilience of critical infrastructure against sophisticated cyber actors’;
greater visibility of the threat environment facing critical infrastructure;
better machine-time sharing of threat intelligence across the public and private sectors; and
the doubling of proactive threat hunting and national incident response by the Commonwealth.[54]

One should note that any action taken by ASD under the intervention request regime is purely defensive: an intervention request cannot authorise ASD to engage in offensive cyber operations against a person directly or indirectly responsible for the cyber security incident which triggered the proposal for an intervention request.[55]

ASD also cannot engage in conduct prohibited by Telecommunications (Interception and Access) Act 1979 (Cth) ss 7 (interception of telecommunications), 108 (access to stored communications) or Telecommunications Act 1997 (Cth) ss 276, 277, 278 (disclosure of certain types of telecommunications information).[56]

Duration

An intervention request can only be in force while the Ministerial authorisation is in force.[57] This means that an intervention request can only be in force for ≤ 20 days, per SOCI Act s 35AG.

Revocation of a Ministerial authorisation, including the Minister’s duty to revoke an authorisation which the Minister is satisfied is not required any more, is regulated by SOCI Act s 35AH.

Revocation of an intervention request, including the Secretary’s duty to revoke an intervention request which the Secretary is satisfied is not required any more, is regulated by SOCI Act s 35BA.

Compliance by ASD + Liability Protections

During compliance with an intervention request by ASD, the relevant entity for the asset to which the intervention request relates must assist ASD personnel if required by the latter.[58] Each of those ASD personnel must be declared in writing by Director-General ASD to be ‘an approved staff member of the authorised agency [ASD] for the purposes of [the SOCI Act]’ for them to be able to comply with the intervention request on ASD’s behalf.[59]

If the relevant entity fails to comply with said requirement of assistance (such as giving access to premises or certain information) from ASD personnel, members of the Australian Federal Police, or the police force or police service of a State or Territory, can assist said ASD personnel in gaining access to the premises and complying with the intervention request with the use of reasonable force against property (located on the premises), but not against any individual.[60]

That said, there are liability protections for both ASD and personnel of the entity for the asset which is the subject of the intervention request.

Neither Director-General ASD, the mentioned ASD personnel nor the mentioned police personnel are liable ‘for, or in relation to, an act or matter done or omitted to be done in the exercise of any power or authority’ under the intervention request regime.[61]

An entity is not liable in damages for an act or omission in good faith in compliance with a requirement of assistance from ASD personnel.[62] The entity’s officers, employees and agents are not liable in damages for acts or omissions in good faith connected with the mentioned acts or omissions of the entity.[63]

A contractor and any other member of the corporate group, which the entity is a member of, are not liable in damages for acts or omissions in good faith ‘for ensuring or facilitating compliance with the requirement [for assistance]’.[64] Any officer, employee or agent of that contractor or other member of the corporate group are not liable in damages for an act or omission in good faith ‘for ensuring or facilitating compliance with the requirement’.[65]

Oversight

There are a number of oversight measures in place for the intervention request regime.

Firstly, the Commonwealth Ombudsman remains competent to act on complaints about how powers under the intervention request regime are exercised by the Department and Australian Federal Police.[66]

Secondly, since any action taken by ASD under an intervention request is action conducted under the Intelligence Services Act 2001 (Cth) s 7(1)(f), per SOCI Act s 35AZ(2), the Inspector-General of Intelligence and Security (‘IGIS’) has oversight of that action.[67]

That oversight includes checking ASD’s compliance with the Rules to Protect the Privacy of Australians 2021 (Cth) if, acting under an intervention request, ASD collects intelligence information concerning Australian persons.

I believe that ASD is unlikely to collect such information, at least intentionally, in the process of complying with an intervention request, given that an intervention request can only be issued if what ASD is proposed to do would be ‘reasonably necessary for the purposes of responding to the [cyber security] incident’ and constitute a ‘proportionate response to the incident’.[68] The collection of intelligence on Australian persons, as opposed to collection of technical information on the functioning of information technology and operational technology deployed by entities for critical infrastructure assets about to suffer or suffering a serious cyber security incident, seems unlikely to satisfy these criteria.

ASD has also neither suggested in its submission nor testimony to the PJCIS on the then-proposed intervention request regime that it was specifically interested in collecting intelligence on Australian persons while complying with an intervention request.

SOCI Act ss 43B-43C enable IGIS officials and Ombudsman officials to share ‘protected information’ with each other, including information which is ‘obtained by a person in the course of exercising powers, or performing duties or functions, under [the SOCI Act]’, and which records Ministerial authorisations and intervention requests.[69]

Such information sharing between the regulators can bolster the level of oversight of the regime because as they say, better to have two pairs of eyes looking at a problem than just one.

Thirdly, the Commonwealth has reporting obligations with respect to intervention requests.

The Minister must provide a copy of any Ministerial authorisation of an intervention request to the IGIS within 48 hours of giving that authorisation.[70]

After ASD does at least one act or thing in compliance with an intervention request, Director-General ASD must prepare a written report on what ASD did and which ‘explains the extent to which doing those acts or things has amounted to an effective response to the cyber security incident to which the Ministerial authorisation relates’.[71] Director-General ASD must provide that report to the Minister and to the Commonwealth Defence Minister ‘as soon as practicable after the end of the period specified in the [intervention] request and, in any event, within 3 months after the end of the period specified in the request’.[72]

The Secretary must also report in writing every cyber security incident which is followed by an intervention request to the PJCIS as well as describe every request which is given in each such report.[73]

Fourthly, the PJCIS, and thus the Commonwealth Parliament, has an oversight role of the intervention request regime through the PJCIS’s oversight of ASD under the Intelligence Services Act 2001 (Cth) s 29(1).

Fifthly, the entity in charge of the asset which is the subject of an intervention request can judicially review the giving of a Ministerial authorisation and ‘administrative decisions made in accordance with that authorisation’, under the Australian Constitution s 75(v) and the Judiciary Act 1903 (Cth) s 39B, including on the basis of the bias rule in terms of a denial of procedural fairness.[74]

Conclusion

All in all, this is a high-stakes regime meant for high-stakes times.

‘If and when, you know what’, to return to Sir Humphrey’s line.[75]

And this piece went through the ‘if’, ‘when’ and ‘what’ of the intervention request regime. It was intended to be a primer on the context of the regime and how it is supposed to work per the law.

Not defend a thesis.

It merely sought to explain why the regime was brought in, when it can be triggered, what stuff it can allow and for how long, and what liability protections and oversight controls are in place.

If anything, it sought to bust some myths about the regime.

I hope it managed to do so.

[1] Commonwealth, Parliamentary Debates, House of Representatives, 10 February 2022, 315 (Karen Andrews, Minister for Home Affairs); Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Advisory Report on the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Report, March 2022) 2; Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 (Report, September 2021) xvii (‘PJCIS SLACI Report’).

[2] PJCIS SLACI Report (n 1) 39–40.

[3] Intelligence Services Act 2001 (Cth) s 7(1); ‘About’, Australian Signals Directorate (Web Page, 9 October 2013) <https://www.asd.gov.au/about>.

[4] ‘Cyber Security’, Australian Signals Directorate (Web Page, 1 July 2018) [1] <https://www.asd.gov.au/cyber-security>.

[5] SOCI Act s 35AA.

[6] Ibid.

[7] Ibid ss 5 (definition of ‘authorised agency’), 35AA.

[8] Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 116 [626].

[9] ‘The Economy Drive’, Yes Minister (British Broadcasting Corporation, 1980) 00:12:07–00:12:09.

[10] PJCIS SLACI Report (n 1) iii.

[11] Ibid iii-iv.

[12] Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 11 June 2021, 26, 28, 42 (Michael Pezzullo, Secretary, Department of Home Affairs).

[13] Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 106 [584]-[585].

[14] Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 29 July 2021, 6 (Michael Pezzullo, Secretary, Department of Home Affairs).

[15] Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 29 July 2021, 10 (Michael Pezzullo, Secretary, Department of Home Affairs).

[16] Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 29 July 2021, 22 (Michael Pezzullo, Secretary, Department of Home Affairs).

[17] Commonwealth, Australia’s Cyber Security Strategy 2020 (Report, 6 August 2020) 28.

[18] Ibid 28–9.

[19] Ibid 29.

[20] Ibid 39.

[21] Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 5; SOCI Act s 35AA.

[22] SOCI Act s 35AB(13).

[23] See, eg, Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 107–109.

[24] SOCI Act ss 35AB(1)(d), (1A)(d); Ibid 110.

[25] SOCI Act s 35AB(10)(a).

[26] Ibid ss 35AB(10)(b)-(c); Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 116.

[27] Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 117.

[28] Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 29 July 2021, 2 (Michael Pezzullo, Secretary, Department of Home Affairs); Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 14 February 2022, 28 (Michael Pezzullo, Secretary, Department of Home Affairs); Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 31 March 2022, 54–5 (Michael Pezzullo, Secretary, Department of Home Affairs); Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 11 June 2021, 28, 35 (Rachel Noble, Director-General, Australian Signals Directorate); Toll Group, Submission No 86 to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 (30 July 2021) 1; Anthony Galloway, ‘Toll Concedes it May not Have Worked with Cyber Spy Agency Fast Enough during Major Hack’, The Sydney Morning Herald (online, 2 August 2021) [1], [8]-[9] <https://www.smh.com.au/politics/federal/toll-concedes-may-not-have-worked-with-australia-s-cyber-spy-agency-fast-enough-during-major-hack-20210802-p58f59.html>; Australian Signals Directorate, Commonwealth, Submission No 9 to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 (12 February 2021) 5, 8.

[29] SOCI Act ss 35AB(4); Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 111–12.

[30] SOCI Act ss 35AB(10)(d)-(f).

[31] Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 119.

[32] SOCI Act s 35AD(2).

[33] Ibid s 35AD(3).

[34] Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 122.

[35] Ibid 116, 117, 122; Commonwealth, Parliamentary Debates, House of Representatives, 10 December 2020, 11263–4 (Peter Dutton, Minister for Home Affairs).

[36] Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 11 June 2021, 32 (Rachel Noble, Director-General, Australian Signals Directorate); Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 11 June 2021, 34 (Abigail Bradshaw, Head, Australian Cyber Security Centre).

[37] Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 11 June 2021, 3 (David Neal, Co-Chair, National Criminal Law Committee, Law Council of Australia).

[38] See, eg, Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 11 June 2021, 33–4 (Hamish Hansford, First Assistant Secretary, Cyber, Digital and Technology Policy, Department of Home Affairs); Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 11 June 2021, 34 (Abigail Bradshaw, Head, Australian Cyber Security Centre); Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 11 June 2021, 34 (Michael Pezzullo, Secretary, Department of Home Affairs).

[39] SOCI Act ss 5 (definition of ‘authorised agency’), 5 (definition of ‘chief executive of the authorised agency’).

[40] Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 50.

[41] Ibid 120.

[42] SOCI Act s 35AX(1).

[43] Ibid s 35AZ(2); Intelligence Services Act 2001 (Cth) ss 7(1)(f), 13A(1)(c); Intelligence Services Regulations 2021(Cth) ss 4 (definition of ‘Home Affairs Department’), 5.

[44] SOCI Act s 35AX(2)(a).

[45] Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 116, 120.

[46] Ibid 119.

[47] Ibid.

[48] Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 11 June 2021, 27, 32 (Rachel Noble, Director-General, Australian Signals Directorate).

[49] Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 11 June 2021, 33 (Michael Pezzullo, Secretary, Department of Home Affairs); Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 31 March 2022, 54 (Michael Pezzullo, Secretary, Department of Home Affairs).

[50] Evidence to Parliamentary Joint Committee on Intelligence and Security, Parliament of Australia, Canberra, 29 July 2021, 14 (Michael Pezzullo, Secretary, Department of Home Affairs).

[51] Ibid.

[52] Australian Signals Directorate, Commonwealth, REDSPICE: A Blueprint for Growing ASD’s Capabilities (Report) 14.

[53] Ibid 4.

[54] Ibid 15.

[55] SOCI Act s 35AB(12).

[56] Ibid s 35AX(5).

[57] Ibid s 35AX(3).

[58] Ibid ss 5 (definition of ‘approved staff member of the authorised agency’), 35BB.

[59] Ibid ss 5 (definition of ‘chief executive of the authorised agency’), 35BJ(1).

[60] Ibid ss 5 (definition of ‘constable’), 35BB(1)(c)-(d), 35BC, 35BE; Crimes Act 1914 (Cth) s 3(1) (definition of ‘constable’).

[61] SOCI Act s 30BF.

[62] Ibid s 35BB(4).

[63] Ibid s 35BB(5).

[64] Ibid ss 35BB(6)(a), (7)(c).

[65] Ibid ss 35BB(6)(b), (7)(d).

[66] Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), 143; Department of Home Affairs, Commonwealth, Security Legislation Amendment (Critical Infrastructure) Bill 2020(Regulatory Impact Statement, 2020) 20 (‘SLACI RIS’); Ombudsman Act 1976 (Cth) ss 5(1), (4).

[67] Inspector-General of Intelligence and Security Act 1986 (Cth) ss 7, 9, 9A.

[68] SOCI Act ss 35AB(10)(d)-(e).

[69] Ibid ss 5(a), (bb), (bl) (definition of ‘protected information’).

[70] Ibid ss 35AE(3), (6).

[71] Ibid ss 5 (definition of ‘chief executive of the authorised agency’), 35BH(1)(a)-(c).

[72] Ibid s 35BH(2).

[73] Ibid s 35BK.

[74] SLACI RIS (n 66) 20.

[75] ‘The Economy Drive’, Yes Minister (British Broadcasting Corporation, 1980) 00:12:07–00:12:09.