Security Legislation Amendment (Critical Infrastructure) Act 2021 (124 of 2021)
Schedule 1 Security of critical infrastructure
Part 1 General amendments
Security of Critical Infrastructure Act 2018
45 After Part 3
Insert:
Part 3A - Responding to serious cyber security incidents
Division 1 - Simplified outline of this Part
35AA Simplified outline of this Part
This Part sets up a regime for the Commonwealth to respond to serious cyber security incidents.
If a cyber security incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset, the Minister may, in order to respond to the incident, do any or all of the following things:
(a) authorise the Secretary to give information-gathering directions to a relevant entity for the asset;
(b) authorise the Secretary to give an action direction to a relevant entity for the asset;
(c) authorise the Secretary to give an intervention request to the authorised agency.
An information-gathering direction requires the relevant entity to give information to the Secretary.
An action direction requires the relevant entity to do, or refrain from doing, a specified act or thing.
An intervention request is a request that the authorised agency do one or more specified acts or things in relation to the asset.
Division 2 - Ministerial authorisation relating to cyber security incident
35AB Ministerial authorisation
Scope
(1) This section applies if the Minister is satisfied that:
(a) a cyber security incident:
(i) has occurred; or
(ii) is occurring; or
(iii) is imminent; and
(b) the incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset (the primary asset ); and
(c) there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security; and
(d) no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
Authorisation
(2) The Minister may, on application by the Secretary, do any or all of the following things:
(a) authorise the Secretary to give directions to a specified entity under section 35AK that relate to the incident and the primary asset;
(b) authorise the Secretary to give directions to a specified entity under section 35AK that relate to the incident and a specified critical infrastructure sector asset;
(c) authorise the Secretary to give to a specified entity a specified direction under section 35AQ that relates to the incident and the primary asset;
(d) authorise the Secretary to give to a specified entity a specified direction under section 35AQ that relates to the incident and a specified critical infrastructure sector asset;
(e) authorise the Secretary to give a specified request under section 35AX that relates to the incident and the primary asset;
(f) authorise the Secretary to give a specified request under section 35AX that relates to the incident and a specified critical infrastructure sector asset.
Note 1: Section 35AK deals with information gathering directions.
Note 2: Section 35AQ deals with action directions.
Note 3: Section 35AX deals with intervention requests.
(3) An authorisation under subsection (2) is to be known as a Ministerial authorisation .
(4) Subsection 33(3AB) of the Acts Interpretation Act 1901 does not apply to subsection (2) of this section.
Note: Subsection 33(3AB) of the Acts Interpretation Act 1901 deals with specification by class.
Information gathering directions
(5) A Ministerial authorisation under paragraph (2)(a) or (b):
(a) is generally applicable to the incident and the asset concerned; and
(b) is to be made without reference to any specific directions.
(6) The Minister must not give a Ministerial authorisation under paragraph (2)(a) or (b) unless the Minister is satisfied that the directions that could be authorised by the Ministerial authorisation are likely to facilitate a practical and effective response to the incident.
Action directions
(7) The Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d) unless the Minister is satisfied that:
(a) the specified entity is unwilling or unable to take all reasonable steps to respond to the incident; and
(b) the specified direction is reasonably necessary for the purposes of responding to the incident; and
(c) the specified direction is a proportionate response to the incident; and
(d) compliance with the specified direction is technically feasible.
Note: Section 12P provides examples of responding to a cyber security incident.
(8) In determining whether the specified direction is a proportionate response to the incident, the Minister must have regard to:
(a) the impact of the specified direction on:
(i) the activities carried on by the specified entity; and
(ii) the functioning of the asset concerned; and
(b) the consequences of compliance with the specified direction; and
(c) such other matters (if any) as the Minister considers relevant.
(9) The Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d) if the specified direction:
(a) requires the specified entity to permit the authorised agency to do an act or thing that could be the subject of a request under section 35AX; or
(b) requires the specified entity to take offensive cyber action against a person who is directly or indirectly responsible for the incident.
Intervention requests
(10) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) unless the Minister is satisfied that:
(a) giving a Ministerial authorisation under paragraph (2)(c) or (d) would not amount to a practical and effective response to the incident; and
(b) if there is only one relevant entity for the asset concerned - the relevant entity is unwilling or unable to take all reasonable steps to respond to the incident; and
(c) if there are 2 or more relevant entities for the asset concerned - those entities, when considered together, are unwilling or unable to take all reasonable steps to respond to the incident; and
(d) the specified request is reasonably necessary for the purposes of responding to the incident; and
(e) the specified request is a proportionate response to the incident; and
(f) compliance with the specified request is technically feasible; and
(g) each of the acts or things specified in the specified request is an act or thing of a kind covered by section 35AC.
Note: Section 12P provides examples of responding to a cyber security incident.
(11) In determining whether the specified request is a proportionate response to the incident, the Minister must have regard to:
(a) the impact of compliance with the specified request on the functioning of the asset concerned; and
(b) the consequences of acts or things that would be done in compliance with the specified request; and
(c) such other matters (if any) as the Minister considers relevant.
(12) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) if compliance with the specified request would involve the authorised agency taking offensive cyber action against a person who is directly or indirectly responsible for the incident.
(13) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) unless the Minister has obtained the agreement of:
(a) the Prime Minister; and
(b) the Defence Minister.
(14) An agreement under subsection (13) may be given:
(a) orally; or
(b) in writing.
(15) If an agreement under subsection (13) is given orally, the Prime Minister or the Defence Minister, as the case requires, must:
(a) do both of the following:
(i) make a written record of the agreement;
(ii) give a copy of the written record of the agreement to the Minister; and
(b) do so within 48 hours after the agreement is given.
Ministerial authorisation is not a legislative instrument
(16) A Ministerial authorisation is not a legislative instrument.
Other powers not limited
(17) This section does not, by implication, limit a power conferred by another provision of this Act.
35AC Kinds of acts or things that may be specified in an intervention request
For the purposes of the application of paragraph 35AB(10)(g) to a Ministerial authorisation of a request, each of the following kinds of acts or things is covered by this section:
(a) access or modify:
(i) a computer that is, or is part of, the asset to which the Ministerial authorisation relates; or
(ii) a computer device that is, or is part of, the asset to which the Ministerial authorisation relates;
(b) undertake an analysis of:
(i) a computer that is, or is part of, the asset to which the Ministerial authorisation relates; or
(ii) a computer program that is, or is part of, the asset to which the Ministerial authorisation relates; or
(iii) computer data that is, or is part of, the asset to which the Ministerial authorisation relates; or
(iv) a computer device that is, or is part of, the asset to which the Ministerial authorisation relates;
(c) if it is necessary to achieve the purpose mentioned in paragraph (b) - install a computer program on a computer that is, or is part of, the asset to which the Ministerial authorisation relates;
(d) access, add, restore, copy, alter or delete data held in:
(i) a computer that is, or is part of, the asset to which the Ministerial authorisation relates; or
(ii) a computer device that is, or is part of, the asset to which the Ministerial authorisation relates;
(e) access, restore, copy, alter or delete a computer program that is, or is part of, the asset to which the Ministerial authorisation relates;
(f) access, copy, alter or delete a computer program that is installed on a computer that is, or is part of, the asset to which the Ministerial authorisation relates;
(g) alter the functioning of:
(i) a computer that is, or is part of, the asset to which the Ministerial authorisation relates; or
(ii) a computer device that is, or is part of, the asset to which the Ministerial authorisation relates;
(h) remove or disconnect:
(i) a computer; or
(ii) a computer device;
from a computer network that is, or is part of, the asset to which the Ministerial authorisation relates;
(i) connect or add:
(i) a computer; or
(ii) a computer device;
to a computer network that is, or is part of, the asset to which the Ministerial authorisation relates;
(j) remove:
(i) a computer that is, or is part of, the asset to which the Ministerial authorisation relates; or
(ii) a computer device that is, or is part of, the asset to which the Ministerial authorisation relates;
from premises.
35AD Consultation
(1) Before giving a Ministerial authorisation under paragraph 35AB(2)(c) or (d), the Minister must consult the specified entity unless the delay that would occur if the specified entity were consulted would frustrate the effectiveness of the Ministerial authorisation.
(2) Before giving a Ministerial authorisation under paragraph 35AB(2)(e) or (f) in relation to an asset, the Minister must:
(a) if the asset is a critical infrastructure asset - consult the responsible entity for the asset; or
(b) if the asset is a critical infrastructure sector asset (other than a critical infrastructure asset) - consult whichever of the following entities the Minister considers to be most relevant in relation to the proposed authorisation:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset;
unless the delay that would occur if the entity or entities were consulted would frustrate the effectiveness of the Ministerial authorisation.
(3) If subsection (1) or (2) requires an entity to be consulted, that consultation must involve:
(a) giving the entity a copy of the draft Ministerial authorisation; and
(b) inviting the entity to make a submission to the Minister about the draft Ministerial authorisation within 24 hours after receiving the copy of the draft Ministerial authorisation.
35AE Form and notification of Ministerial authorisation
(1) A Ministerial authorisation may be given:
(a) orally; or
(b) in writing.
(2) The Minister must not give a Ministerial authorisation orally in relation to:
(a) a cyber security incident; and
(b) an asset;
unless the delay that would occur if the Ministerial authorisation were to be made in writing would frustrate the effectiveness of:
(c) any directions that may be given under section 35AK or 35AQ in relation to the incident and the asset; or
(d) any requests that may be given under section 35AX in relation to the incident and the asset.
Notification of Ministerial authorisations given orally
(3) If a Ministerial authorisation is given orally in relation to:
(a) a cyber security incident; and
(b) an asset;
the Minister must:
(c) do both of the following:
(i) make a written record of the Ministerial authorisation;
(ii) give a copy of the written record of the Ministerial authorisation to the Secretary and the Inspector-General of Intelligence and Security; and
(d) do so within 48 hours after the Ministerial authorisation is given.
(4) If a Ministerial authorisation is given orally in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure asset;
the Minister must:
(c) do both of the following:
(i) make a written record of the Ministerial authorisation;
(ii) give a copy of the written record of the Ministerial authorisation to the responsible entity for the asset; and
(d) do so within 48 hours after the Ministerial authorisation is given.
(5) If a Ministerial authorisation is given orally in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure sector asset (other than a critical infrastructure asset);
the Minister must:
(c) make a written record of the Ministerial authorisation; and
(d) give a copy of the written record of the Ministerial authorisation to whichever of the following entities the Minister considers to be most relevant in relation to the Ministerial authorisation:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset; and
(e) do so within 48 hours after the Ministerial authorisation is given.
Notification of Ministerial authorisations given in writing
(6) If a Ministerial authorisation is given in writing in relation to:
(a) a cyber security incident; and
(b) an asset;
the Minister must:
(c) give a copy of the Ministerial authorisation to the Secretary and the Inspector-General of Intelligence and Security; and
(d) do so within 48 hours after the Ministerial authorisation is given.
(7) If a Ministerial authorisation is given in writing in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure asset;
the Minister must:
(c) give a copy of the Ministerial authorisation to the responsible entity for the asset; and
(d) do so within 48 hours after the Ministerial authorisation is given.
(8) If a Ministerial authorisation is given in writing in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure sector asset (other than a critical infrastructure asset);
the Minister must:
(c) give a copy of the Ministerial authorisation to whichever of the following entities the Minister considers to be most relevant in relation to the Ministerial authorisation:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset; and
(d) do so within 48 hours after the Ministerial authorisation is given.
35AF Form of application for Ministerial authorisation
(1) The Secretary may apply for a Ministerial authorisation either:
(a) orally; or
(b) in writing.
(2) The Secretary must not apply orally for a Ministerial authorisation that relates to:
(a) a cyber security incident; and
(b) an asset;
unless the delay that would occur if the application were to be made in writing would frustrate the effectiveness of:
(c) any directions that may be given under section 35AK or 35AQ in relation to the incident and the asset; or
(d) any requests that may be given under section 35AX in relation to the incident and the asset.
(3) If an application for a Ministerial authorisation is made orally, the Secretary must:
(a) do both of the following:
(i) make a written record of the application;
(ii) give a copy of the written record of the application to the Minister; and
(b) do so within 48 hours after the application is made.
35AG Duration of Ministerial authorisation
Scope
(1) This section applies if a Ministerial authorisation is given in relation to:
(a) a cyber security incident; and
(b) an asset.
Duration of Ministerial authorisation
(2) Subject to this section, the Ministerial authorisation remains in force for the period specified in the Ministerial authorisation (which must not exceed 20 days).
Fresh Ministerial authorisation
(3) If a Ministerial authorisation (the original Ministerial authorisation ) is in force, this Act does not prevent the Minister from giving a fresh Ministerial authorisation that:
(a) is in the same, or substantially the same, terms as the original Ministerial authorisation; and
(b) comes into force immediately after the expiry of the original Ministerial authorisation.
(4) In deciding whether to give such a fresh Ministerial authorisation, the Minister must have regard to the number of occasions on which Ministerial authorisations have been made in relation to the incident and the asset.
(5) Subsection (4) does not limit the matters to which the Minister may have regard to in deciding whether to give a fresh Ministerial authorisation.
35AH Revocation of Ministerial authorisation
Scope
(1) This section applies if a Ministerial authorisation is in force in relation to:
(a) a cyber security incident; and
(b) an asset.
Power to revoke Ministerial authorisation
(2) The Minister may, in writing, revoke the Ministerial authorisation.
Duty to revoke Ministerial authorisation
(3) If the Minister is satisfied that the Ministerial authorisation is no longer required to respond to the incident, the Minister must, in writing, revoke the Ministerial authorisation.
(4) If the Secretary is satisfied that the Ministerial authorisation is no longer required to respond to the incident, the Secretary must:
(a) notify the Minister that the Secretary is so satisfied; and
(b) do so soon as practicable after the Secretary becomes so satisfied.
Notification of revocation
(5) If the Ministerial authorisation is revoked, the Minister must:
(a) give a copy of the revocation to:
(i) the Secretary; and
(ii) the Inspector-General of Intelligence and Security; and
(iii) each relevant entity for the asset; and
(b) do so within 48 hours after the Ministerial authorisation is revoked.
(6) If a Ministerial authorisation is revoked in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure asset;
the Minister must:
(c) give a copy of the revocation to the responsible entity for the asset; and
(d) do so within 48 hours after the Ministerial authorisation is revoked.
(7) If a Ministerial authorisation is revoked in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure sector asset (other than a critical infrastructure asset);
the Minister must:
(c) give a copy of the revocation to whichever of the following entities the Minister considers to be most relevant in relation to the Ministerial authorisation:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset; and
(d) do so within 48 hours after the Ministerial authorisation is revoked.
Revocation is not a legislative instrument
(8) A revocation of the Ministerial authorisation is not a legislative instrument.
Application of Acts Interpretation Act 1901
(9) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act (other than this Part).
35AJ Minister to exercise powers personally
A power of the Minister under this Division may only be exercised by the Minister personally.
Division 3 - Information gathering directions
35AK Information gathering direction
Scope
(1) This section applies if a Ministerial authorisation given under paragraph 35AB(2)(a) or (b) is in force in relation to:
(a) a cyber security incident; and
(b) an asset.
Direction
(2) If:
(a) an entity is a relevant entity for the asset; and
(b) the Secretary has reason to believe that the entity has information that may assist with determining whether a power under this Act should be exercised in relation to the incident and the asset;
the Secretary may direct the entity to:
(c) give any such information to the Secretary; and
(d) do so within the period, and in the manner, specified in the direction.
(3) The period specified in the direction must end at or before the end of the period for which the Ministerial authorisation is in force.
(4) The Secretary must not give the direction unless the Secretary is satisfied that:
(a) the direction is a proportionate means of obtaining the information; and
(b) compliance with the direction is technically feasible.
(5) The Secretary must not give a direction that would require an entity to:
(a) do an act or thing that would be prohibited by section 7 of the Telecommunications (Interception and Access) Act 1979; or
(b) do an act or thing that would be prohibited by section 108 of the Telecommunications (Interception and Access) Act 1979; or
(c) do an act or thing that would (disregarding this Act) be prohibited by section 276, 277 or 278 of the Telecommunications Act 1997.
(6) Before giving a direction under this section to an entity, the Secretary must consult the entity unless the delay that would occur if the entity were consulted would frustrate the effectiveness of the direction.
Other powers not limited
(7) This section does not, by implication, limit a power conferred by another provision of this Act.
35AL Form of direction
(1) A direction under section 35AK may be given:
(a) orally; or
(b) in writing.
(2) The Secretary must not give a direction under section 35AK orally unless the delay that would occur if the direction were to be given in writing would frustrate the effectiveness of the direction.
(3) If a direction under section 35AK is given orally to an entity, the Secretary must:
(a) do both of the following:
(i) make a written record of the direction;
(ii) give a copy of the written record of the direction to the entity; and
(b) do so within 48 hours after the direction is given.
35AM Compliance with an information gathering direction
An entity must comply with a direction given to the entity under section 35AK to the extent that the entity is capable of doing so.
Civil penalty: 150 penalty units.
35AN Self-incrimination etc.
(1) An entity is not excused from giving information under section 35AK on the ground that the information might tend to incriminate the entity.
(2) If, at general law, an individual would otherwise be able to claim the privilege against self-exposure to a penalty (other than a penalty for an offence) in relation to giving information under section 35AK, the individual is not excused from giving information under that section on that ground.
Note: A body corporate is not entitled to claim the privilege against self-exposure to a penalty.
35AP Admissibility of information etc.
If information is given under section 35AK:
(a) the information; or
(b) giving the information;
is not admissible in evidence against an entity:
(c) in criminal proceedings other than proceedings for an offence against section 137.1 or 137.2 of the Criminal Code that relates to this Act; or
(d) in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 35AM.
Division 4 - Action directions
35AQ Action direction
(1) If an entity is a relevant entity for:
(a) a critical infrastructure asset; or
(b) a critical infrastructure sector asset;
the Secretary may give the entity a direction that directs the entity to do, or refrain from doing, a specified act or thing within the period specified in the direction.
(2) The Secretary must not give a direction under this section unless the direction:
(a) is identical to a direction specified in a Ministerial authorisation; and
(b) includes a statement to the effect that the direction is authorised by the Ministerial authorisation; and
(c) specifies the date on which the Ministerial authorisation was given.
Note: A Ministerial authorisation must not be given unless the Minister is satisfied that the direction is reasonably necessary for the purposes of responding to a cyber security incident - see section 35AB.
(3) The period specified in the direction must end at or before the end of the period for which the Ministerial authorisation is in force.
(4) A direction under this section is subject to such conditions (if any) as are specified in the direction.
(5) The Secretary must not give a direction under this section that would require an entity to give information to the Secretary.
Other powers not limited
(6) This section does not, by implication, limit a power conferred by another provision of this Act.
35AR Form of direction
(1) A direction under section 35AQ may be given:
(a) orally; or
(b) in writing.
(2) The Secretary must not give a direction under section 35AQ orally unless the delay that would occur if the direction were to be given in writing would frustrate the effectiveness of the direction.
(3) If a direction under section 35AQ is given orally to an entity, the Secretary must:
(a) do both of the following:
(i) make a written record of the direction;
(ii) give a copy of the written record of the direction to the entity; and
(b) do so within 48 hours after the direction is given.
35AS Revocation of direction
Scope
(1) This section applies if:
(a) a direction is in force under section 35AQ in relation to a Ministerial authorisation; and
(b) the direction was given to a particular entity.
Power to revoke direction
(2) The Secretary may, by written notice given to the entity, revoke the direction.
Duty to revoke direction
(3) If the Secretary is satisfied that the direction is no longer required to respond to the cyber security incident to which the Ministerial authorisation relates, the Secretary must, by written notice given to the entity, revoke the direction.
Automatic revocation of direction
(4) If the Ministerial authorisation ceases to be in force, the direction is revoked.
Application of Acts Interpretation Act 1901
(5) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act (other than this Part).
35AT Compliance with direction
(1) An entity commits an offence if:
(a) the entity is given a direction under section 35AQ; and
(b) the entity engages in conduct; and
(c) the entity's conduct breaches the direction.
Penalty: Imprisonment for 2 years or 120 penalty units, or both.
(2) Subsection (1) does not apply if the entity took all reasonable steps to comply with the direction.
35AV Directions prevail over inconsistent obligations
If an obligation under this Act is applicable to an entity, the obligation has no effect to the extent to which it is inconsistent with a direction given to the entity under section 35AQ.
35AW Liability
(1) An entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with a direction given under section 35AQ.
(2) An officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).
Division 5 - Intervention requests
35AX Intervention request
(1) The Secretary may give the chief executive of the authorised agency a request that the authorised agency do one or more specified acts or things within the period specified in the request.
(2) The Secretary must not give a request under this section unless the request:
(a) is identical to a request specified in a Ministerial authorisation; and
(b) includes a statement to the effect that the request is authorised by the Ministerial authorisation; and
(c) specifies the date on which the Ministerial authorisation was given.
Note: A Ministerial authorisation must not be given unless the Minister is satisfied that the request is reasonably necessary for the purposes of responding to a cyber security incident - see section 35AB.
(3) The period specified in the request must end at or before the end of the period for which the Ministerial authorisation is in force.
(4) A request under this section is subject to such conditions (if any) as are specified in the request.
(5) A request under this section does not extend to:
(a) doing an act or thing that would be prohibited by section 7 of the Telecommunications (Interception and Access) Act 1979; or
(b) doing an act or thing that would be prohibited by section 108 of the Telecommunications (Interception and Access) Act 1979; or
(c) doing an act or thing that would (disregarding this Act) be prohibited by section 276, 277 or 278 of the Telecommunications Act 1997.
Other powers not limited
(6) This section does not, by implication, limit a power conferred by another provision of this Act.
35AY Form and notification of request
(1) A request under section 35AX may be given:
(a) orally; or
(b) in writing.
(2) The Secretary must not give a request under section 35AX orally unless the delay that would occur if the request were to be given in writing would frustrate the effectiveness of the request.
Notification of requests given orally
(3) If a request under section 35AX is given orally, the Secretary must:
(a) do both of the following:
(i) make a written record of the request;
(ii) give a copy of the written record of the request to the chief executive of the authorised agency; and
(b) do so within 48 hours after the request is given.
(4) If a request under section 35AX is given orally in relation to a critical infrastructure asset, the Secretary must:
(a) do both of the following:
(i) make a written record of the request;
(ii) give a copy of the written record of the request to the responsible entity for the asset; and
(b) do so within 48 hours after the request is given.
(5) If a request under section 35AX is given orally in relation to a critical infrastructure sector asset (other than a critical infrastructure asset), the Secretary must:
(a) make a written record of the request; and
(b) give a copy of the written record of the request to whichever of the following entities the Secretary considers to be most relevant in relation to the request:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset; and
(c) do so within 48 hours after the request is given.
Notification of requests given in writing
(6) If a request under section 35AX is given in writing, the Secretary must:
(a) give a copy of the request to the chief executive of the authorised agency; and
(b) do so within 48 hours after the request is made.
(7) If a request under section 35AX is given in writing in relation to a critical infrastructure asset, the Secretary must:
(a) give a copy of the request to the responsible entity for the asset; and
(b) do so within 48 hours after the request is given.
(8) If a request under section 35AX is given in writing in relation to a critical infrastructure sector asset (other than a critical infrastructure asset), the Secretary must:
(a) give a copy of the request to whichever of the following entities the Secretary considers to be most relevant in relation to the request:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset; and
(b) do so within 48 hours after the request is given.
35AZ Compliance with request
(1) The authorised agency is authorised to do an act or thing in compliance with a request under section 35AX.
(2) An act or thing done by the authorised agency in compliance with a request under section 35AX is taken to be done in the performance of the function conferred on the authorised agency by paragraph 7(1)(f) of the Intelligence Services Act 2001.
35BA Revocation of request
Scope
(1) This section applies if a request is in force under section 35AX in relation to a Ministerial authorisation.
Power to revoke request
(2) The Secretary may, by written notice given to the chief executive of the authorised agency, revoke the request.
Duty to revoke request
(3) If the Secretary is satisfied that the request is no longer required to respond to the cyber security incident to which the Ministerial authorisation relates, the Secretary must, by written notice given to the chief executive of the authorised agency, revoke the request.
Automatic revocation of request
(4) If the Ministerial authorisation ceases to be in force, the request is revoked.
Notification of revocation of request
(5) If a request under section 35AX is revoked, the Secretary must:
(a) give a copy of the revocation of the request to the chief executive of the authorised agency and each relevant entity for the asset; and
(b) do so as soon as practicable after the revocation.
Application of Acts Interpretation Act 1901
(6) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act (other than this Part).
35BB Relevant entity to assist the authorised agency
(1) If:
(a) a request is in force under section 35AX in relation to a critical infrastructure asset or a critical infrastructure sector asset; and
(b) an entity is a relevant entity for the asset;
an approved staff member of the authorised agency may require the entity to:
(c) provide the approved staff member with access to premises for the purposes of the authorised agency complying with the request; or
(d) provide the authorised agency with specified information or assistance that is reasonably necessary to allow the authorised agency to comply with the request.
Note: See also section 149.1 of the Criminal Code (which deals with obstructing and hindering Commonwealth public officials).
(2) Paragraph (1)(c) does not apply to premises that are used solely or primarily as a residence.
(3) An entity must comply with a requirement under subsection (1).
Civil penalty: 150 penalty units.
Liability
(4) An entity is not liable to an action or other proceeding for damages for, or in relation to, an act done or omitted in good faith in compliance with a requirement under subsection (1).
(5) An officer, employee or agent of an entity is not liable to an action or other proceeding for damages for, or in relation to, an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (4).
35BC Constable may assist the authorised agency
(1) If an entity refuses or fails to provide an approved staff member of the authorised agency with access to premises when required to do so under subsection 35BB(1):
(a) the approved staff member may enter the premises for the purposes of the authorised agency complying with the request mentioned in that subsection; and
(b) a constable may:
(i) assist the approved staff member in gaining access to the premises by using reasonable force against property; and
(ii) if necessary for the purposes of so assisting the approved staff member - enter the premises.
(2) If an approved staff member of the authorised agency has entered premises for the purposes of the authorised agency complying with a request under section 35AX, a constable may:
(a) assist the authorised agency in complying with the request by using reasonable force against property located on the premises; and
(b) for the purposes of so assisting the authorised agency - enter the premises.
35BD Removal and return of computers etc.
Removal of computers etc.
(1) If:
(a) in compliance with a request under section 35AX, the authorised agency adds or connects a computer or device to a computer network; and
(b) at a time when the request is in force, an approved staff member of the authorised agency forms a reasonable belief that the addition or connection of the computer or device is no longer required for the purposes of responding to the cyber security incident to which the relevant Ministerial authorisation relates;
the authorised agency must remove or disconnect the computer or device as soon as practicable after the approved staff member forms that belief.
(2) If:
(a) in compliance with a request under section 35AX, the authorised agency adds or connects a computer or device to a computer network; and
(b) the request ceases to be in force;
the authorised agency must remove or disconnect the computer or device as soon as practicable after the request ceases to be in force.
Return of computers etc.
(3) If:
(a) in compliance with a request under section 35AX, the authorised agency removes a computer or device; and
(b) at a time when the request is in force, an approved staff member of the authorised agency forms a reasonable belief that the removal of the computer or device is no longer required for the purposes of responding to the cyber security incident to which the relevant Ministerial authorisation relates;
the authorised agency must return the computer or device as soon as practicable after the approved staff member forms that belief.
(4) If:
(a) in compliance with a request under section 35AX, the authorised agency removes a computer or device; and
(b) the request ceases to be in force;
the authorised agency must return the computer or device as soon as practicable after the request ceases to be in force.
35BE Use of force against an individual not authorised
This Division does not authorise the use of force against an individual.
35BF Liability
Each of the following:
(a) the chief executive of the authorised agency;
(b) an approved staff member of the authorised agency;
(c) a constable;
is not liable to an action or other proceeding (whether civil or criminal) for, or in relation to, an act or matter done or omitted to be done in the exercise of any power or authority conferred by this Division.
35BG Evidentiary certificates
(1) The Inspector-General of Intelligence and Security may issue a written certificate setting out any facts relevant to the question of whether anything done, or omitted to be done, by the authorised agency, or an approved staff member of the authorised agency, was done, or omitted to be done, in the exercise of any power or authority conferred by this Division.
(2) A certificate issued under subsection (1) is admissible in evidence in any proceedings as prima facie evidence of the matters stated in the certificate.
35BH Chief executive of the authorised agency to report to the Defence Minister and the Minister
(1) If:
(a) the Secretary gives a request under section 35AX that was authorised by a Ministerial authorisation; and
(b) the authorised agency does one or more acts or things in compliance with the request;
the chief executive of the authorised agency must:
(c) prepare a written report that:
(i) sets out details of those acts or things; and
(ii) explains the extent to which doing those acts or things has amounted to an effective response to the cyber security incident to which the Ministerial authorisation relates; and
(d) give a copy of the report to the Defence Minister; and
(e) give a copy of the report to the Minister.
(2) The chief executive of the authorised agency must comply with subsection (1) as soon as practicable after the end of the period specified in the request and, in any event, within 3 months after the end of the period specified in the request.
35BJ Approved staff members of the authorised agency
(1) The chief executive of the authorised agency may, in writing, declare that a specified staff member of the authorised agency is an approved staff member of the authorised agency for the purposes of this Act.
(2) A declaration under subsection (1) is not a legislative instrument.
Division 6 - Reports to the Parliamentary Joint Committee on Intelligence and Security
35BK Reports to the Parliamentary Joint Committee on Intelligence and Security
(1) If the Secretary gives one or more directions under section 35AK or 35AQ, or one or more requests under section 35AX, in relation to a cyber security incident, the Secretary must give the Parliamentary Joint Committee on Intelligence and Security a written report about the incident.
(2) The report must include a description of each of the directions or requests.