Synopsis
My presentation will explore the first duty of the state — protecting its polity. I will look at when and how government is to assure the continued delivery of public goods like national security in a crisis. I will explain where the line is between the state regulating the private sector’s assurance of national security, versus the state providing that public good itself by temporarily taking over the operation of private sector businesses through bespoke, coercive legal powers. This question is increasingly relevant amid the worsening cyber threat environment in which Australia finds itself: the imagined future of an onslaught targeting Australian networks is now very much a perilous present.
I will examine how the state assures national security by regulating the cyber resilience of critical infrastructure (‘CNI’) assets. I will use the intervention request powers of the Australian government under part 3A of the Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI Act’) as a case study. Activated in a national security crisis arising from a breach of cyber resilience of a CNI asset, these powers allow the Commonwealth to provide an ‘intervention request’ to the Director-General of the Australian Signals Directorate (‘ASD’) to take specified action in relation to the asset as a last resort when, say, its operator is unwilling or unable to reasonably respond, such that the expertise and capabilities of the state (via ASD) are required to resolve the crisis.
My presentation will open with a definition of regulation and the different types of regulation that are available to the state generally. It will explain how and why the state must act as a regulator, such as in the provision of public goods. After defining public goods and why they are under-produced by private firms, I will explain why national security is a public good, especially when provided through the cyber resilience of CNI assets, such that if the regulated private companies operating those assets are unable to assure national security, the state must intervene to provide it. This will underpin my case study on the intervention request powers under the SOCI Act.
In the case study, I will interrogate: the cyber threat environment for Australian CNI; the powers’ policy genesis; the circumstances under which they can be used, and thus their explicit nature as powers of last resort; what they can be used for and for how long; the liability protections for operators of CNI assets that are the subject of intervention requests; and oversight mechanisms applying to the use of these powers. Throughout the case study, I will relate elements of the intervention request powers to regulatory theory, as well as perform ‘mythbusting’ regarding the powers that have not received much public attention.
I will conclude by examining whether the powers require reform, given a few serious CNI compromises in Australia of late (Optus, Medibank and DP World Australia), the Minister for Home Affairs’ comments on them, and the proposed ‘last resort all-hazards consequence management power’ under Australia’s 2023-2030 Cyber Security Strategy.