Scope
(1) This section applies if the Minister is satisfied that:
(a) a cyber security incident:
(i) has occurred; or
(ii) is occurring; or
(iii) is imminent; and
(b) the incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset (the primary asset); and
(c) there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security; and
(d) no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
(1A) This section also applies if the Minister is satisfied that:
(a) a cyber security incident:
(i) has occurred; or
(ii) is occurring; or
(iii) is imminent; and
(b) the incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset (the primary asset); and
(c) the incident relates to an emergency specified in a national emergency declaration (within the meaning of the National Emergency Declaration Act 2020) that is in force; and
(d) no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
Authorisation
(2) The Minister may, on application by the Secretary, do any or all of the following things:
(a) authorise the Secretary to give directions to a specified entity under section 35AK that relate to the incident and the primary asset;
(b) authorise the Secretary to give directions to a specified entity under section 35AK that relate to the incident and a specified critical infrastructure sector asset;
(c) authorise the Secretary to give to a specified entity a specified direction under section 35AQ that relates to the incident and the primary asset;
(d) authorise the Secretary to give to a specified entity a specified direction under section 35AQ that relates to the incident and a specified critical infrastructure sector asset;
(e) authorise the Secretary to give a specified request under section 35AX that relates to the incident and the primary asset;
(f) authorise the Secretary to give a specified request under section 35AX that relates to the incident and a specified critical infrastructure sector asset.
Note 1: Section 35AK deals with information gathering directions.
Note 2: Section 35AQ deals with action directions.
Note 3: Section 35AX deals with intervention requests.
(3) An authorisation under subsection (2) is to be known as a Ministerial authorisation.
(4) Subsection 33(3AB) of the Acts Interpretation Act 1901 does not apply to subsection (2) of this section.
Note: Subsection 33(3AB) of the Acts Interpretation Act 1901 deals with specification by class.
Information gathering directions
(5) A Ministerial authorisation under paragraph (2)(a) or (b):
(a) is generally applicable to the incident and the asset concerned; and
(b) is to be made without reference to any specific directions.
(6) The Minister must not give a Ministerial authorisation under paragraph (2)(a) or (b) unless the Minister is satisfied that the directions that could be authorised by the Ministerial authorisation are likely to facilitate a practical and effective response to the incident.
Action directions
(7) The Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d) unless the Minister is satisfied that:
(a) the specified entity is unwilling or unable to take all reasonable steps to respond to the incident; and
(b) the specified direction is reasonably necessary for the purposes of responding to the incident; and
(c) the specified direction is a proportionate response to the incident; and
(d) compliance with the specified direction is technically feasible.
Note: Section 12P provides examples of responding to a cyber security incident.
(8) In determining whether the specified direction is a proportionate response to the incident, the Minister must have regard to:
(a) the impact of the specified direction on:
(i) the activities carried on by the specified entity; and
(ii) the functioning of the asset concerned; and
(b) the consequences of compliance with the specified direction; and
(c) such other matters (if any) as the Minister considers relevant.
(9) The Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d) if the specified direction:
(a) requires the specified entity to permit the authorised agency to do an act or thing that could be the subject of a request under section 35AX; or
(b) requires the specified entity to take offensive cyber action against a person who is directly or indirectly responsible for the incident.
Intervention requests
(10) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) unless the Minister is satisfied that:
(a) giving a Ministerial authorisation under paragraph (2)(c) or (d) would not amount to a practical and effective response to the incident; and
(b) if there is only one relevant entity for the asset concerned--the relevant entity is unwilling or unable to take all reasonable steps to respond to the incident; and
(c) if there are 2 or more relevant entities for the asset concerned--those entities, when considered together, are unwilling or unable to take all reasonable steps to respond to the incident; and
(d) the specified request is reasonably necessary for the purposes of responding to the incident; and
(e) the specified request is a proportionate response to the incident; and
(f) compliance with the specified request is technically feasible; and
(g) each of the acts or things specified in the specified request is an act or thing of a kind covered by section 35AC.
Note: Section 12P provides examples of responding to a cyber security incident.
(11) In determining whether the specified request is a proportionate response to the incident, the Minister must have regard to:
(a) the impact of compliance with the specified request on the functioning of the asset concerned; and
(b) the consequences of acts or things that would be done in compliance with the specified request; and
(c) such other matters (if any) as the Minister considers relevant.
(12) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) if compliance with the specified request would involve the authorised agency taking offensive cyber action against a person who is directly or indirectly responsible for the incident.
(13) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) unless the Minister has obtained the agreement of:
(a) the Prime Minister; and
(b) the Defence Minister.
(14) An agreement under subsection (13) may be given:
(a) orally; or
(b) in writing.
(15) If an agreement under subsection (13) is given orally, the Prime Minister or the Defence Minister, as the case requires, must:
(a) do both of the following:
(i) make a written record of the agreement;
(ii) give a copy of the written record of the agreement to the Minister; and
(b) do so within 48 hours after the agreement is given.
Ministerial authorisation is not a legislative instrument
(16) A Ministerial authorisation is not a legislative instrument.
Other powers not limited
(17) This section does not, by implication, limit a power conferred by another provision of this Act.