28 March 2022

Australia’s critical infrastructure laws are changing: This is what it means for your Data Centre Security

By George Dionisopoulos, Head of Security

Australia’s Federal Government is making important legislative changes to enhance the security and resilience of the nation’s critical infrastructure. If your organisation works with one or more data centre partners to manage your digital infrastructure, or if you are in the process of selecting a data centre partner, these changes have important implications for you.

What changes are happening to critical infrastructure laws? How will they affect data centre security policies?

The current changes before the Parliament (the Security Legislation Amendment (Critical Infrastructure) Bill 2021) will increase the scope of what is classed as ‘critical infrastructure’ in Australia. They will also tighten regulations for those who own and operate the infrastructure – including data centres.

The government will also be granted power to intervene in the operations of a business impacted by a serious cyber incident until the threat is resolved. This will only occur when there is no existing system in place to provide a ‘practical and effective response’.

Why change now?

There’s been a perfect ‘coming together’ of events, for Australia and the world.

In recent years, we’ve seen more and more cyber security threats to essential services, businesses and government. Multiple state governments have been impacted by intrusions and/or data breaches, as well as universities – and even Parliament House!

Meanwhile, from a data centre security perspective, the onset of COVID and increased demand for remote working and online retail has really underlined the need for data centres and other digital infrastructure to be considered ‘critical’. Without them, there would be no reliable work from home, and it’s highly likely our retail networks would have failed.

The government is laser-focused on heightening the security and resilience of our critical infrastructure to cope with these threats, so data centre security standards are in the spotlight.

What’s not covered

Changes won’t end with the current Bill.

Critically, a set of draft Risk Management Program rules will be presented to Parliament sometime this year. Whatever their final form, one thing is clear: the new rules will place a far greater legal responsibility on owners and operators of critical infrastructure assets, including data centres, to demonstrate they’re managing and mitigating risks appropriately in their facilities and operations.

The government calls this an ‘all hazards approach’. The intent is that entities responsible for this nation’s critical infrastructure – including data centres – must demonstrate that an integrated approach to security risk management is part of their ‘business as usual’ (BAU) operations – never an afterthought.

How does the ‘all hazards approach’ differ from standard risk management?

If you’ve been serious about your data centre security risk posture all along, then it doesn’t!

In its simplest form, the ‘all hazards’ approach to risk and emergency management means looking at risks and hazards in a holistic way. You need to identify and understand all possible risks, both natural and human, and the likelihood that each will occur. In other words: security and risk management must be an integral part of your BAU.

At NEXTDC, our data centre security risk posture is baked into our core. We’ve been long-time advocates for companies taking a more integrated, holistic approach to security and risk. Our focus is now on converged security – that is, how the physical and cyber environments interact with each other.

This ensures customers:

  1. Have peace of mind that their digital infrastructure is safe and secure; and

  2. Can leverage our security certifications and protocols as supporting evidence with their own customers (we’re best in business and proud of it!).

Read more: NEXTDC’s Integrated Security Guide – building a universal security posture

What are the implications if my data centre provider isn’t up to speed with the proposed changes?

The most obvious outcome is the very real possibility of government intervention in the day-to-day operations of your business, in the case of a major security event. Couple that with the possible financial and reputational impacts, and it’s a long, hard path to full recovery.

You can also throw into the mix current government expectations around data sovereignty – in particular, the importance of working with colocation data centre providers who are Certified Strategic by the Digital Transformation Agency.

It’s going to become very hard for companies to win government contracts if they can’t demonstrate meeting and understanding the new requirements. We also expect other enterprises to follow suit and align themselves with government standards around security and data sovereignty.

Put simply, you’ll be discounted during the early stages of the tender process if you can’t show you’ve ticked all the right boxes around compliance with these security mandates.

Reach out to NEXTDC to find out more about how Australia’s critical infrastructure laws are changing, and how we can help you manage evolving security and risk implications for your business.