Veteran cybersecurity academic Dr Jill Slay was appointed by the federal government to lead an independent review of Australia's critical infrastructure laws, the first since the Security of Critical Infrastructure (SOCI) Act was introduced in 2018. Her findings paint a sobering picture: the regulatory framework tasked with protecting Australia's most vital assets is failing to drive the security upgrades it was designed to achieve.

The core problem is stark. According to the review, operators view the Act's penalties as "a cost of doing business" rather than a genuine incentive to strengthen defences. When compliance becomes optional in practice, the regulatory regime loses its ability to push real security improvements. The result: mountains of documentation that satisfy bureaucratic requirements but fail to protect assets that Australians depend on every day.

Slay identified a troubling gap in industry thinking. She noted that most compliance officers and operators do not view security improvements as intrinsically linked to protecting Australia and its people. Penalties for failing to meet critical infrastructure risk management obligations can reach a maximum daily penalty of $660,000, yet these potential costs are apparently shrugged off as routine operational expenses rather than serious deterrents.

The review consulted widely across industry, and the feedback was consistent: the Act is confusing, complex and, above all, toothless. In the wake of high-profile cyber-attacks against companies like Optus and Medibank, the Cybersecurity Act brought significant changes to the SOCI Act, which regulates assets like hospitals, banks and data centres: more data storage systems now count as critical infrastructure, and telcos face tougher security standards. Yet the underlying problem persists: compliance is treated as a checkbox exercise rather than as genuine risk management.

Slay's recommendation is fundamental: scrap the light-touch approach. Instead, the government should restructure the Act to focus enforcement efforts on penalties that actually deter non-compliance, removing the perception that a company can simply absorb the cost and move on. The review also supports broadening the Act's reach to include artificial intelligence services, content delivery networks, hyperscale cloud providers, space assets and drone detection systems.

One striking observation in the review concerns the lack of emotional investment in national security among those implementing the rules. Exceptions existed among defence and intelligence professionals, who understood the stakes at a deeper level. For most others, compliance was a burden to be minimised rather than a civic duty worth taking seriously.

The government now faces a choice. A thorough restructuring will cost money and require genuine enforcement, but half measures risk leaving Australia's critical infrastructure vulnerable at a time of increasing cyber threats and geopolitical instability. As Slay concluded, anything less than complete restructuring would be naive in the face of ongoing geopolitical disruption and all-hazard threats. Australia's security depends on moving from paperwork to accountability.