Oireachtas Joint and Select Committees
Wednesday, 30 March 2022
Joint Oireachtas Committee on Transport, Tourism and Sport
Cybersecurity and Hybrid Threats Following the Russian Invasion of Ukraine: Discussion
Dr. Richard Browne:
On the first question, the committee is aware that we have a compliance function under the NIS directive covering several different sectors of critical infrastructure. We have powers roughly akin to those suggested by the Senator, including the ability to audit. We have an ongoing compliance process. It does not amount to a full audit, but when we are either uncomfortable with the level of preparedness or we are just doing a circular, it-is-that-time type of audit, we do audits of critical infrastructure operators. Those have found gaps in the past, which we have compelled them to fix and redress. That is a very detailed and complex process for a number of different reasons. In our view, it is much better served if it is mainlined as part of the general regulatory work of the organisation because quite often in regulated sectors funding is provided via regulatory decision and if a regulatory decision is that one must spend more on cybersecurity, that should come via the funding authority. That is somewhat self-evident.
On the issue of physical infrastructure, first, we do not have a role in physical infrastructure. In some of our incident response processes and some of our compliance work, we specify some physical controls that have to be in place. The first thing the committee should always keep in mind on this is that the most pressing threat to fibre infrastructure is always the big yellow digger, BYD, type. The most likely prospect is that somebody will hit it with a digger. The most likely prospect for subsea cables is that somebody will pull an anchor or a trawl over it. In some cases, fibres are armoured and protected against it, but not always. The physical infrastructure is complex, and the Commission on the Defence Forces report makes some recommendations relating to this which will be addressed in due course in a piece. We have spoken to our colleagues in the Cybersecurity and Infrastructure Security Agency, CISA, in the US about this in the recent past and they have outlined what they do. It is not wildly dissimilar to what happens here. There is a question, therefore, but there is no global unified solution to it.