Review of the Security of Critical Infrastructure

Background

The Department of Home Affairs is conducting an Independent Review of the Security of Critical Infrastructure (SOCI) Act 2018. The SOCI Act protects essential services and systems from failure or disruption. The review invites submissions on whether the Act is achieving its objectives, functioning as intended, having unintended consequences, and able to manage new or emergent threats.

Functionally, the Act is Australia's main tool for managing AI-related critical infrastructure risk. AI is rapidly becoming foundational infrastructure across the Australian economy. The Tech Council of Australia estimates AI could contribute $45-115 billion annually by 2030, and the Government is positioning Australia as a leading destination for data centre investment, with companies announcing upwards of $100 billion in planned investments between 2023-2025.

Our submission

Our submission highlights a major regulatory gap: data centres training general-purpose AI models likely fall outside SOCI Act coverage, despite becoming critical infrastructure. While the Act covers data centres primarily serving Government or critical infrastructure entities, this likely excludes facilities creating general-purpose AI capabilities used across the economy. This blind spot means major facilities, like the forthcoming $7 billion OpenAI-NEXTDC campus, could escape coverage. This leaves gaps in ownership transparency, incident reporting, risk management programs, and crisis coordination capabilities.

Our recommendations

• Bring data centres training and operating general-purpose AI within SOCI coverage based on their systemic importance, following international precedents from regions like the UK and Singapore
• Create a pathway to cover general-purpose AI models themselves as critical infrastructure as they become essential to Australian society