House debates
Tuesday, 19 November 2024
Bills
Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading
8:11 pm
Andrew Wallace (Fisher, Liberal National Party)
I rise to speak on the Cybersecurity Bill 2024 and related bills, which I spoke about only yesterday in tabling the report. After World War II began, Hitler's propaganda chief, Joseph Goebbels, said of the Allies:
They left us alone and let us slip through the risky zone, and we were able to sail around all dangerous reefs. And when we were done, and well armed, better than they, then they started the war!
Today, stretching from the Baltic Sea to the Korean Peninsula, once again a dark alliance of great powers has festered, working for many years to dismantle the global rules based order and, with it, Australia's democracy.
'Foreign interference corrodes our democracy, sovereignty, economy and community,' as Mike Burgess, the Director-General of Security, put so well in his annual threat assessment in February. As deputy chair of the Parliamentary Joint Committee on Intelligence and Security, I know how deeply our competitors seek to embed themselves in our democracy, and one of their greatest tools is the mobilisation of cybercapabilities. Australian families and businesses know how dangerous a cyber incident can be. We all remember the Cambridge Analytica incident from January to June 2024 alone. The Office of the Australian Information Commissioner saw 527 more notifications of cyberbreaches, impacting thousands of Australians. A third of these were what we call phishing attempts, a quarter were ransomware attacks and a fifth of these were brute-force hacking or malware attacks.
While most incidents don't make the front-page news, Australians will recall a number of recent incidents. We saw the Medibank and AHM cyber incidents, which resulted in Australians' sensitive health and identifying information being leaked. This large-scale attack was one in a recent string of large-scale attacks hitting Optus and Latitude Finance. The ProctorU remote education service was hacked, with 444,000 people's data linked to the dark web. The Australian National University in 2018 fell victim to a sophisticated attack which impacted thousands of students, accessing data that was nearly 20 years old.
In 2019 our very own parliament was hacked. The then head of the Australian Signals Directorate, or ASD, Mike Burgess, confirmed that cybercriminals using phishing methods sought to gain entry into the government's network, admitting that a small amount of data was taken. Thank God for parliament's cybersecurity unit—no sensitive data was accessed.
Australians from all walks of life know that cyberinsecurity puts lives and livelihoods at risk. Stephane Nappo from CISO said:
It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.
The impact of cyberinsecurity can be devastating, and Australian small and family businesses know this to be true as well. A former member of the US Homeland Security Council, Ted Schlein, said:
… there are only two kinds of companies in the world, those who have been breached and know it and those that have been breached and don't know it.
Sole proprietors, subcontractors, family restaurants, vendors, digital agencies and doctors' clinics all have access to sensitive financial, personal and legal data. And data is the treasure which digital pirates seek to loot.
At this point I want to acknowledge the great work of an organisation called IDCARE, which is based in my electorate. IDCARE is a not-for-profit organisation that does tremendous work across Australia, helping tens of thousands of people a year when they have had their digital identities stolen or corrupted. I want to send a shout-out to Dave Lacey and his team at IDCARE and encourage people that, if they have been hacked, if their data has been stolen, if their identity has been stolen, they shouldn't waste any time; they should get on the phone to IDCARE and get some help as soon as they possibly can.
This legislation is so very important. The three bills we're debating are designed to mandate minimum cybersecurity standards for smart devices; to introduce mandatory ransomware reporting for certain businesses to report ransom payments; to introduce limited-use obligations for the National Cyber Security Coordinator and the Australian Signals Directorate, or ASD; to establish a cyber incident review board and clarify, simplify, streamline, and align existing obligations, regulations and government assistance measures.
Once again, this important legislation to bolster Australia's national security comes on the back of the hard work and advocacy of the coalition. Yet again we are leading the government from opposition when it comes to keeping Australians safe. We put legislation on the table for ransomware action on more than one occasion. Labor obfuscated, dithered and delayed before finally relenting, just like they did on social media reform. The issues in this bill are no different. In the Cyber Security Bill 2024, the proposed mandatory standards for smart devices are welcome, but they are long overdue. This proposal was first canvassed by the former coalition government in our 2021 cybersecurity strategy discussion paper. The same can be said about limited-use obligations. The coalition first called for legislated limited-use obligations on 22 March 2023.
We called for the construction of a cyber incident review board, identifying that our country needed a mechanism to conduct objective investigations following significant cyber incidents. In line with recommendation 5 of the PJCIS report, the coalition is committed to seeing members of the Cyber Incident Review Board drawn from industry, academia and the Public Service. As the PJCIS outlined in our report tabled just yesterday:
While it is appropriate for senior public servants—including representatives of relevant statutory agencies such as ASD—to be included on the CIRB and in the exercise of its powers, the Committee has heard from some of a desire to also include representatives external to government.
Coalition members expect that the government will, along with addressing the remainder of the 13 recommendations of the PJCIS, take action accordingly to address our concerns and the concerns raised by small businesses and Australia's higher education sector. It is action that Australians and their businesses expect on matters as important as these. If this careless Labor government had moved more quickly with these reforms, it may have gone some way to boosting the willingness of businesses to share information with ASD in a timely and meaningful way.
The consultation process that preceded this legislation proves that the small business community and private sector are beginning to understand their role and responsibilities, as well as the threats and opportunities, when it comes to Australia's national security. What this process shows is that industry is ready to engage with the government and this parliament in developing policy, building capacity and responding to Australia's security threats. It's clear to me that the Australian business community is well and truly ready to contribute to the development of a national security strategy.
While I am pleased to see the government getting on board with the coalition's groundbreaking work to bolster Australia's cybersecurity, more must be done. We can't keep patching up our national security framework with quick fixes, bumper-sticker announcements and piecemeal bills. Cybersecurity, foreign interference, bribery, money laundering, border security and immigration, military secrets, scam prevention and social media reform are all important areas of legislation which the parliament has considered over the last few years, a number of them spearheaded by the coalition. But it's time to look at the bigger picture and begin developing and implementing a comprehensive national security strategy which is responsive, forward thinking and meaningful—not just a bandaid fix. Security should be built in, not a bolt-on in response to some media coverage or public incident. It's time for an integrated strategy that would engage Australian industry, academia, the community and all governments in developing a comprehensive plan to bolster Australia's self-reliance, sovereignty and security. Our AUKUS partners have implemented their own national security strategies, while our government has cut back on border security, crippled the space and defence industry, and dithered and delayed on cybersecurity.
Once again, I want to pay tribute to the late, great Jim Molan AO DSC, former senator and major-general, whose fierce advocacy for a grand national security strategy continues to inspire so many, including me. We can talk all we want about a defence strategy, a defence industry plan, a cybersecurity strategy or a ransomware action plan, but to what end? As Jim Molan said:
How can there be a defence strategy without an overarching and comprehensive national security strategy? What good is it to have a brilliant defence strategy without national liquid fuel, industry, pharma, science and technology, manpower, diplomacy and stocking policies …
We learnt during COVID that Australia is behind the eight ball when it comes to global supply of essential goods and services. Medicines and medical equipment; veterinary medicine for livestock; fuel for transport; manufacturing; power; defence; food and primary produce; space defence; biosecurity; market stability; cybersecurity; and land, sea and air defence are all important components of Australia's integrated national security. It's time that we addressed them as a whole and not in part, not in a piecemeal fashion.
I would like to take this opportunity to commend my colleagues in the PJCIS. I have served on many, many committees in this place.
I've chaired many of them and I've deputy-chaired many of them, and I can honestly say that the PJCIS has the highest workload of any committee that I have ever served on. It is not unusual for the PJCIS to be working on 14 inquiries at any one point in time.
I want to extend a shout-out to the former chair, the member for Wills. I said this yesterday and I'll say it again: the member for Wills is a good man who believes in the importance of the security of this nation. I think the member for Wills has been through a rough trot in recent times, and I wish him the best in his new role. I also want to give a shout-out to the new chair, Senator Raff Ciccone, who has already demonstrated a terrific grasp on the issues that we deal with in this committee. I look forward to working with him, as I do with all members of the committee.
The PJCIS is too important a committee to get bogged down in petty politics. There is no greater obligation on any member who serves in this place than to keep Australians safe. The PJCIS is really at the tip of that spear in ensuring that our security and intelligence agencies do what they say they're going to do and act in accordance with the law, and I'm very proud to be a part of it.
I thank Australian industry for their ongoing vigilance when it comes to cybersecurity, although there's much more work to be done. I call on this government to take seriously its responsibility to protect Australians and secure our future. It's well over time to introduce a comprehensive integrated national security strategy. Now let's just get it done.