House debates

Tuesday, 19 November 2024

Bills

Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading

8:26 pm

Andrew Charlton (Parramatta, Australian Labor Party)

In July this year I was given the honour of being appointed the Special Envoy for Cyber Security and Digital Resilience by the Prime Minister. In this role I've had the opportunity to speak with dozens of stakeholders—from micro tech startups to multinational corporations, from sole operators to ASX 200 companies, from individual victims of cybercrime to international government counterparts. What I've learnt from these discussions is that cybersecurity is a critical issue that needs to be addressed at different scales with different groups and at different levels of technicality. Unlike other national security issues, the uplift of Australia's cybersecurity is a team sport. It cannot be done by government alone. It requires an interconnected and engaged group of stakeholders from across public and private sectors, working together towards the common goal of ensuring that Australian citizens and businesses can live, work and learn safely and securely online.

The legislative reforms that we're debating today take some key steps towards a digitally secure and safe future. It's another significant reform that this government is bringing forward to unlock the gains that the digital economy can provide for all Australians, following work across government, such as the Attorney-General's privacy reforms, the Treasury's anti-scam reforms and the communications portfolio's misinformation and disinformation reforms. This package includes our nation's first cybersecurity act, which, together with reforms to the Intelligence Services Act, contains four critically important measures.

First, the bill will create a framework for setting mandatory security standards for smart devices. At the end of 2023 there were 109 million smart devices in Australia, there being at least one device in 73 per cent of Australian homes. By the end of 2027, there are likely to be 353 million devices in Australia, worth over $2.1 billion to the Australian economy. The Cyber Security Bill will create a framework by which any smart device sold in Australia will meet three security requirements. Firstly, each device will be sold with its own unique password, ensuring that a widescale cyberattack cannot be perpetrated on the owners of a particular piece of technology.

Secondly, each device will have fault-reporting capabilities so that manufacturers have the information needed to remedy and identify vulnerabilities. Thirdly, each device will come with the information the purchaser needs to know about regularly updating the software in their device, so that any cyber vulnerabilities in software are removed as soon as possible. These critical changes will create a baseline of cybersecurity standards across Australia's smart device market, making our everyday lives safer and more secure.

Second, the Cyber Security Bill creates a requirement for businesses above a prescribed level of annual turnover to report ransomware payments to government. Ransomware remains one of the most destructive types of cybercrime in Australia, with the capacity to cripple digital infrastructure through the encryption of devices, files and folders, rendering essential computer systems inaccessible or inoperable.

This reform is not the government stepping back from its advice that a ransom should never be paid. That is still our advice. Ransoms fund further criminal activity, and there is no guarantee that, if you pay a ransom, your network or information will be handed back. In fact, for many businesses, if they pay a ransom they're giving a signal to the market of their willingness to pay, putting themselves at risk of further and subsequent attacks. Instead, what the government is saying with this requirement is that we want to make sure we have a full picture of the ransomware threat in Australia.

There has been some public commentary that this reporting obligation will create unnecessary stress for small businesses that may be captured under the $3 million annual threshold, but the 72-hour timeframe for making a report only starts from the time that that ransom is paid, which may be some time after the incident itself occurs, and it will only be enforced in cases of egregious noncompliance. The penalty for noncompliance is not a punitive measure for acts done in good faith, as the bill clearly outlines.

Whilst those on the other side think that we should just be slapping an economy-wide ban on making any ransomware payment, the Albanese government wants to build an evidence base upon which a decision can be made. Having a thorough understanding of ransomware payments in Australia allows the Australian government to build a tailored package of assistance and guidance for victims, to assist in law enforcement and the disruption of threat activities, and, in future, to have the data to make an evidence based decision on whether a ransomware ban is suitable for Australia. This is evidence based policy, not shooting from the hip.

The third measure in the Cyber Security Bill and in the amendments to the Intelligence Services Act will create a limited-use obligation whereby certain information provided by victims of a cyberattack to the National Cyber Security Coordinator and her office, or to officers from the Australian Signals Directorate, will not be able to be used for other purposes. This is incredibly important. The purpose of this limitation is to safeguard in the early stages of an incident, where information is being generated in real time and is unable to be verified. The Cyber Security Coordinator is responsible for leading whole-of-government coordination in response to significant cybersecurity incidents. Lieutenant General Michelle McGuinness is responsible for providing advice to the Minister for Cyber Security and other elected representatives that they need to direct government activities in response to a large-scale cyber incident. The coordinator and staff from her office need to receive contemporaneous information about an incident in order to perform this vital role.

In addition, ASD have the significant technical expertise to assist Australian businesses to respond to a cyberattack. They are the cyber firefighters, who need to receive technical information in real time to address an attack. That is why this piece of legislation is so important, because recent experience is that victims of a cyberattack have been hesitant to provide this vital information because of the risk of that information being lawfully provided by ASD to other Australian government regulators such as ASIC, OAIC and APRA and used against them. Government receives incident reports from a company's general counsel, when they really need to have a direct dialogue with the chief information security officer on technical details to best employ their assistance and expertise.

These limited-use provisions will create a limitation on how information provided to the Cyber Security Coordinator or to ASD will be able to be shared, by creating requirements for these officials not to share the information except in specific and prescribed circumstances.

It doesn't mean that regulators with cybersecurity requirements to enforce are excluded from ever receiving that information, but it does mean that the OAIC, ASIC, APRA and numerous other government regulators will only be able to receive information for their regulatory purposes from the entity under their existing powers. Limited use will enable the cyber coordinator to receive the real-time information necessary to provide government support in a time of crisis. It means that ASD, our cyber firefighters, can receive the information they need in a timely way to help put out a cyber incident.

The final measure in the Cyber Security Bill 2024 is to legislate the Cyber Incident Review Board, which will conduct post-incident reviews of nationally significant cyber incidents. The board will conduct inquiries and make reports to industry and government on a no-fault basis to improve Australia's collective cybersecurity outcomes. The board will operate independent from government and have the capacity to conduct reviews on its own motion, on referral from the minister or from the cyber coordinator, or at the request of the victim of a cyberattack. It will have suitable powers to require the production of information, but information provided to the board will not be admissible in civil or criminal proceedings against the entity. Whilst reviews of previous cyber incidents can and have been conducted under government executive powers, legislating this board will create clear duties and obligations about the conduct of reviews and the treatment of information provided or generated in the course of a review. It promotes transparency of this important function and will provide public advice about an incident, with the aim of providing collective cybersecurity practices for all Australians.

This package of legislative reforms also builds on Australia's world-leading critical infrastructure security regulatory system, making three critical improvements identified as part of the government's Australian Cyber Security Strategy. This strategy's aim is to make Australia a world leader in cybersecurity by the end of 2030. The first measure expressly includes business-critical data as part of a critical infrastructure asset under the Security of Critical Infrastructure Act, the SOCI Act. As the customers and clients of Optus, Medibank and Latitude Financial, amongst numerous others, are now all too aware, the security of information that our critical infrastructure organisations collect and store to operate in our economy is just as important as keeping the lights on. It is just as important for the security requirements under the SOCI Act to apply in respect of business-critical data that our critical infrastructure assets hold to conduct their businesses not just in relation to the goods and services that they provide.

Let's take the water services sector as an example. The current SOCI Act would apply to a critical water asset—a water or sewerage system delivering services to at least 100,000 connections. Requirements have been applied to critical water assets under the SOCI Act to ensure that the physical, personnel, cyber and information risks associated with these assets are managed appropriately. What this amendment will do is ensure that business-critical data that a critical water asset operator holds to provide water and sewerage services, whether that be sensitive operational plans or customer information, is captured as part of these requirements. And when we're talking about better securing digital data, we're talking about meeting and, hopefully, exceeding cybersecurity requirements.

This bill also makes important reforms to clarify the security regulation of critical telecommunication assets—some of the most important assets to the way we live, learn and work online. The previous government did not sort through the patchwork of legislative requirements under the SOCI Act and the Telecommunications Act, which resulted in recommendations from the Parliamentary Joint Committee on Intelligence and Security directing government to do this. Their failure to act has created unnecessary ambiguity for industry and has limited the ability to ensure compliance. What the Albanese government is doing, after conducting a thorough and inclusive co-design process with industry and customer advocates, is creating a clear path forward to ensure our telecommunications networks remain secure without regulatory duplication, and we've clearly articulated the security requirements for our telcos and carriage service providers.

Finally, the SOCI Act reforms expand the scope of some, but not all, of the powers known as the government assistance measures. As currently enacted, those powers enable the government to work with industry to respond directly to a serious cybersecurity incident. What recent cybersecurity incidents have taught us is that government assistance to industry is not just necessary to respond to an incident. Assistance is also required to manage the consequences coming from an incident. Cyber vulnerabilities can often be detected and removed quickly, but the impacts of unauthorised access to systems and data may need to be managed for some time afterwards.

What I've heard from consultations with cybersecurity professionals, data centre providers and government officials is that a cybersecurity incident of significant national impact to Australia is not just probable; it's inevitable. The United States had the Colonial Pipeline incident in 2021, leading to large-scale petrol shortages on the east coast over six days, creating significant economic, social and personal impact. Over half of the UK's National Health Service was brought to its knees in the 2017 WannaCry ransomware attack. Patient records could not be accessed for several days, resulting in delayed surgeries and ward closures. Ukraine has experienced wave after wave of cyberattacks—switching off its power grid in the middle of the 2017 winter, leaving thousands of Ukrainians in the cold—as well as a number of subsequent attacks associated with its war with Russia.

Australia is not immune from these types of attacks and incidents in the future. In fact, we've already had large-scale data spills, such as Optus and Medibank Private, that have had a significant impact on Australians. While none of those incidents created the significant widespread economic and social impacts that have been experienced elsewhere, I want to make sure the Australian government can ably assist our critical infrastructure to respond to an incident of this scale, whether it be to stop the incident from occurring or to make sure that the consequences of the incident can be managed appropriately.

This is a package of key reforms necessary to support the continued uplift of Australia's collective cybersecurity. I want Australian citizens and businesses to be best placed to take every opportunity in the digital economy, something that cannot occur without being safe and secure online. I commend these bills to the Chamber.
