Michael McCormack (Riverina, National Party, Shadow Minister for International Development and the Pacific) Share this | Hansard source

If ever we had cause for alarm over cybersecurity, it was just the other day—5 November, in fact—when the Guardian published an article headed 'Is your air fryer spying on you? Concerns over "excessive" surveillance in smart devices'. The article, penned by UK Technology Editor Robert Booth, said:

Air fryers that gather your personal data and audio speakers "stuffed with trackers" are among examples of smart devices engaged in "excessive" surveillance, according to the consumer group Which?

According to the article:

The organisation tested three air fryers, increasingly a staple of British kitchens, each of which requested permission to record audio on the user's phone through a connected app.

The piece went on:

Smart air fryers allow cooks to schedule their meal to start cooking before they get home.

In this day and age of limited time and people very busy in their lives, it's a great idea. It's smart. It's the use of technology to meet a busy schedule.

Not all air fryers—

the Guardian said—

have such functionality but those that do often use an app installed on a smart phone.

Which? found the app provided by the company Xiaomi connected to trackers for Facebook and a TikTok ad network.

I'll digress a little. We've been told of the dangers of using TikTok, and, for any member of parliament who does use TikTok—I appreciate that it's a way of getting through to the younger generation—it is an absolute folly. Your information will be collected and sent where you don't need or want it to be.

The piece continues:

The Xiaomi fryer and another by Aigostar sent people's personal data to servers in China, although this was flagged in the privacy notice, the consumer testing body found.

I would defy that too many people actually read the fine print. If you are like me, once you get a device, you open the packaging and—as many blokes do—the last thing you have a look at are the instructions of how to put it together. You just put it together as best you can and plug it in the wall and hope that it works.

The article said:

Its tests also examined smartwatches that it said required 'risky' phone permissions—in other words giving invasive access to the consumer's phone through location tracking, audio recording and accessing stored files.

We know that so much of our information is collected. We know that so much of that data is stored. What we don't know is who is doing it and why and what they are going to use it for in the future.

I well recall, when I was second in charge of the National Security Committee—and I'm not giving away state secrets—some of the hacks that came across the table. Indeed, very sophisticated players from certain very large countries were able to infiltrate local councils, large and small, and businesses, large and small, in Australia. This is of great concern. We should be very worried, getting very prepared and making sure that we are doing everything we can to solidify our cybersecurity. In this day and age, the hackers, those players who would otherwise part our money and us, are getting better at what they do. Being able to be tracked and followed on everything that you do online through our cooking now is, indeed, a worry.

The article said:

In a response to Which?, Xiaom said respecting user privacy was among its core values and it adhered to UK data protection laws.

Ha! Yeah, right! It claimed it didn't sell any information to third parties, but that just beggars belief. Why would a company need to store data on an air fryer? Maybe to find out whether you are frying chips or vegetables or what, perhaps, you are cooking. No. You can't be that gullible. We can't be having these sorts of devices. If you've got one of those, you are being tracked. We know that. We appreciate that. People should do everything they can to ensure that they are not scammed.

I had the member for Whitlam, the minister responsible for scams, do a forum in my electorate. It was a very good thing. A lot of older people attended that. They are all too often overrepresented in the statistics of those people who have had money taken through nefarious ways and means. I was appreciative of the minister coming to Wagga Wagga to share his views and what the government is doing. The government can always do more. I appreciate that. Never before in history has cybersecurity been so important. Wherever you are and whatever you are doing, you are likely to be in the vicinity of a smart device with connectivity to the internet. It is not just computers and smartphones; we have smart TVs, smart fridges, smart lights, smart cameras and so much more. Indeed, a growing number of devices in homes are connected to the internet, including camera enabled doorbells and, as I mentioned, smart TVs. It's remarkable progress. Who would have thought 20 years ago that technology would become as prevalent and perhaps as invasive as it is today? Indeed, iPhones really only go back to 2008. Remember the bricks that some people used to carry around that used to be mobile phone technology? You may all be familiar with Apple, Siri, Amazon's Alexa and Google Assistant. They're always listening in in case you ever have a question to ask.

If you talk about a product or a topic, only to see advertisements then popping up on your internet feed as though somebody, somewhere, somehow, someway was listening in, of course, they are. We know that for a fact. Every time you use something connected to the internet, your data is being collected, it's being tracked and it's being used—and it's not always by people you should or could trust. Sometimes it's for good, to improve efficiency and the relevance of search results. Yes, that's correct. But every time this data is collected about you, it can be used for nefarious causes—particularly when data breaches occur and your data gets into the wrong hands.

By 2025, cybercrime is estimated to cost the world $10.5 trillion. In Australia, as of 2021, the University of New South Wales estimate cybercrime cost $42 billion—that's $42,000 million—to the Australian economy. That's almost equivalent to expenditure in many, many portfolios—including Defence. This is deeply concerning. It's cause for urgent action. That is why the coalition does support the policy intent of this package of bills.

I note these bills will give the Minister for Home Affairs the power to make mandatory security standards for smart devices. This is important. This is vital. If our air fryers can be spying on us, who knows what else is? Who would know? This is something the government must have at the forefront of its operations. People's security is absolutely the No. 1 priority for government. How many cameras, drones and other devices do government departments use that are manufactured in China? It would be a fascinating answer. Who knows how much confidential data is being collected by foreign actors, foreign players? The Cyber Security Bill 2024 will also empower the secretary of the Department of Home Affairs to issue compliance, stop and recall notices in order to enforce the mandatory security standards regime—not such a bad thing. This is a good start to improve the security of our devices.

Even properly-managed data can be breached by bad actors. That's why it's important that the government, via the Australian Signals Directorate, is informed of entities that have been subject to a cyberincident. This bill will ensure that entities with more than $3 million in annual turnover report cyberincidents to the ASD if they've made a ransomware payment or given any other benefit in connection to such an incident. The $3 million cap prevents excessive regulation on small businesses, but it does ensure that larger businesses are more likely to store your data and have the economic capacity to adhere to these regulations. That's something that perhaps needs looking at.

Naturally, some entities may be hesitant to report and provide data to the government for fear of adverse consequences. That's why this package establishes a limited use obligation which restricts how much information provided to the National Cyber Security Coordinator can be used or shared with other government entities. Further, this obligation will also be imposed on the ASD, which will be prevented from communicating such data for the purposes of investigating or enforcing a contravention of a Commonwealth, state or territory law other than a criminal offence against the entity subject to the cyberincident. This ensures reports and data supplied are full, honest, accurate and transparent, enabling the ASD to do its job properly, rather than struggling to obtain accurate data from entities fearful of ancillary consequences.

I have to say that we are fortunate in this country to have people who are very qualified in the space of cybersecurity. I know when the 2016 census went a little awry, Alastair MacGibbon played a very strong and powerful role. I know the role that the ASD played. I know just how important this is. We are very lucky that this nation has people in the Public Service and elsewhere who do their utmost to ensure that the bad guys don't win. As we move into an ever-more digitally connected future, it becomes ever-more imperative to enact the regulations and frameworks necessary to combat the established and emerging threats of cybercrime.

As of 2023, the Australian Trade and Investment Commission reported Australia's tech industry to be worth $167 billion. That's grown by 80 per cent in five years. Its growing at an exponentially fast rate. It is huge. It's also estimated to constitute $250 billion of our gross domestic product by 2030.

It's clear Australia must entrench its place on the world stage as a nation which is proactive and a world leader in cybersafety when it comes to digital technology, and I would like to think that, whichever party or parties occupy the government benches in Australia, the same priority and the same importance is placed on cybersecurity. I know that the government come to this place and space with good intent, and I encourage them and acknowledge them for that. It's very clear that Australia is targeted all too often by people and nations that want to do us harm. But this bill and other measures will ensure business has the confidence to continue to invest and grow.

I have to say I well remember that, when I was in government and was on the National Security Committee of cabinet, we made the rather controversial decision at the time to not allow Huawei to have the reach that they wanted in Australia, even though they were making big inroads. They were sponsoring the Canberra Raiders National Rugby League team. But why would we want to have a foreign entity with the capability to do what they could? We can't have our traffic lights and our hospital power systems operated by international players. Whilst I know it was a controversial decision at the time, it was the right course of action to take.

It's not just the tech sector that these regulations are relevant to; it's almost every business sector. Like a great octopus, players who want to and feel the need to can reach in and take anyone's money, and no-one is safe. Every business has a website these days. Nearly everybody shops online these days. More and more people are banking online as well. It is our duty, and it is the government's role, to ensure ordinary Australians are protected to the best of Australia's ability and the best of the government's ability. We must protect not just Australians but industry from cybercrime. That should be the ultimate goal: to keep Australians safe. I appreciate that that's what the government are endeavouring to do, and they have the coalition's support in just that.

Question agreed to.

Bill read a second time.

Message from the Governor-General recommending appropriation announced.

See this speech in context