House debates
Wednesday, 28 March 2018
Bills
Security of Critical Infrastructure Bill 2018; Second Reading
5:44 pm
Alex Hawke (Mitchell, Liberal Party, Assistant Minister for Home Affairs) Share this | Link to this | Hansard source
I present the explanatory memorandum to this bill and move:
That this bill be now read a second time.
Critical infrastructure is integral to the prosperity of the nation.
Secure and resilient infrastructure underpins the effective functioning of Australian society—ensuring we have continuous access to essential services for everyday life, such as food, water, energy and communications.
Foreign involvement in Australia's critical infrastructure plays an important and beneficial role in supporting economic growth. It can also improve productivity by enabling the development of much-needed infrastructure, introducing new technology, allowing access to global supply chains and markets, and enhancing Australia's skills base.
However, while recognising its many benefits, increasing foreign involvement in our national critical infrastructure means that Australia's critical infrastructure is more exposed than ever to sabotage, espionage and coercion.
In January last year the government established the Critical Infrastructure Centre. The centre, housed in the Department of Home Affairs, is a central point for government and industry to better understand and mitigate national security risks to Australia's critical infrastructure.
The centre was established to develop a deeper understanding of the national security risks across our high-risk critical infrastructure sectors, and to develop and implement mitigation strategies. The centre works collaboratively with industry and states and territories to ensure national security risks are being managed in a way that does not inhibit the ability of business to operate in a global economy.
To enhance the centre's ability to manage national security risks, the government introduced the Security of Critical Infrastructure Bill 2017 and the corresponding Security of Critical Infrastructure (Consequential and Transitional Provisions) Bill 2017 into the Senate in December last year. This bill will ensure that the government has the necessary powers to protect Australia from national security threats of sabotage, espionage and coercion stemming from malicious foreign involvement in our critical infrastructure.
The Security of Critical Infrastructure Bill will apply to a specified set of critical infrastructure assets in the high risk electricity, water, gas and ports sectors—approximately 106 assets in total. These reforms build upon and complement measures the government has already taken to manage these same risks to the telecommunications sector, by passing through the parliament the telecommunications sector security reforms in September last year.
Overview of key measures
The bill will establish a register of critical infrastructure assets, which will enhance the capability of the centre to understand who owns, controls and has access to Australia's critical infrastructure. This register will support more proactive management of the risks faced by assets in our high-risk sectors.
The bill will require owners and operators of specified critical infrastructure assets to provide specific, high-level information concerning the ownership and operation of the asset. This will include information on ultimate beneficial owners. This information is essential to informing a deeper understanding of who has access to, control of, or the ability to influence, the critical infrastructure on we which we all rely.
Ministerial directions power
The bill also contains a ministerial discretions power. This will enable the Minister for Home Affairs to ensure and issue a direction to an owner or operator of a critical infrastructure asset to mitigate national security risks that cannot be managed through cooperation or existing regulatory mechanisms. It is modelled on a similar power in the telecommunications sector security reforms.
This 'last resort' directions power could be used to direct asset owners and operators to undertake or refrain from certain actions. Importantly, this power is limited to instances where:
Safeguards
The bill includes a range of important safeguards. Before a direction is able to be issued, the minister will be required to be satisfied of certain matters, to consult with stakeholders, and to give consideration to a number of factors, including:
The minister's directions power is also subject to judicial review, while the ASIO adverse security assessment will be subject to merits review.
Following introduction, the bills were referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry. The committee released its report into the bills on 15 March this year, and the government thanks the committee for its comprehensive and timely work on the bills, particularly the hard work of the committee chair, Andrew Hastie. The government was pleased to accept all of the committee's recommendations. Accordingly, the bills currently before the House incorporate the necessary amendments to give effect to the committee's recommendations, including, in short, an amended and clarified definition of 'direct interest holder'; an exemption from the bills' obligations for money lenders where they are not in a position to influence or control the asset; a requirement that the affected party receives written notice if they are the subject of an ASIO adverse security assessment; and a requirement that the committee review the bill within three years of it receiving royal assent.
Conclusion
The Security of Critical Infrastructure Bill aligns with the government's clear intention to continue to cooperate and collaborate with all levels of government, regulators, owners and operators of critical infrastructure, including under the government's Critical Infrastructure Resilience Strategy. It strikes an appropriate regulatory balance by acknowledging the shared responsibility for managing national security risks, while empowering the Commonwealth to intervene to mitigate a risk where existing regimes cannot be used.
While maintaining competitiveness in a rapidly changing global market is essential, with this bill the government is taking the steps necessary to strengthen the security and resilience of Australia's critical infrastructure.
Leave granted for second reading debate to continue immediately.
5:51 pm
Mark Dreyfus (Isaacs, Australian Labor Party, Shadow Attorney General) Share this | Link to this | Hansard source
Labor have a long track record, stretching back to the foundation of our party, which reflects our understanding that it's the paramount responsibility of all parliamentarians, whether in government or in opposition, to keep our community safe and our nation secure. That's why Labor has consistently worked, both in government and in opposition, to ensure that our intelligence and law enforcement agencies have the powers and resources they need to carry out their vital roles. We know that the security threats we face are changing and we will continue to work constructively with the government to ensure that our laws are adapted to meet those threats. Consistent with our commitment to national security, Labor supports the Security of Critical Infrastructure Bill 2018 and the related Security of Critical Infrastructure (Consequential and Transitional Provisions) Bill 2018. We support these bills because we recognise the need to manage national security risks arising from the possibility of malicious interference in our critical infrastructure. Labor believes these bills strike an appropriate balance, imposing only the necessary and relatively minor regulatory requirements needed to improve the management of potential threats to our critical infrastructure.
The Security of Critical Infrastructure Bill provides 'a risk based regulatory framework to manage national security risks from foreign involvement in Australia's critical infrastructure'. The bill focuses primarily on the risk of sabotage, espionage and coercion in Australia's highest risk critical infrastructure sectors of electricity, gas, ports and water. Labor recognises that involvement in the Australian economy by foreign entities and individuals, particularly in the development and maintenance of Australian infrastructure, plays an important and beneficial role in supporting economic growth, creating employment opportunities, improving consumer choice and promoting competition. It also makes Australia an attractive destination for investment in foreign markets. However, with increased privatisation of Australia's critical infrastructure, frequent outsourcing and offshoring of supply chain arrangements, and the fact that Australia's international investment profile is changing, critical infrastructure is increasingly exposed to the risk of sabotage, espionage and coercion. This bill is an appropriate step to inhibit malicious conduct undertaken covertly which may have damaging implications for Australian society.
The regulatory framework in the bill is modelled substantially on the telecommunications sector security reforms, which were enacted last year as the Telecommunications and Other Legislation Amendment Act 2017. These reforms include, first, a security obligation on all telecommunications carriers, carriage service providers and carriage service intermediaries who will, under the reforms, be required to do their best to protect networks and facilities from unauthorised access and interference, including a requirement to maintain competent supervision and 'effective control' over telecommunications networks and facilities owned or operated by them. All carriers and nominated carriage service providers will be required to notify government of planned changes to their networks and services that could compromise their ability to comply with the security obligations. This is markedly similar to the notification concept that is contained in the bill that's now before the House. Further, the Secretary of the Attorney-General's Department has the power to obtain information and documents from carriers, carriage service providers and carriage service intermediaries to monitor and investigate their compliance with the security obligations.
Similarly, in the telecommunications sector, the Attorney-General has a new directions power to direct a carrier, carriage service provider or carriage service intermediary to do or not to do a specified thing that is reasonably necessary to protect networks and facilities from national security risks. Labor supported the telecommunications sector security reforms because Labor considered the codification of pre-existing beneficial relationships between government and the telecommunications sector would give greater certainty that as ownership of Australia's telecommunication infrastructure changed, the government would continue to process the appropriate mechanisms to work constructively with the sector to safeguard vital infrastructure.
It's worth saying about the telecommunications sector security reform that it was a long time in the making. Labor commenced the work on the telecommunication sector security reforms in around 2010. They were the subject of consideration by the Parliamentary Joint Committee on Intelligence and Security in a lengthy inquiry in 2012, and recommendations were made in a subsequent report of the Parliamentary Joint Committee on Intelligence and Security that further work be done to develop the telecommunication sector security reforms. They eventually came forward and became law in the Telecommunications and Other Legislation Amendment Act 2017, when that was finally brought forward.
No harm occurred because of the time that it took to bring to the parliament the codification that's bound up in the telecommunications sector security reforms legislation for the pretty simple reason that there is a very high degree of cooperation between telecommunications sector companies and the government of Australia. There has been a very high degree of cooperation for a very long time in relation to national security matters, and the purpose of the telecommunications sector security reform legislation was actually not to deal with any problem that had arisen up to that point—or even up to now—with cooperation from telecommunication sector companies and the government in relation to national security matters. Rather, the purpose of the legislation was to ensure that if any problem did arise in the future where a national security issue arose and action was needed from a telecommunications sector company, and in the event—and I'd have to say in the unlikely event—that the telecommunications sector company declined to cooperate with a request by government, the government would have not only the necessary powers to require that information be produced but, in addition, the necessary power to direct the telecommunications sector company to undertake actions that were required to protect Australia's national security.
The TSSR legislation applies to around 280 active carriers and a further number of carriage service providers. What's occurred in the Security of Critical Infrastructure Bill 2018 that's now before the House is that the model that was devised for the telecommunication sector security reforms has been applied here in relation to critical infrastructure. The Security of Critical Infrastructure Bill adopts a very similar regulatory structure to the telecommunications legislation. In contradistinction to the rather larger number that the telecommunications law applies to, the Security of Critical Infrastructure Bill will apply to the owners of around 140 critical infrastructure assets. As I've said, those critical infrastructure assets are ports, electricity, gas and water assets. Some of them are owned by private sector entities and some of them are owned by state government entities.
As with the telecommunications sector, Labor supports the need for regulation of the sectors which have these critical infrastructure assets. This will ensure that critical infrastructure assets, where they are partly owned by foreign entities—perhaps I should say particularly where they are partly owned by foreign entities—are still subject to control and direction by the Commonwealth. It's fundamental to the maintenance of the security, safety and prosperity of Australians that the owners of critical assets can be required to provide relevant information to government and that in times of emergency they can be directed to ensure that the needs of Australian society are met. This was a sentiment shared by state and territory governments and by industry and peak organisations, who have all expressed support for this bill in submissions to the Parliamentary Joint Committee on Intelligence and Security. This sentiment was not a new resolve but, rather, the agreement for a mechanism that allows both information gathering and directions powers for critical infrastructure assets.
In essence, this bill is a formalisation of longstanding conventions under which industry assists the government of the day to ensure control over electricity assets, gas assets, water assets and ports—of course, always in relation to any national security problem that might arise.
As I pointed out in relation to the telecommunications sector security reform, this legislation is not being introduced to deal with any actual problem that has arisen in dealings between the owners of these around 140 critical infrastructure assets and the national government. Rather, the legislation is being introduced to ensure that in any future eventuality, where the owner of one of those critical infrastructure declines to cooperate with a government request in relation to a national security matter or declines to cooperate with a government request for information about some aspect of a critical infrastructure asset that relates to a national security issue, the government will have the power to compel the production of information and to ensure that the government will have the power to direct an owner of a critical infrastructure asset to take a particular action that is needed for Australia's national security.
The bill presently sets out water, electricity, gas and ports above a certain threshold as critical assets. It will be obvious to the House that these assets are all fundamental to the daily functioning of households and businesses. The bill defines a 'critical water asset' under clause 5 as 'a water or sewerage system or network that is used to ultimately deliver services to at least 100,000 water connections or 100,000 sewerage connections under the management of a water utility'. That will give the House some idea of the scale of assets that are dealt with in this Security of Critical Infrastructure Bill. It's self-evident that all Australians require a clean and reliable supply of water and that disruption to Australia's water supply or water treatment facilities could have major consequences for the health of citizens, the viability of all institutions in Australian society, and the economy.
Similarly, a critical electricity asset is set out in clause 10(1)(a) as:
(a) a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers.
That provides the criticality for an electricity asset. The proper functioning of the Australian economy requires electricity, self-evidently, and keeping the lights on in Australian homes is a fundamental and basic necessity. It's clear that electricity assets providing transmission and distribution services across the country also form a core part of the nation's critical infrastructure.
A critical gas asset is defined in clause 12 of the bill as:
(a) a gas processing facility that has a capacity of at least 300 terajoules per day or any other capacity prescribed by the
rules;
(b) a gas storage facility that has a maximum daily quantity of at least 75 terajoules per day or any other quantity prescribed by the rules;
(c) a network or system for the distribution of gas to ultimately service at least 100,000 customers or any other number of customers prescribed by the rules;
(d) a gas transmission pipeline that is critical to ensuring the security and reliability of a gas market, in accordance with 3 subsection (2).
It is axiomatic that gas in Australia—like the other two services that I mentioned, water and electricity—is important. It is a required element for a wide range of industrial, commercial and residential uses, and it is an increasingly important export commodity as well.
Gas is particularly important for gas powered electricity generators, which account for approximately 20 per cent of Australia's electricity, and for manufacturing, which relies on gas for approximately 40 per cent of net energy requirements. We expect these numbers will grow as Australia transitions to a clean energy economy. Accordingly, the protection of gas infrastructure as a critical asset will grow, not diminish, over time. By defining the level of criticality, the bill limits the regulatory burden to Australia's largest and highest-risk critical assets. That is how we get to the 140 assets that are going to be the subject, potentially, of this regulatory scheme.
The bill will supplement the existing Foreign Investment Review Board's mechanism through which the Commonwealth can implement mitigations. However, because this only applies to foreign investments above certain thresholds at the time of the proposed transaction, it is not possible to use the FIRB mechanism to address risks in outsourcing or offshoring for assets owned by domestic entities or where sales fall outside of the FIRB screening thresholds. Accordingly, the creation of the security of critical infrastructure framework will improve upon existing safeguards that protect critical assets.
In practice, the Security of Critical Infrastructure Bill 2018 will add to the work currently undertaken by the Critical Infrastructure Centre, which collaborates with asset owners, asset operators and state and territory regulators to identify risks, implement asset-specific mitigation strategies and develop sector-wide best practice guidelines. The Critical Infrastructure Centre engages with asset owners and operators through the Trusted Information Sharing Network and directly, as needed.
The Parliamentary Joint Committee on Intelligence and Security conducted an inquiry into this bill and heard from a range of affected industries, including peak industry bodies and other interested parties. I thank the members of the Parliamentary Joint Committee on Intelligence and Security for the customary cooperative work that the committee was able to undertake on this inquiry, which resulted in nine recommendations that the committee has made to the government and the parliament.
In recommendation 1, the committee recommended that the Department of Home Affairs, in consultation with the Department of Defence and the Department of the Environment and Energy, review and develop measures to ensure that Australia has a continuous supply of fuel to meet its national security priorities. As part of developed measures, the committee recommended that the Department of Home Affairs should consider whether critical fuel assets should be subject to the regulatory regime which is being established by this bill. The committee considered that the department should conclude this review within six months. As a member of the committee, I note that the committee would like the department to brief the committee on the outcomes of the review, following its conclusion.
There was some consideration in the inquiry about fuel as an additional aspect to critical infrastructure. Again, it's self-evident that Australia is highly reliant on fuel infrastructure. Australia is presently almost entirely reliant on imported fuel. There are issues about storage of fuel in Australia. The purpose of this first recommendation of the committee was to invite the Department of Home Affairs and the other government departments mentioned to consider seriously whether or not fuel related infrastructure should be added to the categories dealt with by this new regulatory regime.
In recommendation 2:
The Committee recommends that the Department of Home Affairs examine the viability of developing a common data entry portal for use across Commonwealth, state and territory databases that require information from the same reporting entities.
This would limit the amount of reporting and allow the distillation of relevant information used by governments at Commonwealth, state and territory levels. A number of submitters to the inquiry made the point that all of them operate in highly regulated environments already. That, again, is self-evident: gas, water, electricity and ports are regulated by not only a range of Commonwealth laws and regulations but also a range of state laws and regulations and, in some cases, local council by-laws. All of those laws and regulations at local, state and Commonwealth levels require the owners of these 140-odd infrastructure assets to provide both a whole lot of information when they are setting up these particular assets and a whole lot more information to local, state and federal governments on an ongoing basis, often with annual reporting requirements. It's obviously desirable that these owners of critical infrastructure assets not be burdened with yet another disparate level of regulation or information provision requirement. If it's possible to develop some kind of standardisation of the information they're required to provide to local, state and federal governments, it will not only make the task of the owners of these critical infrastructure assets easier but also probably improve comprehensibility of the information provided and ready access by the national government to the information relevant to national security issues. It's desirable that the viability of a common data entry portal at least be examined, as the recommendation suggests.
In recommendation 3:
The Committee recommends that the Department of Home Affairs develop guidelines for entities subject to the Security of Critical Infrastructure Bill 2017. The guidelines should:
These guidelines should be made available prior to the end of the three-month transition period.
Again, this is consciousness on the part of the members of the committee that it's very important that ease of use and lightness of application be considered with any new regulatory scheme, that the obligations cast on the owners of critical infrastructure assets should not be any heavier than they need to be and that, in aid of that lightness of touch, guidelines ought to be developed so that owners of critical infrastructure assets immediately understand exactly what is required of them by this new regulatory scheme.
In recommendation 4:
The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to more appropriately define direct interest holder in order to capture the intended full range of ownership arrangements.
Further, the Explanatory Memorandum and the Bill should clarify that:
The government has implemented this recommendation in amendments passed in the Senate today.
In recommendation 5:
The Committee recommends that the Department of Home Affairs include in guidelines to be developed for entities subject to the Security of Critical Infrastructure Bill 2017, information regarding:
In recommendation 6, the committee recommended that the explanatory memorandum to the bill be amended to list the factors that the secretary must have regard to when deciding whether to disclose protected information under proposed sections 42 and 43 of the bill. Factors should include whether the disclosure is consistent with the object of the bill, and whether the purpose of the disclosure is proportionate to the sensitivity of the information being disclosed. The government has implemented this recommendation in tabling the explanatory memorandum in the Senate today.
In recommendation 7, the committee recommended that the explanatory memorandum to the bill be amended to clarify that the bill does not affect the operation of existing privacy obligations. In particular, the explanatory memorandum should clarify that proposed section 39 does not affect the operation of Australian Privacy Principle 11.2, and that the Department of Home Affairs as the administering agency would need to destroy personal information if it were no longer necessary. The government has implemented this recommendation in tabling the supplementary explanatory memorandum in the Senate today.
In recommendation 8, the committee recommended the bill be amended to require the relevant minister to provide to the subject entity notice of an adverse security assessment given in connection to the bill and merits review rights. The committee considered that the bill should be amended to align with requirements under section 38A of the Australian Security Intelligence Organisation Act 1979. The government has implemented this recommendation in the amendments passed in the Senate today.
In recommendation 9, the committee recommended the bill be amended to require the Parliamentary Joint Committee on Intelligence and Security to review the operation effectiveness and implications of the reform, commencing within three years of the bill receiving royal assent. The review should consider the appropriateness of a unified scheme to cover all critical infrastructure assets, including telecommunications assets. As I indicated at the start of these remarks, this particular regulatory scheme is modelled on, and is very close to, the regulatory scheme that forms part of the telecommunications sector security reforms. In conducting the review, the recommendation was that the Parliamentary Joint Committee on Intelligence and Security should also consider circumstances where the minister has used the declaration power under section 51. The government has implemented this recommendation too in amendments passed in the Senate today.
Regulatory schemes such as that proposed in this bill work best in a dialogue between government and the affected industries. Industry, government and the community all benefit from asset owners knowing in advance what is required of them and taking necessary steps without government needing to resort to regulatory enforcement. Labor believes that the committee's recommendations make it easier for the bill to achieve these ends. Accordingly, Labor supports the amendments which have been made by the government, which give effect to the recommendations of the Parliamentary Joint Committee on Intelligence and Security.
Those recommendations not requiring amendments to the bill or amendments to the explanatory memorandum were also all accepted by the government. It's a demonstration of the value of the collaborative and bipartisan processes of the Parliamentary Joint Committee on Intelligence and Security. Labor members worked collaboratively on the PJCIS, and we thank the government for its acceptance of the recommendations made in the inquiry. These bills are a useful addition to the regulatory architecture that protects and maintains critical infrastructure assets which are important to Australia's security and its continuing economic and social wellbeing. I commend these bills to the House.
6:14 pm
Andrew Wallace (Fisher, Liberal Party) Share this | Link to this | Hansard source
The Security of Critical Infrastructure Bill 2018, now before the House, will help to preserve Australia's national security by ensuring that the Australian government has the information and the powers it needs to protect the functioning and integrity of some of our critical infrastructure. Specifically, the bill would establish a register of critical infrastructure assets and require the owners of those assets to provide the Critical Infrastructure Centre with specific information about the asset's ownership and operation. This will allow the government to know who has access to, influence over, and control of our vital infrastructure.
Secondly, the bill grants the minister a power to direct owners or operators of these assets to mitigate against any identified national security risk which cannot be managed through existing mechanisms. In the last resort, it gives the minister the power to direct the owners to undertake, or refrain from, a particular action in order to avoid this national security risk.
Along with a number of my colleagues, I had the opportunity to see the importance of security around some of our critical infrastructure this month when I visited the Open Pool Australian Lightwater research reactor, or OPAL, in Lucas Heights with my colleagues from the Joint Standing Committee on Treaties. OPAL is one of the world's most effective, multipurpose research reactors. Without OPAL, it would be considerably more difficult for Australia to acquire the radioisotopes it needs to detect and treat cancers. Every Australian owes a debt of gratitude to the work that is being done by ANSTO. If ever we personally have—or a friend or family member has—been treated for cancer using radiotherapy we owe it to our researchers and scientists at OPAL.
Our capabilities in materials research and a wide range of industrial activities, including our ability to manufacture semiconductors for use in advanced electronics would be severely impacted if OPAL were not to function. Were the operation of OPAL to be disrupted, the consequences for Australia, whilst they wouldn't be catastrophic, would be very serious in terms of the lost productivity and the impact they would have to the health of all Australians. However, we can't forget what the opal reactor is. Though small and very safe, it is, fundamentally, a nuclear reactor, with many of the inherent dangers that may result from a malevolent interference. The reactor also uses low-enriched uranium fuel, containing just under 20 per cent uranium-235, and it generates a modest amount of nuclear waste, both of which must be kept out of the hands of anyone who would misuse them.
ANSTO describes itself as the custodian of Australia's landmark infrastructure. Despite being a civilian science and research facility, it takes its security responsibilities very seriously. As parliamentarians, we were not exempt from the strict security imposed on anyone who wishes to visit OPAL, and nor should we have been. The site is patrolled 24 hours a day by armed Australian Federal Police, who were a very visible presence during the time we were there. Indeed, whilst we were there we could hear AFP officers on the firing range, which makes up part of the large ANSTO campus. ANSTO is a statutory authority and it reports to this parliament. It maintains a risk and audit committee and its security processes have been subject to independent review and approval by the relevant Commonwealth bodies. In short, the Commonwealth has considerable control over the OPAL reactor, and, of course, its security.
However, not all of our critical infrastructure is so comprehensively owned, operated and secured by the Commonwealth. Foreign investment into Australia currently sits at $3.2 trillion. Most of this investment derives from close strategic and military allies like the United States, the United Kingdom and the European Union. However, our fastest growing source of overseas investment is China and Hong Kong. By the end of 2016, this investment had reached the total of $188 billion. This investment is very welcome, and China is one of our most important trading partners.
However, we must recognise that our national interests with a number of countries are not always aligned. In the area of infrastructure in particular, foreign investment has been particularly active. In September 2016, the Port of Melbourne was sold to a consortium of foreign and domestic investors for $9.7 billion. This complex group included directly and indirectly the Ontario Municipal Employees Retirement System, New York based Global Infrastructure Partners, the California Public Employees' Retirement System and the China Investment Corporation.
Indeed, the biggest coal export facility in the world, the Port of Newcastle, has been 50 per cent owned since 2014 by China Merchants Union, a majority Chinese government-owned enterprise. Similarly, the right to operate the Port of Darwin was sold to Chinese company Landbridge in 2015 for $506 million. Media reported last year that Landbridge were considering seeking a loan of $500 million from the Chinese government, with the port as security. Reports last month of a change in ownership structure proposed for Newcastle highlighted the potential lack of transparency involved in ownership by a foreign government.
When it comes to our liquid natural gas, an analysis by the Tax Justice Network last year revealed that overseas state owned corporations will own more than a 30 per cent stake in all Queensland production by 2020. The Chinese government, through its China National Offshore Oil Corporation and Sinopec, will own 17.3 per cent of production, while Malaysia's Petronas and South Korea's Kogas make up the rest. The same analysis found that five offshore LNG projects—Gorgon, Wheatstone, Pluto, Ichthys and Prelude—are 87 per cent foreign owned.
In electricity generation and retail, there is already substantial foreign ownership. Energy Australia, one of our trio of companies which together supplied nearly 70 per cent of retail customers in 2015, is owned by China Light and Power. In the ACT, 50 per cent of the power distribution company ActewAGL is owned by a joint venture of the Chinese company State Grid Corporation and Singapore Power International. State Grid Corporation also partly owns three of the five distributors in Victoria, as well as the largest stake in South Australia's energy transmitter, ElectraNet. The Hong Kong listed Cheung Kong Infrastructure likewise own a 51 per cent share in two of Victoria's distributors, and in South Australian Power Networks electricity distribution network.
Overseas investment in electricity generation is also growing. The recently completed Ararat Wind Farm, which will generate 240 megawatts for Victoria is owned by a consortium of UK, US and Canadian companies. Just in the past few weeks, German energy corporation Innogy has acquired two solar projects at Limondale and Hillston, which add to more than 450 megawatts in generation. French firm Neoen will be working on three renewable energy projects at Hornsdale and Dubbo, adding up to more than 250 megawatts, while Goldwind, a Chinese wind turbine manufacturer, will be developing a $400 million energy plant at White Rock to generate 175 megawatts. The list goes on: ESCO, ThyssenKrupp, Canadian Solar, Acciona, Engie—all are currently engaged in building hundreds of megawatts worth of new energy generation in Australia.
Most of this critical infrastructure does not have the obvious safety and security implications of a nuclear reactor. However, in each of the critical infrastructure categories listed in this bill—that is, ports, electricity, gas and water—malevolent interference from a foreign power could have very serious consequences. A safe, secure and clean water supply is vital for our citizens' health—without considering the substantial economic impact on the huge number of businesses that rely on water for their processes. For anyone who has watched the increasingly desperate situation playing out in Cape Town, the consequences of being unable to supply a city with enough water have been dramatically illustrated. Australia's water supply is highly concentrated in just three drainage divisions, making the risk even higher.
Our ports, on the other hand, facilitate more than a third of Australia's GDP, and are our major conduit for liquid fuels and for substantial parts of our civilian and military supply chains. Any important disruption to the operation of these ports would be devastating for our national economy.
When it comes to our electricity supply, the 2016 blackouts in South Australia—caused, unfortunately, by South Australia's own then Labor government rather than by any foreign power—resulted in costs of $367 million to local businesses, according to Business SA. There were 400,000 dosages of life-saving vaccines destroyed, while the health and wellbeing impact on those consumers left without power for days is hard to quantify.
Overseas, aggressive foreign powers have shown a strong interest in disrupting electricity supplies. Cyberattacks against the electricity grid of Ukraine in 2015 and 2016, for example, left more than 200,000 citizens without power. Electricity providers, like gas companies and water providers, also hold substantial quantities of data on their customers. Recent media reports regarding the activities of Cambridge Analytica in the US and UK, and reports of Russian interference in elections in the US and elsewhere, suggest the major compromising impact that a large-scale data breach by a hostile power could have on our economic and political life.
Gas is a vital Australian export asset. Australia is set to be the world's largest exporter of LNG by 2019, with the ABS estimating that these exports will be worth $36.3 billion in that year. It's also critical to a great many industrial and commercial processes: driving commercial boilers, which are used in manufacturing; food processing; dairy; and construction. Finally, LNG accounts for around 20 per cent of Australian electricity generation and for 40 per cent of the energy used by manufacturing. Any significant disruption to our domestic gas supply could cause blackouts, shut down factories and cost millions in lost export revenue.
Foreign investment in infrastructure across Australia is welcome. On the Sunshine Coast alone we already know of at least $6 billion worth of infrastructure upgrades that our community urgently needs. The Turnbull government has committed to spend a record $75 billion on infrastructure over the next 10 years, but more funds will always be needed. Foreign investment offers one of the best options for finding those funds and for delivering projects quickly and efficiently. Foreign investment also helps to increase our ties with other economies in our region and encourages greater prosperity for all of us.
However, as I have sought to outline today, this overseas investment comes with risks. We cannot ignore the fact that there are growing threats to Australia's national security from some of the very nations with which we trade. The world strategic situation is fast changing and competition between nations for exports and investment is ever increasing. We cannot guarantee that a state which is our friend today will not have powerful incentives to act against our national interest in the future.
6:33 pm
Anne Aly (Cowan, Australian Labor Party) Share this | Link to this | Hansard source
As the shadow Attorney-General mentioned in his speech earlier, Labor agrees to support the Security of Critical Infrastructure Bill 2018. We are in full support of this bill, and this bill, once enacted, would do two things. It would establish a register of critical infrastructure assets that will include information about who owns and operates those assets, which must not be made public, as well as allowing the minister to give a direction to a reporting entity, or to an operator of a critical infrastructure asset, to do or refrain from doing a specified act or thing within a certain time frame. That power may be used if the minister is satisfied that there is a risk that it is prejudicial to security that cannot otherwise be mitigated.
This bill takes into account the contemporary environment in which we operate here with the fragmentation of ownership of critical infrastructure. It is, in many respects, a precautionary bill which formalises the effective cooperation between the private sector and the government in the protection of critical infrastructure. It is heartening to see that the recommendations made by Parliamentary Joint Committee on Intelligence and Security, which tabled its report on the bill in March this year, have been amended and have been passed in the Senate today. I'd like to draw the House's attention to some of those recommendations and, specifically, to those recommendations that were passed earlier in the Senate, and the impact on the cooperation between the private sector and the government in the protection of critical infrastructure.
One of those recommendations was an amendment requiring the relevant minister to provide to the subject entity notice of an adverse security assessment made under the bill as well as the right to seek merits review of such an assessment. Another one of those recommendations was that within the three-month transition period the Department of Home Affairs develop and make available guidelines for entities subject to the bill that enable an entity to determine whether it is a reporting entity, and provide the entity with an understanding of the specific information it is required to report.
Both those recommendations that were passed as amendments are vital in ensuring that the cooperation between private industry and government in the protection of critical infrastructure continues and continues in ways that provide a robust regime for the protection of critical assets that are defined specifically within the bill to cover water, electricity, gas and ports. There are a range of threats to those particular assets, including terrorism and cyberattacks. And we must not forget insider threats, which are threats or attacks carried out by people within an organisation.
I refer to a paper—it's a fairly old paper but still a very relevant one—by the University of Pennsylvania. I recall several years ago being at a conference that brought together academics and practitioners in security. We discussed, at length, cooperation between the private sector and the government in the protection of critical infrastructure—particularly in this contemporary environment where you have the fragmentation of ownership of critical infrastructure assets—and where the responsibility lies, and how the communication between the private sector and the government enhances target hardening and enhances the protection of critical infrastructure.
This paper makes some pretty interesting points and really emphasises the importance of having a very robust framework for private-public coordination in protecting critical infrastructure. In one point, it says:
For many large technological network systems, the challenge of ensuring reliable operations has increased because operations both within and among firms have become increasingly interdependent. Elements of infrastructures in particular have become so interdependent that the destabilization of one is likely to have severe consequences for others.
This points, of course, to the interrelationship between different forms of critical infrastructure, or different assets within critical infrastructure, and the need to protect them all in a way that coordinates communication between the private sector and the government as well as intercommunication in the private sector.
Another point made in this paper is that strategies to protect critical infrastructure are not viable unless they are politically and economically sustainable. That's why I believe this bill creates that political environment, that political sustainability, for this ongoing critical relationship between the government and the private sector in the protection of critical infrastructure.
I also note that the National guidelines for protecting critical infrastructure from terrorism, which were published by the Commonwealth government in 2015, have an attachment that outlines the responsibilities of owners and operators of critical infrastructure and the Australian government in the protection of critical infrastructure. They note that the Australian government has a responsibility to identify national critical infrastructure and develop and maintain a database of national critical infrastructure, which is one of the things that this bill will do, to work closely with state and territory governments and owners/operators to identify critical infrastructure that if disrupted or destroyed could have significant multijurisdictional or national impacts, and to liaise with overseas governments on critical infrastructure protection issues and promote critical infrastructure research as a priority. It states:
Governments expect that owners/operators should:
So at a very practical level the bill will allow for a formalised framework in order to do that.
Finally, I refer to a report from the Counter-Terrorism Committee Executive Directorate of the United Nations Security Council, published in March last year. It's one of their trends reports. I'd recommend this to anyone who's interested in critical infrastructure, which can often be bit of a dry subject, let's admit it, but it can also be very fascinating as well if you're into that kind of thing. This report makes some very pertinent points, particularly around prevention and preparedness for critical infrastructure. It says:
In order to ensure better preparedness and response, an international network of "PCI focal points" can be appointed by Member States and relevant international, regional and subregional organizations. Policy guidance containing operational aspects, including early-warning systems and information-sharing, could also be developed.
I think this bill puts Australia well on its way to being able to cooperate not just nationally, between private sector and the government, but also internationally on an international network of physical critical infrastructure. What's interesting in this report as well is that the CTED, or Counter-Terrorism Executive Directorate, of the United Nations Security Council also recommends that:
Some States undertake stocktaking exercises to:
1. Determine existing means and capabilities.
2. Centrally compile and store this information.
3. Compare existing capabilities against identified requirements.
4. Outcome of comparison = areas for improvement.
These issues of critical infrastructure protection have been on the radar of international security professionals for several years now, as evidenced in some of the quotations I have taken from these reports. And it's heartening to see that, through bilateral cooperation with Labor through the Parliamentary Joint Committee on Intelligence and Security, we've come up with amendments to this bill to undertake and implement the recommendations made by the PJCIS. It will ensure that this bill is actually quite comprehensive in how it delivers, at a practical level, commitments to ensure continued cooperation between government and the private sector to ensure that our critical infrastructure is effectively protected and targets that would be attractive to those who wish to do us harm are effectively hardened. I would like to see that, three years down the track or a couple of years down the track, once this bill is implemented, the results of this bill and of the amendments made in implementing the recommendations made by the PJCIS help us to improve the regime that we currently have in the protection of our critical infrastructure assets here in Australia.
So I do commend this bill to the House, and Labor does very much support this bill. I would also like to commend the PJCIS and the way in which that committee worked in a bipartisan manner to come up with recommendations that would enhance the bill and ensure that the bill delivers and develops that robustness to the regime, particularly in this contemporary environment, where we are seeing and will continue to see a fragmentation of ownership of critical infrastructure. As a precautionary measure, there can be, in my mind, no more important move to make, as we go forward with further fragmentation of ownership of our critical infrastructure, than to ensure that we have the capabilities and the framework in place to ensure that our critical infrastructure continues to be protected and that we are prepared for any risks to our critical infrastructure.
6:46 pm
Andrew Hastie (Canning, Liberal Party) Share this | Link to this | Hansard source
I'm very glad to rise and speak on the Security of Critical Infrastructure Bill 2018. As Chair of the Parliamentary Joint Committee on Intelligence and Security, I worked very closely with my coalition colleagues and also the opposition to improve this bill. There was unanimous bipartisan support for it and I think it's an excellent bill, and the Australian people can be confident that it has the full support of this parliament.
The bill introduces new measures to protect Australia's critical infrastructure from threats of sabotage, espionage and coercion. It goes without saying that the security of critical infrastructure is essential to the effective functioning of Australian society. The government must be able to provide continuous access to essential services for everyday life in Australia, such as access to water, energy, power, communications and the like. Of course, we include ports as critical infrastructure because we do import a lot of things, particularly fuel. Almost all our fuel is entirely imported from overseas. This bill fulfils the two key tasks of the federal government, as I see it: national and economic security. The bill establishes two key measures: a register of critical infrastructure assets and a ministerial directions power. The register will enhance Australia's capability to understand exactly who owns, who controls and who has access to our critical infrastructure, and the directions power will enable a minister to issue a direction where existing mechanisms and cooperation cannot be used to mitigate national security risks. I think that's very, very important because, ultimately, the government's responsibility is to the Australian people and ensuring their interests are secured.
Before I move on, I want to frame this bill in the larger strategic context. A lot of Australians see the last 15 or so years as having been defined by 9/11. That looms large in the public mind. It certainly does for me. However, I think more pertinent now to Australia's situation are the events of 1 April 2001, and let me tell you why. It was the day of Hainan Island incident, where a United States Navy EP-3E Aries signals intelligence aircraft collided in mid-air with a People's Liberation Army Navy fighter jet. It sparked an international dispute between the United States and the People's Republic of China and was an early test for President George W Bush, only 10 weeks into his first term.
I needn't go over the details of that, but it was a significant incident. The US crew were forced to land on Hainan Island and were detained for about 10 days before being released back to the US. It's important, because I think it signified China's rise as a strategic competitor to the United States in the Asia-Pacific region. That rise has been happening for a lot longer than public discussion might suggest. Only in the last two years have we really started talking about China, its economic importance to Australia and, more importantly, some of the national security implications we're now dealing with. Hainan Island sits in the South China Sea, the maritime zone whose political reality China has changed through the building and militarising of artificial islands. That's the important strategic context.
China is also setting about expanding its economic interest through the 'One Belt, One Road' initiative. That involves the acquisition of infrastructure in other countries. Very recently a port in Sri Lanka went into Chinese hands. There was a lot of public unrest or anxiety about the 99-year lease of the port of Darwin a few years ago. Considered in that strategic framework, this bill is very important, which is why I support it. I share the unease at the idea that foreign states would have almost exclusive control and ownership of critical infrastructure like ports, considering our fuel security situation. We're almost entirely reliant upon the importation of liquid fuel, both crude and refined.
This bill mitigates the risk of foreign ownership. Australia has always been a net recipient of foreign investment. Our wool industry kicked off with foreign investment. Our resources sector has grown through foreign investment. In Canning we have a lot of foreign investment. I have two Alcoa refineries and an Alcoa mine. I have Newmont goldmine, Australia's largest. There's nothing wrong with that, but the key point is that where there is foreign investment in our critical infrastructure that provides essential services, the government should be in a position to mitigate that. We are in the middle of a discussion about foreign interference, espionage and sabotage. As a bit of backdrop to what we're discussing, I have here the Hansard evidence ASIO's Director-General of Security, Mr Duncan Lewis, gave to the PJCIS in Melbourne, 10 or so days ago:
Hostile foreign spies are currently conducting harmful activity against Australia on an unprecedented scale … Put simply, there are more foreign spies today, and they have more ways of attacking us … Our open democracy and the features of globalisation involve hitherto unimagined movement of money, movement of people, movement of information—which I hasten to say enrich our country and our society but nevertheless provide an unprecedented array of vectors that foreign spies can and do use to attack us. The most obvious example of this is the widespread use of the cyber vector to conduct espionage and interference.
As we grow in our technological sophistication, particularly with critical assets, we become increasingly vulnerable to cyberattack. He went on to say:
Cyber is a vector that simply did not exist during the previous high point of intelligence activity against Australia, the Cold War. The point here is that we are in a new and unexplored cyberthreat environment. Similarly, cheap and easy international travel, globalised communication technologies, and the global trade and finance systems that we take for granted in our modern society have also opened the door for hostile foreign spies, and they are, necessarily, ruthlessly exploiting these vectors to covertly harm our Australian interests.
This bill is part of a larger suite. There is still legislation before the committee, and it would be improper to discuss that, but this bill came out of the committee with unanimous bipartisan support. It's designed to protect our national interest and critical infrastructure.
Before I close I want to talk a bit more about the need to protect our economic security. It's just as important as our national security. Of course, in the foreign interference and espionage legislation there is a new offence that targets theft of trade secrets, and I think that will very nicely complement what we have here in this Security of Critical Infrastructure Bill. The point that the director-general of ASIO made is that we're increasingly vulnerable to cyberattacks and a lot of our critical infrastructure assets have increased cyberconnectivity and a reliance on global supply chains, with many services now offshore. So the bill does protect assets in the electricity, water, port and gas sectors. Importantly, it does not apply to the telecommunications sector, which is covered by other legislation that passed last year—another piece of legislation that received strong bipartisan support.
Before I close I do want to talk a bit about the fuel security recommendation that we made as a committee. I have mentioned already we're almost entirely reliant upon the importation of liquid fuel, both crude and refined, and so as a committee we are concerned when we see our fuel stocks. They sit at about 47 days as of November 2017. When you think about the US, they have something like 330. Greece has about 130 days. New Zealand has 90. The UK is somewhere in the vicinity of 200 days. When you consider us and benchmark us against other Western democracies, we are well behind the pack. And so one of the recommendations to come out of our review into this bill was that the Department of Home Affairs in consultation with the Department of the Environment and Energy and the Department of Defence look at our fuel supply chain and mitigate the national security risks that are present. I think it's important to note that most of the threats to our liquid fuel security come from foreign governments and, therefore, securing it requires a government response. We can't just rely upon the market. I think that is foolish thinking to say the least.
In any case, to sum up: this is a good bill. It addresses many of the concerns that the Australian people have raised through their MPs and senators over the last few years, particularly as we've had public discussions around the sale of the port of Darwin, for example, and so I commend this to the House. Thank you very much.
6:57 pm
Mike Kelly (Eden-Monaro, Australian Labor Party, Shadow Assistant Minister for Defence Industry and Support) Share this | Link to this | Hansard source
It's a great privilege to be able to speak on behalf of the Security of Critical Infrastructure Bill 2018 and the Parliamentary Joint Committee on Intelligence and Security. I'd particularly like to acknowledge the leadership of that committee by the chair, who has been doing an excellent job on that committee. But I have reflected before that this is a committee that I think embodies and exemplifies the best of bipartisanship in this building. It's made up of people with tremendously relevant experience from three of us who are all ex-Army. There's the Green faction and there's an ex-Attorney-General and an ex-policeman, and we've got a current shadow foreign affairs minister who is also in Finance and brings the dollars and cents side to the table. Senator Bushby makes great contributions. It's been a very positive experience for me in a building that's often portrayed as being one of great contest and partisanship. So this bill is a representation of that process working well—a process that's been underway for a few years to address our critical infrastructure needs and, as the member for Canning has spoken about, the threat that we face in terms of the heightened and industrial-scale cyberattacks in particular that we're seeing developed by governments such as that of Vladimir Putin, who has become quite a significant threat to the world at the present time.
The latest incident involving the nerve agent attack on a former Russian citizen on the soil of the United Kingdom illustrates the depths to which they will go. Of course, there are the revelations about the influence in the US election and the French election attempts there as well. This is a real and present threat not only to the sorts of cyberattacks we've had in terms of industrial espionage in the past—where we've had regular and daily attacks in that respect—but now we're seeing this evolve into the potential of a state, like Vladimir Putin's, adopting the Sun Tzu principle that the acme of success is to win without fighting; bring down all of your adversary's infrastructure without even having to fire a shot in some cases.
So we do have to have robust systems of protection. This legislation is a good start, of course, but it is legislation. We will need to follow through with a lot of practical measures to ensure that we can secure our infrastructure. I do applaud the government's establishment of the regional cybersecurity centres. I think that's going to be important for outreach to business. They're going to be a back door and a vulnerability as we go through this if we can't ensure that we're all secure in our networks. That is going to be absolutely critical.
The assets that this legislation deals with has been enumerated by previous speakers. It is now running parallel with a process that was put in place earlier in relation to the telecommunications sector security reforms, which began in September last year. One thing we reflected on in the committee was that we do have these parallel infrastructure aspects. And as we move through and review how this system is working we'll need to determine whether or not there is not a benefit perhaps, in a unilateral approach, rather than this bifurcated approach. There are differences in the types of infrastructure we're talking about. However, the experiences of both will definitely be very relevant. And there is an issue associated with the telecommunications aspect, which is that a lot of it will depend on the industry self-regulating, or self-providing, for the security measures that we know we need and that they have talked about.
The progress from this legislation is great, and it has reflected things that have been revealed as failures of the FIRB process—the Foreign Investment Review Board. There have been specific incidents that have given great cause for concern, not just internally but amongst our allies, like the United States. The port of Darwin has been a salient issue, and it did reveal some of those concerns. Also, the sale of Ausgrid in New South Wales highlighted the deficiencies in that FIRB process and the need for this measure to fill that gap.
What was most concerning about that was that the purchase of Ausgrid, potentially by a Chinese investor, was not done in consultation with Defence. Defence found out about this through media reports. What we had was a situation where critical Defence infrastructure would have been subject to this transaction. It's essential for Defence to be involved in that process. Hopefully, we will address that through this legislation in the future.
Another example was Global Switch, where we had the situation of potential Chinese investors acquiring a data centre complex which hosted a lot of very sensitive material—and not just our sensitive material. That also will be something to monitor closely in terms of the effectiveness of this legislation.
The member for Canning referred to another issue that is critical. It was subject to quite a bit of discussion within the committee, and there was interest in perhaps being a bit more robust in our recommendations about it but we tempered them. It comes back to this issue of energy security, particularly in relation to our transport fuels. I know the member for Wakefield has also commented on this in the past. We have this situation where, as the member highlighted, we have this strategic vulnerability created by the fact that our strategic resources of oil and transport fuels come across our sea lanes. There is some disaggregation of the sources of supply of the crude oil; however, we know that the sources of crude oil are concentrating more and more in the Middle East as dwindling oil resources in the world create that dynamic.
We know the vulnerabilities of political circumstances and conflict in the Middle East. We've seen oil used as a political weapon in the past by bad faith actors in the Middle East in relation to the crisis in 1973 and, again, in 1979, or simply by wars. That is a concern. Also, I know from my time in Strategy Group in Defence, monitoring influences from the Middle East in our region, that the petrodollar investment in radical madrasahs and in funding terrorist movements was of great concern to me. One of the things we need to do to ensure that our own security, our strategy vulnerability, is minimised in the future is to be more aggressive in pursuing alternative fuels for our country. The Pentagon is driving very hard in this direction, creating the Great Green Fleet in their ambition to move to biodiesel and other biofuels. We have really been left behind in a lot of this and we need to take this issue more seriously and be more urgent about it. It also conflates with our battles against the health effects of these fuels and the climate change issue.
We know that emissions in this country from vehicles are around 17 per cent of carbon emissions. On some reports, the toxicity of these emissions kills about 3,000 Australians a year. Overseas, we've seen that being amplified even more by greater population concentrations. In Scotland they've set themselves the goal of getting off oil fuels by 2032, and they'll ban diesel and petrol cars. Sweden set up an independent commission for the establishment of their independence from oil by 2025 and are well down that track, noting, in their circumstances, that they were concerned about their strategic vulnerability to Russia. The UK have now set themselves a goal of getting off petrol and diesel by 2040, noting, in their own analysis, that those fuels kill about 40,000 British citizens per annum; that's the estimate in the UK. France have set the same goal, 2040. Norway have set it at 2025; the Netherlands, 2030; Germany, 2030; and India, 2030. In India, it's interesting that the estimate of deaths per annum caused by these toxic fumes is 1.2 million. In China, where similarly they're now moving down this road to ban petrol and diesel, the deaths are estimated at 1.6 million per annum. Across Europe the estimation is 70,000 per year. From a simple health perspective and the estimated cost to the systems here in Australia, that could be upwards of a few billion dollars, maybe as much as $6 billion. So it's in our economic and health interests to get off fossil fuel as quickly as possible.
There are alternatives out there. When I was Minister for Defence Materiel I took some Defence logisticians with me to visit a site down at Nowra, a company called Algae.Tec. They had developed a technology that I had first seen in Israel, where they were strapping a facility to the Ashkelon coal-fired power station. It was a pond based system where they were, effectively, sucking in the carbon emissions from the coal-fired power station and rapidly growing this algae—which really is hungry for carbon—and turning it into a biodiesel fuel, which is a straight drop in fuel. There is no blending or conversion required.
The problem with the pond system was that it required a great space. It was hungry for space. But the beauty of what Algae.Tec in Nowra were doing was that they had taken that technology and refined it and turned it into a containerised process. This could eliminate 100 per cent of the emissions from the Bayswater power station with, approximately, a 10-hectare site facility and produce millions of litres of this biodiesel fuel. You can imagine what this could do for regional Australia's economy, for our energy security, for plugging into existing distribution systems and for ensuring our complete independence in relation to biodiesel fuels.
Obviously, we need a mix of technologies to achieve the goal of getting off this stuff, and I've been excited about the reporting of proton developments, in terms of battery storage, which will take lithium storage to a whole new level and eliminate the need for lithium batteries. These proton batteries will be incredibly efficient. They will be revolutionary applied to storage for housing and the motor vehicle space. There's a lot going on in that space. The world is getting more aggressive and determined to achieve an outcome that will ensure we have dealt with the range of issues I referred to.
From a national security point of view, I would urge the government—I would urge the Department of Home Affairs, who were a little bit dismissive of this in their response to the evidence in the committee process—that this is an urgent matter for our nation: for our security, for regional security, for undermining terrorism financing and in terms of our strategy vulnerability. I would urge perhaps replicating what the Swedes have done, and setting up a commission to establish our independence from oil as soon as possible, and setting a target date for that.
When we're talking about vulnerabilities of energy systems, there's no question in my mind that the privatisation process that a lot of people were concerned about has created vulnerabilities as well. I have mentioned the circumstances of the Ausgrid privatisation process and potential sale. It's worth noting that we've heard a lot of talk about Snowy 2.0, which I fully support and which will move us towards energy security and be a vital asset. It's worth noting that when Ben Chifley launched the Snowy Hydro Scheme, he did so under the defence power. Energy security in this nation is vital going forward.
What we're seeing revealed is that the privatisation process has created great vulnerabilities in terms of the effective maintenance of the system and in terms of its security. Unfortunately, this seems to have played out also in major bushfires in this nation, like the fires in Victoria in 2009 and the fires in the Blue Mountains in 2013. Now it appears that the fire we've just experienced down at Tathra was caused by power line failure; the situation down there seems to be pointing clearly in that direction, and that was the RFS preliminary assessment. We need to drill down on that incident because there are concerns and issues that have been raised in relation to this latest incident about the question of maintenance of those power lines. We had a regime previously where we talked about asset maintenance, and now we hear language of asset management. In this pure profit-driven approach to it, we're seeing situations of a lot of this infrastructure being left to go to its last legs before something is done about addressing that and maintaining the system to the standards it needs.
So I would urge the regulatory regimes that are being placed in the privatisation process which has occurred to ensure that we are maintaining these power lines and this infrastructure at the levels at which they must be maintained, and doing more, hopefully through this process of the critical infrastructure bill, to assess the need to provide systems integrity as well in terms of vulnerability to future cyberattack.
I salute the work of the committee on this process for the critical infrastructure bill. We have a lot more work in front of us and a lot more challenges in front of us. Life in this space is all about measures and countermeasures, so we have to continually revise and review what we're doing and how things operate together, and to work together in a bipartisan way for the benefit of our nation.
7:12 pm
Gai Brodtmann (Canberra, Australian Labor Party, Shadow Assistant Minister for Cyber Security and Defence) Share this | Link to this | Hansard source
I echo the comments made by my colleague and friend the member for Eden-Monaro with regard to the fact that we need to be ever-vigilant in this space. The technology is changing rapidly, and the threats at the non-state actor and the state actor level are changing rapidly. So we need to be constantly looking at legislation and regulation to ensure it's responding to the threat environment and the attack environment as quick as possible. That is challenging, because the development of legislation and regulation can quite often operate at a very glacial pace—not exactly a speedy pace. That's why we do need to be ever-vigilant. We need to be constantly assessing the environment, constantly looking at what the threats are, constantly looking at anticipating possible attacks. We need to see this bill as the first step in a very long journey to ensure that we continue to protect our national security and the prosperity of our nation.
As we know, the facilities that are called critical infrastructure addressed in the Security of Critical Infrastructure Bill 2018 are the facilities, supply chains, systems and networks that keep our country operating and which are amongst our most precious assets. Referred to as our critical infrastructure, these are those physical assets, supply chains, information technologies and communication networks which if destroyed, degraded or rendered unavailable for an extended period would significantly impact the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security. What this definition means in real terms is that these facilities and services are what keep our hospitals operating, our homes heated and our stores stocked. They're facilities that keep the lights on, our water running and clean and safe, and our economy operating. The disruption of this infrastructure—of these facilities, supply chains and technologies—either from physical or cyber-related threats can have a serious impact on our national security and our economic stability. As such, government must ensure that these assets are well protected from threats of foreign espionage, sabotage and coercion in an ever-evolving threat environment.
Currently, over 80 per cent of Australia's critical infrastructure is privately owned, and therein lies a challenge: how do you get the balance right ensuring that we have economic prosperity and national security while also acknowledging the fact these are private outfits with their own imperatives? Ensuring we have the adequate oversight of the risk exposure of these assets is vital in assessing and protecting them from interference, but the challenge is ensuring that we get the oversight and the balance right, especially given the fact that 80 per cent of these are private outfits.
The committee, as we've heard, made nine recommendations in its review of this bill, and this committee, as has been acknowledged by everyone who has spoken this evening, is very bipartisan. There is largely a common sense of mission, so I'm pleased the government has indicated support for these nine recommendations.
Protecting our nation's critical infrastructure is an important national security responsibility that requires the cooperation of many arms of government and the private sector, and that's why Labor supports this bill. The Critical Infrastructure Centre, which was established in January 2017, is intended to provide a central or culminating point for cooperation. It's tasked with collaborating with asset owners, operators, and state and territory regulators to identify risks, to implement mitigation strategies and to develop sector-wide best practice guidelines. It's a big task because that centre is quite a small outfit. I went to a conference recently where one of the senior managers of the centre said one of their biggest challenges is resources. I put that out there for the government. I've made this point on many panels before and at other conferences that this is a big job for the centre. I understand it's been absorbed into Home Affairs now, so it will be interesting to see where it finds its place there and also to find out whether it will be appropriately resourced because it's a big job. Liaising with the private sector, government, regulators—state, territory and local—is a big job.
The bill proposes the creation of a private register of critical infrastructure assets, and extends ministerial powers to give direction to individual reporting entities or operators of a critical infrastructure asset to do, or refrain from doing, a specified act or thing within a certain time frame. Such a power may be used if the minister is satisfied that there is a risk that is prejudicial to security that cannot otherwise be mitigated. Both the creation of the asset register and the extension of ministerial powers are good first steps. But as I said, and as the member for Eden-Monaro has mentioned, they are first steps. This is a journey; this is an iterative process. This bill is welcome but it is just one marker in that process. We do need to be open-minded, flexible and responsive in this environment.
There is still a need for baseline assurances that networks and systems running our critical infrastructure are adequately protected. The fact that the bill does not specifically include cyber and digital systems is, from my perspective as the shadow assistant minister for cybersecurity, disappointing. But I'm acknowledging the fact that we are taking those first steps and this is an iterative process. I will be looking to the government and to this committee to look in future at how we can include cybersecurity in more detail.
The Australian Cyber Security Centre's 2017 threat report noted that CERT Australia responded to 734 incidents affecting private sector systems of national critical infrastructure within the 2016-17 financial year. This equates to a significant cyberincident occurring on these networks more than twice a day. According to the Australian Security Intelligence Organisation 2017 annual report, Australia continues to be a target of espionage through cyber means. The cyberthreat is persistent, sophisticated and not limited by geography. The report also notes that the clandestine acquisition of intellectual property, science and technology, and commercially sensitive information is increasing. This highlights the need for a greater focus on the security of the cybersystems underpinning our critical infrastructure.
Given that cyberattacks are being perpetrated against our critical infrastructure systems on a daily basis, timely action needs to be taken. Unfortunately, this bill doesn't discuss this in much detail. It doesn't go into detail about the threats that critical infrastructure operators are struggling to repel. The explanatory documents do provide an example in which the minister could issue a direction to a company, compelling them to reduce their vulnerability by implementing extra cybersecurity protocols, but it doesn't provide further clarity to the private sector on how to protect their systems appropriately and comprehensively.
If we are to effectively safeguard our critical infrastructure, we need to think about more than the issue of who owns what, and the issue of physical assets such as ports, poles and wires. It's vitally important that we start thinking beyond just the physical. This is the first step; I appreciate that, but we do need to sit up straight and get onto this quick smart. We need to think beyond just critical infrastructure and the protection of it from a physical perspective; we also need to start thinking about it from a cybersecurity perspective. As more and more essential systems are managed electronically, interdependence between physical systems and cybernetworks needs to be clearly understood to ensure that services continue to be provided and that our people and interests continue to be protected. This isn't adequately explained in the bill.
Another element that is not adequately explained is why the bill only applies to four out of eight currently identified critical infrastructure sectors. US CERT released a report in October 2017 which stated:
Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims' networks.
It's disappointing that this bill does not include all identified critical infrastructure sectors which are clearly at threat. I made submissions on this point to a number of inquiries, stating this issue, because our transport, telecommunications, banking networks, healthcare providers and subcontractor entities associated with critical infrastructure are all subject to the same risks of espionage, sabotage and coercion that are outlined here.
This bill identifies electricity, water and ports as the highest-risk sectors, yet there are other equally important sectors being overlooked. Eight critical infrastructure sectors are identified in the Critical Infrastructure Resilience Strategy. These are banking and finance, communication, energy, food and grocery, health, transport, water services and Commonwealth government. The Trusted Information Sharing Network, the primary national mechanism for business-to-government information sharing and resilience-building initiatives on critical infrastructure, states that each of these critical infrastructure sectors are, 'vital to Australia's social cohesion, economic prosperity and public safety'.
If each of these sectors are vital to Australia's social cohesion, economic prosperity and public safety, why aren't all of them included in the bill? Each of these identified critical infrastructure sectors have experienced some form of cyberthreat in the past 12 months. We've only got the four here. Compared with our international partners, eight is a conservative figure. The US critical infrastructure security and resilience strategy identifies 16 sectors. The UK identifies 13 sectors. Canada has 10 and Singapore 11. The sectors recognised by these nations but not currently recognised here in Australia include emergency services, information technology infrastructure, chemicals, manufacturing and electoral systems—and that's a whole different speech on electoral systems, particularly after what with we have seen in the US and what we have seen in France. Why aren't electoral systems in Australia treated as critical infrastructure? This is a big question.
To improve the security of our critical infrastructure, there needs to be a very careful evaluation of what sectors fall within our definition of 'critical infrastructure'. The bill also doesn't appear to consider supply chain security. Subcontractors and vulnerabilities in supply chain networks pose a significant threat to all forms of critical infrastructure. Last year, the then Minister Assisting the Prime Minister for Cyber Security made the announcement that a small defence contractor's network was compromised in 2016. An unknown hacker was able to steal 30 gigabytes of sensitive defence data, including information on major, multibillion-dollar defence projects. Data relating to the JSF, P-8 surveillance craft project, C-130 transport planes and several current naval vessels were all compromised.
The revelation highlights the risk that a vulnerable supply chain can have when it comes to protecting our national critical systems. Subcontractors are low-hanging fruit when it comes to foreign influence and interference and are often seen as the easy 'in' to protected networks and systems. One weak link is all it takes to expose sensitive information and introduce attack vectors into larger systems.
Our US ally recognised the supply chain threat long ago and has already taken steps to rectify it. In May 2017, an executive order was passed requiring all US government agencies to comply with a national cybersecurity standards framework. This includes cybersecurity risks facing the defence industrial base, including its supply chain.
As the member for Eden-Monaro has said, this bill is the first step in many ways. I commend the bill to the House but do make a number of recommendations for improvements in the future.
7:28 pm
Alex Hawke (Mitchell, Liberal Party, Assistant Minister for Home Affairs) Share this | Link to this | Hansard source
I thank the House and I thank all members for their contributions. In particular I say to the opposition member for Canberra: thank you for your contributions. Many good points have been made in this debate, and the government is aware of the need to continue this process of working together in the House to ensure that we do take these matters most seriously and cooperate with and take advantage of the experience of members in this House in so many of the important fields of national security to ensure we have world-leading legislation and world's best practice in our security laws.
Critical infrastructure is integral to the prosperity of our nation, and we know that security and resilient infrastructure underpins the functioning of Australian society. It ensures that we have continuous access to essential services for everyday life—food, water, energy, communications—and the Security of Critical Infrastructure Bill 2018 supports Australian government efforts to safeguard Australia's critical infrastructure. It will supplement existing federal, state and territory regulations and ensure the government has the necessary powers to protect Australia from the national security risks of sabotage, espionage and coercion stemming from malicious foreign involvement in our critical infrastructure.
The bill reflects consultation with states and territories and with industry stakeholders. Importantly, it also incorporates all nine recommendations made by the Parliamentary Joint Committee on Intelligence and Security.
I wish to thank the committee for its comprehensive review of the bills. I'm pleased to say the government has accepted all of the nine recommendations. The bill currently before the House incorporates the amendments to the bill that were necessary to give effect to all of the committee's recommendations. In particular, I want to thank the chair, the member for Canning, again, and the member for Holt, who is here as well, for their excellent cooperation in driving this committee process, but I thank all of the members who made their contribution today—government members, opposition members; the member for Isaacs, the member for Eden-Monaro—all of the people who've made a contribution. It is vital that we work together on this matter and it's vital that we do recognise that this is a journey that we're on. We will continue to put forward good quality legislation and have the committee drive improvements to Australia's laws.
The Security of Critical Infrastructure Bill aligns with the government's intention to continue to cooperate and collaborate with all levels of government in Australia and regulators, owners and operators of critical infrastructure. It will strike that appropriate regulatory balance by acknowledging shared responsibility for managing national security risks while empowering the Commonwealth to intervene to mitigate a risk where existing regimes cannot be used. The bill will of course allow the government to take the steps necessary to strengthen the security and resilience of our critical infrastructure. I commend the bill to the House.
Question agreed to.
Bill read a second time.