House debates

Wednesday, 20 October 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2020; Second Reading

10:59 am

Brendan O'Connor (Gorton, Australian Labor Party, Shadow Minister for Foreign Affairs (House)):

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 responds to the threat of cyber-enabled attacks and other risks to Australia's critical infrastructure. Labor is committed to the safety and security of all Australians, and urgent cybersecurity reforms are definitely required to address the ever-increasing number of cyberattacks Australians face. The pervasive threat of a cyber-enabled attack and the manipulation of critical infrastructure is serious, is considerable in scope and impact and is increasing at an unprecedented rate. Ransomware and other cyberattacks are a multibillion-dollar cost to the nation annually, threatening jobs and investment when we can least afford it. A cyberattack is reported in Australia every eight minutes, which is a 13 per cent increase on pre-pandemic levels.

The COVID-19 pandemic has fast-tracked the movement of our lives online, where we now heavily rely upon digital systems to navigate life and business like never before. Many of Australia's most significant social and economic opportunities, as well as geostrategic and security challenges, are currently unfolding through the prism of cyber and critical technologies. This not only increases our reliance on cyber systems but also increases the risk should those systems become inoperable. It is for that reason that Labor will support this bill, which is a step forward in the protection of critical infrastructure and essential services that all Australians rely upon.

Critical infrastructure is increasingly interconnected and interdependent, making our lives easier and providing economic benefit. However, connectivity without proper safeguards creates vulnerabilities. These vulnerabilities, if exploited through cyberattacks, can result in cascading consequences across our economy, security and sovereignty. The interconnected nature of our critical infrastructure means that an attack on one essential function can have a domino effect that degrades or disrupts others. Critical infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation's wealth and prosperity and, indeed, our national security.

This bill proposes enhanced cybersecurity obligations for those assets that are most important to this country. It introduces additional reporting requirements for cyber incidents that affect critical infrastructure assets. It also provides a definition of 'significant impact', and that is a cybersecurity incident that will have a significant impact if the incident has materially disrupted the availability of essential goods or services provided by using the asset. It also offers government assistance to relevant entities in response to significant cyberattacks that impact Australia's critical infrastructure assets.

While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune. Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years we have seen cyberattacks on Australian food suppliers, on Australian hospitals, on our universities, on media outlets and even on this parliament's own network, just to mention a few. Internationally, cyberattacks have disrupted critical sectors. In the United States, for example, we have seen significant disruption to water and fuel supplies caused by cyberattacks. In this threat environment it is critical—it is crucial—that Australia's technical authority, the Australian Signals Directorate, is empowered to assist entities in responding to significant cybersecurity incidents to secure infrastructure assets. That is what this bill proposes to do.

These are last-resort powers, and affected entities will undoubtedly retain their reservations. In supporting this legislation, Labor is relying upon the intention stated in the bill and as given by the department and indeed by agency heads—that these powers will only be used as a last resort. With that in mind, it is very important to emphasise that the Parliamentary Joint Committee on Intelligence and Security will be notified and briefed each and every time the government enacts this power and will conduct a full review of the legislation when additional critical infrastructure reforms are introduced by government. In evidence provided to the committee, witnesses overwhelmingly indicated their willingness to co-operate with the Australian Signals Directorate. It is always the case that, where a parliament seeks to increase the power of executive government, parliamentary oversight is also increased in order to ensure sufficient transparency and accountability by the executive government. To that extent, we are very much supportive of those safeguards. In this threat environment it is critical, I think, that we have that caveat on the use of these powers, and that's what is intended by this bill.

Government assistance powers would only be needed in the event that an affected entity is unwilling or unable to respond appropriately, thus these measures should only be needed sparingly, if ever. In the instance that there is a disagreement between an entity and the Australian Signals Directorate on the best course of action, this bill incorporates the committee's recommendation to include safeguards that require the minister to consider multiple impacts and current responses. These are the checks and balances required at any stage when a parliament is seeking to increase executive powers, albeit for the common good and in the national interest. They ensure there's a balance with respect to decisions made by ministers or by executive government more generally.

I'd also note that the bipartisan committee also called on the Morrison government to review the processes for classified briefings for the opposition during caretaker periods, in response to serious cyberincidents, and to consider best-practice principles for any public announcement about those incidents, especially during election campaigns. We would expect, as would be the Westminster tradition and convention, that in the case of an election the opposition would be involved in such matters and that the matter itself would be dealt with, in the caretaker tradition, by the Public Service and the department heads. We've made that very clear.

While this proposed legislation is a positive move, we have to note that the government has so far fallen behind in taking meaningful action to prevent cyberattacks on Australian organisations. In fact, one of the Prime Minister's first actions upon coming to office was to abolish the dedicated cybersecurity minister, and it has been at the bottom of the government's to-do list ever since. The Australian Cyber Security Centre's second annual cyberthreat report, released last month, reaffirms the fact that ransomware remains the most serious cyberthreat facing Australian businesses. It also reveals a 15 per cent increase in reported attacks since last financial year, with more than one ransomware attack reported every day, on average. That's a remarkable number of incidents that are occurring currently.

In February we called upon the government to develop a national ransomware strategy to reduce the volume of these attacks and co-ordinate government action across policy, regulation, law enforcement, diplomatic and defence capabilities. More recently, Labor introduced the Ransomware Payments Bill 2021 into the House of Representatives and the Senate. The government last week—finally—heeded Labor's call for a national ransomware strategy to combat this billion dollar scourge.

With only a few parliamentary sitting weeks left in the year—and, indeed, possibly this parliamentary term—and more consultation on this proposed ransomware reporting scheme to be done, this looks like yet another announcement with no delivery from the Morrison-Joyce government. We're at the back end of this parliamentary term, this threat has been real and growing for days, weeks, months and years, and we are only now seeing the government seriously attending to this matter after the efforts of the opposition to make it very clear that the need was great and urgent. The government has conceded that more work needs to be done in communicating, consulting and responding to concerns regarding its proposed positive security obligations for critical infrastructure sectors. These important initiatives need to be done properly. These are important initiatives, and they do need to be done well and diligently.

While Labor supports this important bill, I can't overstate the need for more attention to be focused on reducing cyberattacks and protecting the critical infrastructure and essential services that all Australians rely upon.

11:11 am

Vince Connelly (Stirling, Liberal Party):

It's a pleasure to rise to speak today on the Security Legislation Amendment (Critical Infrastructure) Bill 2020. I'm particularly pleased because I have some degree of experience, which I'll talk about shortly, in relation to the protection of critical infrastructure. I'm also greatly in favour of the concept of looking at what is most important and looking at ways to enhance protections around those critical pieces of infrastructure. Indeed, in the military, where I had my first career, when we plan operations, we look at our own forces and those of opposing forces and we look for critical capabilities. Then we look at what some of the critical vulnerabilities that sit below and enable those capabilities are. In the case of an enemy force, we look at how to target some of those vulnerabilities to, if you like, bring the house crumbling down. Equally, in our own interests, we look for our capabilities, what vulnerabilities we have and how we can provide protection against those vulnerabilities. So it's wonderful to see that the Morrison government is taking a similar, mature, methodical planning approach when looking at our national critical infrastructure. Indeed, this is the course that we must and will continue to take.

In the last parliament, we passed the Security of Critical Infrastructure Act 2018 to identify and manage national security risks of espionage, sabotage and coercion resulting from foreign involvement in Australia's critical infrastructure. The reforms in this bill will apply to a range of owners and operators of critical infrastructure. It's worth taking a moment to classify what we mean by critical infrastructure. There are 11 different categories. As I name each category, I feel certain that listeners will absolutely identify with why it is that each of these categories has been defined as 'critical'. The categories are: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage. Since we passed the Security of Critical Infrastructure Act 2018, new challenges have emerged. Indeed, on 1 July last year, our Prime Minister tabled and announced the 2020 Defence Strategic Update. What it painted was a picture of a degrading security environment, particularly within our Indo-Pacific region, and a large part of our response to our deteriorating security situation is looking at those vulnerabilities and how we can bolster their stability and security.

Of particular concern is the increase that we have observed in the aggressive use of what's referred to as 'grey zone activities'. What we mean by 'grey zone activities' is that they sit somewhere beyond that threshold of illegality but short of actual military conflict. Some of the examples are interference operations, coercive use of trade and, of course, economic levers. We've seen those geo-economic levers used in an aggressive form against Australia. These activities, whilst they sit below the threshold of open conflict, certainly threaten stability and, indeed, sovereignty. Whilst these grey zone activities are certainly not new and have always existed on the spectrum of conflict, what we are seeing is an escalation in the use of these grey zone activities, including in Australia and within our region.

Cyberwarfare is absolutely on the rise, and we can rightly refer to cyber as being a new battleground. In its Annual cyber threat report 2020-21 the Australian Cyber Security Centre noted that there were 67,500 reports of cybercrime. This reflects a 13 per cent increase on the previous year and equates, very worryingly, to a cyberattack here in Australia every eight minutes. This is indeed alarming. Throughout 2019 and during the 2020 COVID-19 pandemic Australia's critical infrastructure sectors were regularly targeted by malicious cyberactors seeking both to exploit the victims of the attack and in many cases to gain profit. This totally disregards our communities and in some examples has led to material impacts. For example, during this period we've seen multiple regional hospitals having been the victims of cyberattacks, and this has resulted in the delayed delivery of health services, including surgery, to regional communities. A major national food wholesaler was also the victim of a cyberattack. This affected their systems and temporarily disrupted their ability to provide food during a time when there was unprecedented pressure on the food and grocery sector. There was also a water provider which had its control system encrypted by ransomware. Had that system not been restored quickly enough from backups that could well have disrupted the supply of potable water to a regional population hub. It could also have disrupted the agricultural activities which relied on that same water source.

Attacks on our critical infrastructure require a joint response. They require government, business and individuals to operate in a coordinated fashion, and this indicates the interrelated nature of these risks. The new framework provided by these bills will enable government, industry and partners to defend Australia's national interests. It will require entities to adopt and maintain a risk-management program for critical infrastructure assets, and this will in turn bolster their resilience in the face of threats.

I've had the opportunity to see firsthand some of the Australian operators of critical infrastructure and to work hand in hand with some of those operators. After leaving the Australian Regular Army I worked for most of the last 14 years as a risk, crisis and business continuity management specialist. This involved working with largely mining, oil and gas companies and helping to build their resilience. This involved taking teams and training them in incident and crisis response, working with all levels of management to train on a system of response and to empower those individuals who were managers within their own business to take the responsibility to lead others and to manage through responses. The last engagement I had was with Woodside Energy, a great Western Australian company and the operator of a whole range of oil and gas platforms offshore and processing facilities onshore. Dealing with hydrocarbons, particularly when they're under high pressure, is already a very high-risk environment. Add to that the reality that some of these facilities also take the form of those targetable critical vulnerabilities I mentioned earlier, and we have absolutely no option but to invest in the protection of those assets.

In fact, some of the key themes in which these incident and crisis responders were trained and exercised came under the acronym PEARL, which stands for people, environment, asset, reputation and liability. The acronym makes them easy to remember. They are also prioritised. Of course, every organisation should and must look after their people first—their safety and their security. Of course, the environment, assets, reputation and liability also need a close degree of attention when we're looking to build that resilience.

I also credit some other great organisations, like Rio Tinto Iron Ore and BHP Billiton, which I saw, over many years, dedicate a great deal of effort to building resilience. Not only do we look at the training of teams of individuals to be ready to respond; we also look at the investment in physical infrastructure—in safety response systems, fire management systems and the readiness and maintenance of those systems to provide that protection.

I also had the opportunity to work with a number of organisations during live responses. That's where we see resilience really come to the fore, after the investment, over years, of training and equipment. I won't go into some of the specifics, but, needless to say, the readiness and resilience that was built up by companies like those I mentioned should be credited. It has paid off in spades already and will into the future. Through this bill, we can see how government is partnering with the investments that those businesses are making to protect the critical infrastructure upon which all Australians rely for our wellbeing and prosperity.

On the financial services front, I also worked with some of our major financial institutions, our banks. This is where business continuity becomes really essential. Of course, banks take the responsibility for safeguarding our personal savings, but, as institutions, they also, importantly, enable cash flow for our businesses, whether they be small family businesses or large businesses. Essentially, our banks set the conditions that underpin economic confidence. For this reason, the processes of business continuity management remain absolutely essential, and I provide credit to our banks and to our regulators—which, obviously, this government takes a large degree of responsibility for—for maintaining the resilience of our financial institutions in the interests of us all.

Entities will also now be required to report cybersecurity incidents to the Australian Signals Directorate, which will enable the latter to build a better picture of the threat environment surrounding Australia's critical infrastructure. This, in turn, will allow government to provide better advice and assistance to entities about how they can safeguard critical infrastructure. The public expects the Australian government will protect the nation if a cyberincident affects Australia's critical infrastructure and results in serious threats to Australia's interests. Even if a critical infrastructure entity is doing all it can to protect itself and the services that it provides, we recognise that there are some threats that are beyond the capabilities of critical infrastructure operators themselves to mitigate. That is why this bill also contains what I call 'last-resort powers', which can only be used in situations where an entity is unable or unwilling to respond to an incident. I note that this legislation has been developed through extensive consultation with industry, which is very welcome and will absolutely be continuing.

As I conclude, I'll lean on the words the Prime Minister used when he launched the 2020 Defence Strategic Update. He said:

The enduring responsibility of Government … is timeless—to protect Australia's national interest, our sovereignty, our values and the security of the Australian people.

This bill does exactly that, and I commend it to the House.

11:24 am

Tim Watts (Gellibrand, Australian Labor Party, Shadow Assistant Minister for Communications and Cyber Security):

I'm pleased to have the opportunity to rise to speak on this significant bill, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, designed to better protect Australia's critical infrastructure assets from a growing range of cyberthreats. Labor broadly supports the measures in this bill and will be supporting the passage of this bill through the parliament this week. For the benefit of the previous speaker, I'll point out that the process that has brought this bill to the House today has been shambolic, to say the least, and it has left the parliament with significant additional work to achieve the aims of this bill.

In recognition of the increasingly interconnected and interdependent nature of Australia's complex modern economy and society, the bill before the House does significantly expand the definition of critical infrastructure, subject to Commonwealth regulation, from the current four sectors of electricity, gas, water and ports to 11 sectors of national significance encompassing communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, water and sewerage.

The bill then introduces a series of new obligations on the owners of this critical infrastructure, designed to improve the ability of both the owner and the Australian government to protect these assets from attack. For example, the bill introduces new requirements that critical infrastructure asset owners report certain cyberincidents to the government. In addition, the bill gives the government significant powers to intervene to assist critical infrastructure asset owners responding to critical cybersecurity incidents if necessary and, as a last resort, without the consent of the asset owner.

These new obligations and government powers are needed today because the threat environment facing critical infrastructure asset owners has deteriorated significantly in recent years. There has been a rapid growth of cyberattacks targeting critical infrastructure globally and in Australia from both nation state actors and from international organised crime groups.

In May 2021 the world saw a high-profile example of the impact that a significant cyberattack could have on a piece of critical infrastructure. Affiliates of the Russian ransomware crew DarkSide, an organised crime group, targeted the US Colonial Pipeline in a ransomware attack that shut down its operations for six days. That pipeline was responsible for carrying nearly half of all the fuel supply to the east coast of the United States. The fuel shortages and the lines at the petrol stations that we saw as a result made global news headlines.

Just a month later another Russian ransomware crew, the REvil group, launched an attack on JBS Meats, the world's largest meat supplier, bringing its operations to a halt, including in Australia—an attack that had the potential to cause food shortages around the world.

In the background to these high-profile attacks there have been a series of incidents affecting utilities around the world, including water and electricity companies and the operators of ports and rail networks. The Australian Cyber Security Centre's recent annual cyberthreat report has noted:

Approximately one quarter of cyber incidents reported to the ACSC during the reporting period were associated with Australia's critical infrastructure or essential services. Significant targeting, both domestically and globally, of essential services such as the health care, food distribution and energy sectors has underscored the vulnerability of critical infrastructure to significant disruption in essential services, lost revenue and the potential of harm or loss of life.

The secretary of the Department of Home Affairs underlined the urgency of the threat environment when he told the Parliamentary Joint Committee on Intelligence and Security in July 2021 that our security agencies wanted the government assistance provisions in this bill 'on the statute books tonight'. Addressing this worsening threat environment is both an urgent and a difficult task. Cybersecurity is a whole-of-nation endeavour. It requires defending networks operated by multiple levels of government, within small and large businesses and within civil society. Indeed, the defence mobilisation review found that in the event of cyberwarfare many of the targets of state-sponsored cyberattacks will be civilian businesses or individuals. Designing policy interventions to protect this diverse and rapidly evolving attack surface is difficult, particularly when the circumstances demand rapid action.

Unfortunately, the Morrison government has not met this challenge. This bill is yet another example of the Morrison government dithering on a major challenge and then rushing once we've reached the crisis point. It has been too slow to act. Then when the threat environment reached a crisis point it has failed to give due weight to the complexity of the challenge.

The time line leading up to the introduction of this bill tells the story of the government's lack of urgency. The genesis of the bill was the Cyber Security Strategy 2020. By the time the Cyber Security Strategy 2020 was released by the Morrison government in August 2020 the government's previous Cyber Security Strategy 2016 had reached the end of its four-year life four months before. The government spent 12 months developing its new strategy. Four months after the Cyber Security Strategy 2020, the government released an exposure draft for this bill and indicated that it intended to introduce the bill to parliament just 10 days after public consultation concluded. Dither and then rush—the Morrison government's MO.

This was a crazy approach to such a consequential and complex piece of legislation. Industry was aghast and warned in the most urgent terms that the government's rushed approach could do more harm than good. Stakeholders raised numerous concerns with the exposure draft, but the government insisted on forging ahead with minor technical amendments. In response, Labor insisted that a bill of this consequence and complexity be subject to a substantive PJCIS review. Thankfully, under an avalanche of objections, the government agreed that the bill be referred to the PJCIS for inquiry in December 2020. After the madcap rush to progress the exposure draft, this inquiry then took nine months. Yet again, it was left to the PJCIS and the constructive bipartisan efforts of the Labor members of this committee to do the hard work of getting the bill into a workable shape that the government itself had neglected. In this instance, the bill required a little bit more than panelbeating. Indeed, the unanimous bipartisan report of the PJCIS recommended radical surgery.

The government's original bill was split in two. Recognising the worsening threat environment and the 14 months that had passed since the release of the Cyber Security Strategy 2020, the PJCIS ultimately recommended that only the most urgent measures in the original bill be passed, subject to amendments. As previously outlined, these provisions include the expanded definition of critical infrastructure, government assistance provisions in the event of a significant cyber incident and a mandatory reporting scheme for these incidents. However, given the PJCIS finding that critical infrastructure asset owners 'did not feel like their input or feedback had been actioned or acknowledged during the government's consultations on the original bill', the committee recommended that other measures in the bill, like the establishment of risk management programs and the declarations of systems of national significance with associated enhanced security obligations, be 'revisited and amended in a consultative and collaborative basis' in a separate bill to be considered by the parliament at a later date.

This really is an extraordinary indictment of the Morrison government's failure to work in partnership with the broader Australian cybersecurity ecosystem in our shared task of protecting the nation from cyberthreats. As the PJCIS highlighted, the government's consultation failures on the provisions—that have now been punted to bill two—created enormous uncertainty across multiple industries about unknown future regulatory burdens that this legislation would impose. My observation, speaking to people in the industry, is that this uncertainty has had the opposite effect to that desired by the government. In response to this uncertainty, many organisations have fallen into a compliance mindset and adopted a wait-and-see approach to the cybersecurity measures that they might be required to implement by regulation. Instead of driving an uplift in cyber maturity, many organisations have paused their cybersecurity investments while they wait for clarity from the government.

It's been a real failure of the government to work in partnership with the IT systems operators outside of government towards a shared goal. Cybersecurity isn't something that government can do from behind the ramparts. It requires government to come out from the Commonwealth security and law enforcement silos and work hand in hand with operators of IT systems in an extremely diverse range of organisations—large public sector companies, privately held companies, state and local governments and even civil society groups. It requires government to build trust with the operators of these networks—something that was not assisted by the process through which this bill was developed. Finally, it requires government to build understanding and expertise in the real-world challenges facing the operators of these IT systems.

The process of the development of this bill has highlighted that, while policymakers within the government are able to undertake a reasonable desktop exercise identifying the kinds of policy interventions you'd like to see in an ideal world, they have little appreciation for how private sector networks are actually developed, operated and defended in the real world. While there is significant technical expertise within Commonwealth defence, intelligence and law enforcement agencies, the government has shown at the policy level it does not have sufficient experience and understanding of the cybersecurity challenges of the private sector. This is a capability gap that the Commonwealth will need to address as the threats that this bill is designed to respond to become more acute. This is particularly notable in the context of the government assistance or step-in powers created by this bill. Anyone who has worked with large private sector IT networks understands that the risks of people who lack specific knowledge of a network interfering with it are significant. If you didn't build it, it's easy to break things. The potential for unintended harm is significant and, with critical infrastructure, the scale of unintended harms is potentially extremely significant. As a series of major technology companies, like Google, Microsoft and Amazon Web Services, highlighted in the consultation of the PJCIS on this bill, government intervention in their networks has the potential to increase the risk they face from cyberthreats. AWS told the PJCIS:

… there is a deeper underlying assumption in the entire bill here that seems to be this: if something bad happens to a critical piece of Australia's infrastructure, then the government is capable of stepping in and fixing that bad thing. In many instances, we think there's a really big risk of the government stepping in and misunderstanding how the regulated entity operates, and maybe making things worse—so creating more or new problematic security incidents than are at risk in the process.

Microsoft explained the risk of installing foreign software on a network and said:

Doing so in the context of the data storage or processing sector with hyperscale cloud providers—these are interdependent systems. They will introduce vulnerabilities. We think it's going to potentially be a source of substantial third-party risk that we may have to mitigate for from the government if there is uncertainty on how these powers may be used.

Similarly, representatives of Google said:

What we need is information and collaboration, because the only software that's safe to operate in a Google or hyperscale cloud environment is our software and our systems that have been tested and vetted.

I am sure that the technical experts at the Australian Signals Directorate understand the reality of working with networks that you don't run, much more so than the policy designers of this legislative framework. The PJCIS heard that industry would overwhelmingly without compulsion cooperate with the ASD and the ACSC in the event of a major cybersecurity incident. These compulsory powers are only intended to deal with the most extreme scenario where entities are unwilling or unable to respond. I'm confident that these powers would only be exercised as an absolute last resort, if ever, and then with extreme reticence and caution.

Importantly, the PJCIS spent significant time considering a range of safeguards that could be put in place in the exercise of these powers. I welcome the proposal that any use of the assistance powers be reported to the PJCIS after they are rendered. That said, I share the view of Labor members expressed in their additional comments to the PJCIS report that there's more to do in this space. As this bill is currently drafted, all ministerial authorisations for the use of the government's intervention powers are excluded from judicial review. The government has not adequately explained its reasons for this wholesale exclusion from judicial review. The role of judicial review on the exercise of powers like this has been a common difference of approach between Labor and coalition members on the PJCIS over a number of inquiries now.

Labor members also highlighted the Law Council of Australia's submission that consideration should be given to an independent issuing authority for authorisations to exercise these powers along the lines recommended by the third INSLM. This would be similar to the authorisation of compulsory industry assistance powers under part 15 of the Telecommunications Act. I note in this respect the committee's recommendation that the impacts of the provisions of this bill be reviewed by the PJCIS again when bill two of these reforms is introduced into the parliament. I want to highlight the additional comments of Labor members. They said:

… the Committee should take advantage of that opportunity and—in the absence of compelling evidence from the Government—recommend further improvements to Part 3A.

In my remaining time I want to deal with two matters that the PJCIS highlighted in its report that are not dealt with in this bill—largely the protection of non-governmental democratic institutions under this regime. They aren't directly covered by the regulatory framework put in place by this law. In fact, we don't have existing institutional or program responses to lift the cyber-resilience of non-governmental democratic institutions in our society. I'm talking about political parties, think tanks, universities and newspapers. These have recently all been very frequent targets of cyberenabled foreign interference around the world. A constant theme of recent elections around the world is cyberenabled foreign interference.

Chris Krebs, a former Director of the US Cybersecurity and Infrastructure Security Agency, appeared before the PJCIS and warned that Australia needs a process in place to enable non-political entities to make disclosures of any cyberenabled foreign interference during an election campaign. He told the committee:

… you never want the incumbent with the ability to put their thumb on the scale and change the outcome of the election … you would not have wanted a White House press conference for those sorts of announcements because that, in and of itself, can be politicised.

This is an important learning for Australia. The committee report makes recommendations that the government put in place a process during the caretaker period for apolitical disclosure of cyberenabled foreign interference, and the government should take that up.

11:39 am

James Stevens (Sturt, Liberal Party)

I rise to support the second reading on the Security Legislation Amendment (Critical Infrastructure) Bill 2020, a very important bill introducing enhanced frameworks to make sure we are providing the kinds of protections that are necessary, in the modern era, for our critical infrastructure when it comes to the risk of cyberattack. I think about this in the context of my home state of South Australia, with the infrastructure that is now coming online in the electricity sector and the sorts of risks that we need to be wary of as new technology enters our marketplace from an electricity point of view. I think Queensland has a rate of installation of rooftop solar that's around the same or slightly higher than South Australia's. Both states lead the nation, and as a nation we lead the world when it comes to the installation of rooftop solar. It's a good example of where the future of electricity generation is going to be, particularly for household-level consumption, going forward—in my view. It's a technology that has become much more affordable. Around one-third of households already have rooftop solar, and growth figures show that's only going to increase in the future.

I believe this is a source of generation that we'll increasingly rely on, but, equally, more technology makes it more reliable. One of the challenges with solar is that it's good when the sun is shining but, if the sun's not shining and you want to turn on your television or your dishwasher or cook your evening meal, it's not very helpful if you can't capture the generated electricity and store it. Now, of course, we have the advent of home-scale battery storage systems. They've been a little expensive for the average person to afford until now, but we know where the unit price of batteries is heading—down. Hopefully, it will become a more and more affordable option for people to couple their rooftop solar panels with a home battery so they can charge up the battery when the sun is shining during the day, when they might not be at home to consume energy, and save that energy to use when they need it in the evenings.

We're going a step further again in South Australia with battery units. Household batteries are sometimes described as a distributed grid—as in distributed generation and storage of electricity—and in South Australia, on that definition, we've got the largest distributed grid in the world. We hope to continue to build on that. The Commonwealth government, through the Clean Energy Finance Corporation, is co-financing a scheme with the South Australian government to provide subsidy for home batteries, because we want to partner as much of that rooftop solar with battery storage as we can, for the reasons I've just outlined. The next step, beyond us storing our own electricity at home and using it when we need it, is being able to share that electricity. If I've got excess electricity that I'm not using stored in my battery and someone else in my neighbourhood is running low on stored electricity, or any electricity, then, through that distributed grid, we can have a transaction where some of my electricity goes, at a charge, to the person who wants to consume it. We can have what is sometimes called a virtual power plant. When you think of all these small batteries combined, they're the same size as a major electricity generator and they're holding electricity that can be dispatched on demand, and all these systems are interconnected.

What's vitally important for that kind of virtual power plant to work is all the systems being able to talk to each other on a central platform—in the cloud, no doubt—and share information: who's got what energy; what future consumption and demand is likely to be; where there is excess energy being stored in a household and where there is a deficit of energy available to a household, despite what they're expected to consume going forward; and how we trade that electricity amongst all the people in this virtual power plant. That effectively means you've got not only distributed storage but also the ability to share demand and the most efficient way of capturing, storing and providing electricity for consumption. That's an unbelievable proposition. It's something for which the technology already exists, and we're trialling it in South Australia. That is all predicated on the technology and communication of all those units, which could be hundreds if not thousands, with billions and billions of data points coming together to provide electricity for a neighbourhood. That, of course, raises the huge risk of someone being able to interfere through the cyberworld in something like a virtual power plant and, effectively, take it offline and take out a neighbourhood's electricity source because, through a cyberattack, they were able to disrupt and infect that platform and remove the ability for that platform to come together, to share that collaboration and to provide the power source for an entire neighbourhood.

That is one example among thousands—if not millions—of others that we are going to have when it comes to the future of infrastructure in this country, whether it's at the low level—in small scale, like the example I've just outlined—or, again in electricity, in the very large scale. In South Australia, we're building an interconnector now with New South Wales. It will take around 800 megawatts of electricity in either direction, which will be vital for the stability of the South Australian grid, given some of the challenges we've had with that in recent years, and will also be vital to the ability to attract investment in larger-scale generation and to have markets where renewable energy generated in large solar or wind projects in South Australia can be not just used domestically in the South Australian market but also exported for sale in somewhere like New South Wales. So, at the other end of the electricity infrastructure scale, a multibillion-dollar interconnector is the sort of infrastructure that already—and even more so into the future—is reliant on cybercapability and is vulnerable to cyberattack.

That is the modern world. That is the current situation and the future, as well, for infrastructure. In terms of this bill, of course, electricity is one of the easier examples to talk about, but other speakers have talked about the wide variety of infrastructure that is captured that is going to be vulnerable to cyberthreats today and into the future. That is really every single piece of infrastructure we can conceive now and some that we can't yet conceive, because, in the future, almost everything is going to be reliant on cybertechnology and at risk of cyberthreat. In a beautiful country like ours, we've not had, from a physical infrastructure risk point of view, the same kind of alarm and concern throughout our history. Obviously we're lucky enough to be one country on an entire continent. We've not had a major conflict here since the advent of what some philosophers call 'total war' or 'absolute war' where, in modern warfare, infrastructure has become a major target physically, as has happened in other parts of the world. We don't have the sort of history or the culture of having a paranoia about the protection of our infrastructure. But, of course, that is not the case when it comes to the risk of cyber because there is no tyranny of distance related to cyber. There are no proximity issues with cyber. Someone anywhere else on the planet with an internet connection can attempt to launch a cyberattack on any critical infrastructure in our country, and that's why we now have the risk and the need to respond to that risk through this legislation and the other things that this government is doing.

I've had the pleasure, a couple of times, of going to the Australian Cyber Collaboration Centre which is located just outside of my electorate in the Adelaide CBD in the Lot Fourteen Precinct, which is the heart of the city deal between the federal government, the state government and the Adelaide City Council in South Australia. It's amazing what they're doing there. It is very much in line with what this legislation is about, which is creating partnerships and support between government, the private sector and other people that have expertise in cyber and in risks of cyber. There's a cyberwarfare range at the centre, which is quite an experience to visit. It's almost a SCIF-like set-up—a room that's secure—where you can come in as a company, plug your software platforms into the mainframe and have people launch cyberattacks on the systems of your business so that you can identify what the vulnerabilities to cyberattack might be for your software platforms and other systems that you use. You can also seek to repel those attacks and can use various tools available in the marketplace to see which ones are the most effective for the systems your business operates in order to best protect your business from the risk of these cyberattacks, and you can weigh up the wide variety of costs for different levels of security.

So, what's happening there at A3C, as it's known, is assisting the private sector, particularly those that have a significant vulnerability to cyberattacks. For somewhere like Adelaide, that's obviously industries like defence, space and critical infrastructure such as the mining sector and the ag sector. Given the examples of attacks on private sector businesses around the world, no-one who operates a computer could say that their business doesn't have a vulnerability to cyber. So, A3C is an opportunity for any business to engage with that industry collaboration and assess and then address modern cyber risks to their business.

The other thing we know about cyber is that whatever you do today is the best you can do to protect yourself against what are known to be the capabilities of offensive cyber today. But, every day, new capability is developed and new risks emerge, so we need to be ever vigilant and constantly learn from the attacks undertaken on businesses, particularly those that we have the purview of learning from in our own country. That's really what the heart of this bill achieves. By creating the reporting framework that is one of the pillars of this bill, we're essentially making sure there's a requirement for high-risk targets—particularly those captured within this bill, related to critical infrastructure—to first and foremost report any cyberattack or suspected cyberattack that they receive, because it's very important that the experts—and the ASD is a world-renowned agency when it comes to this topic—know and are able to capture all the known or suspected cyberattacks launched on critical infrastructure across the board in this country.

That puts a government agency like ASD in the best possible position to be aware that something has occurred, to perhaps have an initial triage approach to considering the initial prima facie evidence of what's occurred and to decide whether they need to look more closely at that attack. We know that there are attacks constantly. We have tens if not hundreds of thousands of attacks a year, and we know there are different levels of attacks that bring different risks. But ASD are the experts and the ones in the best position to make decisions around how to respond to those threats. By having a mandatory system of reporting in place, they're going to have the awareness of all the things they can then choose to look at and prioritise.

Secondly, we're talking about government having a much more significant involvement in working with the private sector when it comes to critical infrastructure to help them, work with them and provide support for them if and when they are imminently at risk of, adjacent or either side of, or in the middle of a cyberattack. As a Liberal, I'm always a bit nervous about interfering in businesses or having additional regulation or requirements on business. But this is something that I thoroughly support. An agency like the ASD, with the expertise that they have, should be in a position to provide all the necessary support to businesses. Not only do we want to look after them and support them but also, by the very nature of the definition that they are critical infrastructure, they're doing things that are vital in our society, and they are a very high-risk target to people who may wish harm upon Australia and our interests.

For those reasons, I commend the bill to the House, and I thank all those who made contributions. I am pleased that this legislation will have bipartisan support. It's important and necessary legislation that we should pass and give this new capability and this new framework to the ASD and other government agencies so they can get on with the good work they're doing in protecting our country.

11:54 am

Luke Gosling (Solomon, Australian Labor Party)

Before I make some remarks on the Security Legislation Amendment (Critical Infrastructure) Bill 2020, I want to acknowledge the work being done right now by our warfare counter-cyberoperatives, Australians who are right now defending our country and our economy at the ASD and obviously at other agencies and in other organisations and businesses. They're in the fight on the front line right now.

As we've heard from several speakers, every eight minutes or so there's a cyberattack on our country. That's an attack on our economy, on our way of life and on our sovereignty, so this is very important legislation. Whilst I agree with some of the comments made by the speakers on our side about the delays and the misunderstandings that have been consistent in getting us to this point today, I nonetheless want to acknowledge the government in finally introducing these new laws to ensure the resilience and safeguarding of Australia's critical infrastructure, which most definitely has our support.

The government is introducing these new laws to ensure the resilience and safeguarding of Australia's critical infrastructure. There are many threats, ranging from natural hazards such as weather events to more direct, human-induced threats, including interference, cyberattacks, espionage, or chemical or oil spills, to give some examples, as well as attacks by insiders. They all have the opportunity and the potential to significantly disrupt our critical infrastructure.

The pervasive threat of cyberenabled attacks and manipulation of critical infrastructure assets is very serious and considerable, as we hear and as we read almost daily. The scope and impact is significant, and there is an increasing, unprecedented rate of these cyberattacks. If at the start of my contribution there was a cyberattack and those Australians were fighting against it, trying to stop it and mitigate the damage, by the end of this contribution there will have been another one and Australians will again be at the fore of protecting our nation. So we are critical of the delays but on the same ticket in terms of the intent of this bill, because we are facing increasing cybersecurity threats to our essential services, to our businesses and to all levels of government, as we have experienced in our own federal Parliament House. The Commonwealth parliament's IT systems have come under attack, as we're all well aware.

In the past two years, cyberattacks have also hit networks in the health and food sectors, media and, as all listeners will understand, our universities, where there's not only disruption of the work at our universities but the theft of our brilliant, internationally acclaimed intellectual property from our brilliant academics and researchers.

Internationally, cyberattacks have disrupted critical sectors, including water and fuel supplies in the United States. In this threat environment, it's crucial that Australia's technical authority, the Australian Signals Directorate, is empowered to assist entities in responding to significant cybersecurity threats and incidents to secure our critical infrastructure assets.

Now, as speakers have already mentioned, these are last-resort powers and affected entities will undoubtedly retain their reservations and their right to keep a keen eye on all bills and policies that federal governments have. In supporting this legislation, we are relying on the intention stated in the bill, as given by the department and agency heads, that these powers will only be used as a last resort. With this in mind, it is very important to emphasise that the PJCIS, the Parliamentary Joint Committee on Intelligence and Security, will be notified and briefed each time the government enacts this power and will conduct a full review of the legislation when additional critical infrastructure reforms are introduced by the government. In evidence provided to the committee, witnesses overwhelmingly indicated their willingness to cooperate with ASD. Government assistance powers would only be needed in the event that an affected entity is unwilling or unable to respond appropriately. Thus, these measures should only be needed rarely, if ever. In the instance that there is disagreement between an entity and ASD, in the best course of action the bill does incorporate the committee's recommendation to include safeguards that require the minister to consider multiple impacts and current responses to any actions under this legislation.

The government itself has conceded that more work needs to be done in communicating, consulting and responding to concerns regarding its proposed positive security obligations for critical infrastructure sectors. These are important initiatives, and they need to be done properly. As the member for Gellibrand said, government agencies and the federal government itself need to engage with industry more. They need to build a deeper level of understanding and build a deeper level of trust and together build a deeper level of expertise to meet the threats that are increasing, that are significant and that could do great harm to our nation and, obviously, great harm to the economy. We need to build that resilience together. The member himself has a great deal of experience in this industry, and I hope that the federal government takes his contribution and looks at it very seriously indeed, because there is bipartisan support for this bill and bipartisan support for securing our nation from all threats. Cyber is becoming a domain and already is a domain where significant threats can materialise.

As I said, by now, those Australians working at ASD and in other agencies are combatting yet another cyberattack. This is real. It's happening every day, every eight minutes, so it's good that this legislation has finally arrived. Cyberspace is such an important domain and it's a place where threats to our nation can arise and are continually arising. It is such a crucial domain and it's one that I, having a responsibility as a federal representative, have been seeking to understand at a deeper level so that I am able to support, to the best of my ability, those Australians who right now are countering these threats. I recently, with the member for Bean, spent some time on an ADF parliamentary program focused on cyber: cyberwarfare, cyberdefence, cyberoffence. We visited a number of organisations that are providing cyber and information warfare capabilities to Defence and the whole of the Australian government. I was incredibly impressed by the intelligence and adaptability of these mostly young, some not so young, Australians who are operating in this domain, defending our sovereignty and defending our economy, so I want to give a shout out to all of those. Obviously I won't give your names, but I want to acknowledge the importance of the ADF Parliamentary Program that gives the opportunity for elected federal members to spend time with the ADF to understand the seriousness of the work you do and the need for proper resourcing. I acknowledge Lieutenant Colonel Andy Martin and also the host for that event from the Navy. They are exceptional Australians doing fantastic work.

In the time remaining, I will do something that I think we should all do more often, and that is provide some contextual information to Australians who are tuning in today about this domain of cyberspace and the incredibly important work that ASD and some of our ADF defence agencies are doing. Cyberspace is a global domain within the information environment, consisting of an interdependent network of information technology infrastructure including the internet, telecommunications networks, computer systems and embedded processes and controllers. The resident data is used to store, modify, exchange, process and collaborate on information. Cyberspace is unbound by physical location or international boundaries. It is like the matrix; it's everywhere. Cyberspace provides users with unprecedented access to information, audiences and critical targets across vast distances, and this is why it is so important. On a day-to-day basis you are in this domain and you are potentially the subject of some sort of attack or even monitoring. That's why it needs the vigilance of the operators in this environment and the interest, concern and resourcing of government to work closely with industry to make sure that Australians are protected as much as possible.

There can be conflict within cyberspace, and we learnt more about what we can do and where we're under-resourced in this area during that parliamentary program. Conflict in cyberspace can be conducted across large geographic distances, and it can have significant effects. We visited and spent time with the Information Warfare Division, which was formed only recently, in 2017, in the Department of Defence. Its formation was part of an initiative by the Australian government to combat threats to Australia's national interests in the information environment. I acknowledge Major General Susan Coyle, CSC, DSM, who is the Head of Information Warfare—this fifth-domain warfare for the defence of our nation. It's incredibly important work. She is a very impressive person who I've known for some time, and I really wish that division all the very best in its important work, as I do the Australian Signals Directorate for their important work.

There are great Australians doing work every day to protect our nation, our sovereignty and our prosperity by protecting our economy, and they're unsung heroes. They are not out on the front line in another country. They are here defending, in the cyberspace domain, our people, our country and our way of life. It is incredibly important work. So even though you are necessarily anonymous in the work that you do, I reconfirm from federal Labor—and, I'm sure, all parliamentarians—our thanks to you for the important work that you do and our support for this legislation that will be used as a last resort, should it be needed in this essential business that we are in of defending the Australian people with every resource that we have at our disposal.

12:09 pm

Pat Conaghan (Cowper, National Party)

I'm pleased to rise to speak on the second reading of the Security Legislation Amendment (Critical Infrastructure) Bill 2020. In my view, what makes Australia probably the best country in the world is the ease of access to critical services. Every Australian has learnt through experience to have high expectations when it comes to accessing those services, and rightly so. We have an expectation because, on the whole, things just work. We expect our lights to go on. We expect our water to run. We expect our kids to have easy access to education. We expect to have access to our own money, our own bank accounts—and it goes on and on and on. Unfortunately, recent events have posed a threat to this access and, in very real terms, to what makes this country what it is and how it works. We take for granted that our services will just simply work, that the security of these services is assured and that we maintain sovereignty of those services, but increasingly we are faced with the sad fact that this may not be and is not the case. In reality, our critical services are so interconnected in nature that if the cybersecurity of one of them is breached the domino effect could result in significant consequences to not only our national security but our economy and our sovereignty, and that is completely unacceptable for a country as free as ours.

When our essential services are faced with a physical threat, such as fires or floods, it's a given that government agencies and the wider Australian public will do whatever they can to preserve the critical running of those services. I know that in 2019 when bushfires engulfed my own electorate of Cowper and then again in 2021 when we had the devastating floods we made sure the access ways to our hospitals and fire services were maintained. We prioritised the protection of phone towers and electricity poles. We set up perimeters. We called for reinforcements. Once a catastrophic physical event occurs, we reassess our situation and form plans as to how best to protect ourselves from that disruption ever happening again. We look at the experiences and best practices from around the world. We learn and evolve. We adjust and change our safeguards accordingly. When it comes to a physical threat, this type of response is a given, but the fact remains that what you can't see can hurt you. In fact, the threats posed by cyberattacks on our essential service networks are more catastrophic than any individual physical threat could ever be, and the response to safeguard these services from such attacks needs to be appropriately significant.

We've seen from overseas the extreme impact of cyberincidents such as the ransomware attack on the Colonial Pipeline in the US, which affected the distribution of fuel throughout the country. On home soil, in the past couple of years, we've seen cyberattacks on this place, the federal parliament, on logistics in the medical sector and on universities—and these are only the ones that were publicised in the media. In fact, in the 2021 financial year, the Australian Cyber Security Centre, or the ACSC, received over 67,500 cybercrime reports. That's an average of one every eight minutes. Concerningly, this represents an increase of 13 per cent from the previous financial year. I don't know what's more concerning about those figures—the 13 per cent increase or the fact that the ACSC received close to 60,000 cybercrime reports even before the true impact of COVID hit us.

Since COVID, there has been an increasing trend towards ransomware-related activities, with demands ranging from thousands to millions of dollars, and, increasingly, cybercriminals are moving away from low-level attacks on individuals in our community to the larger, more profitable, high-end organisations. In short, they're essentially going for the big fish, and the big fish tend to be our critical services. To increase the likelihood of ransoms actually being paid, cybercriminals are encrypting networks, exfiltrating data and then threatening to publish the stolen information online for all to see. The risk that this poses is not just to Australians but to our national security, and it grows more menacing as the shifts in targeting and tactics intensify.

The reforms outlined in the amendment bill will strengthen Australia's ability to effectively respond to serious cyberattacks on critical infrastructure. Pleasingly, as a first step, the bill expands the definition of 'critical infrastructure' in response to society's evolving modern needs. The government will continue to review these definitions to ensure they remain current, given the changing technologies and threats. Fundamentally, a service is deemed critical when it's considered to be the case that, if the asset were destroyed, there would be a significant detrimental impact to our basic standard of living, to Australia's wealth and prosperity or to the security of large or sensitive data holdings. Taking this into account, critical infrastructure will now include energy, communications, financial services, defence industry, higher education and research, data storage and processing, food and grocery, health care and medical, space technology, transport, and water and sewerage.

The bill looks to introduce a cyberincident reporting regime for critical infrastructure assets. To effectively protect our critical infrastructure, we need to truly understand the threat, and no-one and no group can do that without the proper data and the proper information. If incidents aren't reported, we can't be expected to learn from them and stop them from happening again or from escalating in the future. The reporting regime will require entities to report cybersecurity incidents to the Australian Cyber Security Centre through the ReportCyber portal and provide ownership and operator information for the Register of Critical Infrastructure Assets. Critical infrastructure entities will have up to 12 hours to report a critical cybersecurity incident, once they become aware of it, and up to 72 hours to report other cybersecurity incidents, the timing of which aligns with other existing reporting regimes, both nationally and globally.

The next step of the bill relates to making government assistance available to industry, as a last resort and subject to appropriate limitations. There may be situations where there is an imminent cybersecurity threat or an incident that poses a risk of negatively impacting Australia's national interest. Where responding to such a situation is beyond the capability of the asset's owners or operators, the reforms will provide government with the ability to provide reasonable and proportionate directions or assistance to those entities to resolve the incidents. These actions will focus exclusively on protecting and defending the asset, noting its importance to the economy, to society or to defence, and it will be a criminal offence not to comply with the directions made under the government's assistance regime. It is important to note that intervention on this scale may be authorised only once the Minister for Home Affairs has sought agreement from the Prime Minister and the Minister for Defence. It should be noted that these powers are clearly defined and confined, proportionate and appropriate, and subject to a range of safeguards.

The reporting regime and government assistance powers recognise that industry has a role to play too, and this imposition of obligations on business is an important part of a comprehensive response to the serious challenges we face.

In conclusion: we, as Australians, have a right to assume that our critical services will continue to work now and into the future; we, as Australians, have a right to assume that our sovereignty is secure when it comes to accessing what we have come to expect are basic services to the modern world and a right to assume that our government is doing everything within its power to preserve the security of our essential services and our economy. I note—and it's pleasing to see—that both sides of the House have approached this in a bipartisan way. This bill is a critical step towards facilitating the government's and the private sector's ability to meet those fundamental assumptions. As the type and scale of the threat to Australians' way of life continues to evolve, so too must the legislation in place evolve to counteract those threats, and I'm proud to be part of a government that is proactively doing so.

12:21 pm

Julian Hill (Bruce, Australian Labor Party)

I echo a lot of the previous speakers in saying the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is an important bill. Australia is facing increasing cybersecurity threats, which underscores the need for this legislation. Those threats are not just to the private sector but to government, essential services and the stuff that sits in the middle, if you like, between the public and private sectors—critical infrastructure which is regulated in various ways by government but may be provided in the private sector and, of course, by individuals.

These are crimes and scams which concern so many in the community, from the proverbial little old lady being scammed out of small amounts of money, as has been said, to crimes that increasingly are rising up the value chain—the modern equivalents of the bank heist. But even more serious are the threats to essential services and critical infrastructure which this bill primarily concerns itself with. We have already seen, in the United States, examples of fuel and water infrastructure being disrupted by cybercriminals and cyberattacks. In this bill the government, for once—to their credit—are focused on an important issue, but typically, as the Parliamentary Joint Committee on Intelligence and Security found, they've mucked up their legislation quite profoundly. So I'm pleased that the minister—and it's good that we've actually got someone in the Home Affairs ministry at least impersonating an adult, after the obstinacy of the previous incumbent, who liked to say no just for the fun of it—has listened to the PJCIS, a government controlled committee, and the opposition and agreed to split the bill in half. With the half bill going forward we will of course vote for it.

The half of the bill that was retained and will go forward with everyone's support includes expanding the definition of critical infrastructure beyond the four sectors that were already covered—electricity, gas, water and ports—to incorporate seven new systems of national significance. The list will now be: communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and groceries, health care and medical, space technology, transport, and water and sewerage.

The second thing the bill, or half bill, will take forward is the introduction of additional reporting requirements for cyberincidents that affect critical infrastructure assets, which, of course, are the critical intelligence-collecting tools for the responsible agencies.

The parts of the bill that the PJCIS said, in essence, were half-baked, would do more harm than good if they proceeded and needed a further reworking include the requirement to introduce 'government assistance to relevant entities for critical infrastructure sector assets in response to significant cyberattacks' and the introduction of 'additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements'. In essence, these things need more consultation with industry.

Just about everyone out in the real world—experts and people who actually run this critical infrastructure—who examined the government's proposals had reservations and said that the process was flawed, that the consultation process leading up to the drafting of the legislation was inadequate, that there was an unknown and totally unquantifiable regulatory impact of much of it because of the ham-fisted way the government had brought the legislation in and that there was far too much detail unknown left to the regulations. It makes sense in this kind of stuff that not everything is codified in the legislation and that many decision points would be left in the regulations. But, when you are introducing an entirely new regime with potentially enormous compliance costs and regulatory burden on industry, the regulations should be developed and consulted with alongside the legislation. Sure, they can be amended down the track by the responsible minister, but it's not an adequate way of actually bringing in a whole new regime, imposing costs on whole sectors of the economy, to not be able to tell them what they're actually up for instead of, 'Oh, don't worry. Trust us; we're the government.'

An aspect of the legislation which has received significant media attention is, if you like, the big stick intervention power. Obviously the home affairs minister wanted a big stick after the Minister for Industry, Energy and Emissions Reduction got himself a big stick. It gives the ASD the power to assist entities—'assist' is a very polite government word, but I think it means to intervene and take control—whether they like it or not in responding to significant cybersecurity incidents to secure critical infrastructure assets. We take the government's assurances that these extreme powers would be used only in emergency events, and quite rightly there's a reporting regime through the PJCIS.

That kind of wraps up my comments on the bill itself. But I do want to note that the government, through this, is imposing a lot on the private sector—new standards, new accountability and a pretty heavy-duty intervention power. The government, though, are in no position, really, to lecture anyone on cybersecurity or cyber-resilience. They're in their ninth year and their record on cybersecurity—and that of their own government departments and agencies—is abysmal. The government need to get their own house in order, really, before they can with credibility tell the private sector that they're going to put all these compliance costs on them. Indeed, as we've just discussed, they can't even quantify what the costs might be.

In my just over five years in the parliament, I've sat on the Public Accounts and Audit Committee. It's not for everyone—it can be pretty dry—but it's a really important and fascinating committee, because you constantly rove across every part of government, working closely with the Auditor-General. I read and look at all the audit reports that come through. One of the most common themes of the Auditor-General, who I think is now six years into his 10-year term, is noncompliance by the government year after year. We in this committee feel like goldfish, going round and round in the bowl seeing the same thing—government departments not complying with the cybersecurity standards. For my sins, last year when I was stuck in Canberra for long slabs—six weeks or eight weeks—I decided one Sunday to sit down and read a whole bunch of stuff, including the Auditor-General's mid-term report. He did a report, five years through his 10-year term. I know, I know—it's fascinating! It is actually a great report. The Auditor-General is a really clever, thoughtful man who's got a view across government. I would recommend that nerdy members—I know there are a few more out there—actually take the time to have a look at this stuff on occasion. It's five years of reflections. He said:

… the category which consistently has the most number of financial audit findings raised relates to the information technology control environment, with the most common area relating to weaknesses in security management. These findings are consistent with the conclusions in performance audits of cyber security, which have also consistently identified non-compliance.

With cyber security being an area of government priority—

or so they say; they say it is a priority but they don't do much—

for many years, these findings are disappointing.

The Auditor-General is, of course, prone to understatement and measured language. 'Disappointing' is pretty high up in his lexicon of 'no good', 'not good enough', 'got to do something' and 'got to improve things'. He went on to document:

Cyber resilience and compliance with mandatory IT security policies has been a key program of audit in recent years.

In other words, 'I do this year after year.'

This government spent eight years cutting the Auditor-General's budget, year after year, to reduce scrutiny—an effective cut of over 22 per cent by the time the government was finally shamed this year into starting to reverse that trajectory. Even with that cut of 22 per cent to reduce scrutiny of this government's performance, rorts, waste and mismanagement, the Auditor-General has found space and resources every year to keep looking at cybersecurity and cyber-resilience, and every year this government fails its own tests. Since 2013-14, when the government came to office, the ANAO conducted five performance audits—this was a couple of years ago, they have done a couple more—looking at 17 different government entities. The audits found:

… compliance with mandatory requirements of information security continued to be low.

These are not 'nice to do'. They're not, 'This would be a good idea.' These are the mandatory requirements the government puts on itself, which they continue to fail. Let's be really clear: this bill is putting massive new requirements on the real economy out there, and the government, for eight years, has failed to get its own house in order.

The 2018 Cyber Resilience audit found that low levels of compliance were driven by entities not adopting a risk-based approach to prioritise improvements to cyber security, and cyber security investments being focused on short-term operational needs rather than long-term strategic objectives.

That's a bit like the government really.

The government should be an exemplar in these things. The private sector should be able to look to the government and see the best practice in cybersecurity on behalf of Australians, given the critical data and critical essential services which the government operates, at least those which they haven't managed to privatise yet.

I'll read a few examples to keep making the point. In a recent audit report looking at the cybersecurity strategies of non-corporate Commonwealth entities—that's Public Service speak for 'departments that aren't corporatised'—the Auditor-General looked at the Attorney-General's Department; the Australian Signals Directorate; the Department of Home Affairs—they're the big three, aren't they? They're responsible for cybersecurity policy—the Department of the Prime Minister and Cabinet; the Future Fund Management Agency—there's just a few billion going on there—the Australian Trade and Investment Commission, Austrade; the Department of Education, Skills and Employment; the Department of Health—there's a little bit of secret data there, maybe—and IP Australia. Guess what he found?

None of the seven selected entities examined have fully implemented all the mandatory Top Four mitigation strategies.

The top four are the mandatory four that have been mandatory for years. So none of those seven agencies last year had even got the top four. The government now—finally, after years of being poked by the Public Accounts and Audit Committee—have said, 'Yes, you're right; we should mandate the essential eight.' The government have just put new standards on, and they haven't even met the four that we've been pushing for for the last few years.

Even worse, perhaps, than the noncompliance is that the agencies, year after year, are still deluding themselves, the government, the parliament and, therefore, the public about how they're actually going. This is the key point I want to make, and it does relate to the bill: we really need to think about, as we're putting these requirements on the private sector, how we are working in the public sector to get cybersecurity and cyber-resilience standards up. The current system relies on self-assessment. I'll just go back to the Auditor-General's mid-term report. It's a great summary. He said:

The public sector operates largely under a self-regulatory approach.

Policy owners—the Department of Finance, for some things; the Attorney-General's Department; the Home Affairs Department; and the Public Service Commission—establish rules of operation and then largely leave it to the head of each department or agency to be responsible for the compliance, reporting to the minister.

There are almost no formal mechanisms in these frameworks to provide assurance on compliance. Often the ANAO—

when they randomly come in, every 20 years, in some cases, to smaller agencies—

is the only source of compliance reporting and our resources mean that coverage is quite limited.

That's very polite code for, 'The government doesn't give us enough money, because they keep cutting our budget,' just to remind people again.

That's the Auditor-General pointing out that, in cybersecurity, the government sets a bunch of standards and then says, 'It's up to the departments.' There's supposed to be an audit framework around that, where departments assess themselves every year against a checklist and report that in. What the Auditor-General consistently finds is that they delude themselves. They just tick the boxes and go: 'Yes, we're going well. It's all good; it's tickety-boo. We've got four out of four here with the big four.' I have read so many of these audits. To quote again from the same audit report, No. 32 of 2021, which looked at those seven departments:

For the three entities that had self-assessed full implementation for one or more of the Top Four mitigation strategies … two had not done so accurately. None of these three entities were cyber resilient.

Even worse than the fact that there are still problems in compliance—no doubt because of resources, culture or whatever—is the fact that the reports which come into the parliament and the government aren't even right. That's an issue I believe we seriously need to look at.

We can't just let this roll on. It has gone on for the six years I've been on the committee. Gai Brodtmann, the former member for Canberra, went round and round in circles on this for years. It's basically been the entire term of this government's office. It's their ninth year, and they have not taken their own responsibilities seriously. Of the three entities, only Treasury was compliant with the top four mitigation strategies—a tick to Treasury. National Archives was not compliant. Geoscience Australia wasn't compliant, and they've got critical national security data. Audit reports for years found that, with Services Australia and their system redevelopment, the cybersecurity risk framework was not appropriately managed and operating costs were not monitored. In relation to the My Health Record system, the ANAO found that 'management of shared cybersecurity risks was not appropriate and should be improved'. In planning for the 2021 census, the ANAO found 'the ABS has not fully implemented all the lessons from the 2016 census, particularly in relation to developing its cybersecurity'.

I will spare the House my reading the rest of them, given that I have only one minute left, but you get the point. This has gone on for years. For the government to say, 'We're going to put these standards on the private sector,' while they don't have their own house in order shows that the system isn't working. That's the point. It's a systemic problem now. We actually need to change the way we do this assurance process. I'll draw a parallel with financial accounts. Government departments don't just take their financial accounts and dump them into parliament and say, 'Here are our accounts.' There's a robust and rigorous system of independent audit and assurance over those accounts. We've just completed a 10-year reform program, so the performance statements of government departments in the corporate plans are now going to get a mandatory robust independent audit and assurance system over them. That's my point and that's what I'm calling for. We need a similarly robust, independent assurance because we can no longer trust what the government agencies are telling the government.

I commend half of the bill—not the dud half that the government mucked up. I commend half of the bill and I call on the government to get their own house in order.

12:36 pm

Celia Hammond (Curtin, Liberal Party)

I'm pleased to have the opportunity to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2020. The expanding threat of cybersecurity vulnerability and malicious cyberactivity has become increasingly evident in recent years. While Australia has enjoyed relative security in this regard, the incidence of cyberattacks, ransomware and the exploitation of system vulnerabilities has been increasing in frequency, scale and sophistication in recent years. In Australia, recent high-profile cybersecurity incidents affecting government departments, including parliamentary networks, major logistics and transport companies, the health sector, education providers and media companies have brought public attention to this issue. Internationally, there have been cyberattacks on critical infrastructure, including water services and airports. In the year 2019-20, the Australian Cyber Security Centre reported 2,266 cybersecurity incidents with just over one-third of those incidents coming from critical infrastructure companies and assets. However, the ASD has said that this is expected to be just a fraction of the number of cyber incidents affecting critical infrastructure, given the voluntary nature of reporting.

The Australian Cyber Security Centre notes that phishing and spear phishing remain the most common methods used by cyberadversaries to gain access to networks or to distribute malicious content. Typically, this involves an unsuspecting user executing or opening a file that they received via email as part of a spear-phishing campaign. The ASD has also publicly noted that, alongside the increasing sophistication of cybercriminals, the likelihood and severity of cyberattacks is also increasing due to our growing dependence on new information technology platforms and interconnected devices and systems. While the 5G mobile network will underpin Australia's transition to a more digital economy and the internet and internet connected devices will enable a greater flow of information and efficiencies than ever before, it also makes us more vulnerable to significant threats to our infrastructure, our information and systems more broadly. It's against this background that the SOCI bill was first introduced late last year and, indeed, the explanatory memorandum to this bill makes the point very clearly:

Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption and result in cascading consequences across our economy, security and sovereignty.

…   …   …

… the interconnected nature of our critical infrastructure means that compromise of one essential function can have a domino effect that degrades or disrupts others.

Because of these factors, the amendments in this bill were designed to enhance the obligations in the SOCI act and expand its coverage to sectors including communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, water and sewerage.

Following its introduction in December 2020, the bill was referred to the Parliamentary Joint Committee on Intelligence and Security later that month. The committee received over 80 submissions to this inquiry and held a number of private and public hearings. As is noted in the advisory report that the PJCIS tabled on 29 September 2021, while there was general acknowledgement from all submitters of the level of the threat and the need to do more, there were a number of conflicting views and opinions over elements of the bill. Before coming to those conflicting views or issues, and the government's response to the PJCIS advisory report, it is worth noting some of the evidence presented to the committee regarding the level of the threat.

When outlining these threats and the increasing challenge of preparing, hardening and countering assets, the secretary of the Department of Home Affairs said this to the committee:

Cyberattacks will soon reach global pandemic proportions. This has been building for about five years but has accelerated over the course of the COVID pandemic.

…   …   …

Basic cybersecurity protections will always help, but malicious actors, such as cybercriminals, state sponsored actors and state actors themselves will defeat the best defences that firms, families and individuals can buy. We have to do what we can, of course, to defend our own networks and devices against known vulnerabilities. However, just as we do not rely on home security alarms and door locks to deal with serious and organised crime, we cannot leave firms, families and individuals on the field on their own.

Evidence at the committee was also received from a panel of experts, and one of those experts in the public hearing on 9 July highlighted the shift in the cyberthreat environment. Mr Chris Krebs noted:

… there have been three strategic shifts over the last several years in the threat actor landscape. First … was ransomware and criminal actors.

…   …   …

I think the second strategic shift that we've seen was probably over the last two to three years, where, rather than go after their primary targets through the front door, the intelligence apparatus of our adversaries—traditionally, from the US perspective at least, we call that Russia, China, Iran and North Korea, but obviously there are others—have sought to effectively use the global ICT ecosystem, the systems we use on a daily basis, as a real-time collection apparatus.

…   …   …

The third and final strategic shift that I'd suggest we really prioritise is a shifting to functional disruptions and moving away from purely reconnaissance and intelligence collection.

The committee also heard evidence that the rise of cyber-enabled crime and security threats has not been countered evenly by entities and that there has been an uneven investment in cybersecurity. There are companies out there who have been spending almost a billion dollars a year on cybersecurity programs, which is clearly a significant investment, but it's also true that that is not consistent across any industry anywhere.

As noted earlier, while the need for reforms was not contested in evidence to the inquiry, a number of significant concerns were expressed about aspects of the bill and the process taken to develop it. The detail on these is found in the PJCIS advisory report, and I will outline a number of them. The first of those regards the timeline for the co-design of rules and economic modelling. There was concern that there was insufficient time for that to be done. A second concern that was raised by a number of submitters was around the variation in the breadth and specificity in the definitions of what would be included and what a critical infrastructure asset is. That caused concern in various sectors that the definitions were either too specific or too broad. Another concern was the unknown regulatory burden of positive security obligations. Then there was a concern about the time frames outlined in the bill for the notification of cybersecurity incidents to ASD under proposed part 2B. The final concern raised was that the potential reach of the powers in the bill was not being accompanied by appropriate authorisation or oversight mechanisms in the eyes of some.

Ultimately, as noted in the advisory report, the PJCIS, a bipartisan committee, whilst strongly supporting the aims of the bill, came to the conclusion that it would need a significant amount of redrafting to pass in its entirety in a way that was going to ensure maximum buy-in and maximum understanding. The committee reached the conclusion that that would be required to be able to respond to the level of concerns that had been raised in an appropriate fashion. The committee's concern was that doing so would significantly delay the time-critical elements of the bill. As a result of that, the PJCIS made 14 recommendations in the advisory report, including splitting the bill into two separate bills with a first bill to incorporate the measures to respond to cyberincidents and cyberincident reporting as well as associated definitions and powers. What we are discussing today is actually the government's response to the PJCIS report and, in particular, the recommendation to split the bill into two separate bills.

The amendments in what we're discussing today are effectively creating the first of those bills. The key measures retained in this particular bill include: first, government assistance to relevant entities for critical infrastructure sector assets in response to serious cybersecurity incidents that impact on Australia's critical infrastructure assets. Second is the mechanism by which cyberincident reporting to the ASD may be required by responsible entities for critical infrastructure assets that are subject to cybersecurity incidents. Thirdly, it has expanded the definition of 'critical infrastructure assets' to include assets across the 11 industry sectors, so increasing them from four to 11. Importantly, this bill also extends—this concern was raised, and so has been actively addressed—the period for making a written cybersecurity incident report to the ASD. It also addresses another concern that had been raised by increasing the level of consultation and oversight which is going to be carried out as the next bill is developed.

By way of finishing, there is no doubt that cybersecurity threats are very real and potentially very significant, and doing something as soon as possible is imperative. The bipartisan committee, the PJCIS, acknowledges this very real threat but also identifies significant concerns with the draft bill which could potentially undermine it achieving its aims and goals. On this point I note the criticism from earlier opposition speakers, although I note that none of them actually sat on the committee. They criticised the government's approach on this bill and the failure to get the legislation perfect the first time. If only it were remotely possible to draft perfect legislation for anything or to have a perfect process for anything. I also dismiss those criticisms because this legislation concerns an area that involves many different sectors facing many different threats, and they are evolving in a very fast-changing landscape. We heard in the evidence that was given to the committee and which I cited earlier that some of these threats are only just emerging. The third wave of what we are now concerned about is actually just emerging. It's not that we've been sitting back and watching all this happen before responding. A lot of these threats, and their increase and their severity, have been within the last three to five years, if not in the last 12 to 18 months. The fact that the PJCIS works in the way that it does—that it gets the opportunity to have inquiries into bills and to hear from experts and then to effectively give recommendations to the government in a bipartisan way, pointing out issues that have emerged through that process—is to me a sign that democracy is working and that there are good checks and balances. I believe that the fact that the minister and the government responded to the recommendations of the committee reflects responsible and sound governance by this government. I commend this bill to the House.

12:50 pm

Andrew Wilkie (Clark, Independent)

[by video link] Good afternoon and hello from Hobart. I'd like to echo the considered comments of the member for Curtin, the previous speaker. I believe the member is quite right that the cyberthreat to the public and private sectors is very real and very significant. It's more diverse than people might have once believed. We have the obvious perpetrators, like China, Russia, Iran and North Korea, and we have seemingly countless criminal gangs attacking the Australian public and private sectors. We also have state-sponsored criminal actors. Regrettably, we even have allies who like to eavesdrop on the public and private sectors in Australia to try to find out what's going on. I'm too polite to list some of those countries. We would be naive to think that anyone and everyone don't have an interest in our electronic world and in our data and aren't attempting to obtain some of it.

That's a longwinded way of saying there's obviously merit in the Security Legislation Amendment (Critical Infrastructure) Bill 2020. I applaud the government for trying to take action against the cyberthreat to this country. I think it's also good that the government split, albeit at the last minute, the original bill in accordance with the strong recommendation of the PJCIS. The original bill was unsatisfactory, and it's wise to have carved out what the government thinks are the most urgent aspects of the bill to try to get them through the parliament this week. I say that in essence.

However, I note that both the PJCIS and the Australian Signals Directorate have cast doubt on the urgency of getting anything through the parliament this week. The Australian Signals Directorate mentioned earlier in the year that the likelihood of this legislation being used is 'very rare'—and I understand those were the words they used. Why are we continuing to act with such urgency, when we could slow it down and make sure that the provisions in these reforms are really well crafted, watertight and effective? I think we're missing an opportunity there. We're creating perhaps to some degree too much concern about getting this through this week.

I will also ventilate a couple of other concerns with this bill. I think it does give excessive power to the government and the minister in particular because the people who are affected by the decisions of the government and the minister don't have any resort to judicial review or any sort of effective independent oversight of the decisions of the government or the minister. In fact, I note that in the bill before the House now the right to judicial review is explicitly carved out and denied to the people or organisations that would be affected by the decisions of the government and the minister in the future.

I also make the point that the reforms in this bill are not adequately funded. I do note that in the last federal budget there was $42 million set aside to secure critical infrastructure, but I suggest that it's patently obvious that to do this job properly we will need many multiples of that and we can't rely on existing government agencies, like the ASD, to raid their own existing budgets to implement additional safeguards. They need additional funding. I would certainly support that occurring.

Talking more broadly than just the provisions of this bill, I take this opportunity to say that the government has a lot more work to do. Yes, it does need to rework what we now know as the second bill, the bit that has been put aside. It needs to get that right. It needs to go slowly. It needs to work closely with all stakeholders. It needs to listen to their reasonable concerns and address all reasonable concerns. The cyberthreat to this country is too big an issue to not get right and to not properly fund. The government also needs to do much more work more broadly.

I did 20 years in the Army. I did a lot of work on vital asset protection and I well know you can't have a platoon of infantry soldiers on every vital asset in the country, or a battalion at every port, or a division along every strategic railway line. We can't do that in a practical sense so we have to be clever about the way we respond to the threats from nation states.

We also need to do much more work on other threats to our critical infrastructure. I'm talking about our physical infrastructure now, and the obvious example of that is, of course, our telecommunications infrastructure. We learned through the terrible bushfires of 18 months ago that our critical communications infrastructure is terribly, terribly vulnerable. In fact, the Australian Communications and Media Authority claim that nearly 1,400 telecommunications facilities were directly or indirectly affected during the 2019-20 Black Summer bushfires, during which the average outage was 3½ days and the longest was 23 days. Of course bushfires are going to destroy infrastructure, but there are all sorts of things we can do to make our physical infrastructure more robust. For example, better battery storage to cover outages in mains power to phone towers, the purchase of more mobile telephony facilities for mobile phones.

I do note that since the bushfires the government has put some more money into this, but, again, it's a bit like the funding for the reforms before the House today about cybersecurity: it's not enough. We are kidding ourselves if we think we can throw several tens of millions of dollars at these issues and then sleep easy at night, that our technical and our physical infrastructure and our data are all safe. It won't be. We're up against forces that are very, very well funded. We are up against the climate which is becoming increasingly unpredictable and severe. We need to harden this country in all the ways we can and we need to be prepared to pay for it.

Also, when we're talking about the security of this country—this might be some way from the substantive matter before the House at the moment, but I actually think it's very relevant. If we are going to talk about cybersecurity and we are going to talk about hardening our physical infrastructure and things like being more robust against natural disasters, we have also got to talk, and in more detail, about all the other ways that foreign actors interfere in our sovereignty and in our national security, particularly when you look at national security in the broadest sense, which brings me to the issue, again, of reviewing the foreign investment provisions in this country.

It is a good thing, obviously, that the Treasurer said at the start of COVID that there would be a national security assessment of all foreign investment. But to the best of my knowledge, that was, or is, a temporary arrangement, tied very much to COVID and the risk of foreign actors, foreign corporates, raiding Australian corporates when they are vulnerable during COVID. I think that those national security safeguards should be permanent and apply all the time.

I think we should go a lot further when it comes to the conduct of the Foreign Investment Review Board and what the Treasurer and the government allows in the future. Here are a couple of ideas for you, Deputy Speaker. For starters, the Foreign Investment Review Board should apply much tougher scrutiny of investment that could adversely affect Australia's agricultural, business and property sectors, including the commercial property sector, as well as—I suppose this is the new bit—our cultural, environmental and heritage wellbeing. This scrutiny must apply equally to all foreign investors with no exemptions.

An example of a specific reform is that all purchases of agricultural land worth over $2 million should go to the Foreign Investment Review Board, instead of the current threshold of $15 million. And there needs to be greater reliance on land leases instead of freehold title. That last point is something that comes up with me constantly in my community. They're acknowledging this country was built on foreign investment and we need foreign investment. I'm not anti foreign investment. It's just got to be on our terms. That includes if someone wants to farm a substantial piece of farmland or broadacre prime agricultural land. Maybe that can be allowed, but it must be leasehold not freehold title. My constituents raise that all the time: lease farmland to foreign interests; don't sell it to foreign interests. The current business investment requirement that all acquisitions of an interest of 20 per cent or more in any Australian business valued at over $261 million should also be applied to all foreign investment instead of the current practice of allowing carve outs for favoured trading partners, including China—remember that we have some sort of trade agreement with China, apparently—Japan, Korea, Singapore, New Zealand and the United States. That was a very free-ranging omnibus of matters connected with cybersecurity, but I maintain that my point is valid: the government needs to work harder to safeguard Australia's sovereignty and security.

When it comes to cybersecurity, let's properly fund what's before us today. Let's talk to stakeholders and ensure that concerns that still exist about the bill before the House today, including the fact that there's no judicial review of ministerial decisions, are addressed. Let's fix those sorts of things. The sign of a good government is one that is not pigheaded but instead listens to stakeholders, to the crossbench and to the opposition, takes on board all of the good ideas that come from all directions and implements them—and properly funds the measures before the House today. But it also needs to look at all the other ways in which we can safeguard Australia's national security, not just cybersecurity but also our defence arrangements, hardening our infrastructure against natural disasters and looking afresh at our foreign investment provisions. That's something that would be very appealing to a great many Australians. There are so many things we could be doing and need to be doing, not just the edgy things like cybersecurity that are getting all the publicity at the moment.

I'll leave it there. I commend the bill in essence, although it's flawed, and I look forward to the other half of the bill coming before the House, which needs to be much improved in what was in the original version.

1:02 pm

Matt Keogh (Burt, Australian Labor Party, Shadow Minister for Defence Industry)

[by video link] I wonder how many government members have two-factor or three-factor authentication enabled on their systems on their phones and computers. I wonder how many use the password 'password123' to get into secure networks. I wonder how many of them leave their laptops open or unattended in an office or on a plane or have TikTok on their phone. Now I ask the same of every public servant in this nation. Every public servant has access to highly privileged information—information that could be dangerous or at least embarrassing in the wrong hands. The digital literacy of this government and their departments leaves a lot to be desired. Unfortunately, the same can be said for the private sector as well. Honestly, the digital literacy of the nation concerns me.

The pervasive threat of cyber-enabled attacks on and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and is increasing at an unprecedented rate. We are facing increased cybersecurity threats to essential services, businesses and all levels of government. In the past two years, cyberattacks have struck the federal parliament's network, the health sector, the media and universities. Potentially most concerning is that they struck the food and beverage sector, with Lion beer shut down for almost three weeks. Many people in Australia found that very disturbing.

More seriously, though, earlier this year we saw an attack on a critical fuel pipeline in the US. While there are different levels of concern about the things that happen and the troubling prospects they raise, if such an incident were to occur to a piece of our essential infrastructure, such as a central industry like the resources sector, by striking our ports in northern Australia, which are responsible for exporting to the world, or our oil and gas rigs in the offshore industry, our nation's economy would just about flatline. Similarly, if our southern import ports were hit, our supply chains would stop, leaving us cut off and without vital supplies, including, potentially, fuel.

In his submission on this matter to the PJCIS, retired Air Vice Marshal John Blackburn AO expressed concerns resulting from his work examining Australia's national resilience. He is particularly troubled about our lack of national liquid fuel security. The coronavirus pandemic has exposed a global lack of resilience as a result of collective failure to assess and act on national risks and vulnerabilities in the face of a rapidly changing world. Australians have also been complacent with respect to the significant exponential changes occurring in the world and our growing lack of national resilience. We've already seen supply chain disruptions due to COVID-19 and vaccine nationalism. There is no doubt that if push comes to shove other nations will restrict fuel exports to us if they need that fuel.

But it's not just about fuel supply, it's not just about jobs and it's not just about the economy. It's about our national security, our sovereign integrity and our ability to look after ourselves. As I mentioned, earlier this year we saw a damaging cyberattack in the US. The Colonial Pipeline suffered a ransomware cyberattack that took its service down for five days, causing massive fuel supply issues across the United States. The pipeline, almost 9,000 kilometres long, usually carries 2.5 million barrels of diesel, petrol and jet fuel per day. So, having it offline for five days caused huge economic damage to the nation, and many states declared a state of emergency. The organisation that attacked the pipeline operates by infiltrating an organisation's computer network and stealing sensitive data. A day or so after that they will make themselves known to that organisation and make threats about data being leaked should a ransom not be paid. Or they will seize operation of that computer network and not provide access to it until a ransom is paid.

This organisation and many across the world know that attacking critical infrastructure such as pipelines is a way of making a quick buck. We in Australia are not immune to such coercions. As an island nation reliant on our critical resources industry and ports of trade, and of course our energy networks, for everything, this is not a threat we can take lightly. The threat of cyberattack and the manipulation of critical infrastructure assets is serious, is massive in scope and is increasing at an unprecedented rate—certainly faster than this government, responsible for myriad digital disasters in recent years, can cope with.

The bill before us today was introduced in December last year. Since that time the PJCIS has been working on its inquiry. We've heard a great deal of feedback that there is a lot more work to do on this suite of legislation, with many stakeholders concerned about the lack of consultation to date. The inquiry of the Parliamentary Joint Committee on Intelligence and Security received around 100 submissions and held numerous hearings of experts and industry professionals. Many companies, industry bodies and trade unions expressed concern with the bill, its consultative development and issues with regulatory impact, particularly the concurrent rules development that occurred throughout the review.

Threats to critical infrastructure are serious. When they happen, we need to act—swiftly. The lack of action and consultation to date makes it clear that we are not at all ready for these sorts of threats. As such, I support the recommendation from the PJCIS to split this bill in order to pass its most urgent parts whilst continuing to refine more-complex elements that at this stage are not fit for purpose. Subsequently, bill No. 1 will deal with the expansion of the 11 sectors that are deemed to be systems of national significance, the additional reporting requirements for cyber incidents and the new government assistance measures. Bill No. 2 can handle the positive security obligations and sector-specific requirements following further consultation with industry.

In this complex threat environment that we currently find ourselves in it is crucial that Australia's highest authority on these issues, the Australian Signals Directorate, is empowered to assist entities in responding to significant cybersecurity incidents in order to secure our nation's critical infrastructure assets. ASD has observed that malicious cyber activity against Australia's national and economic interests is increasing in frequency, scale and sophistication. In 2019-20 there were 2,266 cyber incidents reported to the Australian Cyber Security Centre. Just over a third of all incidents reported to the centre over the past 12 months have been reported by Australia's critical infrastructure sector. This is expected to be just a fraction of the number of cybersecurity incidents affecting critical infrastructure, given the voluntary nature of the reporting.

ASD's knowledge of domestic cybersecurity threats and vulnerabilities relies on the Australian community and industry voluntarily reporting incidents. This voluntary reporting and sharing of information assists ASD with identifying threats and subsequently publishing advice to mitigate those threats to others. That's why, as important as the bill before us today is to ensuring that we have the right legislative mechanisms for action when required, our national digital literacy and institutional knowledge of cybersafety must also be significantly improved as a nation. It's up to each and every Australian, as well, to protect themselves, their families and their businesses online—and, let's face it, we can't now conduct our lives without being online.

The Australian Cyber Security Centre, working within the Australian Signals Directorate, are supporting the government with their cybersecurity strategy, but a strategy has not been released since 2016. The cyberthreat landscape, however, has shifted and evolved dramatically since that time. The magnitude of threats faced by Australian businesses and families has increased. It's up to us all, but especially the government, to be proactive in this space. I believe that kids should be learning how to stay safe online from the moment that they can work out on their own how to watch Bluey on mum and dad's iPad. It's just as important as looking both ways before crossing the road. Cybersecurity education must become the norm early on, from primary school, and in small businesses, large businesses and government departments. It's not just about cybersecurity; it's about cyberliteracy. It's about literacy in cybersecurity requirements and protecting ourselves, our privacy and our information.

A higher number of incident reports to ASD through the provisions proposed in the bill will assist in building improved national situational awareness and allow ASD to identify trends and provide targeted advice to others in order to assist entities with better preparing and protecting their networks and Australia's critical infrastructure. But, with that, each Australian must be educated on what to look for and what to report.

The expansion of the definition of 'critical sectors' in this bill to include the defence industry as one of 11 systems of national significance elevates the importance of having a sovereign, self-sufficient Australian defence industry. Indeed, it begs the question: how was this sector not included before? As retired Air Vice-Marshal John Blackburn AO says about fuel: 'If push comes to shove in a conflict situation, we must not assume that other nations will have the desire or capacity to support our defence assets. As a result, we must be able to scale up, invest in and ensure the security of our Australian defence industry and our sovereign capability to maintain, sustain, repair and upgrade our defensive capabilities and equipment.'

The powers in the bill before us today are last-resort powers, and that is the assurance that both Labor and affected entities wish to confirm. Most organisations affected by this are very willing to work with the Australian Signals Directorate, and the government assistance powers should only be needed in the case of an affected entity being either unwilling or unable to respond appropriately. One would expect that the use of such measures would be uncommon and rare. Should there be an instance where there is disagreement between the affected entity and the ASD on an appropriate course of action to combat a threat, there are safeguards in place that will involve the minister having the final say. As I have said, the initiatives put forward in this bill are important. We must get this right and we must act quickly, but, equally, we must improve the cybersecurity literacy of everyone so we remain resilient as a nation. I commend to the House the components of the bill that should now be proceeded with and I look forward to seeing the results of the work on the remainder as a separate bill.

1:14 pm

Mark Dreyfus (Isaacs, Australian Labor Party, Shadow Attorney General)

My colleagues, in particular the shadow minister for defence, have done a very good job in outlining what the Security Legislation Amendment (Critical Infrastructure) Bill 2020 does and why, subject to passage of the government's amendments, Labor supports it. I would just like to make a few comments about why the Parliamentary Joint Committee on Intelligence and Security, of which I am a member, recommended that the original bill introduced by the government be split in two and that very significant parts of the bill not proceed at all in their current form.

The parts of the bill that the committee found should not proceed in their current form included proposed new positive security obligations for workers and businesses who operate and maintain a vast array of infrastructure assets across Australia. The detail of exactly what those positive security obligations would or could be and who those new obligations would apply to was to be left to regulation. This meant the breadth and potential impact of the legislation was uncertain; but, potentially, the measures proposed by the government would have impacted literally hundreds of thousands of workers and businesses across Australia.

It was both deeply concerning and wholly unsurprising to learn that, despite the impact that these proposed measures could have on the lives and livelihoods of hundreds and thousands of Australian workers, the government did not consult workers or a single trade union prior to the introduction of the critical infrastructure bill and the government barely consulted with industry either. It is quite unusual for the intelligence and security committee to receive submissions from trade unions, but the government's failure to consult with workers or their representatives was drawn to the intelligence and security committee's attention by the ACTU and the Electrical Trades Union of Australia.

This abject failure to consult was not only an insult to Australian workers who would be potentially impacted by the measures in this bill; it was also counterproductive. As the ETU told the intelligence and security committee in one of its three submissions to the committee's inquiry, by failing to consult with the ETU and other unions, the Department of Home Affairs had:

… missed a significant opportunity to gain insights into the security and resilience of critical infrastructure from the perspective of the people who actually build, maintain and operate these assets on a daily basis. In addition, the Department appears to have no visibility of existing provisions in industry, at least as they relate to the industry sectors the ETU is familiar with, and their effectiveness.

The government's failure to consult, coupled with the broad and uncertain nature of the powers it was seeking in the original version of this bill, gave rise to serious and understandable concerns and anxieties on the part of many workers and their representatives. As the ACTU noted about the original version of the bill:

… this proposal could subject nurses, truck drivers, call centre workers, electrical linespersons and even apprentice electricians to the same rules as ASIO officials, subject to the Minister's whims.

…   …   …

Some employers have already flagged to their workers they intend to use the introduction of this legislation to request access to workers' communication and social media and discriminate against employees for their political views, in order to over-zealously comply with rules not yet issued. As union members in public services can attest, political preferences, party membership, membership of a trade union, participation in democratic expressions of protest, social media profiles, internet activity, and psychological medical history are examined in security vetting. Awarding this power to industry or subjecting packaging workers in the food and grocery sector to this process through a Government agency would be a gross overreach.

I'd also like to acknowledge the many businesses and industry groups who also expressed concerns about the breadth and ill-defined nature of many of the powers in the government's original bill, albeit from a different perspective. The concerns of workers' representatives and the concerns of industry were heard loud and clear by Labor and Liberal members of the intelligence and security committee alike, which is why the committee recommended unanimously that the critical infrastructure bill be split into two, with many of the more contentious measures to be reconsidered and redrafted in light of the committee's comments and feedback from key stakeholders.

I would like to thank the government—and I can thank the minister because she's present here in the chamber—for accepting the committee's recommendations, which were a sensible, measured and bipartisan response to an identified need by security agencies on the one hand and, on the other, serious and understandable concerns about the original version of the bill from a range of stakeholders, including the ETU, the ACTU, industry groups and legal experts. With the amendments introduced by the government to implement the intelligence and security committee's recommendations, I commend the bill to the House.

1:19 pm

Karen Andrews (McPherson, Liberal Party, Minister for Home Affairs)

The Morrison government is committed to uplifting the security of critical infrastructure and safeguarding the essential services they provide for all Australians. Recent incidents, such as compromises of the Australian parliamentary network, university networks and key corporate entities, illustrate that threats to the operation of Australia's critical infrastructure assets continue to be significant. The interconnected nature of our critical infrastructure means that a compromise of one essential function can have a domino effect that degrades or disrupts others. The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty as well as to the Australian way of life.

The government has introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 to enhance the security of critical infrastructure in Australia, to build situational awareness and to enable the government to assist industry to effectively prevent, defend against and recover from serious cybersecurity incidents. The measures in this bill are a vital step towards uplifting the security of the critical infrastructure that underpins the delivery of goods and services that are essential to the Australian way of life, our nation's wealth and prosperity and our national security. I would like to thank the Parliamentary Joint Committee on Intelligence and Security for its work on this bill, through its inquiry and recommendations. I also thank members for their contributions and call on them to support this vital bill.

Question agreed to.

Bill read a second time.