House debates

Monday, 18 November 2024

Bills

Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading

6:36 pm

Michelle Landry (Capricornia, National Party, Shadow Assistant Minister for Manufacturing)

The coalition supports the policy intent of the bills, the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. As cyber threats continually evolve and the strategic environment continues to deteriorate, urgent action is required to uplift Australia's national cyber resilience.

The reforms introduced by this package of legislation represent a logical extension of the world-leading approach taken by the former coalition government, who architected the security-of-critical-infrastructure regime and authored successive national cybersecurity strategies in 2016 and 2020. However, we continue to hold significant concerns, as do many interested stakeholders, about the government's rushed process and limited time for parliamentary scrutiny, which increases the risk of overlooking unintended consequences and drafting errors in the legislation.

The former coalition government introduced the Security of Critical Infrastructure Act 2018, which outlined the legal obligations for entities that own, operate or have direct interests in critical infrastructure assets and included government assistance powers for serious cybersecurity threats or attacks. The former coalition government amended the SOCI Act in 2021 and again in 2022 to enhance security obligations for critical infrastructure assets and systems of national significance, including by introducing mandatory risk management programs for certain assets.

In the wake of the Optus and Medibank cyber incidents in 2022, the former Minister for Home Affairs and Minister for Cyber Security, Clare O'Neil, trashed the SOCI Act:

That law was bloody useless, not worth the ink printed on the paper when it came to actually using it in a cyber incident. It was poorly drafted.

On a separate occasion she praised the SOCI reforms, saying, 'If you look at the work that was done on the Security of Critical Infrastructure Act in the last parliament, when I describe that law to politicians around the world their mouths are open, thinking, "How can we construct something similar in our country?"'

It is somewhat ironic that the backbone of Labor's much-touted cyber legislation is a modest and logical extension of the SOCI reforms introduced by the previous government. Clare O'Neil's desperation to politicise what should be bipartisan national security policy is emblematic of Labor's chaotic approach to national security writ large. It is good to see the government has finally seen reason as to the merits of the coalition's world-leading SOCI reforms to the point that it has decided to double down on our approach, and we welcome the measures in the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. We welcome the limited-use provisions in the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, the ISA bill, which will provide assurance to entities that the information they disclose to government about cyber incidents will not be used against entities' interests in the future.

The former director-general of the Australian Security Directorate, Ms Rachel Noble, publicly endorsed this concept in November 2022:

Speaking purely from ASD's perspective, I think the safe harbour concept is a most excellent idea because, to your point, where there is ambiguity—if I'm dealing with a government, do you hand that information to other government departments or don't you? How can I be sure that that won't occur without my permission and so forth?

So from an operational perspective, in the heat of the incident, if you will, when we're still trying to pull people out of the water and into the lifeboats, to have that absolute confidence for the private sector, that at the very least their operational engagement with ASD would be exempted from the inquiry of others, whether they are other government agencies or other people scrutinising the process, like we've seen in class action lawsuits, for example, that is very attractive to us as well.

Senator Paterson first called for a legislated limited-use obligation on 22 March 2023. I note that, if the Australian government had moved more quickly with this reform, it may have gone some way to address the declining willingness from industry to share information with ASD in a timely way, which we have witnessed in the intervening years.

The proposed mandatory standards for smart devices in the Cyber Security Bill 2024 are welcome and long overdue. This proposal was first canvassed by the former coalition government in the discussion paper, 'Strengthening Australia's cyber security regulations and incentives: an initiative of Australia's cyber security strategy 2020', released on 13 July 2021.

The need for these reports has become more acute in recent years, as we have learned more about the national security risks of internet-connected devices through successive audits, which revealed hundreds of Chinese-manufactured cameras, drones and internet-connected solar inverters in use across Commonwealth government sites. The Commonwealth government has had ample time to develop and refine this proposal, and we welcome this work finally coming to fruition.

The coalition welcomes the introduction of the legislated Cyber Incident Review Board, the CIRB. Senator Paterson originally called for this construct on 19 November 2023, noting the need for a mechanism to conduct dispassionate, objective investigations following significant cyber incidents, for the collective benefit of organisations who may be able to benefit from the lessons learned. This came after the US government announced the establishment of the Cyber Safety Review Board in 2021. Had the Australian government acted sooner to establish a construct here, it may have assisted post-incident investigations into significant incidents such as the MediSecure data breach and the CrowdStrike outage, which both occurred earlier this year.

Nevertheless, the coalition welcomes the establishment of the CIRB—however belated—noting the clarification provided during the Parliamentary Joint Committee on Intelligence and Security inquiry that standing members of the Cyber Incident Review Board do not necessarily need to be members of the public service, which will provide flexibility to include representatives external to government if the minister deems it appropriate.

While the coalition supports the policy intent of the bills, we continue to hold significant concerns about the Albanese Labor government's rushed process and limited time for parliamentary scrutiny, which increases the risk of overlooking unintended consequences and drafting errors in the legislation. The former Minister for Home Affairs and former Minister for Cyber Security, the Hon. Clare O'Neil MP, originally announced the development of the 2023-2030 Australian Cyber Security Strategy on 8 December 2022. The cyber strategy was released on 22 November 2023 and, on 19 December 2023, the Department of Home Affairs released a consultation paper on legislated reforms arising from the cyber strategy, which informed the current bills.

The Department of Home Affairs consulted on a targeted exposure draft of the proposed legislation reform package between 4 and 11 September 2024. The government introduced the bills into the House on 9 October 2024 and referred the package to the PJCIS on the same day, with submissions due by 25 October 2024. This means that stakeholders had only two weeks to make a submission on the bills, and the PJCIS had just over a month to consider and report on the bill.

Given these reforms have been in train for close to two years, it is inexplicable that the government has seen fit to reduce the time for parliamentary scrutiny in its desperation to pass this legislation before the end of the year. Multiple stakeholders shared these concerns during the PJCIS inquiry. The government has shown a flagrant disregard for these concerns, and it remains abundantly clear that the condensed inquiry timeframe is insufficient to properly scrutinise such highly complex and consequential legislation. The PJCIS report canvasses numerous concerns and potential issues already identified through this inquiry. It stands to reason that a more fulsome scrutiny process would reveal even more areas that warrant further consideration. The coalition has repeatedly cautioned against this impetuous approach, and any unintended consequences that arise in the future as a result of this rushed process lie solely with the government.

The coalition supports the policy intent of the legislative package. In the face of a complex and evolving threat environment, the Commonwealth government needs robust leaders to protect Australians from cyberthreats. Industry should also be able to engage quickly and confidently with government in responding to cyber challenges, and we welcome the limited use provisions which will go some way to facilitating this culture of cooperation. The coalition will be supporting these bills without amendment.

This legislative package comprises three bills which seek to implement reforms emerging from the 2023-2030 Australian Cyber Security Strategy. The Cyber Security Bill 2024 has four elements. It introduces a power to make mandatory security standards for smart devices, also known as Internet of Things, or IoT, devices, requiring entities to implement security standards specified by the Minister for Home Affairs. There is an accompanying enforcement and compliance regime which will allow the Secretary of the Department of Home Affairs to issue compliance, stop and recall notices.

It introduces mandatory reporting obligations, requiring entities who are affected by a cyber incident to report to the Australian Signals Directorate if they make a ransomware payment or give other benefits in connection to the cybersecurity incident, enforced by civil penalty provisions. This obligation applies to entities with an annual turnover of more than $3 million—noting this threshold can be altered by the minister—as well as entities responsible for critical minerals that are already subject to mandatory cyber incident reporting under the Security of Critical Infrastructure Act 2018.

It establishes a limited time obligation that restricts how information that is provided to the National Cyber Security Coordinator during a cyber incident can be used and on-shared by other government entities. This also enshrines the cyber coordinator role in legislation and confirms the voluntary basis by which an entity provides information.

It establishes an independent cyber incident review board, with limited information-gathering powers, to conduct no-fault reviews of significant cyber incidents and to compel information from entities involved in a cybersecurity incident under review where voluntary requests for information have been unsuccessful.

The Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 has two schedules. Schedule 1 amends the Intelligence Services Act 2001 to legislate the limited use obligation to protect information voluntarily provided to or acquired or prepared by ASD during an impacted entity's engagement in relation to a cybersecurity incident. This mirrors the equivalent provision for the coordinator enshrined in the Cyber Security Bill and specifies permitted purposes for information sharing. The bill also prevents ASD from communicating limited cybersecurity information for the purposes of investigating or enforcing a contravention of a Commonwealth, state or territory law, other than a criminal offence, against an impacted entity.

The amendments do not impact the reporting and notification requirements of entities under existing legislation to Australian regulatory bodies; preclude other government agencies, including regulators, from seeking or acquiring such information directly from entities under existing information-gathering powers; or provide a shield or safe harbour for entities against legal liability.

Schedule 2 amends the Freedom of Information Act to exempt from FOI requests any information received by the coordinator under the limited use obligation, noting that ASD is already exempt from the FOI Act.

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024, the SOCI bill, has six elements. It expands the definition of 'critical infrastructure assets' to include secondary assets which hold business-critical data and relate to the functioning of the primary asset, to capture data storage systems that could impact the critical infrastructure, and expands SOCI government assistance powers to facilitate the use of a last-resort directions power for the Secretary of the Department of Home Affairs, when authorised by the minister, for the purposes of managing both multi-asset incidents and the consequences of serious incidents which could have, are having or have had a relevant impact on one or more critical infrastructure assets. This facilitates the management of consequences stemming from all-hazards incidents; however, it does not extend powers relating to intervention requests, which remain limited to cyber incidents.

It introduces a revised harms-based definition of 'protected information' under SOCI and clarifies the operation of the secrecy and disclosure provisions, in particular to enable greater intergovernmental sharing of protected information across industry collaboration. It reduces the unnecessary burdens of these provisions on entities in the ordinary conduct of business, and introduces a review-and-remedy directions power for the Secretary of the Department of Home Affairs or the relevant Commonwealth regulator which is exercisable where it has been identified that a critical infrastructure risk management program is seriously deficient. It moves certain security notification obligations under the telecommunications sector security reforms, TSSRs, administered by the Home Affairs portfolio, into the SOCI Act and clarifies and aligns the regulations, including by creating a new part in the SOCI Act for critical telecommunications assets. This includes consequential amendments to the Telecommunications (Interception and Access) Act and other acts. It removes direct interest holders from administrative obligations associated with systems of national significance, SONS, to protect the identity of SONS and reduce the risk of inappropriate information disclosure.

Debate adjourned.