House debates
Tuesday, 19 November 2024
Bills
Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading
8:00 pm
Tim Watts (Gellibrand, Australian Labor Party, Assistant Minister for Foreign Affairs) Share this | Link to this | Hansard source
I'm very pleased to take the opportunity to speak on the Cyber Security Bill 2024 today. I first raised the issue of ransomware in this parliament more than seven years ago, in 2017. It has long been an area of interest and concern to me—including during the last parliament, when I was the shadow assistant minister for cybersecurity. I should also acknowledge that it's an area of interest for others here in this chamber today. In that term, I introduced a private member's bill dealing with these issues, the Ransomware Payments Bill 2021, which would have formed a policy foundation for a coordinated government response to the threat of ransomware.
As Assistant Minister for Foreign Affairs, I was pleased to work with the then cybersecurity minister, the member for Hotham, on the international chapter of the 2023-2030 Australian Cyber Security Strategy, launched in November last year. This recognised that the evolving challenges of cyberspace required us to work with our international partners to uphold international law and norms of responsible state behaviour in cyberspace and to impose costs on bad actors that make cyberspace less safe and less secure. The strategy sets out how we will improve cybersecurity, manage cyber-risks and better support Australians and Australian businesses in cyberspace. This includes reinforcing our cyberdefences; strengthening our resilience, or our ability to bounce back from cyber incidents; deterring and responding to malicious actors; and working closely with international partners—reducing the returns to bad actors targeting Australia with cybercrime and increasing the costs to them of targeting our businesses.
This bill delivers on measures promised by our government in that strategy. It takes necessary steps to ensure that Australians and Australian businesses can enjoy the full benefit of the internet, while keeping us safe. There's an urgent need for this bill. The previous government did little to address these threats. When I introduced the private member's bill on ransomware from opposition, the Australian Cyber Security Centre had identified ransomware as the greatest cyberthreat facing Australian business, but the current Leader of the Opposition—the previous home affairs minister and defence minister—has never even used the word 'ransomware' in parliament.
Last year, ransomware was still the most destructive cybercrime threat to Australians, causing up to $3 billion in damages to the Australian economy, and ransomware attacks are only becoming more prevalent in our world. This bill will lay the foundation for a co-ordinated strategy to fight ransomware. It will introduce a mandatory reporting obligation for entities that are affected by a cyber incident, receive a ransomware demand and elect to make a payment or give benefits in response to that demand. This is essential for us to be able to develop a fuller picture of ransomware attacks in Australia and the scale of the threat, enabling a more coordinated government response.
Even prior to this bill, the Albanese Labor government was already taking steps to tackle ransomware. Australia has led the International Counter Ransomware Task Force since January 2023, driving international cooperation on countering ransomware, including through information and intelligence sharing, and facilitating collaboration with law enforcement. We provided an additional $75 million to the AFP to boost the Hack the Hackers program. This is an investment that will equip the police, who are responsible for fighting cybercrime, with the skills and capabilities needed to disrupt these actors and protect the community.
The Australian Federal Police and the Australian Signals Directorate established Operation Aquila in November 2022 to investigate, target and disrupt cybercriminal syndicates. Ransomware threat groups were a priority, and under Operation Aquila the AFP and ASD, with other agencies and international partners, were able to link Mr Aleksandr Ermakov to the breach of the Medibank Private network. Following very substantive efforts across these agencies, in an Australian first, we used Australia's cybersanctions powers on Mr Ermakov for his role in the cyberattack earlier this year.
Our cybersanctions framework was established to deter and frustrate cybercriminals, to impose costs on them for their activities. It enables us to sanction a person or entity in relation to a significant cyberincident with a targeted financial sanction and/or travel ban. This disrupts their ability to conduct their business by limiting their access to the financial system, including crypto exchanges, and their ability to travel overseas. It also reveals their identity and their tradecraft, exposing cybercriminals who trade in anonymity, and makes it more difficult for them to conduct their activities. Frankly, being sanctioned is bad for business. Cybersanctions are now a key tool for us to consider when responding to significant cyberincidents.
I am pleased that since sanctioning Aleksandr Ermakov we have also sanctioned a further four Russian cybercriminals and imposed cybersanctions on three people for their involvement in the Evil Corp cybercrime group: Maksim Viktorovich Yakubets, Igor Olegovich Turashev and Aleksandr Viktorovich Ryzhenkov. They had senior roles in Evil Corp. I called for Mr Yakubets to be sanctioned during debate in this place during the introduction of the Magnitsky legislation in 2021. I said at that time:
… Maksim Yakubets, the leader of the Evil Corp ransomware group in Russia, has been sanctioned by the US government. He drives a fluoro camouflaged Lamborghini with the licence plate 'Thief'. That kind of impunity needs to end.
So it was particularly satisfying to see the Australian government sanction him last month. We have also sanctioned Dmitry Khoroshev for his senior leadership role in the LockBit ransomware group.
We have taken clear steps to deter cybercriminals from targeting Australians. The Australian Cyber Security Centre also provides ransomware guidance to help Australians and businesses protect themselves and respond to ransomware attacks. They are available to provide assistance 24/7. One key piece of advice from the ACSC, and something that I have said here in this place before, is that you should never pay a ransom, ever. Paying a ransom does not guarantee that you will regain access to your information or prevent further disruption. It doesn't guarantee that your data won't be sold or leaked. But it does provide criminal organisations with further resources and incentivises further cybercrime, putting even more Australians at risk.
This is why we need a coordinated approach to tackling ransomware. We need a whole-of-nation effort to improve the government's threat picture to inform additional protections, current incident response procedures and future policy. That is what this bill does. It will not completely solving the ransomware issue. There are no silver bullets here. But it is a critical step. We understand that cybersecurity incidents can be sensitive issues. Targets of cyberattacks may be reluctant to report them. But we need to understand the cyberthreat landscape so the government can more effectively assist organisations with their incident responses as well as providing them with the information they need to protect themselves before these incidents occur.
The reporting of cybersecurity incidents by members of the public and Australian businesses is crucial in this respect. That is why this bill will establish a limited use obligation that will restrict how information provided to us during a cybersecurity incident will be used to give Australians and Australian businesses confidence that the information they provide will be used appropriately. We are committing to protect the information that these businesses and Australians share with government by using and sharing it only with the government agencies and regulators where necessary and only for the purpose of assisting the incident responses. This is because the Albanese Labor government wants to work with you to protect you.
This bill will also establish the power to mandate security standards for smart devices that are internet or network connected. These devices, like smart TVs, smart watches, baby monitors and home assistants, have become integral parts of our everyday lives, and our usage of and reliance on them continues to grow. Indeed, there are estimates that there will be more than 21 billion IoT devices connected to the internet globally by 2030. We want Australians to be confident in the safety of the digital products they buy, but at the moment there aren't any mandated cybersafety standards applied to IoT products. We saw the destructive capability of these IoT products during the Mirai botnet incident some years ago.
So it is essential that the government makes sure that they are safe for Australians.
Australian households and businesses are bearing the financial costs and negative societal effects of persistent and preventable cybersecurity incidents. We want to build trust in digital products so we can live in a country where safe digital products are the norm, and that's what this bill will help to build. The establishment of a cyber incident review board to conduct postincident reviews of significant cybersecurity incidents will help ensure Australia is well placed to better prevent, detect and respond to incidents in the future, and that mechanism will assess what happened in cybersecurity incidents of national importance. It will improve public understanding about what occurred and, by doing so, it should encourage the rest of the community to learn from the incident and uplift all of our cybercapabilities together, proving our national cyber-resilience.
Now, building cyber-resilience is a shared global challenge, and Australia's security and prosperity are linked to our regions, so our efforts do not end at our national borders. Our flagship Cyber and Critical Technology Cooperation Program works across the Indo-Pacific to help countries maximise the opportunities and mitigate the risks related to cyberspace and critical technologies to enhance the resilience of the region. Last year I announced the establishment of the Pacific Cyber Rapid Assistance for Pacific Incidents and Disasters, the RAPID teams, to help respond to cybercrises in the Pacific when Pacific governments request the assistance of the Australian government. It's been a resounding success and warmly welcomed in the region.
In many respects Australia is already a leader in cybersecurity, but this bill will ensure that Australia has a world-leading, robust cybersecurity regime going forward. The time to act is now, and I commend this bill to the House.
8:11 pm
Andrew Wallace (Fisher, Liberal National Party) Share this | Link to this | Hansard source
I rise to speak on the Cybersecurity Bill 2024 and related bills, which I spoke about only yesterday in tabling the report. After World War II began, Hitler's propaganda chief, Joseph Goebbels, said of the Allies:
They left us alone and let us slip through the risky zone, and we were able to sail around all dangerous reefs. And when we were done, and well armed, better than they, then they started the war!
Today, stretching from the Baltic Sea to the Korean Peninsula, once again a dark alliance of great powers has festered, working for many years to dismantle the global rules based order and, with it, Australia's democracy.
'Foreign interference corrodes our democracy, sovereignty, economy and community,' as Mike Burgess, the Director-General of Security, put so well in his annual threat assessment in February. As deputy chair of the Parliamentary Joint Committee on Intelligence and Security, I know how deeply our competitors seek to embed themselves in our democracy, and one of their greatest tools is the mobilisation of cybercapabilities. Australian families and businesses know how dangerous a cyber incident can be. We all remember the Cambridge Analytica incident from January to June 2024 alone. The Office of the Australian Information Commissioner saw 527 more notifications of cyberbreaches, impacting thousands of Australians. A third of these were what we call phishing attempt, a quarter were ransomware attacks and a fifth of these were brute-force hacking or malware attacks.
While most incidents don't make the front-page news, Australians will recall a number of recent incidents. We saw the Medibank and AHM cyber incidents, which resulted in Australians' sensitive health and identifying information being leaked. This large-scale attack was one in a recent string of large-scale attacks hitting Optus and Latitude Finance. The ProctorU remote education service was hacked, with 444,000 people's data linked to the dark web. The Australian National University in 2018 fell victim to a sophisticated attack which impacted thousands of students, accessing data that was nearly 20 years old.
In 2019 our very own parliament was hacked. The then head of the Australian Signals Directorate, or ASD, Mike Burgess, confirmed that cybercriminals using phishing methods sought to gain entry into the government's network, admitting that a small amount of data was taken. Thank God for parliament's cybersecurity unit—no sensitive data was accessed.
Australians from all walks of life know that cyberinsecurity puts lives and livelihoods at risk. Stephane Nappo from CISO said:
It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.
The impact of cyberinsecurity can be devastating, and Australian small and family businesses know this to be true as well. A former member of the US Homeland Security Council, Ted Schlein, said:
… there are only two kinds of companies in the world, those who have been breached and know it and those that have been breached and don't know it.
Sole proprietors, subcontractors, family restaurants, vendors, digital agencies and doctors' clinics all have access to sensitive financial, personal and legal data. And data is the treasure which digital pirates seek to loot.
At this point I want to acknowledge the great work of an organisation called IDCARE, which is based in my electorate. IDCARE is a not-for-profit organisation that does tremendous work across Australia, helping tens of thousands of people a year when they have had their digital identities stolen or corrupted. I want to send a shout-out to Dave Lacey and his team at IDCARE and encourage people that, if they have been hacked, if their data has been stolen, if their identity has been stolen, they shouldn't waste any time; they should get on the phone to IDCARE and get some help as soon as they possibly can.
This legislation is so very important. The three bills we're debating are designed to mandate minimum cybersecurity standards for smart devices; to introduce mandatory ransomware reporting for certain businesses to report ransom payments; to introduce limited-use obligations for the National Cyber Security Coordinator and the Australian Signals Directorate, or ASD; to establish a cyber incident review board and clarify, simplify, streamline, and align existing obligations, regulations and government assistance measures.
Once again, this important legislation to bolster Australia's national security comes on the back of the hard work and advocacy of the coalition. Yet again we are leading the government from opposition when it comes to keeping Australians safe. We put legislation on the table for ransomware action on more than one occasion. Labor obfuscated, dithered and delayed before finally relenting, just like they did on social media reform. The issues in this bill are no different. In the Cyber Security Bill 2024, the proposed mandatory standards for smart devices are welcome, but they are long overdue. This proposal was first canvassed by the former coalition government in our 2021 cybersecurity strategy discussion paper. The same can be said about limited-use obligations. The coalition first called for legislated limited-use obligations on 22 March 2023.
We called for the construction of a cyber incident review board, identifying that our country needed a mechanism to conduct objective investigations following significant cyber incidents. In line with recommendation 5 of the PJCIS report, the coalition is committed to seeing members of the Cyber Incident Review Board drawn from industry, academia and the Public Service. As the PJCIS outlined in our report tabled just yesterday:
While it is appropriate for senior public servants—including representatives of relevant statutory agencies such as ASD—to be included on the CIRB and in the exercise of its powers, the Committee has heard from some of a desire to also include representatives external to government.
Coalition members expect that the government will, along with addressing the remainder of the 13 recommendations of the PJCIS, take action accordingly to address our concerns and the concerns raised by small businesses and Australia's higher education sector. It is action that Australians and their businesses expect on matters as important as these. If this careless Labor government had moved more quickly with these reforms, it may have gone some way to boosting the willingness of businesses to share information with ASD in a timely and meaningful way.
The consultation process that preceded this legislation proves that the small business community and private sector are beginning to understand their role and responsibilities, as well as the threats and opportunities, when it comes to Australia's national security. What this process shows is that industry is ready to engage with the government and this parliament in developing policy, building capacity and responding to Australia's security threats. It's clear to me that the Australian business community is well and truly ready to contribute to the development of a national security strategy.
While I am pleased to see the government getting on board with the coalition's groundbreaking work to bolster Australia's cybersecurity, more must be done. We can't keep patching up our national security framework with quick fixes, bumper-sticker announcements and piecemeal bills. Cybersecurity, foreign interference, bribery, money laundering, border security and immigration, military secrets, scam prevention and social media reform are all important areas of legislation which the parliament has considered over the last few years, a number of them spearheaded by the coalition. But it's time to look at the bigger picture and begin developing and implementing a comprehensive national security strategy which is responsive, forward thinking and meaningful—not just a bandaid fix. Security should be built in, not a bolt-on in response to some media coverage or public incident. It's time for an integrated strategy that would engage Australian industry, academia, the community and all governments in developing a comprehensive plan to bolster Australia's self-reliance, sovereignty and security. Our AUKUS partners have implemented their own national security strategies, while our government has cut back on border security, crippled the space and defence industry, and dithered and delayed on cybersecurity.
Once again, I want to pay tribute to the late, great Jim Molan AO DSC, former senator and major-general, whose fierce advocacy for a grand national security strategy continues to inspire so many, including me. We can talk all we want about a defence strategy, a defence industry plan, a cybersecurity strategy or a ransomware action plan, but to what end? As Jim Molan said:
How can there be a defence strategy without an overarching and comprehensive national security strategy? What good is it to have a brilliant defence strategy without national liquid fuel, industry, pharma, science and technology, manpower, diplomacy and stocking policies …
We learnt during COVID that Australia is behind the eight ball when it comes to global supply of essential goods and services. Medicines and medical equipment; veterinary medicine for livestock; fuel for transport; manufacturing; power; defence; food and primary produce; space defence; biosecurity; market stability; cybersecurity; and land, sea and air defence are all important components of Australia's integrated national security. It's time that we addressed them as a whole and not in part, not in a piecemeal fashion.
I would like to take this opportunity to commend my colleagues in the PJCIS. I have served on many, many committees in this place.
I've chaired many of them and I've deputy-chaired many of them, and I can honestly say that the PJCIS has the highest workload of any committee that I have ever served on. It is not unusual for the PJCIS to be working on 14 inquiries at any one point in time.
I want to extend a shout-out to the former chair, the member for Wills. I said this yesterday and I'll say it again: the member for Wills is a good man who believes in the importance of the security of this nation. I think the member for Wills has been through a rough trot in recent times, and I wish him the best in his new role. I also want to give a shout-out to the new chair, Senator Raff Ciccone, who has already demonstrated a terrific grasp on the issues that we deal with in this committee. I look forward to working with him, as I do with all members of the committee.
The PJCIS is too important a committee to get bogged down in petty politics. There is no greater obligation on any member who serves in this place than to keep Australians safe. The PJCIS is really at the tip of that spear in ensuring that our security and intelligence agencies do what they say they're going to do and act in accordance with the law, and I'm very proud to be a part of it.
I thank Australian industry for their ongoing vigilance when it comes to cybersecurity, although there's much more work to be done. I call on this government to take seriously its responsibility to protect Australians and secure our future. It's well over time to introduce a comprehensive integrated national security strategy. Now let's just get it done.
8:26 pm
Andrew Charlton (Parramatta, Australian Labor Party) Share this | Link to this | Hansard source
In July this year I was given the honour of being appointed the Special Envoy for Cyber Security and Digital Resilience by the Prime Minister. In this role I've had the opportunity to speak with dozens of stakeholders—from micro tech startups to multinational corporations, from sole operators to ASX 200 companies, from individual victims of cybercrime to international government counterparts. What I've learnt from these discussions is that cybersecurity is a critical issue that needs to be addressed at different scales with different groups and at different levels of technicality. Unlike other national security issues, the uplift of Australia's cybersecurity is a team sport. It cannot be done by government alone. It requires an interconnected and engaged group of stakeholders from across public and private sectors, working together towards the common goal of ensuring that Australian citizens and businesses can live, work and learn safely and securely online.
The legislative reforms that we're debating today take some key steps towards a digitally secure and safe future. It's another significant reform that this government is bringing forward to unlock the gains that the digital economy can provide for all Australians, following work across government, such as the Attorney-General's privacy reforms, the Treasury's anti-scam reforms and the communications portfolio's misinformation and disinformation reforms. This package includes our nation's first cybersecurity act, which, together with reforms to the Intelligence Services Act, contains four critically important measures.
First, the bill will create a framework for setting mandatory security standards for smart devices. At the end of 2023 there were 109 million smart devices in Australia, there being at least one device in 73 per cent of Australian homes. By the end of 2027, there are likely to be 353 million devices in Australia, worth over $2.1 billion to the Australian economy. The Cyber Security Bill will create a framework by which any smart device sold in Australia will meet three security requirements. Firstly, each device will be sold with its own unique password, ensuring that a widescale cyberattack cannot be perpetrated on the owners of a particular piece of technology.
Secondly, each device will have fault-reporting capabilities so that manufacturers have the information needed to remedy and identify vulnerabilities. Thirdly, each device will come with the information the purchaser needs to know about regularly updating the software in their device, so that any cyber vulnerabilities in software are removed as soon as possible. These critical changes will create a baseline of cybersecurity standards across Australia's smart device market, making our everyday lives safer and more secure.
Second, the cybersecurity bill creates a requirement for businesses above a prescribed level of annual turnover to report ransomware payments to government. Ransomware remains one of the most destructive types of cybercrime in Australia, with the capacity to cripple digital infrastructure through the encryption of devices, files and folders, rendering essential computer systems inaccessible or inoperable.
This reform is not the government stepping back from its advice that a ransom should never be paid. That is still our advice. Ransoms fund further criminal activity, and there is no guarantee that, if you pay a ransom, your network or information will be handed back. In fact, for many businesses, if they pay a ransom they're giving a signal to the market of their willingness to pay, putting themselves at risk of further and subsequent attacks. Instead, what the government is saying with this requirement is that we want to make sure we have a full picture of the ransomware threat in Australia.
There has been some public commentary that this reporting obligation will create unnecessary stress for small businesses that may be captured under the $3 million annual threshold, but the 72-hour timeframe for making a report only starts from the time that that ransom is paid, which may be some time after the incident itself occurs, and it will only be enforced in cases of egregious noncompliance. The penalty for noncompliance is not a punitive measure for acts done in good faith, as the bill clearly outlines.
Whilst those on the other side think that we should just be slapping an economy-wide ban on making any ransomware payment, the Albanese government wants to build an evidence base upon which a decision can be made. Having a thorough understanding of ransomware payments in Australia allows the Australian government to build a tailored package of assistance and guidance for victims, to assist in law enforcement and the disruption of threat activities, and, in future, to have the data to make an evidence based decision on whether a ransomware ban is suitable for Australia. This is evidence based policy, not shooting from the hip.
The third measure in the cybersecurity bill and in the amendments to the Intelligence Services Act will create a limited-use obligation whereby certain information provided by victims of a cyberattack to the National Cyber Security Coordinator and her office, or to officers from the Australian Signals Directorate, will not be able to be used for other purposes. This is incredibly important. The purpose of this limitation is to safeguard in the early stages of an incident, where information is being generated in real time and is unable to be verified. The Cyber Security Coordinator is responsible for leading whole-of-government coordination in response to significant cybersecurity incidents. Lieutenant General Michelle McGuinness is responsible for providing advice to the Minister for Cyber Security and other elected representatives that they need to direct government activities in response to a large-scale cyber incident. The coordinator and staff from her office need to receive contemporaneous information about an incident in order to perform this vital role.
In addition, ASD have the significant technical expertise to assist Australian businesses to respond to a cyberattack. They are the cyber firefighters, who need to receive technical information in real time to address an attack. That is why this piece of legislation is so important, because recent experience is that victims of a cyber attack have been hesitant to provide this vital information because of the risk of that information being lawfully provided by ASD to other Australian government regulators such as ASIC, OAIC and APRA and used against them. Government receives incident reports from a company's general counsel, when they really need to have a direct dialogue with the chief information security officer on technical details to best employ their assistance and expertise.
These limited-use provisions will create a limitation on how information provided to the Cyber Security Coordinator or to ASD will be able to be shared, by creating requirements for these officials not to share the information except in specific and prescribed circumstances.
It doesn't mean that regulators with cybersecurity requirements to enforce are excluded from ever receiving that information, but it does mean that the OAIC, ASIC, APRA and numerous other government regulators will only be able to receive information for their regulatory purposes from the entity under their existing powers. Limited use will enable the cyber coordinator to receive the real-time information necessary to provide government support in a time of crisis. It means that ASD, our cyber firefighters, can receive the information they need in a timely way to help put out a cyber incident.
The final measure in the Cyber Security Bill 2024 is to legislate the Cyber Incident Review Board, which will conduct postincident reviews of nationally significant cyber incidents. The board will conduct inquiries and make reports to industry and government on a no-fault basis to improve Australia's collective cybersecurity outcomes. The board will operate independent from government and have the capacity to conduct reviews on its own motion, on referral from the minister or from the cyber coordinator, or at the request of the victim of a cyber attack. It will have suitable powers to require the production of information, but information provided to the board will not be admissible in civil or criminal proceedings against the entity. Whilst reviews of previous cyber incidents can and have been conducted under government executive powers, legislating this board will create clear duties and obligations about the conduct of reviews and the treatment of information provided or generated in the course of a review. It promotes transparency of this important function and will provide public advice about an incident, with the aim of providing collective cybersecurity practices for all Australians.
This package of legislative reforms also builds on Australia's world-leading critical infrastructure security regulatory system, making three critical improvements identified as part of the government's Australian Cyber Security Strategy. This strategy's aim is to make Australia a world leader in cybersecurity by the end of 2030. The first measure expressly includes business-critical data as part of a critical infrastructure asset under the Security of Critical Infrastructure Act, the SOCI Act. As the customers and clients of Optus, Medibank and Latitude Financial, amongst numerous others, are now all too aware, the security of information that our critical infrastructure organisations collect and store to operate in our economy is just as important as keeping the lights on. It is just as important for the security requirements under the SOCI Act to apply in respect of business-critical data that our critical infrastructure assets hold to conduct their businesses not just in relation to the goods and services that they provide.
Let's take the water services sector as an example. The current SOCI Act would apply to a critical water asset—a water or sewerage system delivering services to at least 100,000 connections. Requirements have been applied to critical water assets under the SOCI Act to ensure that the physical, personnel, cyber and information risks associated with these assets are managed appropriately. What this amendment will do is ensure that business-critical data that a critical water asset operator holds to provide water and sewerage services, whether that be sensitive operational plans or customer information, is captured as part of these requirements. And when we're talking about better securing digital data, we're talking about meeting and, hopefully, exceeding cybersecurity requirements.
This bill also makes important reforms to clarify the security regulation of critical telecommunication assets—some of the most important assets to the way we live, learn and work online. The previous government did not sort through the patchwork of legislative requirements under the SOCI Act and the Telecommunications Act, which resulted in recommendations from the Parliamentary Joint Committee on Intelligence and Security directing government to do this. Their failure to act has created unnecessary ambiguity for industry and has limited the ability to ensure compliance. What the Albanese government is doing, after conducting a thorough and inclusive co-design process with industry and customer advocates, is creating a clear path forward to ensure our telecommunications networks remain secure without regulatory duplication, and we've clearly articulated the security requirements for our telcos and carriage service providers.
Finally, the SOCI Act reforms expand the scope of some, but not all, of the powers known as the government assistance measures. As currently enacted, those powers enable the government to work with industry to respond directly to a serious cybersecurity incident. What recent cybersecurity incidents have taught us is that government assistance to industry is not just necessary to respond to an incident. Assistance is also required to manage the consequences coming from an incident. Cyber vulnerabilities can often be detected and removed quickly, but the impacts of unauthorised access to systems and data may need to be managed for some time afterwards.
What I've heard from consultations with cybersecurity professionals, data centre providers and government officials is that a cybersecurity incident of significant national impact to Australia is not just probable; it's inevitable. The United States had the Colonial Pipeline incident in 2021, leading to large-scale petrol shortages on the east coast over six days, creating significant economic, social and personal impact. Over half of the UK's National Health Service was brought to its knees in the 2017 WannaCry ransomware attack. Patient records could not be accessed for several days, resulting in delayed surgeries and ward closures. Ukraine has experienced wave after wave of cyberattacks—switching off its power grid in the middle of the 2017 winter, leaving thousands of Ukrainians in the cold—as well as a number of subsequent attacks associated with its war with Russia.
Australia is not immune from these types of attacks and incidents in the future. In fact, we've already had large-scale data spills, such as Optus and Medibank Private, that have had a significant impact on Australians. While none of those incidents created the significant widespread economic and social impacts that have been experienced elsewhere, I want to make sure the Australian government can ably assist our critical infrastructure to respond to an incident of this scale, whether it be to stop the incident from occurring or to make sure that the consequences of the incident can be managed appropriately.
This is a package of key reforms necessary to support the continued uplift of Australia's collective cybersecurity. I want Australian citizens and businesses to be best placed to take every opportunity in the digital economy, something that cannot occur without being safe and secure online. I commend these bills to the Chamber.
8:42 pm
Michael McCormack (Riverina, National Party, Shadow Minister for International Development and the Pacific) Share this | Link to this | Hansard source
If ever we had cause for alarm over cybersecurity, it was just the other day—5 November, in fact—when the Guardian published an article headed 'Is your air fryer spying on you? Concerns over "excessive" surveillance in smart devices'. The article, penned by UK Technology Editor Robert Booth, said:
Air fryers that gather your personal data and audio speakers "stuffed with trackers" are among examples of smart devices engaged in "excessive" surveillance, according to the consumer group Which?
According to the article:
The organisation tested three air fryers, increasingly a staple of British kitchens, each of which requested permission to record audio on the user's phone through a connected app.
The piece went on:
Smart air fryers allow cooks to schedule their meal to start cooking before they get home.
In this day and age of limited time and people very busy in their lives, it's a great idea. It's smart. It's the use of technology to meet a busy schedule.
Not all air fryers—
the Guardian said—
have such functionality but those that do often use an app installed on a smart phone.
Which? found the app provided by the company Xiaomi connected to trackers for Facebook and a TikTok ad network.
I'll digress a little. We've been told of the dangers of using TikTok, and, for any member of parliament who does use TikTok—I appreciate that it's a way of getting through to the younger generation—it is an absolute folly. Your information will be collected and sent where you don't need or want it to be.
The piece continues:
The Xiaomi fryer and another by Aigostar sent people's personal data to servers in China, although this was flagged in the privacy notice, the consumer testing body found.
I would defy that too many people actually read the fine print. If you are like me, once you get a device, you open the packaging and—as many blokes do—the last thing you have a look at are the instructions of how to put it together. You just put it together as best you can and plug it in the wall and hope that it works.
The article said:
Its tests also examined smartwatches that it said required 'risky' phone permissions—in other words giving invasive access to the consumer's phone through location tracking, audio recording and accessing stored files.
We know that so much of our information is collected. We know that so much of that data is stored. What we don't know is who is doing it and why and what they are going to use it for in the future.
I well recall, when I was second in charge of the National Security Committee—and I'm not giving away state secrets—some of the hacks that came across the table. Indeed, very sophisticated players from certain very large countries were able to infiltrate local councils, large and small, and businesses, large and small, in Australia. This is of great concern. We should be very worried, getting very prepared and making sure that we are doing everything we can to solidify our cybersecurity. In this day and age, the hackers, those players who would otherwise part our money and us, are getting better at what they do. Being able to be tracked and followed on everything that you do online through our cooking now is, indeed, a worry.
The article said:
In a response to Which?, Xiaom said respecting user privacy was among its core values and it adhered to UK data protection laws.
Ha! Yeah, right! It claimed it didn't sell any information to third parties, but that just beggars belief. Why would a company need to store data on an air fryer? Maybe to find out whether you are frying chips or vegetables or what, perhaps, you are cooking. No. You can't be that gullible. We can't be having these sorts of devices. If you've got one of those, you are being tracked. We know that. We appreciate that. People should do everything they can to ensure that they are not scammed.
I had the member for Whitlam, the minister responsible for scams, do a forum in my electorate. It was a very good thing. A lot of older people attended that. They are all too often overrepresented in the statistics of those people who have had money taken through nefarious ways and means. I was appreciative of the minister coming to Wagga Wagga to share his views and what the government is doing. The government can always do more. I appreciate that. Never before in history has cybersecurity been so important. Wherever you are and whatever you are doing, you are likely to be in the vicinity of a smart device with connectivity to the internet. It is not just computers and smartphones; we have smart TVs, smart fridges, smart lights, smart cameras and so much more. Indeed, a growing number of devices in homes are connected to the internet, including camera enabled doorbells and, as I mentioned, smart TVs. It's remarkable progress. Who would have thought 20 years ago that technology would become as prevalent and perhaps as invasive as it is today? Indeed, iPhones really only go back to 2008. Remember the bricks that some people used to carry around that used to be mobile phone technology? You may all be familiar with Apple, Siri, Amazon's Alexa and Google Assistant. They're always listening in in case you ever have a question to ask.
If you talk about a product or a topic, only to see advertisements then popping up on your internet feed as though somebody, somewhere, somehow, someway was listening in, of course, they are. We know that for a fact. Every time you use something connected to the internet, your data is being collected, it's being tracked and it's being used—and it's not always by people you should or could trust. Sometimes it's for good, to improve efficiency and the relevance of search results. Yes, that's correct. But every time this data is collected about you, it can be used for nefarious causes—particularly when data breaches occur and your data gets into the wrong hands.
By 2025, cybercrime is estimated to cost the world $10.5 trillion. In Australia, as of 2021, the University of New South Wales estimate cybercrime cost $42 billion—that's $42,000 million—to the Australian economy. That's almost equivalent to expenditure in many, many portfolios—including Defence. This is deeply concerning. It's cause for urgent action. That is why the coalition does support the policy intent of this package of bills.
I note these bills will give the Minister for Home Affairs the power to make mandatory security standards for smart devices. This is important. This is vital. If our air fryers can be spying on us, who knows what else is? Who would know? This is something the government must have at the forefront of its operations. People's security is absolutely the No. 1 priority for government. How many cameras, drones and other devices do government departments use that are manufactured in China? It would be a fascinating answer. Who knows how much confidential data is being collected by foreign actors, foreign players? The Cyber Security Bill 2024 will also empower the secretary of the Department of Home Affairs to issue compliance, stop and recall notices in order to enforce the mandatory security standards regime—not such a bad thing. This is a good start to improve the security of our devices.
Even properly-managed data can be breached by bad actors. That's why it's important that the government, via the Australian Signals Directorate, is informed of entities that have been subject to a cyberincident. This bill will ensure that entities with more than $3 million in annual turnover report cyberincidents to the ASD if they've made a ransomware payment or given any other benefit in connection to such an incident. The $3 million cap prevents excessive regulation on small businesses, but it does ensure that larger businesses are more likely to store your data and have the economic capacity to adhere to these regulations. That's something that perhaps needs looking at.
Naturally, some entities may be hesitant to report and provide data to the government for fear of adverse consequences. That's why this package establishes a limited use obligation which restricts how much information provided to the National Cyber Security Coordinator can be used or shared with other government entities. Further, this obligation will also be imposed on the ASD, which will be prevented from communicating such data for the purposes of investigating or enforcing a contravention of a Commonwealth, state or territory law other than a criminal offence against the entity subject to the cyberincident. This ensures reports and data supplied are full, honest, accurate and transparent, enabling the ASD to do its job properly, rather than struggling to obtain accurate data from entities fearful of ancillary consequences.
I have to say that we are fortunate in this country to have people who are very qualified in the space of cybersecurity. I know when the 2016 census went a little awry, Alastair MacGibbon played a very strong and powerful role. I know the role that the ASD played. I know just how important this is. We are very lucky that this nation has people in the Public Service and elsewhere who do their utmost to ensure that the bad guys don't win. As we move into an ever-more digitally connected future, it becomes ever-more imperative to enact the regulations and frameworks necessary to combat the established and emerging threats of cybercrime.
As of 2023, the Australian Trade and Investment Commission reported Australia's tech industry to be worth $167 billion. That's grown by 80 per cent in five years. Its growing at an exponentially fast rate. It is huge. It's also estimated to constitute $250 billion of our gross domestic product by 2030.
It's clear Australia must entrench its place on the world stage as a nation which is proactive and a world leader in cybersafety when it comes to digital technology, and I would like to think that, whichever party or parties occupy the government benches in Australia, the same priority and the same importance is placed on cybersecurity. I know that the government come to this place and space with good intent, and I encourage them and acknowledge them for that. It's very clear that Australia is targeted all too often by people and nations that want to do us harm. But this bill and other measures will ensure business has the confidence to continue to invest and grow.
I have to say I well remember that, when I was in government and was on the National Security Committee of cabinet, we made the rather controversial decision at the time to not allow Huawei to have the reach that they wanted in Australia, even though they were making big inroads. They were sponsoring the Canberra Raiders National Rugby League team. But why would we want to have a foreign entity with the capability to do what they could? We can't have our traffic lights and our hospital power systems operated by international players. Whilst I know it was a controversial decision at the time, it was the right course of action to take.
It's not just the tech sector that these regulations are relevant to; it's almost every business sector. Like a great octopus, players who want to and feel the need to can reach in and take anyone's money, and no-one is safe. Every business has a website these days. Nearly everybody shops online these days. More and more people are banking online as well. It is our duty, and it is the government's role, to ensure ordinary Australians are protected to the best of Australia's ability and the best of the government's ability. We must protect not just Australians but industry from cybercrime. That should be the ultimate goal: to keep Australians safe. I appreciate that that's what the government are endeavouring to do, and they have the coalition's support in just that.
Question agreed to.
Bill read a second time.
Message from the Governor-General recommending appropriation announced.