House debates

Tuesday, 19 November 2024

Bills

Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading

8:00 pm

Tim Watts (Gellibrand, Australian Labor Party, Assistant Minister for Foreign Affairs)

I'm very pleased to take the opportunity to speak on the Cyber Security Bill 2024 today. I first raised the issue of ransomware in this parliament more than seven years ago, in 2017. It has long been an area of interest and concern to me—including during the last parliament, when I was the shadow assistant minister for cybersecurity. I should also acknowledge that it's an area of interest for others here in this chamber today. In that term, I introduced a private member's bill dealing with these issues, the Ransomware Payments Bill 2021, which would have formed a policy foundation for a coordinated government response to the threat of ransomware.

As Assistant Minister for Foreign Affairs, I was pleased to work with the then cybersecurity minister, the member for Hotham, on the international chapter of the 2023-2030 Australian Cyber Security Strategy, launched in November last year. This recognised that the evolving challenges of cyberspace required us to work with our international partners to uphold international law and norms of responsible state behaviour in cyberspace and to impose costs on bad actors that make cyberspace less safe and less secure. The strategy sets out how we will improve cybersecurity, manage cyber-risks and better support Australians and Australian businesses in cyberspace. This includes reinforcing our cyberdefences; strengthening our resilience, or our ability to bounce back from cyber incidents; deterring and responding to malicious actors; and working closely with international partners—reducing the returns to bad actors targeting Australia with cybercrime and increasing the costs to them of targeting our businesses.

This bill delivers on measures promised by our government in that strategy. It takes necessary steps to ensure that Australians and Australian businesses can enjoy the full benefit of the internet, while keeping us safe. There's an urgent need for this bill. The previous government did little to address these threats. When I introduced the private member's bill on ransomware from opposition, the Australian Cyber Security Centre had identified ransomware as the greatest cyberthreat facing Australian business, but the current Leader of the Opposition—the previous home affairs minister and defence minister—has never even used the word 'ransomware' in parliament.

Last year, ransomware was still the most destructive cybercrime threat to Australians, causing up to $3 billion in damages to the Australian economy, and ransomware attacks are only becoming more prevalent in our world. This bill will lay the foundation for a co-ordinated strategy to fight ransomware. It will introduce a mandatory reporting obligation for entities that are affected by a cyber incident, receive a ransomware demand and elect to make a payment or give benefits in response to that demand. This is essential for us to be able to develop a fuller picture of ransomware attacks in Australia and the scale of the threat, enabling a more coordinated government response.

Even prior to this bill, the Albanese Labor government was already taking steps to tackle ransomware. Australia has led the International Counter Ransomware Task Force since January 2023, driving international cooperation on countering ransomware, including through information and intelligence sharing, and facilitating collaboration with law enforcement. We provided an additional $75 million to the AFP to boost the Hack the Hackers program. This is an investment that will equip the police, who are responsible for fighting cybercrime, with the skills and capabilities needed to disrupt these actors and protect the community.

The Australian Federal Police and the Australian Signals Directorate established Operation Aquila in November 2022 to investigate, target and disrupt cybercriminal syndicates. Ransomware threat groups were a priority, and under Operation Aquila the AFP and ASD, with other agencies and international partners, were able to link Mr Aleksandr Ermakov to the breach of the Medibank Private network. Following very substantive efforts across these agencies, in an Australian first, we used Australia's cybersanctions powers on Mr Ermakov for his role in the cyberattack earlier this year.

Our cybersanctions framework was established to deter and frustrate cybercriminals, to impose costs on them for their activities. It enables us to sanction a person or entity in relation to a significant cyberincident with a targeted financial sanction and/or travel ban. This disrupts their ability to conduct their business by limiting their access to the financial system, including crypto exchanges, and their ability to travel overseas. It also reveals their identity and their tradecraft, exposing cybercriminals who trade in anonymity, and makes it more difficult for them to conduct their activities. Frankly, being sanctioned is bad for business. Cybersanctions are now a key tool for us to consider when responding to significant cyberincidents.

I am pleased that since sanctioning Aleksandr Ermakov we have also sanctioned a further four Russian cybercriminals and imposed cybersanctions on three people for their involvement in the Evil Corp cybercrime group: Maksim Viktorovich Yakubets, Igor Olegovich Turashev and Aleksandr Viktorovich Ryzhenkov. They had senior roles in Evil Corp. I called for Mr Yakubets to be sanctioned during debate in this place during the introduction of the Magnitsky legislation in 2021. I said at that time:

… Maksim Yakubets, the leader of the Evil Corp ransomware group in Russia, has been sanctioned by the US government. He drives a fluoro camouflaged Lamborghini with the licence plate 'Thief'. That kind of impunity needs to end.

So it was particularly satisfying to see the Australian government sanction him last month. We have also sanctioned Dmitry Khoroshev for his senior leadership role in the LockBit ransomware group.

We have taken clear steps to deter cybercriminals from targeting Australians. The Australian Cyber Security Centre also provides ransomware guidance to help Australians and businesses protect themselves and respond to ransomware attacks. They are available to provide assistance 24/7. One key piece of advice from the ACSC, and something that I have said here in this place before, is that you should never pay a ransom, ever. Paying a ransom does not guarantee that you will regain access to your information or prevent further disruption. It doesn't guarantee that your data won't be sold or leaked. But it does provide criminal organisations with further resources and incentivises further cybercrime, putting even more Australians at risk.

This is why we need a coordinated approach to tackling ransomware. We need a whole-of-nation effort to improve the government's threat picture to inform additional protections, current incident response procedures and future policy. That is what this bill does. It will not completely solve the ransomware issue. There are no silver bullets here. But it is a critical step. We understand that cybersecurity incidents can be sensitive issues. Targets of cyberattacks may be reluctant to report them. But we need to understand the cyberthreat landscape so the government can more effectively assist organisations with their incident responses as well as providing them with the information they need to protect themselves before these incidents occur.

The reporting of cybersecurity incidents by members of the public and Australian businesses is crucial in this respect. That is why this bill will establish a limited use obligation that will restrict how information provided to us during a cybersecurity incident will be used to give Australians and Australian businesses confidence that the information they provide will be used appropriately. We are committing to protect the information that these businesses and Australians share with government by using and sharing it only with the government agencies and regulators where necessary and only for the purpose of assisting the incident responses. This is because the Albanese Labor government wants to work with you to protect you.

This bill will also establish the power to mandate security standards for smart devices that are internet or network connected. These devices, like smart TVs, smart watches, baby monitors and home assistants, have become integral parts of our everyday lives, and our usage of and reliance on them continues to grow. Indeed, there are estimates that there will be more than 21 billion IoT devices connected to the internet globally by 2030. We want Australians to be confident in the safety of the digital products they buy, but at the moment there aren't any mandated cybersafety standards applied to IoT products. We saw the destructive capability of these IoT products during the Mirai botnet incident some years ago.

So it is essential that the government makes sure that they are safe for Australians.

Australian households and businesses are bearing the financial costs and negative societal effects of persistent and preventable cybersecurity incidents. We want to build trust in digital products so we can live in a country where safe digital products are the norm, and that's what this bill will help to build. The establishment of a cyber incident review board to conduct postincident reviews of significant cybersecurity incidents will help ensure Australia is well placed to better prevent, detect and respond to incidents in the future, and that mechanism will assess what happened in cybersecurity incidents of national importance. It will improve public understanding about what occurred and, by doing so, it should encourage the rest of the community to learn from the incident and uplift all of our cybercapabilities together, proving our national cyber-resilience.

Now, building cyber-resilience is a shared global challenge, and Australia's security and prosperity are linked to our regions, so our efforts do not end at our national borders. Our flagship Cyber and Critical Technology Cooperation Program works across the Indo-Pacific to help countries maximise the opportunities and mitigate the risks related to cyberspace and critical technologies to enhance the resilience of the region. Last year I announced the establishment of the Pacific Cyber Rapid Assistance for Pacific Incidents and Disasters, the RAPID teams, to help respond to cybercrises in the Pacific when Pacific governments request the assistance of the Australian government. It's been a resounding success and warmly welcomed in the region.

In many respects Australia is already a leader in cybersecurity, but this bill will ensure that Australia has a world-leading, robust cybersecurity regime going forward. The time to act is now, and I commend this bill to the House.

8:11 pm

Andrew Wallace (Fisher, Liberal National Party)

I rise to speak on the Cybersecurity Bill 2024 and related bills, which I spoke about only yesterday in tabling the report. After World War II began, Hitler's propaganda chief, Joseph Goebbels, said of the Allies:

They left us alone and let us slip through the risky zone, and we were able to sail around all dangerous reefs. And when we were done, and well armed, better than they, then they started the war!

Today, stretching from the Baltic Sea to the Korean Peninsula, once again a dark alliance of great powers has festered, working for many years to dismantle the global rules based order and, with it, Australia's democracy.

'Foreign interference corrodes our democracy, sovereignty, economy and community,' as Mike Burgess, the Director-General of Security, put so well in his annual threat assessment in February. As deputy chair of the Parliamentary Joint Committee on Intelligence and Security, I know how deeply our competitors seek to embed themselves in our democracy, and one of their greatest tools is the mobilisation of cybercapabilities. Australian families and businesses know how dangerous a cyber incident can be. We all remember the Cambridge Analytica incident. From January to June 2024 alone, the Office of the Australian Information Commissioner saw 527 more notifications of cyberbreaches, impacting thousands of Australians. A third of these were what we call phishing attempts, a quarter were ransomware attacks and a fifth of these were brute-force hacking or malware attacks.

While most incidents don't make the front-page news, Australians will recall a number of recent incidents. We saw the Medibank and AHM cyber incidents, which resulted in Australians' sensitive health and identifying information being leaked. This large-scale attack was one in a recent string of large-scale attacks hitting Optus and Latitude Finance. The ProctorU remote education service was hacked, with 444,000 people's data linked to the dark web. The Australian National University in 2018 fell victim to a sophisticated attack which impacted thousands of students, accessing data that was nearly 20 years old.

In 2019 our very own parliament was hacked. The then head of the Australian Signals Directorate, or ASD, Mike Burgess, confirmed that cybercriminals using phishing methods sought to gain entry into the government's network, admitting that a small amount of data was taken. Thank God for parliament's cybersecurity unit—no sensitive data was accessed.

Australians from all walks of life know that cyberinsecurity puts lives and livelihoods at risk. Stephane Nappo from CISO said:

It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.

The impact of cyberinsecurity can be devastating, and Australian small and family businesses know this to be true as well. A former member of the US Homeland Security Council, Ted Schlein, said:

… there are only two kinds of companies in the world, those who have been breached and know it and those that have been breached and don't know it.

Sole proprietors, subcontractors, family restaurants, vendors, digital agencies and doctors' clinics all have access to sensitive financial, personal and legal data. And data is the treasure which digital pirates seek to loot.

At this point I want to acknowledge the great work of an organisation called IDCARE, which is based in my electorate. IDCARE is a not-for-profit organisation that does tremendous work across Australia, helping tens of thousands of people a year when they have had their digital identities stolen or corrupted. I want to send a shout-out to Dave Lacey and his team at IDCARE and encourage people that, if they have been hacked, if their data has been stolen, if their identity has been stolen, they shouldn't waste any time; they should get on the phone to IDCARE and get some help as soon as they possibly can.

This legislation is so very important. The three bills we're debating are designed to mandate minimum cybersecurity standards for smart devices; to introduce mandatory ransomware reporting for certain businesses to report ransom payments; to introduce limited-use obligations for the National Cyber Security Coordinator and the Australian Signals Directorate, or ASD; to establish a cyber incident review board and clarify, simplify, streamline, and align existing obligations, regulations and government assistance measures.

Once again, this important legislation to bolster Australia's national security comes on the back of the hard work and advocacy of the coalition. Yet again we are leading the government from opposition when it comes to keeping Australians safe. We put legislation on the table for ransomware action on more than one occasion. Labor obfuscated, dithered and delayed before finally relenting, just like they did on social media reform. The issues in this bill are no different. In the Cyber Security Bill 2024, the proposed mandatory standards for smart devices are welcome, but they are long overdue. This proposal was first canvassed by the former coalition government in our 2021 cybersecurity strategy discussion paper. The same can be said about limited-use obligations. The coalition first called for legislated limited-use obligations on 22 March 2023.

We called for the construction of a cyber incident review board, identifying that our country needed a mechanism to conduct objective investigations following significant cyber incidents. In line with recommendation 5 of the PJCIS report, the coalition is committed to seeing members of the Cyber Incident Review Board drawn from industry, academia and the Public Service. As the PJCIS outlined in our report tabled just yesterday:

While it is appropriate for senior public servants—including representatives of relevant statutory agencies such as ASD—to be included on the CIRB and in the exercise of its powers, the Committee has heard from some of a desire to also include representatives external to government.

Coalition members expect that the government will, along with addressing the remainder of the 13 recommendations of the PJCIS, take action accordingly to address our concerns and the concerns raised by small businesses and Australia's higher education sector. It is action that Australians and their businesses expect on matters as important as these. If this careless Labor government had moved more quickly with these reforms, it may have gone some way to boosting the willingness of businesses to share information with ASD in a timely and meaningful way.

The consultation process that preceded this legislation proves that the small business community and private sector are beginning to understand their role and responsibilities, as well as the threats and opportunities, when it comes to Australia's national security. What this process shows is that industry is ready to engage with the government and this parliament in developing policy, building capacity and responding to Australia's security threats. It's clear to me that the Australian business community is well and truly ready to contribute to the development of a national security strategy.

While I am pleased to see the government getting on board with the coalition's groundbreaking work to bolster Australia's cybersecurity, more must be done. We can't keep patching up our national security framework with quick fixes, bumper-sticker announcements and piecemeal bills. Cybersecurity, foreign interference, bribery, money laundering, border security and immigration, military secrets, scam prevention and social media reform are all important areas of legislation which the parliament has considered over the last few years, a number of them spearheaded by the coalition. But it's time to look at the bigger picture and begin developing and implementing a comprehensive national security strategy which is responsive, forward thinking and meaningful—not just a bandaid fix. Security should be built in, not a bolt-on in response to some media coverage or public incident. It's time for an integrated strategy that would engage Australian industry, academia, the community and all governments in developing a comprehensive plan to bolster Australia's self-reliance, sovereignty and security. Our AUKUS partners have implemented their own national security strategies, while our government has cut back on border security, crippled the space and defence industry, and dithered and delayed on cybersecurity.

Once again, I want to pay tribute to the late, great Jim Molan AO DSC, former senator and major-general, whose fierce advocacy for a grand national security strategy continues to inspire so many, including me. We can talk all we want about a defence strategy, a defence industry plan, a cybersecurity strategy or a ransomware action plan, but to what end? As Jim Molan said:

How can there be a defence strategy without an overarching and comprehensive national security strategy? What good is it to have a brilliant defence strategy without national liquid fuel, industry, pharma, science and technology, manpower, diplomacy and stocking policies …

We learnt during COVID that Australia is behind the eight ball when it comes to global supply of essential goods and services. Medicines and medical equipment; veterinary medicine for livestock; fuel for transport; manufacturing; power; defence; food and primary produce; space defence; biosecurity; market stability; cybersecurity; and land, sea and air defence are all important components of Australia's integrated national security. It's time that we addressed them as a whole and not in part, not in a piecemeal fashion.

I would like to take this opportunity to commend my colleagues in the PJCIS. I have served on many, many committees in this place.

I've chaired many of them and I've deputy-chaired many of them, and I can honestly say that the PJCIS has the highest workload of any committee that I have ever served on. It is not unusual for the PJCIS to be working on 14 inquiries at any one point in time.

I want to extend a shout-out to the former chair, the member for Wills. I said this yesterday and I'll say it again: the member for Wills is a good man who believes in the importance of the security of this nation. I think the member for Wills has been through a rough trot in recent times, and I wish him the best in his new role. I also want to give a shout-out to the new chair, Senator Raff Ciccone, who has already demonstrated a terrific grasp on the issues that we deal with in this committee. I look forward to working with him, as I do with all members of the committee.

The PJCIS is too important a committee to get bogged down in petty politics. There is no greater obligation on any member who serves in this place than to keep Australians safe. The PJCIS is really at the tip of that spear in ensuring that our security and intelligence agencies do what they say they're going to do and act in accordance with the law, and I'm very proud to be a part of it.

I thank Australian industry for their ongoing vigilance when it comes to cybersecurity, although there's much more work to be done. I call on this government to take seriously its responsibility to protect Australians and secure our future. It's well over time to introduce a comprehensive integrated national security strategy. Now let's just get it done.

8:26 pm

Andrew Charlton (Parramatta, Australian Labor Party)

In July this year I was given the honour of being appointed the Special Envoy for Cyber Security and Digital Resilience by the Prime Minister. In this role I've had the opportunity to speak with dozens of stakeholders—from micro tech startups to multinational corporations, from sole operators to ASX 200 companies, from individual victims of cybercrime to international government counterparts. What I've learnt from these discussions is that cybersecurity is a critical issue that needs to be addressed at different scales with different groups and at different levels of technicality. Unlike other national security issues, the uplift of Australia's cybersecurity is a team sport. It cannot be done by government alone. It requires an interconnected and engaged group of stakeholders from across public and private sectors, working together towards the common goal of ensuring that Australian citizens and businesses can live, work and learn safely and securely online.

The legislative reforms that we're debating today take some key steps towards a digitally secure and safe future. It's another significant reform that this government is bringing forward to unlock the gains that the digital economy can provide for all Australians, following work across government, such as the Attorney-General's privacy reforms, the Treasury's anti-scam reforms and the communications portfolio's misinformation and disinformation reforms. This package includes our nation's first cybersecurity act, which, together with reforms to the Intelligence Services Act, contains four critically important measures.

First, the bill will create a framework for setting mandatory security standards for smart devices. At the end of 2023 there were 109 million smart devices in Australia, there being at least one device in 73 per cent of Australian homes. By the end of 2027, there are likely to be 353 million devices in Australia, worth over $2.1 billion to the Australian economy. The Cyber Security Bill will create a framework by which any smart device sold in Australia will meet three security requirements. Firstly, each device will be sold with its own unique password, ensuring that a widescale cyberattack cannot be perpetrated on the owners of a particular piece of technology.

Secondly, each device will have fault-reporting capabilities so that manufacturers have the information needed to remedy and identify vulnerabilities. Thirdly, each device will come with the information the purchaser needs to know about regularly updating the software in their device, so that any cyber vulnerabilities in software are removed as soon as possible. These critical changes will create a baseline of cybersecurity standards across Australia's smart device market, making our everyday lives safer and more secure.

Second, the cybersecurity bill creates a requirement for businesses above a prescribed level of annual turnover to report ransomware payments to government. Ransomware remains one of the most destructive types of cybercrime in Australia, with the capacity to cripple digital infrastructure through the encryption of devices, files and folders, rendering essential computer systems inaccessible or inoperable.

This reform is not the government stepping back from its advice that a ransom should never be paid. That is still our advice. Ransoms fund further criminal activity, and there is no guarantee that, if you pay a ransom, your network or information will be handed back. In fact, for many businesses, if they pay a ransom they're giving a signal to the market of their willingness to pay, putting themselves at risk of further and subsequent attacks. Instead, what the government is saying with this requirement is that we want to make sure we have a full picture of the ransomware threat in Australia.

There has been some public commentary that this reporting obligation will create unnecessary stress for small businesses that may be captured under the $3 million annual threshold, but the 72-hour timeframe for making a report only starts from the time that that ransom is paid, which may be some time after the incident itself occurs, and it will only be enforced in cases of egregious noncompliance. The penalty for noncompliance is not a punitive measure for acts done in good faith, as the bill clearly outlines.

Whilst those on the other side think that we should just be slapping an economy-wide ban on making any ransomware payment, the Albanese government wants to build an evidence base upon which a decision can be made. Having a thorough understanding of ransomware payments in Australia allows the Australian government to build a tailored package of assistance and guidance for victims, to assist in law enforcement and the disruption of threat activities, and, in future, to have the data to make an evidence based decision on whether a ransomware ban is suitable for Australia. This is evidence based policy, not shooting from the hip.

The third measure in the cybersecurity bill and in the amendments to the Intelligence Services Act will create a limited-use obligation whereby certain information provided by victims of a cyberattack to the National Cyber Security Coordinator and her office, or to officers from the Australian Signals Directorate, will not be able to be used for other purposes. This is incredibly important. The purpose of this limitation is to safeguard in the early stages of an incident, where information is being generated in real time and is unable to be verified. The Cyber Security Coordinator is responsible for leading whole-of-government coordination in response to significant cybersecurity incidents. Lieutenant General Michelle McGuinness is responsible for providing advice to the Minister for Cyber Security and other elected representatives that they need to direct government activities in response to a large-scale cyber incident. The coordinator and staff from her office need to receive contemporaneous information about an incident in order to perform this vital role.

In addition, ASD have the significant technical expertise to assist Australian businesses to respond to a cyberattack. They are the cyber firefighters, who need to receive technical information in real time to address an attack. That is why this piece of legislation is so important, because recent experience is that victims of a cyber attack have been hesitant to provide this vital information because of the risk of that information being lawfully provided by ASD to other Australian government regulators such as ASIC, OAIC and APRA and used against them. Government receives incident reports from a company's general counsel, when they really need to have a direct dialogue with the chief information security officer on technical details to best employ their assistance and expertise.

These limited-use provisions will create a limitation on how information provided to the Cyber Security Coordinator or to ASD will be able to be shared, by creating requirements for these officials not to share the information except in specific and prescribed circumstances.

It doesn't mean that regulators with cybersecurity requirements to enforce are excluded from ever receiving that information, but it does mean that the OAIC, ASIC, APRA and numerous other government regulators will only be able to receive information for their regulatory purposes from the entity under their existing powers. Limited use will enable the cyber coordinator to receive the real-time information necessary to provide government support in a time of crisis. It means that ASD, our cyber firefighters, can receive the information they need in a timely way to help put out a cyber incident.

The final measure in the Cyber Security Bill 2024 is to legislate the Cyber Incident Review Board, which will conduct postincident reviews of nationally significant cyber incidents. The board will conduct inquiries and make reports to industry and government on a no-fault basis to improve Australia's collective cybersecurity outcomes. The board will operate independent from government and have the capacity to conduct reviews on its own motion, on referral from the minister or from the cyber coordinator, or at the request of the victim of a cyber attack. It will have suitable powers to require the production of information, but information provided to the board will not be admissible in civil or criminal proceedings against the entity. Whilst reviews of previous cyber incidents can and have been conducted under government executive powers, legislating this board will create clear duties and obligations about the conduct of reviews and the treatment of information provided or generated in the course of a review. It promotes transparency of this important function and will provide public advice about an incident, with the aim of providing collective cybersecurity practices for all Australians.

This package of legislative reforms also builds on Australia's world-leading critical infrastructure security regulatory system, making three critical improvements identified as part of the government's Australian Cyber Security Strategy. This strategy's aim is to make Australia a world leader in cybersecurity by the end of 2030. The first measure expressly includes business-critical data as part of a critical infrastructure asset under the Security of Critical Infrastructure Act, the SOCI Act. As the customers and clients of Optus, Medibank and Latitude Financial, amongst numerous others, are now all too aware, the security of information that our critical infrastructure organisations collect and store to operate in our economy is just as important as keeping the lights on. It is just as important for the security requirements under the SOCI Act to apply in respect of business-critical data that our critical infrastructure assets hold to conduct their businesses, not just in relation to the goods and services that they provide.

Let's take the water services sector as an example. The current SOCI Act would apply to a critical water asset—a water or sewerage system delivering services to at least 100,000 connections. Requirements have been applied to critical water assets under the SOCI Act to ensure that the physical, personnel, cyber and information risks associated with these assets are managed appropriately. What this amendment will do is ensure that business-critical data that a critical water asset operator holds to provide water and sewerage services, whether that be sensitive operational plans or customer information, is captured as part of these requirements. And when we're talking about better securing digital data, we're talking about meeting and, hopefully, exceeding cybersecurity requirements.

This bill also makes important reforms to clarify the security regulation of critical telecommunication assets—some of the most important assets to the way we live, learn and work online. The previous government did not sort through the patchwork of legislative requirements under the SOCI Act and the Telecommunications Act, which resulted in recommendations from the Parliamentary Joint Committee on Intelligence and Security directing government to do this. Their failure to act has created unnecessary ambiguity for industry and has limited the ability to ensure compliance. What the Albanese government is doing, after conducting a thorough and inclusive co-design process with industry and customer advocates, is creating a clear path forward to ensure our telecommunications networks remain secure without regulatory duplication, and we've clearly articulated the security requirements for our telcos and carriage service providers.

Finally, the SOCI Act reforms expand the scope of some, but not all, of the powers known as the government assistance measures. As currently enacted, those powers enable the government to work with industry to respond directly to a serious cybersecurity incident. What recent cybersecurity incidents have taught us is that government assistance to industry is not just necessary to respond to an incident. Assistance is also required to manage the consequences coming from an incident. Cyber vulnerabilities can often be detected and removed quickly, but the impacts of unauthorised access to systems and data may need to be managed for some time afterwards.

What I've heard from consultations with cybersecurity professionals, data centre providers and government officials is that a cybersecurity incident of significant national impact to Australia is not just probable; it's inevitable. The United States had the Colonial Pipeline incident in 2021, leading to large-scale petrol shortages on the east coast over six days, creating significant economic, social and personal impact. Over half of the UK's National Health Service was brought to its knees in the 2017 WannaCry ransomware attack. Patient records could not be accessed for several days, resulting in delayed surgeries and ward closures. Ukraine has experienced wave after wave of cyberattacks—switching off its power grid in the middle of the 2017 winter, leaving thousands of Ukrainians in the cold—as well as a number of subsequent attacks associated with its war with Russia.

Australia is not immune from these types of attacks and incidents in the future. In fact, we've already had large-scale data spills, such as Optus and Medibank Private, that have had a significant impact on Australians. While none of those incidents created the significant widespread economic and social impacts that have been experienced elsewhere, I want to make sure the Australian government can ably assist our critical infrastructure to respond to an incident of this scale, whether it be to stop the incident from occurring or to make sure that the consequences of the incident can be managed appropriately.

This is a package of key reforms necessary to support the continued uplift of Australia's collective cybersecurity. I want Australian citizens and businesses to be best placed to take every opportunity in the digital economy, something that cannot occur without being safe and secure online. I commend these bills to the Chamber.

8:42 pm

Michael McCormack (Riverina, National Party, Shadow Minister for International Development and the Pacific)

If ever we had cause for alarm over cybersecurity, it was just the other day—5 November, in fact—when the Guardian published an article headed 'Is your air fryer spying on you? Concerns over "excessive" surveillance in smart devices'. The article, penned by UK Technology Editor Robert Booth, said:

Air fryers that gather your personal data and audio speakers "stuffed with trackers" are among examples of smart devices engaged in "excessive" surveillance, according to the consumer group Which?

According to the article:

The organisation tested three air fryers, increasingly a staple of British kitchens, each of which requested permission to record audio on the user's phone through a connected app.

The piece went on:

Smart air fryers allow cooks to schedule their meal to start cooking before they get home.

In this day and age of limited time and people very busy in their lives, it's a great idea. It's smart. It's the use of technology to meet a busy schedule.

Not all air fryers—

the Guardian said—

have such functionality but those that do often use an app installed on a smart phone.

Which? found the app provided by the company Xiaomi connected to trackers for Facebook and a TikTok ad network.

I'll digress a little. We've been told of the dangers of using TikTok, and, for any member of parliament who does use TikTok—I appreciate that it's a way of getting through to the younger generation—it is an absolute folly. Your information will be collected and sent where you don't need or want it to be.

The piece continues:

The Xiaomi fryer and another by Aigostar sent people's personal data to servers in China, although this was flagged in the privacy notice, the consumer testing body found.

I would defy that too many people actually read the fine print. If you are like me, once you get a device, you open the packaging and—as many blokes do—the last thing you have a look at are the instructions of how to put it together. You just put it together as best you can and plug it in the wall and hope that it works.

The article said:

Its tests also examined smartwatches that it said required 'risky' phone permissions—in other words giving invasive access to the consumer's phone through location tracking, audio recording and accessing stored files.

We know that so much of our information is collected. We know that so much of that data is stored. What we don't know is who is doing it and why and what they are going to use it for in the future.

I well recall, when I was second in charge of the National Security Committee—and I'm not giving away state secrets—some of the hacks that came across the table. Indeed, very sophisticated players from certain very large countries were able to infiltrate local councils, large and small, and businesses, large and small, in Australia. This is of great concern. We should be very worried, getting very prepared and making sure that we are doing everything we can to solidify our cybersecurity. In this day and age, the hackers, those players who would otherwise part our money and us, are getting better at what they do. Being able to be tracked and followed on everything that you do online through our cooking now is, indeed, a worry.

The article said:

In a response to Which?, Xiaomi said respecting user privacy was among its core values and it adhered to UK data protection laws.

Ha! Yeah, right! It claimed it didn't sell any information to third parties, but that just beggars belief. Why would a company need to store data on an air fryer? Maybe to find out whether you are frying chips or vegetables or what, perhaps, you are cooking. No. You can't be that gullible. We can't be having these sorts of devices. If you've got one of those, you are being tracked. We know that. We appreciate that. People should do everything they can to ensure that they are not scammed.

I had the member for Whitlam, the minister responsible for scams, do a forum in my electorate. It was a very good thing. A lot of older people attended that. They are all too often overrepresented in the statistics of those people who have had money taken through nefarious ways and means. I was appreciative of the minister coming to Wagga Wagga to share his views and what the government is doing. The government can always do more. I appreciate that. Never before in history has cybersecurity been so important. Wherever you are and whatever you are doing, you are likely to be in the vicinity of a smart device with connectivity to the internet. It is not just computers and smartphones; we have smart TVs, smart fridges, smart lights, smart cameras and so much more. Indeed, a growing number of devices in homes are connected to the internet, including camera enabled doorbells and, as I mentioned, smart TVs. It's remarkable progress. Who would have thought 20 years ago that technology would become as prevalent and perhaps as invasive as it is today? Indeed, iPhones really only go back to 2008. Remember the bricks that some people used to carry around that used to be mobile phone technology? You may all be familiar with Apple, Siri, Amazon's Alexa and Google Assistant. They're always listening in in case you ever have a question to ask.

If you talk about a product or a topic, only to see advertisements then popping up on your internet feed as though somebody, somewhere, somehow, someway was listening in, of course, they are. We know that for a fact. Every time you use something connected to the internet, your data is being collected, it's being tracked and it's being used—and it's not always by people you should or could trust. Sometimes it's for good, to improve efficiency and the relevance of search results. Yes, that's correct. But every time this data is collected about you, it can be used for nefarious causes—particularly when data breaches occur and your data gets into the wrong hands.

By 2025, cybercrime is estimated to cost the world $10.5 trillion. In Australia, as of 2021, the University of New South Wales estimate cybercrime cost $42 billion—that's $42,000 million—to the Australian economy. That's almost equivalent to expenditure in many, many portfolios—including Defence. This is deeply concerning. It's cause for urgent action. That is why the coalition does support the policy intent of this package of bills.

I note these bills will give the Minister for Home Affairs the power to make mandatory security standards for smart devices. This is important. This is vital. If our air fryers can be spying on us, who knows what else is? Who would know? This is something the government must have at the forefront of its operations. People's security is absolutely the No. 1 priority for government. How many cameras, drones and other devices do government departments use that are manufactured in China? It would be a fascinating answer. Who knows how much confidential data is being collected by foreign actors, foreign players? The Cyber Security Bill 2024 will also empower the secretary of the Department of Home Affairs to issue compliance, stop and recall notices in order to enforce the mandatory security standards regime—not such a bad thing. This is a good start to improve the security of our devices.

Even properly-managed data can be breached by bad actors. That's why it's important that the government, via the Australian Signals Directorate, is informed of entities that have been subject to a cyberincident. This bill will ensure that entities with more than $3 million in annual turnover report cyberincidents to the ASD if they've made a ransomware payment or given any other benefit in connection to such an incident. The $3 million cap prevents excessive regulation on small businesses, but it does ensure that larger businesses are more likely to store your data and have the economic capacity to adhere to these regulations. That's something that perhaps needs looking at.

Naturally, some entities may be hesitant to report and provide data to the government for fear of adverse consequences. That's why this package establishes a limited use obligation which restricts how much information provided to the National Cyber Security Coordinator can be used or shared with other government entities. Further, this obligation will also be imposed on the ASD, which will be prevented from communicating such data for the purposes of investigating or enforcing a contravention of a Commonwealth, state or territory law other than a criminal offence against the entity subject to the cyberincident. This ensures reports and data supplied are full, honest, accurate and transparent, enabling the ASD to do its job properly, rather than struggling to obtain accurate data from entities fearful of ancillary consequences.

I have to say that we are fortunate in this country to have people who are very qualified in the space of cybersecurity. I know when the 2016 census went a little awry, Alastair MacGibbon played a very strong and powerful role. I know the role that the ASD played. I know just how important this is. We are very lucky that this nation has people in the Public Service and elsewhere who do their utmost to ensure that the bad guys don't win. As we move into an ever-more digitally connected future, it becomes ever-more imperative to enact the regulations and frameworks necessary to combat the established and emerging threats of cybercrime.

As of 2023, the Australian Trade and Investment Commission reported Australia's tech industry to be worth $167 billion. That's grown by 80 per cent in five years. It's growing at an exponentially fast rate. It is huge. It's also estimated to constitute $250 billion of our gross domestic product by 2030.

It's clear Australia must entrench its place on the world stage as a nation which is proactive and a world leader in cybersafety when it comes to digital technology, and I would like to think that, whichever party or parties occupy the government benches in Australia, the same priority and the same importance is placed on cybersecurity. I know that the government come to this place and space with good intent, and I encourage them and acknowledge them for that. It's very clear that Australia is targeted all too often by people and nations that want to do us harm. But this bill and other measures will ensure business has the confidence to continue to invest and grow.

I have to say I well remember that, when I was in government and was on the National Security Committee of cabinet, we made the rather controversial decision at the time to not allow Huawei to have the reach that they wanted in Australia, even though they were making big inroads. They were sponsoring the Canberra Raiders National Rugby League team. But why would we want to have a foreign entity with the capability to do what they could? We can't have our traffic lights and our hospital power systems operated by international players. Whilst I know it was a controversial decision at the time, it was the right course of action to take.

It's not just the tech sector that these regulations are relevant to; it's almost every business sector. Like a great octopus, players who want to and feel the need to can reach in and take anyone's money, and no-one is safe. Every business has a website these days. Nearly everybody shops online these days. More and more people are banking online as well. It is our duty, and it is the government's role, to ensure ordinary Australians are protected to the best of Australia's ability and the best of the government's ability. We must protect not just Australians but industry from cybercrime. That should be the ultimate goal: to keep Australians safe. I appreciate that that's what the government are endeavouring to do, and they have the coalition's support in just that.

Question agreed to.

Bill read a second time.

Message from the Governor-General recommending appropriation announced.