Senate debates

Monday, 22 November 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2021; Second Reading

5:39 pm

Jenny McAllister (NSW, Australian Labor Party, Shadow Cabinet Secretary)

I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. This is a bill that went to PJCIS, and I was pleased to have the opportunity to consider it as originally presented in that forum. I've been very grateful to have been a member of that committee for much of my time in the parliament, first as a member and now as the deputy chair. I want to make a few general remarks about its operation and purpose before moving to the specifics of this bill.

When this committee was first established during the Hawke government it was not without controversy. Indeed, it was actively opposed by many from the Liberal-National coalition, who were then in opposition. I think it's fair to say that the value and importance of the PJCIS is now recognised across the aisle, and that's a good thing, because the inquiries that the committee undertakes allow for a deep and detailed policy consideration of a kind that is not always possible in other parts of the parliamentary system. There's an idea, I think sometimes, that the committee's work is done in secret, but that's actually a misunderstanding of how we work. In fact, much of what happens happens in public. The deliberations and negotiations that we go through collectively as a committee when we're drafting our committee reports really do create the space to identify and iron out potential problems with laws. Honest and open dialogue lies at the heart of the work that's undertaken by the members of the committee, and it is a source of enduring value. It's one of the reasons Labor has sought to protect the operation of the committee and to continue to ask what is required to ensure it's able to do the work that the parliament requires it to do.

The workload of the committee has been especially high in recent years, and I would note that the work that we do as committee members is really only possible because of the assistance and expertise of the secretariat that assists us. It is imperative that the parliament continue to properly resource that secretariat so that it is able to help produce detailed, thoroughly researched reports which can support the parliament in debates like this. We also need to ensure that the powers and operation of the PJCIS reflect the responsibilities that it has. This is an increasingly complex and significant national security policy area. I have a longstanding view that it is time to enhance the powers of the PJCIS. There are many more national security laws than there were at the beginning of the century, and as the powers and capabilities of the intelligence community grow, it is appropriate that the oversight of those agencies grows also.

Many of you will know that I have introduced in this place a private senator's bill which builds on the work of Senators Faulkner and Wong before me. The bill seeks to better align the governing legislation of the PJCIS to its work by implementing the recommendations of the 2017 Independent Intelligence Review. Nonetheless, the committee as presently constituted and with its existing powers, as I said, plays a really important role. The culture is as important as the structure, and the report that informs the debate today is a product of a productive culture. Of course, the bill that was originally introduced looks quite different to the bill that is before us. I will talk through how we arrived at that position.

The bill deals with an extremely important policy area. The threat of cyber-enabled attack and manipulation of our critical infrastructure is serious. It is considerable in scope and impact and, unfortunately, it is increasing at an unprecedented rate. We do face increasing threats to essential services, to businesses and to all levels of government. In the past two years, cyberattacks have struck federal parliamentary networks, the health and food sectors, media and universities. That's not just true here; it's a trend internationally. It presents real challenges for policymakers, for governments and for operational agencies, because the solution cannot lie in governmental action alone. The solution can't lie in the creation of new criminal offences alone. The solution must lie in creating frameworks for cooperation between business owners and asset managers and government to ensure that we are protecting those assets that really underwrite so many economic and social activities in the Australian context.

Unfortunately the first attempt at this bill really didn't get it right. The original bill sought to introduce a very wide range of new measures—and that's fine; in fact, we do need to think carefully about how government and business will work together. But the approach taken by the government meant that the bill that first landed really did not get this right. As PJCIS found, the threats to critical infrastructure are complex, are serious and demand a swift and comprehensive response. However, the consequence of moving in a way that was insufficiently consulted on with industry meant that the first attempt made it unlikely that it would achieve the anticipated goal.

It was on that basis that the committee, unusually, recommended that the bill be split in two. The committee said that the government should prioritise the most urgent aspects of the bill in bill 1—that is, to expand the list of sectors deemed to be systems of national significance, the additional reporting requirements for cyber incidents and new government assistance measures. Then the committee recommended that other things, more-complex things, be deferred. The main purpose of recommending deferral was to allow additional time for consultation, because the overwhelming experience in receiving the submissions—and we received about 100 submissions—was that industry felt that there had been insufficient consultation on the matter at hand.

There were a range of concerns. In particular, the delegation of significant decisions into delegated legislation rather than primary legislation meant that neither the parliament nor the affected entities could really know the full impact, impost and cost of the legislation. This was incredibly significant for nearly all submissions. I'll point to one in particular. In a previous life I had the good fortune to work closely with many businesses in the Australian water sector, and I know that the sector is deeply concerned about an all-hazards approach to managing threats to their infrastructure. Their submission was that the way the legislation was drafted meant that they could not understand the costs that would be likely to be imposed upon their businesses. They were also concerned that the way the government had approached defining the risk and threat architecture meant that it risked departing from the internationally accepted standards that are universally used throughout the water sector.

It was an interesting example, because of course the businesses we are working with and talking about are used to managing risk—maybe not this risk, but certainly risks presented by natural hazards. That's a key factor if you're running a water infrastructure company or a water utility. So, their point in their submission to the committee—and they were just one of many—was that they would prefer to see the mechanisms by which risk was assessed and organised being better aligned with the international standards they were already using.

These weren't the only concerns. A number of other concerns were presented by industry. They felt that the notification time frame for advising a relative authority of critical or other cybersecurity incidents was too short and was inconsistent with existing guidelines. They were concerned that they might be directed to do things that would compromise their ICT systems, and of course we know how valuable an ICT system is for a business. This was particularly so for the technology companies—those with global operations—concerned or looking to be reassured that this core part of their business infrastructure wouldn't be negatively affected by an intervention from government. But the main issue, as I said, was regulatory complexity and the uncertainty associated with the cost of this legislation.

It was on that basis that the committee recommended that the bill be split, and I commend my colleagues on the committee for taking that approach. So the bill that's before us really only deals with the most pressing aspects that were presented to us as essential by the agencies. It includes an expanded definition of 'critical infrastructure assets' to include assets across 11 sectors. It now includes: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy—electricity and gas; food and groceries; health care and medical; space technology; transport; and water and sewerage. That's appropriate. It includes government assistance to relevant entities in response to significant cyberattacks. It requires mandatory notification of a cybersecurity incident within 84 hours, and it also provides an opportunity for oversight by the PJCIS.

The definition of 'significant incident' has been tightened and improved, and it includes consultation requirements, if there is a ministerial authorisation, to make sure that relative entities are informed in writing and offered the opportunity to make a submission within 24 hours of receiving an authorisation. I'm pleased that the government did accept the committee's recommendation in this regard, and I understand government will be proceeding to engage industry further on the additional components of the package that were not able to be presented in this legislation on this occasion.

I want to conclude by speaking briefly about democratic institutions and elections. As you can see from the list I just read out, they are not included in this bill. I'm comfortable with that, but we need to understand that our democratic institutions should in fact be considered critical infrastructure, and we need to pay closer attention to the extent to which they are adequately protected from external threats. We know, because we have seen it overseas, that there are many, many instances of interference in democratic processes and in democratic infrastructure. It's not the same, in my view, as business infrastructure; these things are different. But we do need to have a much clearer indication from the government about how it intends to protect democratic institutions and election infrastructure. So far that really has not been forthcoming. I do note that the security agencies are aware of this and speak about it when they are offered the opportunity to do so in public hearings, but what's needed is a strong leadership approach from government.

We need to understand how an attempt to interfere in an Australian election would be handled. Which agency would be responsible for taking the lead? Which minister would be responsible for coordinating the approach? If it occurred during a caretaker period, what would be the interaction with the opposition? Who would take responsibility for communicating about this in the public domain, to voters and electors? These are all important questions, and at the moment they remain unanswered. The problem is that, by not answering them, we create the opportunity for them to be answered in a hurry, and that is not a recipe for good policymaking. These are things that are able to be anticipated, and, in anticipating them, we should craft a response, preferably one that is shared on a bipartisan basis and actually reflects a shared commitment to protecting and nurturing our democratic arrangements.

I am out of time and so I will leave my remarks there. Labor does support this legislation. Again I thank my colleagues on the PJCIS for the incredibly constructive way they approached this inquiry.
