Senate debates
Monday, 25 November 2024
Bills
Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading
11:36 am
Tim Ayres (NSW, Australian Labor Party, Assistant Minister for Trade)
I table revised explanatory memoranda relating to the bills, and I move:
That these bills be now read a second time.
I seek leave to have the second reading speeches incorporated in Hansard.
Leave granted.
The speeches read as follows—
CYBER SECURITY BILL 2024
This Bill, alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill (ISA Bill) and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill (ERP Bill), forms the Cyber Security Legislative Reforms Package that will collectively strengthen our national cyber defences and build cyber resilience across the Australian economy.
This suite of legislative reforms will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy, a significant step in achieving the Australian Government's vision of becoming a world leader in cyber security by 2030.
To achieve this goal, we must understand that cyber security is everyone's responsibility.
Our connections online form a significant part of the lives of most Australians—they enhance the way we live, work and play, and as we continue to invest in transformative digital technologies, this will only expand. At the same time, we need to be clear about how we're protecting Australian individuals and businesses. In order to enhance our collective cyber resilience, we need a clear legislative framework that addresses whole-of-economy cyber security issues, and positions us to respond to new and emerging cyber threats.
We need to ensure individuals can trust the products they use every day; we need to enhance our understanding of the threat of ransomware and cyber extortion so we can break the ransomware business model; we need to enhance protections for individuals experiencing a cyber incident to encourage their engagement with government; and we need to learn the lessons from cyber security incidents that have had a significant, detrimental impact on millions of Australians so that we can be better prepared going forward.
The Cyber Security Bill provides this framework, bringing together measures to achieve the Australian Government's vision under one holistic piece of legislation.
The Bill contains four measures:
These four measures form the Cyber Security Bill. Together with the other Bills in this Package, this Bill will equip both Government and industry with the awareness and resilience to better protect Australians from cyber security threats, providing a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber security landscape.
On 9 October, the Government referred the package to the Parliamentary Joint Committee on Intelligence and Security. The Committee has now handed down its report and recommended that, subject to implementation of the recommendations in its report, the Package be passed by the Parliament. The Government agrees or agrees in principle to all thirteen recommendations in the Committee's report.
The Government agrees to recommendations two and three, and will ensure reporting is user friendly, leveraging the existing single reporting portal. The Government will take an education-first approach, informing impacted entities of their new obligations through communications campaigns.
The Government agrees in principle to recommendation four. The Government agrees that ransomware payment reporting obligations will only apply to the extent that the ransomware incident relates to the reporting business entity's operations in Australia. The Cyber Security Bill as drafted gives this effect and this will be clarified in guidance.
The Government agrees to recommendation five and has revised the Explanatory Memorandum. The Explanatory Memorandum as tabled in the Senate gives effect to this intention that Standing Members of the Board will not need to be members of the Australian Public Service. In line with the Committee's report, composition of standing members will be considered further through industry consultation on the rules.
The Government agrees in principle with recommendation six, that the Minister for Cyber Security should consult with the Board before approving the Terms of Reference for each review. Consultation with the Board is built into the legislative framework and the Terms of Reference will be developed by the Board itself, prior to seeking approval from the Minister for Cyber Security.
The Government agrees with recommendation seven of the Committee's report, and has made amendments to the Cyber Security Bill in the House of Representatives to address this recommendation. The Cyber Security Bill, as introduced in the Senate, clarifies that information obtained by the National Cyber Security Coordinator in relation to a cyber security incident, or acquired by a Commonwealth body or State body from a ransomware payment report, is not admissible against the impacted entity in certain criminal or civil proceedings.
Concomitantly, these amendments ensure that information obtained by the Cyber Incident Review Board in the performance of its functions is not admissible in evidence against the entity in certain criminal and civil proceedings. The ISA Bill has also been amended in the House of Representatives to address recommendation seven to further clarify the application of the admissibility protections conferred by the limited use obligation.
Protections afforded to individuals and information under limited use have been further clarified in the Bills, explanatory memorandum and industry guidance, to address recommendation seven.
These actions ensure Government and industry can work together to communicate with clarity and confidence, making our responses more efficient and based on real-time insights. Cooperation on a national scale is one of Australia's greatest advantages against malicious cyber activity.
The Government agrees in principle to recommendation eight. The Government agrees any other right, privilege or immunity that a ransomware payment reporting entity has in respect to any proceedings, including legal professional privilege, will not be impacted. The Cyber Security Bill, as introduced in both chambers, provides this legal effect and the Department will ensure that this is clear to entities affected by the regime.
The Government agrees to recommendation nine, and the Department of Home Affairs will publish additional guidance on the intended interpretation and application of key definitions introduced in the Security of Critical Infrastructure Act 2018 (SOCI Act). This will be part of the comprehensive guidance being developed on the amendments being made under the ERP Bill to assist regulated entities in understanding their obligations. Consistent with previous reforms to the SOCI Act, the Department will continue to take an education-first approach to compliance, reserving compliance and enforcement action to a last resort.
The Government agrees with recommendation ten of the Committee's report, and has amended the Cyber Security Bill in the House of Representatives. The Cyber Security Bill, as introduced in the Senate, introduces a provision that the Committee may review the operation, effectiveness and implications of the Cyber Security Act as soon as practicable after 1 December 2027.
The Government agrees to recommendation eleven. The Minister for Home Affairs will initiate an independent review under section 60A of the SOCI Act by no later than 1 November 2025.
The Government agrees with recommendation twelve, and has amended the ERP Bill in the House of Representatives to amend section 60B of the SOCI Act to extend the Committee's ability to initiate a review into the operation, effectiveness and implications of the SOCI Act from 3 years to 5 years from Royal Assent of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act). The Government acknowledges the importance of conducting a holistic review of the SOCI Act, after the amendments being made by the ERP Bill are implemented. Together, the approach to recommendations eleven and twelve will ensure an independent review can fully assess the operation of the SOCI Act in time to inform the Committee's next review.
The Government agrees with recommendation thirteen, and has amended the ERP Bill in the House of Representatives to repeal section 60AAA of the SOCI Act, removing the now redundant six-monthly reporting to the Committee relating to consultation undertaken by the Department on the amendments made by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 and the SLACI Act. I thank the Parliamentary Joint Committee on Intelligence and Security (Committee) for its work on this Bill through its inquiry and recommendations.
I extend my thanks to staff at the Department of Home Affairs for their incredibly hard work developing this Bill. I commend this Bill to the chamber.
INTELLIGENCE SERVICES AND OTHER LEGISLATION AMENDMENT (CYBER SECURITY) BILL 2024
This is the second Bill in the Cyber Security Legislative Package and seeks to amend the Intelligence Services Act 2001 to legislate a limited use obligation for the Australian Signals Directorate (ASD), similar to the provisions relating to the National Cyber Security Coordinator under the Cyber Security Bill. A limited use obligation will protect the information voluntarily provided to, or acquired or prepared by, ASD during an impacted entity's engagement in relation to a cyber security incident or vulnerability.
Australian networks continue to be regularly targeted by opportunistic malicious cyber actors. As outlined in ASD's Annual Cyber Threat Report 2023-2024, ASD responded to over 1,100 incidents from Australian entities. Separately, nearly 87,400 cybercrime reports were received, averaging one every six minutes.
Together with the other Bills in this Package, this Bill will equip both Government and industry with the awareness and resilience to better protect Australians from cyber security threats, providing a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber security landscape.
ASD relies on the receipt of timely, detailed technical information from industry and victims of cyber attacks to build a coherent national cyber threat picture, provide advice on cyber security uplift, diagnose the cause and severity of cyber incidents, and assess the information against ASD's intelligence holdings to mitigate harms in the early stages of a cyber incident.
However, both industry feedback and ASD's operational experience indicate a declining willingness from entities to share technical cyber security incident information with ASD in a timely manner, principally due to concerns that information shared with ASD could be co-opted by other parts of Government to inform regulatory action.
A limited use obligation will ensure this information can only be communicated by ASD to others for a permitted cyber security purpose. It is not a safe harbour for industry and will not exempt an organisation from complying with their existing legal and regulatory obligations.
I thank the Parliamentary Joint Committee on Intelligence and Security (Committee) for its work on this Bill through its inquiry and recommendations. The Committee made one recommendation (recommendation seven) in its advisory report that relates to this Bill. As noted in the second reading speech for the Cyber Security Bill, the Government agrees with this recommendation. This Bill has been amended in the House of Representatives to address recommendation seven. As introduced in the Senate, this Bill clarifies the application of the admissibility protections conferred by the limited use obligation.
With this measure, alongside the establishment and clarification of the role of the National Cyber Security Coordinator, we will ensure Government and industry can work together to communicate with clarity and confidence, making our responses to cyber security incidents more efficient and based on real-time insights. Cooperation on a national scale is one of Australia's greatest advantages against malicious cyber activity.
I extend my thanks to staff at the Australian Signals Directorate for their work developing this Bill. I commend this Bill to the chamber.
SECURITY OF CRITICAL INFRASTRUCTURE AND OTHER LEGISLATION AMENDMENT (ENHANCED RESPONSE AND PREVENTION) BILL 2024
This is the third Bill in the Cyber Security Legislative Package. This Bill seeks to amend the Security of Critical Infrastructure Act 2018 (the SOCI Act) to strengthen existing security obligations on critical infrastructure sectors to address gaps identified following recent major cyber security incidents.
Australia currently faces heightened geopolitical and cyber threats, which means that our critical infrastructure is increasingly at risk. The risk to our sovereignty, defence, and security has never been more present, especially for the critical infrastructure providing essential services crucial to our way of life.
Recent incidents illustrate that threats to the operation of Australia's critical infrastructure continue to be significant and far-reaching. From natural hazards through to human-induced threats—all have the potential to significantly disrupt critical infrastructure. Indeed, the Director-General of the Australian Security Intelligence Organisation has stated, "malign foreign powers will consider using sabotage to coerce, disrupt or retaliate during times of escalating geopolitical tensions. Pre-positioning malicious code in Australia's critical infrastructure is the most likely means."
An attack on a single critical infrastructure entity can quickly create catastrophic cascading consequences across critical infrastructure and Australia's socioeconomic stability, defence and national security.
This Bill will build upon previous reforms to the SOCI Act to uplift and enhance the security, resilience and agility of critical infrastructure in the face of an increasingly hostile and complex threat and risk landscape.
The Bill contains six measures in total:
- Telecommunications Act 1997
I thank the Parliamentary Joint Committee on Intelligence and Security (Committee) for its work on this Bill through its inquiry and recommendations. The Committee made four recommendations (recommendations nine, eleven, twelve and thirteen) in its advisory report that relate to this Bill. As noted in the second reading speech for the Cyber Security Bill, the Government agrees with each of these recommendations. To address recommendations twelve and thirteen, the Government has amended this Bill in the House of Representatives. This Bill, as introduced in the Senate, will amend section 60B of the SOCI Act to extend the Committee's ability to initiate a review into the operation, effectiveness and implications of the SOCI Act from 3 years to 5 years from Royal Assent of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act); and will repeal section 60AAA from the SOCI Act.
Together with the other Bills in this Package, this Bill will help to strengthen our responses to the dynamic, cascading consequences of serious incidents that impact our critical infrastructure, and more broadly, the Australian community.
I extend my thanks to staff at the Department of Home Affairs for their incredibly hard work developing this Bill. I commend this Bill to the chamber.