Senate debates

Monday, 25 November 2024

Bills

Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading

11:36 am

James Paterson (Victoria, Liberal Party, Shadow Minister for Cyber Security)

I rise to make a contribution on this cybersecurity legislative package: the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. The coalition supports the policy intent of the bills. As cyberthreats continue to evolve and the strategic environment continues to deteriorate, urgent action is required to uplift Australia's national cyber-resilience. As the ASIO director-general, Mike Burgess, said in his most recent annual threat assessment:

The most immediate, low cost and potentially high-impact vector for sabotage is cyber. Our critical infrastructure networks are interconnected and interdependent, which increases the vulnerabilities and potential access points.

ASIO is aware of one nation state conducting multiple attempts to scan critical infrastructure in Australia and other countries, targeting water, transport and energy networks.

The Australian Signals Directorate has also spoken of near-constant cyberattacks on our government networks and critical infrastructure. But it is not just government and big corporates that have been impacted. Small businesses and everyday Australians are increasingly falling prey to criminally motivated cyber actors. In its annual cyberthreat report released on Wednesday, ASD highlighted that it received over 87,000 cybercrime reports in the 2023-24 financial year. This averages out to a report every six minutes. The threat report also noted that 11 per cent of the 1,100 cybersecurity incidents ASD responded to in the last financial year related to critical infrastructure, highlighting how these networks are an attractive target because of the sensitive data they hold and the widespread disruption that a cybersecurity incident could cause. Against this backdrop, we must ensure that our laws are fit for purpose to prepare for and respond to the quickly evolving cybersecurity challenges facing Australia. I support the efforts to do so through this legislation.

Before I speak to the bills before us, it's worth briefly reflecting on the history of reforms in this space. In government, the Liberal and National parties made tough but necessary decisions to secure our digital sovereignty, to equip our intelligence and security agencies with the appropriate tools and to harden the private sector from cyberattacks. We established the Australian Cyber Security Centre within the Australian Signals Directorate in 2014 to help drive a partnership between industry and government. We released the first ever cybersecurity strategy and appointed the first ever cybersecurity minister in 2016. We appointed the first ever cyber ambassador in 2017.

In 2018, we made ASD a statutory agency and legislated the first ever Security of Critical Infrastructure Act. We also led the world by banning Huawei and other high-risk vendors with close connections to the Chinese Communist Party from providing 5G mobile technology in Australia. Many other countries have since followed our lead. In 2020, we updated our Cyber Security Strategy and backed it with $1.67 billion of investment. This stands in stark contrast to the cybersecurity strategy released by the Albanese Labor government last year, which commits only $192 million over four years.

In 2021 we legislated a new legal framework for the Australian Federal Police to take the fight to criminals on the dark web, drawing on the assistance of ASD. We significantly enhanced the Security of Critical Infrastructure Act in 2021 and 2022 by expanding the sectors it covered from four to 11, requiring critical-infrastructure providers to implement risk management plans and giving emergency powers to ASD to step in in the event of a catastrophic attack on our most systemically important networks. And we made the largest-ever investment in ASD's history through Project REDSPICE—$10 billion over 10 years to effectively double their size, with 1,900 new personnel and the acquisition of new platforms, technologies and capabilities. The reforms introduced by the package of legislation before the Senate today represent a logical extension of the world-leading approach taken by the former coalition government.

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 contains a number of provisions that extend the powers of the existing SOCI framework, most significantly by expanding government assistance powers to facilitate the use of last-resort directions for managing the consequences of all-hazards incidents. I remind the Senate that, in the wake of the Optus and Medibank cyber incidents in 2022, the then Minister for Home Affairs and Minister for Cyber Security, Clare O'Neil, trashed the SOCI Act, saying:

… that law was bloody useless, like not worth the ink printed on the paper, when it came to actually using it in a cyber incident. It was poorly drafted.

On a separate occasion, she actually praised the SOCI reforms:

If you look at the work that was done…on the Security of Critical Infrastructure Act in the last Parliament, when I describe that law to politicians around the world, their mouths are open thinking, "how can we construct something similar in our country?"

It's somewhat ironic, then, that the backbone of Labor's now-much-touted cyber legislation is a modest and logical extension of the SOCI reforms introduced by the previous government. Former minister O'Neil's desperation to politicise what should have been bipartisan national security policy is, unfortunately, emblematic of Labor's broader chaotic approach when it comes to national security. But it is good to see that the government has finally seen reason as to the merits of the coalition's world-leading SOCI reforms to the point that it's decided to double down on our approach, and I welcome the SOCI measures included in the legislation before us.

I also welcome the limited-use provisions in this legislation, which will provide assurance to entities that the information they disclose to government about cyber incidents will not be used against their interests in the future. We need seamless, time-sensitive sharing of information between government and business when there is a cyberattack. We can't afford for any CISO or their CEO to hesitate to pick up the phone to the ACSC and share what they know.

I asked the former director-general of the Australian Signals Directorate, Ms Rachel Noble, about the merits of a limited-use provision at a Senate estimates hearing two years ago. Ms Noble reflected:

Speaking purely from ASD's perspective, I think the safe harbour concept is a most excellent idea because, to your point, where there is ambiguity—if I'm dealing with a government, do you hand that information to other government departments or don't you? How can I be sure that that won't occur without my permission and so forth? So from an operational perspective, in that heat of the incident, if you will, when we're still trying to pull people out of the water and into the lifeboats, to have that absolute confidence for the private sector, that at the very least their operational engagement with ASD would be exempted from the inquiry of others, whether they are other government agencies or other people scrutinising the process, like we've seen in class action lawsuits, for example, that is very attractive to us as well.

I first publicly called for a legislated limited-use obligation on 22 March 2023. I note that if the Australian government had moved more quickly with this reform it may have gone some way to address the declining willingness of industry to share information with ASD in a timely way, which we have witnessed in the intervening years.

The proposed mandatory standards for smart devices in the Cyber Security Bill are welcome and long overdue. I note that the proposal to introduce minimum standards for internet-connected devices was first canvassed by the former government in the July 2021 discussion paper stemming from the 2020 Cyber Security Strategy. The need for these reforms has become more acute in recent years as we have learned more about the national security risks of internet-connected devices. In this term of parliament, I've conducted successive audits which revealed hundreds of Chinese-manufactured cameras, drones and internet-connected solar inverters in use across the Commonwealth government on many sites, including many in our Defence and law enforcement agencies. As a result, departments and agencies committed to removing more than 1,000 cameras made by Hikvision and Dahua from Commonwealth sites. Many agencies, including Australian Border Force and the ADF, have grounded their fleet of drones made by DJI. But all these actions came only after I called on the government to address these vulnerabilities and after many of our allies had done so.

The government's piecemeal response is not a robust or sustainable approach to addressing issues that are core to our national security, and it is my hope that the provisions in this legislation lead us towards a more consistent and economy-wide approach to managing these risks.

I welcome the two subsequent PSPF directions, issued by the Department of Home Affairs in July, which relate to managing the risks of foreign interference in technology assets, but I also note the ironic and deeply concerning revelations that the Minister for Home Affairs and Minister for Cyber Security, Mr Burke, is himself the owner of a Chinese-made, internet-connected electric vehicle. This came after the department admitted it was possible for these EVs to listen to the occupants, track the movements of the driver and record people and places, and to transmit all of that data back to the manufacturer. It beggars belief that our Minister for Home Affairs and Minister for Cyber Security is driving around in a car that is a potential listening device for the Chinese Communist Party, and I hope these reforms can be used to protect regular Australians, and the minister himself, from these kinds of risks.

Cybersecurity is a shared challenge, and no-one is immune from cyberattacks. That's why it's important that we learn the right lessons from every major cyber incident and apply these lessons across industry and government to make sure we are better equipped next time we face something similar. Two years on from the data breaches suffered by Optus and Medibank, we are still in the dark about the specifics of what led to these incidents, how they were managed and what companies can learn from the incidents to guard against future cyberattacks of a similar nature. This is what prompted me, over a year ago, to call for a mechanism to conduct dispassionate, objective investigations following a significant cyber incident, for the collective benefit of the organisations, who may be able to learn the lessons. This came after the US government announced the establishment of a cyber safety review board in 2021. Had the Australian government acted sooner to establish an equivalent construct here, it may have assisted in post-incident investigations in significant incidents, such as the MediSecure data breach and the CrowdStrike outage, which occurred this year. Nevertheless, I welcome the establishment of a legislated cyber incident review board and I welcome the clarification provided that standing members of the Cyber Incident Review Board do not necessarily need to be members of the Public Service, which will provide flexibility to include representatives external to government if the minister deems it appropriate.

In its most recent cyberthreat report, ASD noted 11 per cent of all incidents ASD responded to in 2023-24 included ransomware—a three per cent increase from the year before. In a report released earlier this year, the UK's National Cyber Security Centre assessed that AI will heighten the global ransomware threat and increase the volume and impact of cyberattacks in the next two years by lowering the barrier to entry for novice cybercriminals, hackers for hire and hacktivists. The mandatory reporting requirements for entities who make a ransomware payment is therefore timely. The regime will assist government and industry to get a fuller sense of the scale of the problem so that our cyber defences are tuned appropriately. There are many other worthy reforms in this package of legislation that I do not have time to discuss at length.

While the coalition support the policy intent of the bills, we do continue to hold significant concerns about the government's rushed process and the limited time for parliamentary scrutiny, which increases the risks of overlooking unintended consequences and drafting errors in the legislation. The former Minister for Home Affairs and Minister for Cyber Security originally announced the development of the most recent Cyber Security Strategy on 8 December 2022. The strategy was released on 22 November 2023, and on 19 December 2023 the department released a consultation paper on legislative reforms arising from the cyber strategy, which informed the current bills. The Department of Home Affairs consulted on a targeted exposure draft of the proposed legislative reform between 4 September and 11 September this year, and the government then introduced the bills on 9 October and referred them to the Parliamentary Joint Committee on Intelligence and Security on the same day, with submissions due by 25 October. This means that stakeholders had only two weeks to make a submission on the bills and that the PJCIS had just a month to consider and report on the bill.

Given these reforms have been in train for close to two years, it is inexplicable that the government has seen fit to reduce the time for parliamentary scrutiny in its desperation to pass the legislation before the end of the year. Multiple stakeholders shared these concerns during the PJCIS inquiry. The government has shown disregard for these concerns, and it remains clear that the condensed inquiry timeframe was not sufficient to properly scrutinise what is highly complex and consequential legislation. The intelligence committee report canvasses numerous issues identified throughout the inquiry, which has prompted the government to amend their own legislation in line with some of those recommendations. It stands to reason, though, that a more extensive scrutiny process would reveal even more that warrants further consideration.

The coalition has repeatedly cautioned against this approach, and any unintended consequences that arise in the future as a result of this rushed process will lie solely on the government.

As I said, the coalition supports the policy intent of this legislative package. In the face of a complex and evolving threat environment, the government needs robust levers to protect Australians from cyberthreats. We will always support sensible changes which ensure our legislation is fit for purpose to tackle the ever-evolving cyberthreats facing Australia, which is why we will be supporting the passage of these bills and the accompanying government amendments.
