Senate debates

Monday, 25 November 2024

Bills

Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading

11:50 am

David Shoebridge (NSW, Australian Greens)

I rise on behalf of the Greens to speak to this package of bills: the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. I note at the outset that this process has been extraordinarily rushed by the government. There's been a chaotic, end-of-year rush to bring this legislation through, first of all, the somewhat secretive Parliamentary Joint Committee on Intelligence and Security, which, even though it's stacked with government and opposition members, expressed its concerns about the rush with which this legislation was brought to parliament.

Indeed, this complex legislation proposes a raft of cybersecurity changes for corporate and non-corporate Australia which we know are going to intersect with a series of other existing statutory obligations. Those obligations under the Corporations Act, the existing SOCI Act, the Australian taxation system and the Telecommunications Act, especially in relation to encryption, as well as obligations under the defence exports regime, mean that this legislation is actually incredibly complex reform which will potentially have ripples across an array of existing regulatory requirements.

And what did the government do? It gave the community and stakeholders two weeks to come to terms with the draft legislation and put submissions in. The Law Council of Australia, in their submission to the PJCIS, said:

… the Law Council is disappointed that a period of just over two weeks has been afforded between the tabling of the Package and the deadline for written submissions. We emphasise the complex nature of the legislation, which will have wide-reaching impact and consequences in a highly technical field. With respect, the current consultation period does not allow for meaningful and robust consultation with stakeholders to ensure the laws will work as effectively and efficiently as possible.

It wasn't just the Law Council. Pretty much every stakeholder that my office has spoken with and those that put in submissions have made these same points. The Cybersecurity Coalition, for example, in their engagement with the PJCIS said that, yes, they wanted to commend the government on its approach to industry consultation, but they reiterated concerns about the lack of time. The Australian Institute of Company Directors expressed their concern with the lack of time. The Australian Information Security Association also expressed their concerns with the lack of time.

So what does this legislation propose to do? It proposes to put in mandatory security standards for smart devices, the so-called Internet of Things, and I'll speak to that briefly when I talk about what this bill does and doesn't do. It puts mandatory obligations on certain businesses to report ransomware and cyberextortion requests and a very limited-use obligation that restricts how that cybersecurity information provided to the National Cyber Security Coordinator can be used and disclosed, and, again, I'll talk to the concerns about the lack of safe-harbour provisions in this legislation. It also establishes a cyber incident review board to conduct post-incident reviews into significant cybersecurity incidents, and I'll speak to the lack of independence in that cybersecurity review board as well.

Could I deal first of all with the mandatory security standards for smart devices. In this regard, I note that the Greens have circulated a second reading amendment which seeks to add to the motion the following:

(a) this scheme will work best if the rules applied to Internet of Things devices are harmonised with similar regulatory obligations in other jurisdictions; and

(b) the government has indicated it will consider alignment of schemes following the passage of the bills.

It is obviously necessary to put in place protections so that, as the Internet of Things grows—as our fridge talks to our car, talks to the front door, communicates with the phone and then shares that online—we have adequate security measures in place to ensure that, as we just travel about our daily business, we don't find ourselves the subject of some sort of global eavesdropping. And we know that's already happening. We know that's already happening, not so much because of the work of the government but because of the work of organisations like CHOICE and others that have pointed out that, for example, in the context of our motor vehicles, how many of the major brands are recording and transmitting data, including sometimes video and voice data, without our consent, simply as we move around in these vehicles.

Perhaps the worst offender is Tesla. Tesla motor vehicles actually record snippets of video and voice without your consent, without your information, as you drive around in Tesla motor vehicles, as well as data about where you go and how you drive, and feed that back to Tesla corporate headquarters in the United States—and feed it back to that champion of human rights, Elon Musk! You would have thought that the opposition would be concerned about that. They don't seem to be concerned about that. We're concerned about that. But it's not just Tesla that's doing a live feed from our motor vehicles back to Elon Musk, who is a danger to democracy, can I point out—absolutely a danger to democracy. It's Korean car brands and it's pretty much every imported Chinese car brand that in one way or another is gathering data about us without our consent, without any protections for us, and feeding it back to heaven knows where.

Of course we need security protections, and this legislation proposes that at some point, maybe in the next 12 months, there will be a process under which some rules will be written and maybe we'll get some kinds of security protocols put in place for the Internet of Things. But we don't know what. We don't know what. Industry has been saying there are well-established international standards that should be clearly articulated by the government, and they'll say that's what they're applying. Don't make up your own standard; look across the world and get the best global standards to put in place.

I'll just refer again to the PJCIS report, which dealt with this in some detail. At 5.26 in the report, it said this:

For example, the Institute for Integrated Economic Research … stated that it 'would be sensible' to adopt international standards, 'with the flexibility to change as the threat changes', but that 'it would be useful to set the one standard and enforce compliance' rather than adopting multiple standards. Similarly, … the Software Alliance … submitted that the government should 'take every effort to avoid a divergent approach from other like-minded countries'. Infoblox submitted that:

Aligning with international standards is not only beneficial for the impacted entities to comply but also essential for Australia to maintain global interoperability and consistency.

Consumer Electronics Suppliers Australia recommended that 'Australian requirements align with those of major overseas market' to 'minimise the need for bespoke Australian solutions and ensure the future-proofing of regulations against technological advancements'.

What are the standards that the government are applying? That's a question we'd like to see the minister answer. What are the standards it is intended will apply? For example, is the government intending to use the United Kingdom's Product Security and Telecommunications Infrastructure Act standards in rule making?

Is there an intent to use those international standards, agreed by much of industry, such as the ETSI EN 303 645 standard? What's the standard that the government's intending—are you just going to make up some sort of local South Pacific standard, which will then see a disconnect between Australian security standards and those in comparable jurisdictions? That, I think, is a question that surely the government will have an answer to today before we pass this rushed legislation. Surely, you know what standard you want to apply to the Internet of Things. But we need to do it rapidly. I don't know about you, Deputy President, but I don't like the idea of my car having a direct conversation with Elon Musk or whoever is monitoring it in Seoul or whoever is monitoring the information feed in Beijing. I'm not much attracted to that concept, and I would have thought the government should be passing legislation to prevent it happening. That is one of the other remarkable failures of this government—in its privacy legislation. This is meant to work coherently with privacy legislation, which is meant to be protecting our data, stopping it being farmed and sold for corporate benefit. But, while we get this rushed legislation through, we've also got a parallel piece of privacy legislation that doesn't even touch upon this. It doesn't do one thing to protect our data. This incoherence from the government on cybersecurity and privacy, failing to understand how these two things connect, is one of the key problems with this government's rushed legislation.

Can I speak briefly to the issues of ransomware and cyber extortion payments and this concept of a limited use provision. The purpose, as the Greens understand it, of the limited use protections is to do with whether entities—corporate or individuals—are supplying information to the government about their vulnerabilities, cybervulnerabilities or potentially ransom attacks. Remember this isn't always just one email saying, 'We've got your data; if you don't give us $1 million, we're going to blow your data.' Often these ransomware attacks can happen over months or even over a year or more. The limited use provisions mean that no government entity can use the information that has been supplied by entities that have reported for the purpose of civil proceedings against them. But there's no protection against criminal proceedings. I suppose the question that the government hasn't answered yet is: if you want cooperation from industry—and we absolutely need cooperation from industry—why aren't there safe harbour provisions, which already exist in the United States, which seem to be very effective in the United States in ensuring there is a relationship of trust between industry and government? These limited use provisions will not create that relationship of trust between industry and government. That will stop the flow of information and reports back to government, and that will not make us any safer.

Finally—although there is much more in this legislation that we could speak to—the proposed Cyber Incident Review Board is a modest step forward. Actually reviewing what went wrong, actually reviewing what happened in a cyberincident, and having some part of government responsible for doing that work is useful. But it should not be part of Home Affairs, because Home Affairs may often be the problem. Home Affairs may have failed to identify a problem. The regulation presented by Home Affairs may be part of the reason why a ransomware attack was successful. It may be why information wasn't supplied in a timely fashion. This Cyber Incident Review Board needs to be independent of Home Affairs. Our preferred option would be a standalone statutory entity. In the time we've had available, and given all the stress on our parliamentary drafters, we weren't able to do that and we're still waiting for the amendment to be circulated. That's no criticism of parliamentary drafters; they are absolutely under the pump and they're under-resourced by this government.

But we're waiting for the amendment to be circulated that will move the Cyber Incident Review Board from Home Affairs, where there are obvious conflicts of interest, into, at least, the Department of the Prime Minister and Cabinet so there's some functional separation between the review board and the entity primarily responsible for cybersecurity. I'll finish with this. This is rushed legislation that's important, and the rush is part of the problem. I move:

That at the end of the motion, add "but the Senate notes that:

(a) this scheme will work best if the rules applied to Internet of Things devices are harmonised with similar regulatory obligations in other jurisdictions; and

(b) the government has indicated it will consider alignment of schemes following the passage of the bills."

Question negatived.
