Senate debates

Monday, 25 November 2024

Bills

Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading

12:05 pm

Raff Ciccone (Victoria, Australian Labor Party)

I also rise to speak on the Senate's consideration of the Cyber Security Legislative Package 2024. This package aims to protect Australia's cyber infrastructure, which is an essential part of our national security. Our critical infrastructure underpins our country's ability to deliver essential goods and services to all Australians as our reliance on the digital economy continues to develop and grow. As we know, cyber attacks and threats to our critical infrastructure can be highly lucrative for cybercriminals.

At the end of October and the start of November, I chaired the Parliamentary Joint Committee on Intelligence and Security inquiry into this very important package. I want to start by thanking the corporate, industry and civil society submitters and government departments who participated in the public hearings. The committee, in its report, made clear that it supports the urgent passage of these three bills under the Cyber Security Legislative Package 2024. I also note that the evidence that was received by the committee from stakeholders was near universally supportive of the package. I am pleased to see the government's acceptance of the recommendations listed in the report, as illustrated by the amendments to the bill that were brought forward before the chamber. This is something that I and members of the committee welcome wholeheartedly. I'm also pleased that the Department of Home Affairs has considered the feedback and is intent on assisting industry to understand their responsibilities under the reforms.

The first of the three bills in the package, the Cyber Security Bill 2024, provides a very clear framework for the government to identify and to respond to new and emerging cyber attacks. It will provide additional protections to Australians and businesses and improve the government's threat picture to inform additional protections, current incident response procedures and future policy. The bill will also address existing legislative deficiencies that the government outlined throughout the development of the 2023-2030 Australian Cyber Security Strategy.

Let's take ransomware, for instance. The sophistication of ransomware is unprecedented and causes serious problems for businesses right across Australia. It's one of the most pervasive forms of cybercrime. In response to this growing threat, the government's Cyber Security Bill will create mandatory ransomware payment reporting requirements for businesses who are affected by a cyber incident and make ransomware payments. Mandatory reporting of ransomware payments will apply to businesses in Australia that meet an annual turnover threshold. They'll be required to report a ransomware payment to the Department of Home Affairs or to the Australian Signals Directorate within 72 hours of making the payment or becoming aware of the payment. The simple fact is that the current voluntary reporting scheme is underutilised, limiting the government's understanding of the ransomware threat landscape.

It will also allow the government to understand the sheer scope ransomware has on the Australian economy and protect Australian businesses to recover as quickly as possible. The reporting obligations aren't about calling out businesses and hurting their reputation. Instead, they'll enable us to determine the threat level and assist Australia's domestic law enforcement to disrupt cybercrime activities both locally and abroad.

Businesses will be protected from regulators and law enforcement, and the department has emphasised the importance of an education-first approach, not an enforcement-led approach, to assist businesses. Ransomware alone costs the Australian economy up to an estimated $3 billion in damages each year.

The bill will also mandate security standards for smart devices that are either internet or network connected. These devices include smart TVs, smartwatches, home assistants, baby monitors, home routers and even consumer energy resources such as rooftop solar systems. Smart devices have become part of our daily lives. Many of us simply can't live without them. Unfortunately, however, many of these devices have poor security features that expose Australians to cyber threats, compromising users' cybersecurity, privacy and online safety. These connectible products will have to meet certain standards, bringing them into line with European standards, for example. Under this measure, smart devices in Australia will have a basic level of cybersecurity. The Australian Cyber Security Centre advises that, by securing smart devices, consumers' information will be protected and will have a reduced risk of being targeted by cybercriminals. Manufacturers and suppliers will also be responsible for compliance and will be required to provide a statement of compliance. Enforcement notices may also be issued if a smart device is not compliant with mandatory standards.

Lastly, the bill will also seek to establish a cyber incident review board to conduct reviews into significant cybersecurity incidents that have impacts on the Australian economy, national security or social prosperity. Currently, Australia has no formalised way to conduct post-incident reviews when such incidents occur. Recent cybersecurity incidents, such as the Optus and Medibank data breaches in 2022-23 and the MediSecure data breach in 2024, highlight that industry and government need an avenue to investigate and learn lessons from such incidents and to prepare for contingencies for future attacks. The board won't act as an investigative body that apportions blame to an organisation that is before the post-incident review. Any information that is given voluntarily to the board isn't admissible in criminal or civil proceedings and doesn't impact any existing legal obligations. Instead, the board will enable our country to learn from cybersecurity incidents to weigh up vulnerabilities that led to the attack and the effectiveness of the government and the industry response to the incident. The formation of the board will align Australia with other jurisdictions around the world—including the United States of America, which created its own cyber safety review board in 2022.

Meanwhile, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 amends the Security of Critical Infrastructure Act 2018. These reforms aim to improve the security and resilience of critical infrastructure by assisting the government and industry's ability to help prevent, manage and respond to future significant incidents impacting critical infrastructure through the act. Our country is facing increased geopolitical and cyber threats, putting our critical infrastructure at heightened risk. Critical infrastructure provides essential services that we rely on every single day. It's important that we make these reforms and pass them as quickly as possible. It is worth noting, however, that data is not the only target of threat actors. Critical infrastructure organisations are also targets, as they provide essential services to support Australian life and businesses, including our electricity, water, health, transport, logistics and telecommunications networks.

Finally, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 amends the Intelligence Services Act 2001 to legislate a limited-use obligation for the Australian Signals Directorate. Limited use is designed to encourage industry to share cybersecurity incident information with ASD, thereby bolstering ASD's ability to perform its cybersecurity functions.

The provision will work hand-in-glove with the compulsory reporting obligations to help us understand the scope of the threats.

Last week, ASD's Annual cyber threat report 2023-2024 highlighted our rapidly evolving cyber threat landscape, with over 87,000 reports of cybercrime received over the financial year—on average, a report every six minutes. The report also showed that, from last year, the average cost of cybercrime for small businesses rose by eight per cent to $49,600 per report, and for individuals, it rose by 17 per cent to $30,700 per report. We'll hear a lot about these bills before us—and it sounds like we'll probably end up in the committee stage—but our inquiry was certainly efficient and thorough. I also want to make the point that the process itself had a very comprehensive discussion around the issues the opposition and the crossbench have raised today.

The comprehensive consultation process—one of which I can only describe as 'gold standard' by the department—made it easy for the committee to discuss the issues that were raised with witnesses that appeared before it. It was fantastic to hear that the department had engaged with many stakeholders, particularly those in industry, for some time about these issues. That is why I mentioned earlier in my speech the fantastic work that was done to consult and iron out some of the issues before these bills were drafted and brought before the parliament today.

It's also important to reiterate that, as a direct result of this consultation process, there was and is broad support for the bills by industry and by many others that put submissions to the committee. In fact, many stakeholders participated in the inquiry. The government's consultation was best practice. Therefore, nothing in these bills was a surprise to them, with much of the content in the package already well known to industry. I also want to thank the government for the release of its 2023-2030 Australian Cyber Security Strategy back in November 2023 and the consultation paper that preceded it.

The Albanese government is committed to lifting our country's cyber legislative strategy and doing everything it can to support Australians and small businesses around the country. The Cyber Security Bill and related bills provide an opportunity for this country and for the Senate to strengthen our national cybersecurity defences. The bills will position Australians and our businesses, particularly in the small business community, to better respond and recover from cybersecurity threats and help our nation become a world leader in cybersecurity by 2030 in an evolving threat environment. I commend the bill to the Senate.
