Senate debates
Monday, 22 November 2021
Bills
Security Legislation Amendment (Critical Infrastructure) Bill 2021; Second Reading
5:34 pm
Slade Brockman (President) Share this | Link to this | Hansard source
Senator Van, you have the call to continue your remarks.
David Van (Victoria, Liberal Party) Share this | Link to this | Hansard source
These assistance powers are necessary due to the current threats that we face and the expectation from the community that when Australia's interests are under threat the government will use its technical expertise to ensure essential services remain functioning. It is the government's ultimate responsibility to protect the availability of Australia's critical infrastructure, and it's crucial that the government has last-resort powers to respond to the incidents or to mitigate the impact of attacks.
While the government recognises that the industry should be the ones to respond to the vast majority of attacks and cybersecurity incidents, there will be times when their skills and powers will not be enough. As a last resort, government assistance will enable the government to step in and protect critical infrastructure when industry is unable to. These last-resort powers may be exercised only when: a cybersecurity incident has occurred, is occurring or is imminent; the incident has, is having or is likely to have, a relevant impact on a critical infrastructure asset; there is material risk that the incident has seriously prejudiced or is likely to seriously prejudice the stability of Australia, its people, the defence of Australia or national security; or when no existing regulatory mechanism can be used to address the cyberattack.
The government assistance powers are subject to ministerial authorisation powers, and include the ability for the secretary of the Department of Home Affairs to give directions to a specified entity for the purposes of gathering information to determine if a further power should be exercised. The secretary will also be able to provide directions to a specified entity, requiring the entity to do one or more things in response to the incident, or make a request to the authorised agency to provide specified assistance and cooperation to respond.
While these powers are significant, they are proportionate to the threat landscape that we face and are clearly defined and confined with a range of safeguards in place to ensure that they are used appropriately and only in the most serious circumstances. These safeguards include: the need for powers to be exercised only when no existing regulatory mechanism can be used to address the cyberattack; mandatory consultation with the relevant entity, except where consultation will frustrate the effectiveness of directions or requests; the intervention power is to be authorised only once the Minister for Home Affairs has sought agreement from the Prime Minister and the Minister for Defence; mandatory notification to the Parliamentary Joint Committee on Intelligence and Security as soon as practicable of the authorisation, circumstances, actions, status and parties involved in each measure; Inspector-General of Intelligence and Security oversight of intelligence agencies' functions; that the Commonwealth Ombudsman can investigate complaints made about actions of government agencies and the exercising of the government assistance measures; and annual reporting to parliament on the use of these powers to ensure the transparency and accountability to parliament and the Australian public.
The Parliamentary Joint Committee on Intelligence and Security has backed the passage of these urgent reforms. The complex and persistent nature of these threats that our critical infrastructure faces means we cannot sit and wait for a serious incident to occur before we act. The Morrison government is committed to protecting our national interest and ensuring that threats to our national security are mitigated so that our communities remain safe and our society continues to function. This bill is an important step in protecting our critical infrastructure from cybersecurity threats, making it essential that the bill be passed. I commend the bill to the Senate.
5:39 pm
Jenny McAllister (NSW, Australian Labor Party, Shadow Cabinet Secretary) Share this | Link to this | Hansard source
I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. This is a bill that went to PICAS, and I was pleased to have the opportunity to consider it as originally presented in that forum. I've been very grateful to have been a member of that committee for much of my time in the parliament, first as a member and now as the deputy chair. I want to make a few general remarks about its operation and purpose before moving to the specifics of this bill.
When this committee was first established during the Hawke government it was not without controversy. Indeed, it was actively opposed by many from the Liberal-National coalition, who were then in opposition. I think it's fair to say that the value and importance of the PJCIS is now recognised across the aisle, and that's a good thing, because the inquiries that the committee undertakes allow for a deep and detailed policy consideration of a kind that is not always possible in other parts of the parliamentary system. There's an idea, I think sometimes, that the committee's work is done in secret, but that's actually a misunderstanding of how we work. In fact, much of what happens happens in public. The deliberations and negotiations that we go through collectively as a committee when we're drafting our committee reports really do create the space to identify and iron out potential problems with laws. Honest and open dialogue lies at the heart of the work that's undertaken by the members of the committee, and it is a source of enduring value. It's one of the reasons Labor has sought to protect the operation of the committee and to continue to ask what is required to ensure it's able to do the work that the parliament requires it to do.
The workload of the committee has been especially high in recent years, and I would note that the work that we do as committee members is really only possible because of the assistance and expertise of the secretariat that assists us. It is imperative that the parliament continue to properly resource that secretariat so that it is able to help produce detailed, thoroughly researched reports which can support the parliament in debates like this. We also need to ensure that the powers and operation of the PJCIS reflect the responsibilities that it has. This is an increasingly complex and significant national security policy area. I have a longstanding view that it is time to enhance the powers of the PJCIS. There are many more national security laws than there were at the beginning of the century, and as the powers and capabilities of the intelligence community grow, it is appropriate that the oversight of those agencies grows also.
Many of you will know that I have introduced in this place a private senator's bill which builds on the work of Senators Faulkner and Wong before me. The bill seeks to better align the governing legislation of the PJCIS to its work by implementing the recommendations of the 2017 Independent Intelligence Review. Nonetheless, the committee as presently constituted and with its existing powers, as I said, plays a really important role. The culture is as important as the structure, and the report that informs the debate today is a product of a productive culture. Of course, the bill that was originally introduced looks quite different to the bill that is before us. I will talk through how we arrived at that position.
The bill deals with an extremely important policy area. The threat of cyber-enabled attack and manipulation of our critical infrastructure is serious. It is considerable in scope and impact and, unfortunately, it is increasing at an unprecedented rate. We do face increasing threats to essential services, to businesses and to all levels of government. In the past two years, cyberattacks have struck federal parliamentary networks, the health and food sectors, media and universities. That's not just true here; it's a trend internationally. It presents real challenges for policymakers, for governments and for operational agencies, because the solution cannot lie in governmental action alone. The solution can't lie in the creation of new criminal offences alone. The solution must lie in creating frameworks for cooperation between business owners and asset managers and government to ensure that we are protecting those assets that really underwrite so many economic and social activities in the Australian context.
Unfortunately the first attempt at this bill really didn't get it right. The original bill sought to introduce a very wide range of new measures—and that's fine; in fact, we do need to think carefully about how government and business will work together. But the approach taken by the government meant that the bill that first landed really did not get this right. As PJCIS found, the threats to critical infrastructure are complex, are serious and demand a swift and comprehensive response. However, the consequence of moving in a way that was insufficiently consulted on with industry meant that the first attempt made it unlikely that it would achieve the anticipated goal.
It was on that basis that the committee, unusually, recommended that the bill be split in two. The committee said that the government should prioritise the most urgent aspects of the bill in bill 1—that is, to expand the list of sectors deemed to be systems of national significance, the additional reporting requirements for cyber incidents and new government assistance measures. Then the committee recommended that other things, more-complex things, be deferred. The main purpose of recommending deferral was to allow additional time for consultation, because the overwhelming experience in receiving the submissions—and we received about 100 submissions—was that industry felt that there had been insufficient consultation on the matter at hand.
There were a range of concerns. In particular, the delegation of significant decisions into delegated legislation rather than primary legislation meant that neither the parliament nor the affected entities could really know the full impact, impost and cost of the legislation. This was incredibly significant for nearly all submissions. I'll point to one in particular. In a previous life I had the good fortune to work closely with many businesses in the Australian water sector, and I know that the sector is deeply concerned about an all-hazards approach to managing threats to their infrastructure. Their submission was that the way the legislation was drafted meant that they could not understand the costs that would be likely to be imposed upon their businesses. They were also concerned that the way the government had approached defining the risk and threat architecture meant that it risked departing from the internationally accepted standards that are universally used throughout the water sector.
It was an interesting example, because of course the businesses we are working with and talking about are used to managing risk—maybe not this risk, but certainly risks presented by natural hazards. That's a key factor if you're running a water infrastructure company or a water utility. So, their point in their submission to the committee—and they were just one of many—was that they would prefer to see the mechanisms by which risk was assessed and organised being better aligned with the international standards they were already using.
These weren't the only concerns. A number of other concerns were presented by industry. They felt that the notification time frame for advising a relative authority of critical or other cybersecurity incidents was too short and was inconsistent with existing guidelines. They were concerned that they might be directed to do things that would compromise their ICT systems, and of course we know how valuable an ICT system is for a business. This was particularly so for the technology companies—those with global operations—concerned or looking to be reassured that this core part of their business infrastructure wouldn't be negatively affected by an intervention from government. But the main issue, as I said, was regulatory complexity and the uncertainty associated with the cost of this legislation.
It was on that basis that the committee recommended that the bill be split, and I commend my colleagues on the committee for taking that approach. So the bill that's before us really only deals with the most pressing aspects that were presented to us as essential by the agencies. It includes an expanded definition of 'critical infrastructure assets' to include assets across 11 sectors. It now includes: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy—electricity and gas; food and groceries; health care and medical; space technology; transport; and water and sewerage. That's appropriate. It includes government assistance to relevant entities in response to significant cyberattacks. It requires mandatory notification of a cybersecurity incident within 84 hours, and it also provides an opportunity for oversight by the PJCIS.
The definition of 'significant incident' has been tightened and improved, and it includes consultation requirements, if there is a ministerial authorisation, to make sure that relative entities are informed in writing and offered the opportunity to make a submission within 24 hours of receiving an authorisation. I'm pleased that the government did accept the committee's recommendation in this regard, and I understand government will be proceeding to engage industry further on the additional components of the package that were not able to be presented in this legislation on this occasion.
I want to conclude by speaking briefly about democratic institutions and elections. As you can see from the list I just read out, they are not included in this bill. I'm comfortable with that, but we need to understand that our democratic institutions should in fact be considered critical infrastructure, and we need to pay closer attention to the extent to which they are adequately protected from external threats. We know, because we have seen it overseas, that there are many, many instances of interference in democratic processes and in democratic infrastructure. It's not the same, in my view, as business infrastructure; these things are different. But we do need to have a much clearer indication from the government about how it intends to protect democratic institutions and election infrastructure. So far that really has not been forthcoming. I do note that the security agencies are aware of this and speak about it when they are offered the opportunity to do so in public hearings, but what's needed is a strong leadership approach from government.
We need to understand how an attempt to interfere in an Australian election would be handled. Which agency would be responsible for taking the lead? Which minister would be responsible for coordinating the approach? If it occurred during a caretaker period, what would be the interaction with the opposition? Who would take responsibility for communicating about this in the public domain, to voters and electors? These are all important questions, and at the moment they remain unanswered. The problem is that, by not answering them, we create the opportunity for them to be answered in a hurry, and that is not a recipe for good policymaking. These are things that are able to be anticipated, and, in anticipating them, we should craft a response, preferably one that is shared on a bipartisan basis and actually reflects a shared commitment to protecting and nurturing our democratic arrangements.
I am out of time and so I will leave my remarks there. Labor does support this legislation. Again I thank my colleagues on the PJCIS for the incredibly constructive way they approached this inquiry.
5:54 pm
Eric Abetz (Tasmania, Liberal Party) Share this | Link to this | Hansard source
A little while ago I called for a national summit on cybersecurity to bring together the best and brightest from the private sector, the public sector and academia to work together to provide the most focused protection possible for all of us against cyberattacks. I made that call because in the most recent Australian Cyber Security Centre's annual cyber threat report we received an overview of the cyberthreats affecting Australia, and it impacts all of us. In the 2020-21 financial year the ACSC received over 67,500 cybercrime reports, an average of one every eight minutes, representing an increase of nearly 13 per cent from the previous financial year. Cybercrime reports submitted record a total self-reported financial losses of more than $33 billion. Ransom demands by cybercriminals range from thousands to millions of dollars. Almost 500 ransomware related cybercrime reports were received via the ReportCyber website, an increase of nearly 15 per cent compared to the previous financial year.
Cybercriminals are moving away from the low-level ransomware operations towards extracting hefty ransoms from large or high-profile organisations. To increase the likelihood of ransoms being paid cybercriminals are encrypting networks and also exfiltrating data then threatening to publish stolen information on the internet.
This is just a bit of an insight as to the cyberthreat that confronts us as a nation. In short, we have a problem. These attacks are by organised crime and state players who seek to do us harm, serious harm. So in this ugly and threatening environment there is an absolute imperative for the Security Legislation Amendment (Critical Infrastructure) Bill 2021.
This government is committed to protecting our critical infrastructure to secure the essential services all of us rely on—everything from electricity and water to health care and groceries. The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty. The amendments to the legislation will ensure the government is well placed to assist entities responsible for providing critical infrastructure assets to respond to serious cyberattacks as the first step in strengthening of Australia's critical infrastructure security.
The reforms outlined in the amended bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure in three ways: firstly, by expanding the definition of 'critical infrastructure' to include energy, communications, financial services, defence industry, higher education and research, data storage or processing, food and grocery, health care and medical, space technology, transport, and water and sewerage sectors; secondly, by introducing a cyberincident reporting regime for critical infrastructure assets; and, thirdly, by making government assistance available to industry as a last resort. Subject to appropriate limitations, government will be able to provide assistance immediately prior, during or following a significant cybersecurity incident to ensure the continued provision of essential services.
Recent cyberattacks and security threats to Australian critical infrastructure make these reforms critically important to deliver and respond to the recommendations from the Parliamentary Joint Committee on Intelligence and Security to bring forward these elements as a priority. For the record, with Senator McAllister and others that have spoken on this bill, I serve on the Parliamentary Joint Committee on Intelligence and Security. I commend my colleagues on the way that we have been able to deal with these matters in a bipartisan way, putting forward suggestions to the government, which thankfully have been adopted, because our first concern and proper concern is the security of our fellow Australians and, in relation to this legislation, ensuring that our essential or critical infrastructure is protected as much as it possibly can be.
Importantly, the legislation will enable the government to provide emergency assistance or directions immediately before, during or after a significant cybersecurity incident, to mitigate and restore essential services. The community can be assured that any government powers will be subject to strong legislated safeguards and oversight mechanisms under very specific circumstances. It's one of those things, in debating and considering legislation of this kind, that, instinctively, I don't like this government involvement, but what I dislike even more are the threats of cyberattacks and seeing them play out elsewhere.
Attacks on our critical infrastructure require a joint response, involving government, business and individuals, reflecting the interrelated nature of the threat. The government is already working in partnership with critical infrastructure entities to codesign sector-specific requirements to manage and respond to the risks. The Australian government will continue to work with those entities that are responsible to ensure the second phase of reforms is implemented in a manner that secures appropriate outcomes without imposing unnecessary or disproportionate regulatory burdens. That's where further discussions are now taking place, and the view of the committee was that those matters had not been fully discussed and socialised with the sector. I look forward to the outcome of those discussions.
Why are these reforms necessary? While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune. As a government, we are seeking to be proactive as opposed to responding to an incident. International cyberincidents, such as the ransomware attack on the US company Colonial Pipeline, affected the distribution of fuel to customers on the east coast of the United States. This demonstrates the potential for attacks to cause devastating harm. Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years we have seen cyberattacks on federal parliamentary networks, logistics, the medical sector and universities, just to mention a few. Internationally, we have seen disruptive cyberattacks on critical infrastructure, including water services and airports. Australia will not be, and is not, immune to those attempted attacks.
Throughout 2019 and during 2020 Australia's critical infrastructure sectors were regularly targeted by malicious cyberactors seeking to exploit both victims and the crisis of COVID for profit, with a total disregard for the community and the essential services upon which it relies. For example, during that period, multiple regional hospitals were the victims of a cyberattack. As a result, some health services to large regional communities, including surgeries, were disrupted. This has happened here. A major national food wholesaler was the victim of a cyberattack which affected their systems and temporarily disrupted their ability to provide food to our fellow Australians at a time of unprecedented pressure on the food and grocery sector. A water provider had its control system encrypted by ransomware, which, had the system not been restored quickly enough from backups, could have disrupted the supply of potable water to a regional population hub, as well as having the potential to impact on the economy, given the reliance of primary industry on this water supply. And on 19 June 2020, the Prime Minister advised that the Australian government was aware that Australia's critical infrastructure was being targeted by a sophisticated state based actor.
The situation is clear, unfortunately, that there are elements within the wider world community—both criminal actors and state based actors—that would seek to compromise the delivery of essential services to the Australian people, and that is why this bill which seeks to protect the critical infrastructure of our nation is so important. This government has been proactive in this space. Whilst more work needs to be done on other elements of the initial bill, that which is being put to the parliament in this legislation and which the Senate is being asked to pass is, on any assessment, vital. It's important. It's considered. The support of the Australian Labor Party, in that regard, is to be commended. The other aspect of the bill that needs to be considered is the incident reporting regime. Reporting cybersecurity incidents to the Australian Cyber Security Centre through the portal will help inform the government and us, as a nation and as a people, as to how to respond to these elements.
The approach taken by the Parliamentary Joint Committee on Intelligence and Security has been, to date, always a reasoned and considered approach where we seek to put political differences aside as much as possible with a sharp focus on the security of our nation and ensuring the very best outcome. So, when we are confronted with criminal elements and state actors—and these state actors, I would suggest, are dealing in a criminal manner as well—that are seeking to impact our very way of life and the provision of essential services to our fellow Australians, it is right and proper for the government to seek to legislate in this space to provide security and support to ensure that our fellow Australians are protected as much as they possibly can be.
The provision of ongoing oversight by the committee, I think, is important as well. The government has agreed to that, and that provides a bipartisan flavour to the oversight, because these powers that are given to government and government authorities are from time to time overused, if not abused, because there is a particular focus on one particular issue, and then you've got to balance those up with the other considerations which we, in a liberal democratic society, treasure and seek to protect. Getting that balance right is vitally important, and that is why having the oversight, along with the committee, is something which I am pleased the government is willing to do.
I commend the bill to the Senate. This is about protecting our fellow Australians in the best possible manner against those that seek to do us harm. I trust that this legislation will be able to be passed before we break.
6:08 pm
Tony Sheldon (NSW, Australian Labor Party) Share this | Link to this | Hansard source
I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. The pervasive threat of cyber enabled attack and manipulation of critical infrastructure assets is serious, is considerable in scope and impact, and is increasing at an unprecedented rate. Australia is facing an increasing cybersecurity threat to essential services, businesses and all levels of government. In the past few years, cyberattacks have struck federal parliamentary networks, the health and food sectors, media, universities and transport operators. You may recall that, only three months ago, the transport giant Toll Group in Australia faced a series of attacks on its operations which had a very detrimental attack on the performance of its business. Internationally, cyberattacks have disrupted critical sectors including water and fuel supplies in the United States.
It's important that Australia's critical infrastructure is protected from cyberattack, but the government's first attempt at legislating such protection was chaotic, uncoordinated and could not be supported, even by the government members of the Parliamentary Joint Committee on Intelligence and Security, to the credit of those senators.
The original bill expanded the definition of critical infrastructure coverage from four sectors: electricity, gas, water and ports to 11 systems of national significance: communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, water and sewage. The original bill introduced additional reporting requirements for cyberincidents affecting critical infrastructure assets. The original bill introduced new government assistance measures to relevant entities for critical infrastructure sector assets in response to significant attacks, including cyberattacks. It introduced additional positive security obligations for critical infrastructure assets, including a risk management program to be delivered through sector-specific requirements.
As the PJCIS report noted, threats to critical infrastructure are often complex and serious and demand a swift and comprehensive response. The PJCIS also found that the government's attempt to introduce both the new government assistance measures and the new positive security obligations for sector-specific requirements in the one bill, given the complexity of the latter, may have ended up achieving neither. With limited opportunity to pass legislation this year, the PJCIS recommended that the government prioritise the most urgent aspects of the bill in bill 1—they are, the expansion of the sectors deemed to be systems of national significance, the additional reporting requirements for cyber incidents and the new government assistance measures.
The committee recommended that the positive security obligations and sector-specific requirements be deferred to bill 2, following additional consultation with industry. The committee also recommended that bill 2, when introduced, be referred to the PJCIS again for another inquiry. That's certainly appropriate.
The PJCIS inquiry received around 100 submissions and held multiple public hearings featuring dozens of expert and industry appearances. Most, if not all, companies, industry bodies, trade unions and critical infrastructure asset owners and operators expressed some form of reservation with the bill. It consulted on the unknown or unquantified regulatory impact or the contemporaneous rules development that has occurred in parallel with the committee's review.
Key concerns heard by the committee included that the significant detail left to be resolved by sector-specific rules in delegated legislation instead of in the primary legislation meant that neither the parliament nor the affected entities could know the full impact, impost and cost of the legislation. There was concern that the notification time frames for advising the relevant authority of any critical or other cybersecurity incident within 12 and 72 hours respectively were too short and inconsistent with existing guidelines. Many companies were concerned that they would be directed to do actions that would, intentionally or otherwise, compromise their ICT systems. Sophisticated technology companies particularly and those with global operations were concerned that the ASD could not understand and would, therefore, cause harm to their systems. Across all sectors, the committee heard about growing regulatory complexity and duplication causing confusion in compliance costs, particularly in relation to sector-specific recommendations. Unions raised that potential positive security obligations could include expanded personal security checks.
Many stakeholders felt that the consultation process with the department was poorly promoted, that the process was too rapid and that that input, concern and feedback was not acknowledged or addressed. Considering the significance and complexity of the consistent issues raised by the bill, a lack of tangible suggestions to address these by the government and the department, and the depth of disagreement between stakeholders and the department, the committee felt any attempt to resolve these concerns with a single bill would unduly delay its time-critical elements.
Instead, the bill by the government being discussed here only introduces the most pressing elements of an enhanced cybersecurity framework: an expanded definition of 'critical infrastructure assets' to include assets across the 11 sectors I've just mentioned; government assistance to relevant entities for critical infrastructure sector assets in response to significant cyberattacks; mandatory notification requirements of a cybersecurity incident by an entity to a relevant Commonwealth body, to allow for the written report to be made within 84 hours instead of 48 hours of an oral report being made, and to empower a relevant Commonwealth body to exempt an entity from the requirement to provide a written report; PJCIS oversight arrangements whereby the secretary is required to give a written report to the PJCIS as soon as practicable after a government assistance measure is directed or requested, detailing the circumstances, actions, status and parties involved relevant to any cybersecurity incident; the PJCIS review of the operation, effectiveness and implications of the security of the critical infrastructure legislative framework in the act, to begin not less than three years from when the bill receives royal assent; reporting obligations, including the draft rules relating to the mandatory reporting obligations, being provided directly to any entities that would reasonably be impacted by the draft rules; and the minister having to formally respond to any submissions made by responsible entities. There's a definition of 'significant impact': a cybersecurity incident will have a significant impact if the incident has materially disrupted the availability of essential goods and services provided using the asset or if any of the circumstances specified in the rules exist in relation to the incident.
In relation to ministerial authorisation, under new section 35AD consultation is required to inform relevant entities in writing and invite those entities to make a submission within 24 hours of receiving the draft authorisation. A person is not entitled to cause access, modification or impairment of computer data or a computer program and if a person, including employees or agents of a responsible entity, exceeds their authority then that would amount to such unauthorised access, modification or impairment for the purposes of the act.
The government has accepted the committee's conclusion that significant engagement, consultation and work are required to achieve workable, positive and enhanced cybersecurity obligations and sector-specific rules and will defer those aspects to the forthcoming bill 2 expected in 2022. The committee also made two recommendations relating to democratic institutions and elections: that the government review the risks to democratic institutions, particularly from foreign-originated cyberthreats, with a view to developing the most appropriate mechanism to protect them at federal, state and local levels; and that the government review the processes and protocols for classified briefings for the opposition during caretaker periods in response to serious cyberincidents and consider the best-practice principles for any public announcement about those incidents. The government has not yet responded to these recommendations. While they're important recommendations they're not directly relevant to bill 1.
In a dynamic and changing cyberthreat environment it is crucial that Australia's technical authority, the Australian Signals Directorate, is empowered to assist entities in responding to significant cybersecurity incidents to secure critical infrastructure assets. These are last-resort powers, and affected entities will undoubtedly retain their reservations. In supporting the legislation, Labor is relying on the intention stated in the bill, and given by department and agency heads, that these powers will only be used as a last resort. With this in mind, it is very important to emphasise that the PJCIS will be notified and briefed each time the government enacts this power and that it will conduct a full review of legislation when additional critical infrastructure reforms are introduced by the government.
In evidence provided to the committee, witnesses overwhelmingly indicated their willingness to cooperate with ASD. Government assistance powers would only be needed in the event that an affected entity is unwilling or unable to respond appropriately. Thus these measures should only be needed rarely, if ever. In the instance that there is disagreement between an entity and ASD on the best course of action, this bill incorporates the committee's recommendation to include safeguards that require the minister to consider multiple impacts and current responses.
The government has conceded that more work needs to be done in communicating, consulting on and responding to concerns regarding its proposed positive security obligations for critical infrastructure sectors. These are important initiatives, and they need to be done properly.
As I mentioned before in regard to the Toll Group incident, the critical effect on businesses of any bill in this area needs to be fully considered. One thing was raised very clearly by some of the other industry bodies:
The Australian Investment Council said the new laws—
as they were first drafted—
were a threat to Australia's economic recovery from the COVID-19 pandemic as they had the potential to impede the ability of Australian businesses to access vitally important foreign funding.
… … …
The Business Council of Australia said the new laws—
as they were first proposed—
would jeopardise Australia's economic prosperity and discourage foreign investment. It said the new powers would affect users in jurisdictions outside of Australia, and it is not clear how they will interact with requirements under relevant US and European laws, such as privacy statutes.
These are critical questions that were raised by the business community but also by the trade union movement. The Secretary of the Australian Council of Trade Unions, Ms McManus, said:
Potentially forcing food and distribution centre workers, apprentice electricians and nurses—the workers who have carried us through the pandemic—to comply with lengthy security checks is a massive drain on the economy and an assault on the right to privacy that every Australian should be able to enjoy …
She went on to say:
The elements of this bill which could place additional requirements on ordinary working people will do nothing to strengthen national security and will only create problems for working people, for the agencies asked to enforce it, and for the Australian economy. They should be removed from the bill.
Of course, we now see the bill broken up into bill 1 and bill 2, which is critically important to get speedy action on those matters which have broader support in the Senate:
In its submission to the inquiry, Qantas said the financial implications of implementing the reforms may create a significant financial burden for some businesses including its own.
Again, those impacts need to be considered in any proposition of the bill.
In my last 20 seconds, I wanted to raise one thing that is always important for national security and that this government has failed to do: we have thousands of overseas seafarers coming in without appropriate security checks. It's about time the government stepped in to do something there as well.
6:23 pm
David Fawcett (SA, Liberal Party) Share this | Link to this | Hansard source
I rise to address the Security Legislation Amendment (Critical Infrastructure) Bill 2021, noting that the government has brought in some amendments. Like some of my colleagues, I'm a member of the Parliamentary Joint Committee on Intelligence and Security, and I have been for a number of years. This is probably one of the first times where I have seen the agencies get to the point where they haven't done sufficient consultation with industry, but it's an example, I think, of where this committee is very effective, in that, on a bipartisan basis, we were able to work with agencies and industries to get an understanding of where things sat—hence the recommendation to split the bill, which many of my colleagues have talked about. They have also talked about some of the particular measures in the bill, so what I plan to do with the time I have available here is to give people who may be listening to this debate a little more background on some of the emerging trends overseas and here in Australia. I will particularly look at some of the evidence that was provided to the committee by Ms Noble, who heads up ASD, because I think that really speaks to the heart of why these step-in powers are required and why we do need to get this right with industry.
The first incident I want to go to took place in Ukraine in 2015. The reason I'm talking about this particular cyberattack is experts believe it is the first time there has been a large-scale grid-level attack that has been successful on a modern nation. The control centres of three Ukrainian electricity distribution companies were remotely accessed, and the breakers at some 30 distribution substations in Kiev and a western region were opened, causing more than 200,000 consumers to lose power. In this case, the hackers gained entry through a sophisticated phishing campaign and BlackEnergy Malware to cause havoc in Ukraine. Governments and cybersecurity companies have attributed the hacks to Russian groups with suspected, albeit not proven, and unclear links to the Russian government. This occurred on the back of not only the 2014 annexation of the Crimea but also the incursion by Russian forces in the eastern part of Ukraine. Many people believe that this area of Ukraine has become a bit of a playground for Russia and other actors to, essentially, test their capabilities in cyberspace. In 2017 there was a hack that broke into thousands of Ukrainian networks by sabotaging a fairly widely used piece of software, and that attack disabled around 10 per cent of computers in Ukraine and inflicted financial costs to about 0.5 per cent of Ukraine's GDP. If you think about what 0.5 per cent of GDP would mean in Australia, it's a significant amount of money.
A number of companies and foreign governments have looked to help Ukraine, freeing up aid and other investments to try to boost their ability for cybersecurity. Latvia has also experienced crises. The most recent attacks are probably the two in the States that have made the media. One was the SolarWinds cyberattack, which is one of the most sophisticated and large-scale cyber operations that has ever been identified. The US government stated the operation was an intelligence-gathering effort, and they've attributed it to an actor that is most likely Russian in origin. The President of Microsoft said it was the largest, most sophisticated attack the world has ever seen, and it affected federal agencies, courts, the private sector, and state and local governments across the US. A more recent incident, from May this year, was the attack and shutdown of one of the US's major pipelines that supplied fuel infrastructure. The hackers stole data from the company while demanding a large ransom to get things going again.
That's the global scene. You can see that actors are using cyber means to impact critical infrastructure for criminal intent in terms of money, for espionage in terms of stealing money, or for a grey-zone technique of undermining the community's confidence and potentially diminishing a nation's capacity to control its own defence when it lacks things like electricity or communications. More recently—and starting to involve Australia—in July of this year Australia, the European Union, the United Kingdom and the United States for the first time attributed publicly an attack involving ransomware and IP theft that affected some 30,000 businesses around the world to the Ministry of State Security of the Chinese Communist Party. The threshold for attribution is quite high, but what that indicates is that when the strategic update of 2021 talks about the fact that grey-zone activities are increasing, we are seeing very tangible examples of that here in Australia. The consequences of disruptions in our digital systems are quite extreme, and not only from those obvious blockages or thefts. We've also seen a couple of failures just in the aviation industry, not necessarily attributable to malware or cyberattack, but it gives an indication of how that could be used to significantly disrupt the normal operations of a country. Just one here in Australia: when the ticketing system for Virgin went down globally, we saw massive delays of travel around Australia due to that ticketing and freight and luggage-loading system going down. And so it doesn't take too much to see, as you compare what happened through COVID and the impact when passenger flights weren't flying—on trade, on services such as mail, banking et cetera and on the movement of notes and other things around the country—that those services can experience significant impacts from attacks on critical infrastructure where it fails.
At the heart of the contention in this bill were concerns by industry around the step-in powers that were proposed by the original bill. I think it's really instructive to go to the evidence provided by Ms Noble, the head of ASD. A lot of people have indicated that industry cooperates, and that's acknowledged and, in fact, that is the vast majority of players in Australia, whether they be state governments or the private sector. In evidence from ASD during the inquiry, Ms Noble said:
… we do have some wonderful examples of incredible cooperation. You might recall that in 2019 there was a significant impact of ransomware against the Victorian health system, and that's a good example. We have a close relationship with the Victorian government and they also had a private incident response provider. So this was a terrific example of state government, federal government and private sector working together. 'Good' looks like this: they contacted us so we were able to work with them. They provided us with technical information from their network, like logs and images of discs. That happened on day one. Within 24 hours, we sent incident responders on the ground to work side by side with the Victorian government, the private entity impacted, their private service provider and our staff from the Australian Cyber Security Centre. We were able to fully map the network quickly and to identify the nature of the criminality.
That's an example that ASD provided of how things can, often do and should work for the benefit of the Australian people. But Ms Noble went on to say:
Bad looks like this––and this is a real example, but I'm not going to name names, because that's really important. We found out something happened because there were media reports. Then we tried to reach out to the company to clarify if the media reports were true, and they didn't want to talk to us. We kept pushing— sometimes we have to use our own very senior-level contacts; sometimes through people … who might know members of boards or chairs of boards—to try to establish trust and build a willingness to cooperate. At times, we have spent nearly a week negotiating with lawyers about us even being able to obtain just the basic information that I described in the first scenario, asking, 'Can we please just have some data from your network; we might be able to help by telling you quickly who it is, what they're doing and what they might do next?'
In this case that I'm referring to, five days later we were still getting very sluggish engagement and were trying to get them to provide data to us and to deploy some of our tools so that we could work out what was happening on their networks. That goes for 13 days. This incident had a national impact on our country. On day 14 were we only able to provide them with generic protection advice, and their network was still down. Three months later they got reinfected and we started again.
So it's important to understand that, when we talk about 'step-in powers', we're talking about scenarios like that, where, with good cooperation, you see a seamless working together, side by side, with people helping each other out and you get quick resolutions of these incidents, which can be damaging to Australia's ability to run an effective, free, First World nation and provide the services that Australians depend on. But where, for whatever reason, a commercial provider chooses not to engage with ASD and where the flow-on effects go on for days, if not weeks, and impact on Australia and Australia's capabilities, then it's appropriate that ASD is given the legal authority to step in to work not against but with that provider, because of the obligation for them to report and to cooperate.
It's important to understand that the threat environment is deteriorating. There has been a 60 per cent increase in ransomware attacks against Australian entities between last year and this year. We see both state based actors and criminals acting against Australian entities. They're motivated by a range of imperatives, from espionage to generating influence to interference to preparing to disrupt, degrade or deny services or actually disrupting, degrading or denying services. Some, as I've said, purely have the motivation of stealing money. There's also a broader economic cost. Some of the evidence, again from ASD, was that AustCyber have estimated that a significant cyberattack against Australia could cost around $30 billion and 160,000 or so jobs. That's ASD's and industry's assessment of what the cost could be of a significant cyberattack here in Australia that is sustained, and that's why these measures are important.
It's interesting that, over the past 12 months, just over one-third of all incidents that have been reported to ASD, the cybersecurity centre, were related to critical infrastructure, and the assessment is—because that reporting is currently voluntary—that that's only a fraction of what has probably occurred, hence the requirements not only for the step-in powers but also for reporting within 12 hours, if it's a critical and significant event. So, in the advisory report on this Security Legislation Amendment (Critical Infrastructure) Bill 2020, the committee has recommended that the emergency powers be swiftly legislated in a standalone bill with a second separate bill to be introduced after further consultation. This two-step approach, which the government has agreed to and which we're now dealing with today, will enable the quick passage of laws to counter the looming threats against Australia's critical infrastructure, while giving businesses and government the additional time to do the co-design work on the most effective regulatory framework to ensure the long-term security of our critical infrastructure.
As other colleagues have mentioned, our committee, the PJCIS, made 14 recommendations in relation to the bill. We received compelling evidence that the complexity and frequency of cyberattacks on critical infrastructure is increasing globally. Australia is not immune. There's clear recognition from government and industry that we need to do more, and this first bill—bill No. 1—is to expand the critical infrastructure sectors that are covered by the act to introduce government assistance measures to be used as a last resort in crisis scenarios, as well as mandating reporting obligations. I encourage senators to support the bill.
6:38 pm
Concetta Fierravanti-Wells (NSW, Liberal Party) Share this | Link to this | Hansard source
Over quite some years, I have repeatedly spoken about the national interest and our national sovereignty in reducing our dependency on the Communist regime in Beijing. As part of this, I have continued to stress how vital it is that we overhaul our critical infrastructure and foreign investment framework. This includes expanding the parameters of national interests to ensure we protect our national sovereignty. We need to look at practical ways to protect that sovereignty, starting with the port of Darwin. Post pandemic, we need to debate some difficult issues, including a clear direction on how we will ensure that we do not place ourselves in the same circumstances.
To date, critical infrastructure ownership has been, regrettably, restricted to ports and utilities assets like gas, water and electricity. Notwithstanding that, many of our critical assets, like the port of Darwin, are in the hands of entities with close ties to Beijing. I have been calling for critical infrastructure legislation to be strengthened to expand the coverage of this legislation to more sectors, including banking, finance, food and groceries, agriculture, health and medical, transport, data, communications and IT, and airports. Indeed, the Bills Digests for the Security of Critical Infrastructure Bill 2017 noted several stakeholders had suggested that the legislation should apply to additional sectors, including those that I have been advocating for. Regrettably, the Parliamentary Joint Committee on Intelligence and Security, which inquired into the bill in March 2018, was satisfied that additional sectors did not need to be included. However, it recommended the government:
… review and develop measures to ensure that Australia has a continuous supply of fuel to meet its national security priorities.
And as part of that process:
… should consider whether critical fuel assets should be subject to the Security of Critical Infrastructure Bill 2017.
I am pleased that finally the PJCIS has come to the realisation that it made a mistake, including about critical fuel assets, and that the Morrison government has finally worked out that protecting Australia's critical infrastructure to secure the essential services that all Australians rely on—everything from electricity and water to health care and groceries—is long overdue. It seems to have finally dawned on the Morrison government, despite the many warnings, that the increasingly interconnected nature of critical infrastructure exposes vulnerabilities that have, I believe, already resulted in significant consequences to our security, economy and sovereignty.
The PJCIS reported on the SCI bill in September 2021. The government has followed the advice of the committee and split the bill. Bill No. 1 addresses three components. Firstly, the reforms outlined in the amended bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure by expanding the definition of critical infrastructure to include the energy, communications, financial services, defence industry, higher education and research, data storage or processing, food and grocery, health care and medical, space technology, transport, and water and sewerage sectors. Secondly, the bill introduces a cyberincident reporting regime for critical infrastructure assets. Thirdly, it makes government assistance available to industry as a last resort and subject to appropriate limitations. Government will be able to provide assistance immediately prior to, during and following a significant cybersecurity incident to ensure the continued provision of essential services.
Recent cyberattacks and security threats to Australian critical infrastructure make these reforms critically important to deliver. The objects of the SCI Act are to improve transparency and facilitate cooperation and coordination between the various levels of government in Australia. The aim of this is to allow information to be collected so that risks that may exist within current structures can be readily understood and managed. Whilst these changes are overdue, as I have also advocated, we should look at expanding restrictions that could be imposed to prevent acquisition, lease et cetera by entities, whether Australian owned or controlled or with foreign directors or directors with dual nationalities taking over Australian businesses or companies, including looking at reciprocity of ownership. There seems to be no legal or constitutional reason to prevent the SCI Act from being expanded to cover the subject of ownership as well as its current subject areas. I note the comments of the committee regarding the overall review of the act and how it will now be undertaken more effectively after the passage of bill 1.
I reiterate another concern that was raised by the committee in its report regarding the unknown regulatory burden of positive security obligations on industry. In submissions to the committee, an overwhelming concern from industry representatives was the unknown nature of the majority of the regulatory impact or burden to be imposed by the proposed new provisions. While the bill outlines and defines the types of obligations and some of the elements of those obligations that industries will have to comply with, most of the detail of what businesses will have to do and by what means is not prescribed in the bill. This detail is proposed to be designed and outlined in rules to be presented in delegated legislation. Without certainty regarding definitions and regulatory requirements, affected industries cannot plan for the potential impact and cost of the framework's requirements.
As chair of the Senate Standing Committee on the Scrutiny of Delegated Legislation, I believe this bill highlights yet again the propensity of the executive to relegate important obligations to delegated legislation. I welcome the committee's comments at paragraph 2.61 of its report. While this process of designating rules outside of the legislation is identified as providing for flexibility and consultation, most industry submitters expressed a preference for this detail to be included in the primary legislation, or that detail to be negotiated and provided in instruments to be considered alongside an amending bill before the framework be considered and passed through parliament. Indeed, at paragraph 3.6 the committee goes on to assert:
The significant detail left to be resolved by sector rules in delegated legislation instead of in the primary legislation does not allow the Committee, the Parliament, or the effected entities sufficient confidence of the full impact of the legislation.
I now turn to other concerns. The committee examines the threat to be countered, noting that the:
…threat of cyber security vulnerability and malicious cyber activity has become increasingly evident in recent years.
When outlining these threats and the increasing challenge of preparing, hardening and countering assets, Mr Mike Pezzullo, AO, Secretary of the Department of Home Affairs, stated:
Basic cyber security protections will always help, but malicious actors, such as cybercriminals, state sponsored actors and state actors themselves will defeat the best defences that firms, families and individuals can buy. We have to do what we can, of course, to defend our own networks and devices against known vulnerabilities.
The bill presupposes that any attack would come from external forces, but what if the threat comes from within the entity? What concerns me are the number of companies and subsidiary companies of overseas state-owned entities that operate across a broad spectrum of our economy and, more pertinently, the number who have majority or part ownership of critical assets. As the committee points out in its report:
The application of asset definitions only to assets that are located within Australia… further confuses the potential application to digital elements of critical infrastructure entities that have parts of their functional infrastructure or data located offshore…
As I have reiterated in speeches in this place which explore the legal contours of Chinese-controlled investment in Australia, there's a paper that I have previously cited by professors Roman Tomasic and senior lecturer Ping Xiong which stated that in 2003 China established the State-owned Assets Supervision and Administration Commission which oversees state shares in major SOEs. That paper states that in 2016 there were 66 major Chinese SOEs with a presence in Australia across most industry sectors. Of these, 39 were centrally controlled with 139 subsidiaries. The other 29 were provisionally controlled with 84 subsidiaries. We know that for Chinese companies corporate governance is limited. Rather, they are subject to corporate social responsibility norms underpinned by article 19 of China's company law, which requires that the Communist Party of China have its operatives embedded in their organisations to carry out their activities. The CCP is front and centre of SOEs, irrespective of whether they operate inside or outside China. Further and probably most significant is the issue of Australian businesses carried on by, or land acquired from, government—be that Commonwealth, state, territory or local government—not being subject to foreign acquisition procedures under the FATA Act, except if proposed to sell to a foreign government investor and if the subject of the sale was public infrastructure. A foreign government investor includes foreign governments, state-owned corporations and corporations in which a foreign government or separate government entity alone or together with one or more associates hold a substantial interest. This exemption afforded to acquisition of land or business from governments is very troubling given the nature of the pronouncements by Premier Dan Andrews in Victoria and his Belt and Road Initiative plans, as well as the extent of the reach of agreements between China and Premier McGowan's WA government.
This is the critical point that must be considered: the Commonwealth can regulate activities of governments only if there is a constitutional head of power that allows it to do so. In broadening any national security test consideration of the removal of the exemption relating to governments will be a critical test of the government's political fortitude in effecting real change. Hence, unless we remove that exemption so that all acquisitions by foreign entities are subjected to scrutiny and the national interest test, we will not address the elephant in the room—namely, investment by the CCP and its entities in Australia, especially in strategic assets. There has not, as far as I know, been any update to this listing. There is no public listing of PRC companies or PRC invested projects in Australia. The most accurate source of this is the PRC itself, but the PRC investment and corporate presence in Australia to some extent is held within Treasury. These figures are not publicly available and are often simply approvals rather than records of actual investments. China, obviously, has the best figures, but they are not publicly available. China has established a chamber of commerce in Australia to oversee the activities of its state owned entities, both national and provincial.
This body is highly influential, given it represents the owners of many billions of dollars. It branches right across the broad spectrum of energy, aviation, foreign relations, financial industry sectors, legal—you name it, they're there. The massive financial power, and thus influence, of this body on Australian companies and governments has not yet been fully appreciated. It is time that the public was made aware of the corporate reach of these PRC SOE companies, and this includes details of what government agencies know of their holdings and activities. A public database of Australian assets owned by Chinese entities or entities of countries with state owned entities that own assets would be an informative national resource for economic and security purposes, but, to my knowledge, such a database does not exist.
Accordingly, I found the recent ABC program on the Pandora papers, on 4 October, to be a very informative program. Indeed, it reaffirmed my concerns, which I have raised in the Senate, with respect to foreign investment matters. I do not normally agree with Senator Whish-Wilson, but I do agree that there should be a public beneficial-owners register. Indeed, I am on the record urging the government to establish a register so that Australians can know—indeed, they should know—about foreign ownership of assets in Australia. All Australians are entitled to know who owns what in their country, especially who owns those critical assets that are vitally important if attacks, particularly attacks from within, happen. Therefore, amendments to the SCI Act are the first step in strengthening Australia's critical infrastructure security, but there is, I fear, a lot more work still to be done.
6:53 pm
James Paterson (Victoria, Liberal Party) Share this | Link to this | Hansard source
I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. I'm pleased to have the opportunity to do so, having chaired the inquiry into the legislation. The Parliamentary Joint Committee on Intelligence and Security tabled its report out of session, so I'll speak to our recommendations as well as to this bill. At the outset, I thank my fellow members of the PJCIS, in particular the former deputy chair, Mr Byrne, and the shadow minister for home affairs, Senator Keneally, for the constructive and bipartisan way they worked with me and Liberal colleagues on the committee for our report and its recommendations.
Every 32 minutes a critical infrastructure asset suffers a cyberattack by a state or non-state actor. COVID-19 has seen a shift to even more of our lives being online, deepening our reliance on digital systems to navigate life and business like never before. Throughout the pandemic, the total number of reported cyberattacks in Australia increased by 13 per cent.
Many Australians are familiar with the criminal ransomware gangs and their for-profit motives in launching cyberattacks to extort economic advantage for themselves personally. These are serious and ever-present threats to the cybersecurity of our businesses large and small, as well as to individual Australians. Recent high-profile attacks against JBS Foods, the Nine Network and Colonial Pipeline powerfully illustrate the broader cost of these tactics to our economy.
However, the trend which focused the minds of PJCIS members the most on the urgent challenge facing us is the involvement of nation-states who use the cyber-realm as a new frontier to threaten our security, our sovereignty and our freedom. Our cyberchallenges are increasing in complexity as a result of the evolving security environment in the Indo-Pacific region. Grey-zone tactics which lie between peace and war, where foreign states use cyberintrusion and digital espionage, among other tools, to threaten our interests, are increasingly being relied upon, particularly by authoritarian states. Independent experts who appeared before the PJCIS told us that it was likely that foreign state actors are already prepositioned on sensitive networks and that that presence could be activated against our interests as a prelude to a regional crisis. ASIO Director-General Mike Burgess recently confirmed this fear as part of his annual report to the parliament, reaffirming the very real and serious risk we face as a nation and the urgent need to respond decisively.
Given how interconnected our digital systems are, it is not very difficult to imagine the society-wide consequences if, for example, our financial system were shut down, or if our food supply chains were suddenly disrupted. This would be debilitating, not only for individual Australian citizens but also for our country and particularly for our ability to project power into the region. With the evolving cyberthreat, it is clear that the digital world is the new battlefield, and Australia, along with our critical infrastructure service providers, needs to be armed to respond.
The recent public attribution, by Australia and many of our allies, of the Microsoft Exchange attack to the Chinese government and its agents is a concrete and recent example of this danger. It also highlights how there's not always a clear distinction between state and non-state actors when it comes to cyberthreats, with the Australian Signals Directorate's Rachel Noble telling the PJCIS that the Chinese government effectively propped open the doors of businesses around the world to enable cybertheft and extortion to take place by criminal actors.
It is worth noting in passing that there is a very high technical and political threshold for attributing cyberattacks. So the decision to do so in this instance by so many countries, including the European Union, NATO, all of the Five Eyes members and Japan, is a significant one. There have, of course, been other high-profile attempted and successful cyberintrusions which have not been publicly attributed, including against this parliament, against our political parties and against the Australian National University.
There is a clear recognition from both government and industry that we need to do more to protect our nation against these sophisticated cyberthreats. Our security agencies urgently need emergency powers to defend us from these threats. Of equal importance, however, is the need for critical infrastructure providers themselves to harden their own defences against this attack and to protect the essential services that we all rely upon. They have an obligation to do so, not just to protect their employees, their shareholders and their customers but in the national interest.
The PJCIS has considered this bill over the past year, over four public hearings and with 88 submissions also supplemented by classified briefings from security agencies on the threat environment. The challenge that the committee faced in this inquiry was to find an appropriate balance between, on one hand, what has been clearly demonstrated as an urgent need for the emergency intervention powers and, on the other hand, the legitimate concerns from industry that additional regulation could impose a financial burden and, particularly, could do so at a time that is sensitive for our economy as we recover from the pandemic.
In 14 recommendations, the committee has advised the government to adopt a two-step approach towards strengthening Australia's critical infrastructure against cyberattacks in particular. This two-step approach would give our security agencies the emergency tools they need to counter the urgent cyberthreats, in one bill, while giving industry additional time to finalise the co-design process of additional security obligations in a collaborative way with the government. The committee has recommended that the government legislate, in this first bill, those last-resort intervention powers for the Australian Signals Directorate, the expansion of the number of sectors captured by this legislation from four to 11, and the enhanced cyberincident reporting obligations. The proposed government amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 do just that.
The committee proposed immediate passage for these three key provisions and the associated enabling clauses because they were the most urgent and essential, and because the other clauses of the bill, whilst still important, attracted the most concern during the inquiry process. I do acknowledge that, while the broadest concern aired in the inquiry related to the positive security obligations recommended to proceed in a second bill after further consultation, there was opposition to the emergency assistance powers—in particular, from the tech sector. These are extraordinary powers and, while the committee did understand the desire on the part of the tech sector for their use to be judicially reviewable, given the clearly stated intention of the government for them only to be used in crisis scenarios, we did not think it was workable or desirable for these issues to be litigated in the courts in the event of a major national emergency. Instead, the PJCIS has recommended that it is notified of any use of these powers and that we'd be briefed on the circumstances of their use. This will allow the committee, on behalf of the parliament, to ensure that they are genuinely only used as a last resort, as the government has outlined.
The government is carefully considering the rest of the committee's recommendations, and I want to thank the government, in particular, the Minister for Home Affairs, Karen Andrews, for its engagement with the committee and for the implementation of our recommendations so far, reflected in this amended bill that we're debating today. I'd also like to thank the Director-General of the Australian Signals Directorate, Rachel Noble, and the head of the Australian Cyber Security Centre, Abigail Bradshaw, for their candid engagement with the committee and for the vitally important work that they do in combating these serious threats to our country. It's my hope that, equipped with these powers, and, ultimately, the passage of the second bill, these key agencies are able to work with industry, effectively to combat these threats.
The emergency reforms outlined in the amended bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure by expanding the definition of 'critical infrastructure' to now include energy; communications; financial services; the defence industry; higher education and research; data storage or processing; food and groceries; health care and medical; space technology; transport; and water and sewerage sectors by also introducing that cyberincident reporting regime for critical infrastructure assets. That's particularly important to make sure that we have a complete and full picture of the threat environment that we face. In evidence put to the committee, it is clear that there is underreporting of those cyberincidents and that there may be many more incidents occurring and, indeed, potentially, payments being made by firms in response to ransomware that are never reported and which we're never aware of. We do need to have a full picture.
Finally, we are making government assistance available to industry as a last resort, and subject to those appropriate limitations. This is the need outlined very articulately by the secretary of Home Affairs, Mike Pezzullo, in his evidence before the committee in July this year. He said that he would prefer to have that power on the statute books tonight. We haven't quite delivered as a parliament by getting them on the statute books in July, but I hope that very soon we'll have them on the statute books—after royal assent. That's because it is absolutely important our agencies have the powers they need to respond to that crisis scenario, although we hope it will never eventuate.
Recent cyberattacks and security threats to Australian critical infrastructure make these reforms critically important to deliver. It's true that most companies do willingly cooperate with the Australian Signals Directorate when they suffer an attack. The government assistance mechanisms are an important tool of last resort to assist companies that are unwilling or unable to respond to a serious cyberincident. Unfortunately, during our inquiry, the committee did hear an example of at least one systemically important business that failed to cooperate with authorities in a timely way, leading to a nationwide disruption of its services. This business was then reinfected in a second attack. In the event of a crisis, our security agencies must have last-resort powers to avoid a situation like this and to keep critical infrastructure up and running if providers are unwilling or unable to do so themselves. These are world-leading powers which are vital for the task at hand, but they will be subject to strong safeguards and appropriate oversights.
There may be other businesses, as I said before, who have never reported that they were under attack. While the volume of cybercrime reporting has increased, the Cyber Security Centre stated in its latest annual threat report that reported cybersecurity incidents may not reflect all the cyberthreats and trends in Australia's cybersecurity environment. Mandatory cyberincident reporting for critical infrastructure assets will give the government a clear picture of the cyberthreat environment. This will ensure that our cybersecurity policies and the significant powers that we entrust our security agencies with accurately reflect and are proportionate to the threats and trends in Australia's cybersecurity environment.
Of course, cybersecurity is not just the government's job. Industry has a vital role to play, too. The passage of the subsequent bill, after further consultation and co-design, is essential to ensure a comprehensive response to the long-term security of our critical infrastructure. The second phase of these reforms will be implemented according to the PJCIS recommendations by further amending the Security of Critical Infrastructure Act and capturing those remaining elements of the SOCI bill, in particular the risk management program, the systems of national significance and the enhanced cybersecurity obligations.
I encourage industry and the Department of Home Affairs to continue to work productively together through the co-design process to refine the proposed regulations that make sure we strike the right balance so we can deliver those additional protections that we all agree are necessary. It is my hope that, by the time any revised second bill is referred to the PJCIS, the major concerns industry raised through the first inquiry will have been resolved so that we can quickly deal with it and it can be expeditiously legislated. While Australia has not yet suffered a catastrophic attack on critical infrastructure, as other speakers have said in this debate, sadly we are not immune, and the increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences for our security, our economy and our sovereignty. This demands both a swift response, which we are dealing with today, and a comprehensive response, which I hope we deal with in short order. I'm confident that the two-step approach adopted by the government to urgently expedite emergency powers for our security agencies to protect Australia's critical infrastructure does just that, and I commend the bill to the Senate.
7:06 pm
Sarah Henderson (Victoria, Liberal Party) Share this | Link to this | Hansard source
It's my pleasure to rise and make a contribution on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. I want to start my contribution by saying very clearly that the national security threat in this country has changed quite dramatically, as the director-general of ASIO made very clear in evidence during the last estimates. Foreign interference and espionage will soon overtake terrorism as the biggest national security threat to Australia. We have, of course, a very proud history of combating the physical threats to Australia's national security. For instance, since September 2014 Australia's law enforcement agencies have disrupted 21 major terrorist attack plots, 138 people have been charged as a result of 66 counterterrorism related operations around Australia and 50 terrorist offenders are currently behind bars for committing a Commonwealth terrorism offence. I'm very pleased to say that the Australian government has passed 22 tranches of national security legislation.
But, as we've just heard in the excellent contribution from Senator Paterson, who is the chair of the PJCIS, the increasingly larger threat to Australia's national security is in the threat posed by cyberattack—digital disruption—and other non-physical ways in which Australia's freedoms, its democracy and its national security can be compromised. That is why this particular bill is so important. The PJCIS has done an incredible amount of very fine work to identify the urgent need to pass this bill and to implement these emergency powers as well as to conduct further consultation with industry in relation to the second tranche of amendments to our law that are required.
I want to briefly reflect on my first speech in this place. I certainly raised my concerns about the protection of critical infrastructure back in October 2019, when I spoke about the need to keep our nation strong and the need to protect Australia's security and strategic interests and how we had taken enormous strides to combat terrorism and foreign interference, support our intelligence agencies and build our defence capability. But I also made the very strong point that, when things aren't working, we have to call them out. At that time, Australia's critical infrastructure assets weren't appropriately protected—our airports, our power stations, our data networks, our communications infrastructure and our ports, including the port of Darwin. I made the point very strongly that they should not be falling into foreign hands when there was a national security threat. Since that time, led by the Treasurer, there have been some very important reforms to our foreign acquisition laws so that critical infrastructure is better protected, the sale of critical infrastructure to foreign interests can be stopped on national security grounds and the disposition of critical infrastructure assets can be forced on national security grounds. On that note, as an aside, I welcome the Minister for Defence's decision to launch a Department of Defence investigation into the long-term leasehold of the Port of Darwin by a Chinese-owned company. I welcome the work that the Minister for Defence is doing in that regard.
As we've heard in this debate, Australia has seen increasing cyberthreats and attacks on critical infrastructure such as water services, airports, hospitals and even our own parliamentary network. Throughout 2019-20, Australia's critical infrastructure sectors were regularly targeted by malicious cyberactors seeking to exploit and harm victims for profit. For example, multiple regional hospitals were the victims of a cyberattack, and as a result some health services to large regional communities, including surgeries, were disrupted. A major national food wholesaler was the victim of a cyberattack which affected its systems and temporarily disrupted its ability to provide food to Australians at a time of unprecedented pressure on the food and grocery sector. A water provider had its control system encrypted by ransomware. Had the system not been restored quickly enough from backups, that could have disrupted the supply of potable water to a regional population hub, and it had the potential to impact the economy, given the reliance of primary industry on this water supply. In June last year the Prime Minister advised that the Australian government was aware that Australia's critical infrastructure was being targeted by a sophisticated state-based actor.
In the 2020-21 financial year alone, the Australian Cyber Security Centre received over 67,500 cybercrime reports—an average of one every eight minutes—representing an increase of nearly 13 per cent over the previous year. Cybercrime reports recorded total self-reported financial losses of more than $33 billion. In particular, as we have heard in this debate, Australia has seen a worrying escalation of ransomware attacks on individuals and businesses, exacerbated by the fact that cybercriminals are now moving away from low-level ransomware operations and towards attacks which extract heavy ransoms from large or high-profile organisations. These cybercriminals can cause—and are causing—enormous damage in the way they are encrypting networks, extracting data and often threatening to publish stolen material online. These attacks go to the heart of Australia's democracy and its freedom, and they represent a grave threat not just to our economy but also to our national security.
The Morrison government is committed to protecting Australia's critical infrastructure to secure the essential services all Australians rely on—everything from electricity and water to health care and groceries. The intelligence agencies, which do so much fine work to keep Australians safe, have raised the red flag on the urgent need to act quickly to take further action to protect our critical infrastructure. Amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 will ensure that the government is well placed to assist entities which are responsible for critical infrastructure assets to respond to serious cyberattacks as the first step in the strengthening of Australia's critical infrastructure security.
The reforms outlined in this amended bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure in a number of different ways. The bill expands the definition of 'critical infrastructure' to include the energy, communications, financial services, defence industry, higher education and research, data storage or processing, food and grocery, health care and medical, space technology, transport, and water and sewerage sectors. It introduces a cyber incident reporting regime for critical infrastructure assets. When critical infrastructure assets are under attack we need to know about it, and we need to know about it urgently, so that we—government, intelligence agencies and industry—can work together to combat these attacks. The bill also makes government assistance available to industry as a last resort and subject to appropriate limitations. The government will be able to provide assistance immediately prior to, during or following a significant cybersecurity incident to ensure the continued provision of essential services.
Recent cyberattacks and security threats to Australian critical infrastructure make these reforms critically important to deliver, and of course they reflect the response to the recommendations from the Parliamentary Joint Committee on Intelligence and Security, which has brought forward these elements as a priority. The reforms will bring our response to cyberattacks more in line with the government's responses to threats in the physical world. As I mentioned at the beginning of my contribution, we can be mightily proud of the way in which we have combatted terrorism, but this is the new frontier, where no physical presence on our soil is necessary to represent a serious threat to our national security and our economy.
Importantly, the legislation will enable the government to provide emergency assistance or directions immediately before, during or after a significant cybersecurity incident to mitigate and restore essential services. As we know, nearly every essential service is run by sophisticated digital networks via sophisticated communications systems, and that of course makes the delivery of those services so much more efficient and ensures that we have state-of-the-art services in this country. But having all of this critical infrastructure underpinned by very sophisticated digital networks also presents new vulnerabilities in the way in which we are required to protect this infrastructure.
So this is a very important bill. This is a very important bill for Australia's democracy, for our economy and for our national security. I commend the work of the PJCIS in bringing forward its recommendations to ensure that our government works and acts quickly to address the further reforms which are required. I commend this bill to the Senate.
7:18 pm
Perin Davey (NSW, National Party) Share this | Link to this | Hansard source
I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. The increasingly interconnected nature of critical infrastructure exposes vulnerabilities in our nation and for our national security that could result in significant consequences, not just for security but for our economy and our sovereignty. Attacks on our critical infrastructure require a joint response involving government, business and individuals, reflecting the interrelated nature of the threat. Our government is already working in partnership with critical infrastructure entities to co-design sector-specific requirements to manage and respond to security risks across critical infrastructure sectors. The government will continue to work with these entities that are responsible for critical infrastructure to ensure that, as we go forward, a second phase of reforms is implemented in a manner that secures appropriate outcomes without imposing unnecessary or disproportionate regulatory burdens. But the reforms outlined in this bill will strengthen our existing ability to respond to serious cyberattacks on critical infrastructure by expanding the definition of critical infrastructure, by including a cybersecurity incident reporting regime for critical infrastructure assets, and by making government assistance available to industry as a last resort and subject to appropriate limitations. These reforms are necessary because, while we haven't suffered a catastrophic attack on critical infrastructure to date, we are not immune, and we have seen attacks overseas that we don't want to see repeated in our own markets.
International cyber incidents, such as the ransomware attack on US company Colonial Pipeline which affected the distribution of fuel to customers on the east coast of the United States, demonstrate the potential for these attacks to cause devastating harm. We are facing increasing cybersecurity threats to our essential services, businesses and all levels of government. In the past two years we've seen cyberattacks on federal parliamentary networks, the logistics sector, the medical sector and on universities, just to mention a few, and while, thankfully, they didn't have significant consequences, they certainly had consequences that we need to address, and we need to make sure we are protected in the future.
The Australian Cyber Security Centre's Annual cyber threat report contains an overview of the cyberthreats affecting Australia and how the ACSC is responding, and provides vital advice on how all Australians and Australian organisations can protect themselves against those threats. In the 2020-21 financial year the ACSC received over 67,500 cybercrime reports, an average of one every eight minutes, representing an increase of nearly 13 percent on the previous financial year. Cybercrime reports admitted via ReportCyber at cyber.gov.au recorded total self-reported financial losses of more than $33 billion. Ransom demands by cybercriminals range from thousands to millions of dollars. Almost 500 ransomware-related cybercrime reports were received via the ReportCyber website, which is an increase of nearly 15 percent compared with the previous financial year. And cyber criminals are moving away from low-level ransomware operations. They are moving towards extracting hefty ransoms from large or high-profile organisations through increasingly sophisticated technological mechanisms. To increase the likelihood of ransoms being paid, these cybercriminals are encrypting networks and exfiltrating data, then threatening to publish stolen information on the internet.
These shifts in targeting and tactics have intensified the ransomware threat to Australian organisations across all sectors, including critical infrastructure, which is why these reforms are so important. These reforms will be implemented through strengthening the Australian government's capacity to identify and manage the national security risks of espionage, sabotage and coercion resulting from foreign involvement in Australia's critical infrastructure. The government amendments to this bill, the Security Legislation Amendment (Critical Infrastructure) Bill 2021, which amends the Security of Critical Infrastructure Act 2018, have been made to expand the security of critical infrastructure to cover 11 critical infrastructure sectors. This includes energy, communications, financial services, defence industry, higher education and research, data storage and processing, food and grocery, health care, medical, space technology, transport, and water and sewage sectors—all sectors that are vitally important to our day-to-day lives and to the lifestyle we have grown accustomed to in our nation.
The amendments will also apply the reporting obligations of critical infrastructure ownership and operational information to the register of critical infrastructure assets to the added critical infrastructure sectors. It will allow the government to mandate cyberincident reporting for critical infrastructure sectors to the Australian Signals Directorate's Australian Cyber Security Centre. It will also introduce government assistance measures providing powers for the government to respond to security incidents that seriously prejudice Australia's prosperity, national security and defence. Importantly, it will enable the Parliamentary Joint Committee on Intelligence and Security, PJCIS, to conduct a review of the operation, effectiveness and implications of the bill not less than three years from when the bill receives royal assent. That point is vitally important, because that adds to the scrutiny capacity of this parliament over the bill, to make sure that it is operating effectively, efficiently and as intended. It will allow the PJCIS to have an overview and a watching sight of how the bill is being implemented and to provide a review and any relevant recommendations when the review is conducted in three years time. As a member of the parliamentary committees for the scrutiny of bills and delegated legislation, I find that parliamentary scrutiny over such issues is very important and adds to the robustness of our legislation going forward.
The government assistance powers that are proposed as part of this bill have been proposed as a result of the consultations, which revealed a strong community expectation that, in emergency circumstances and as a matter of last resort, the government will use its technical expertise to protect Australia's national interests and restore the functioning of essential services. Collaborative resolution will always remain the most effective method of resolving an incident, and that is why it is the government's first preference to work with industries and with our critical infrastructure providers to maintain our national security. However, it is the government's ultimate responsibility to protect the availability of Australia's critical infrastructure, and, in such emergency circumstances, it is crucial that the government has last-resort powers to respond to the incident or mitigate its impact.
The government recognises that industry should and will, usually, be the first responder to the vast majority of cybersecurity incidents, with the support of government where necessary. However, under the provisions in this bill, the government does maintain the ultimate responsibility—as would be expected by the Australian public—and this is in Australia's national interests. So, as a last resort, government assistance will enable the government to protect critical infrastructure sector assets in the event of an imminent attack, during an attack or following a significant cyberattack. These last-resort powers may only be exercised where a cybersecurity incident has occurred, is occurring or is imminent; where an incident has had, is having or is likely to have a relevant impact on a critical infrastructure asset; or where there is a material risk that the incident has seriously prejudiced, will seriously prejudice or is likely to seriously prejudice the social or economic stability of Australia or its people, the defence of Australia or national security. They could also be brought in where there is no existing regulatory mechanism that can be used to address the cyberattack. The intervention power may only be authorised once the Minister for Home Affairs has sought agreement from the Prime Minister and the Minister for Defence. It is not a free-for-all. There are protections built in to ensure that it is truly used as a mechanism of last resort.
I want to reiterate that this bill has been consulted on. It's very important to understand the level of consultation that has occurred. From August to September, the Australian government consulted publicly on this bill and on protecting critical infrastructure and systems of national significance through the consultation paper. There were over 2,000 participants from over 500 entities who took part in town hall meetings, sector-specific workshops and bilateral meetings to support the development of the reforms, including the sector-specific thresholds.
The Department of Home Affairs received 194 submissions on the consultation paper, and in November 2020 the government consulted publicly on an exposure draft of the bill. Home Affairs also spoke to over a thousand individuals during that public consultation on the exposure draft, which opened on 9 November and closed on 27 November. There were also 122 further submissions received during the exposure draft consultation period. There were also the PJCIS hearings and, as we acknowledged at the time, many sectors have had multiple challenges to deal with during the pandemic.
In saying that, the consultation on this bill has been thorough. Amendments have been made in response to that consultation and the bill, as it now stands, is robust and fit for purpose, and I commend it to the chamber.
7:31 pm
Anne Ruston (SA, Liberal Party, Minister for Families and Social Services) Share this | Link to this | Hansard source
This Security Legislation Amendment (Critical Infrastructure) Bill 2021 responds to the recommendations of the Parliamentary Joint Committee on Intelligence and Security's advisory report on the bill and the statutory review of the Security of Critical Infrastructure Act 2018. The government acknowledges and thanks the committee for its work, both in relation to this bill and to other government national security priorities.
Cybersecurity threats targeting Australia's national and economic interests are increasing in frequency, scale and sophistication. Twenty-five per cent of cybersecurity incidents that the Australian Signals Directorate responded to last year were found to be targeting the nation's critical infrastructure, including energy, water, telecommunications providers and our essential health networks. As the Director-General of Security noted in his recent annual report, there is:
… potential for Australia's adversaries to pre-position malicious code in critical infrastructure, particularly in areas such as telecommunications and energy. Such cyber enabled activities could be used to damage critical networks in the future.
And:
Australia's threat environment is complex, challenging and changing.
This brings into focus the importance of these amendments and why the government has accepted the committee's recommendation to expedite the introduction of these important measures. The PJCIS has made 14 recommendations in the advisory report, notably, including that the bill be split into two, with a first bill to incorporate the measures to respond to cyberincidents and cyberincident reporting, as well as associated definitions and powers, and for a second bill to be introduced following industry consultation to include the remaining preventative measures. The PJCIS indicated that the measures in the bill should be legislated in the shortest possible time, given the moral imperative of the government and our security agencies to harden our essential services and ensure the continued safety of the Australian community.
The measures in the bill will expand the scope of the Security of Critical Infrastructure Act to include assets in an additional 11 industry sectors as critical infrastructure assets; provide a mechanism to require cyberincident reporting; enable government responses to serious cybersecurity incidents; and retain associated definitions and powers. The bill also includes a provision that the PJCIS may conduct a review of the operation's effectiveness and implications of the reformed security of the critical infrastructure legislative framework in the Security of Critical Infrastructure Act not less than three years from when this bill receives royal assent in accordance with recommendation 14 of the advisory report. The government will respond to the remaining PJCIS recommendations relating to the second bill as soon as possible.
Engagement with industry will not stop with the passage of this bill. The government will continue to work collaboratively with industry to support the implementation of their obligations with the ultimate goal of reducing the likelihood and the severity of catastrophic impacts to Australia's critical infrastructure. Malicious cyberactivity represents a threat to Australia's way of life. It can undermine our sovereignty, democratic institutions, economy and national security, and it is the responsibility of all Australians to protect themselves against it. Accelerated digitisation during the pandemic has made Australia more vulnerable to cybersecurity threats and emboldened malicious actors. These measures will be a step towards ensuring cyber-resilience for all Australians.
I commend the bill to the Senate. I also table a correction to the revised explanatory memorandum relating to this bill.
Matt O'Sullivan (WA, Liberal Party) Share this | Link to this | Hansard source
The question is that the second reading amendment moved by Senator Thorpe be agreed to.