Senate debates

Monday, 25 November 2024

Bills

Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading

11:36 am

Tim Ayres (NSW, Australian Labor Party, Assistant Minister for Trade)

I table revised explanatory memoranda relating to the bills, and I move:

That these bills be now read a second time.

I seek leave to have the second reading speeches incorporated in Hansard.

Leave granted.

The speeches read as follows—

CYBER SECURITY BILL 2024

This Bill, alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill (ISA Bill) and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill (ERP Bill), forms the Cyber Security Legislative Reforms Package that will collectively strengthen our national cyber defences and build cyber resilience across the Australian economy.

This suite of legislative reforms will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy, a significant step in achieving the Australian Government's vision of becoming a world leader in cyber security by 2030.

To achieve this goal, we must understand that cyber security is everyone's responsibility.

Our connections online form a significant part of the lives of most Australians—they enhance the way we live, work and play, and as we continue to invest in transformative digital technologies, this will only expand. At the same time, we need to be clear about how we're protecting Australian individuals and businesses. In order to enhance our collective cyber resilience, we need a clear legislative framework that addresses whole-of-economy cyber security issues, and positions us to respond to new and emerging cyber threats.

We need to ensure individuals can trust the products they use every day; we need to enhance our understanding of the threat of ransomware and cyber extortion so we can break the ransomware business model; we need to enhance protections for individuals experiencing a cyber incident to encourage their engagement with government; and we need to learn the lessons from cyber security incidents that have had a significant, detrimental impact on millions of Australians so that we can be better prepared going forward.

The Cyber Security Bill provides this framework, bringing together measures to achieve the Australian Government's vision under one holistic piece of legislation.

The Bill contains four measures:

          These four measures form the Cyber Security Bill. Together with the other Bills in this Package, this Bill will equip both Government and industry with the awareness and resilience to better protect Australians from cyber security threats, providing a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber security landscape.

          On 9 October, the Government referred the package to the Parliamentary Joint Committee on Intelligence and Security. The Committee has now handed down its report and recommended that, subject to implementation of the recommendations in its report, the Package be passed by the Parliament. The Government agrees or agrees in principle to all thirteen recommendations in the Committee's report.

The Government agrees to recommendations two and three, and will ensure reporting is user-friendly, leveraging the existing single reporting portal. The Government will take an education-first approach, informing impacted entities of their new obligations through communications campaigns.

          The Government agrees in principle to recommendation four. The Government agrees that ransomware payment reporting obligations will only apply to the extent that the ransomware incident relates to the reporting business entity's operations in Australia. The Cyber Security Bill as drafted gives this effect and this will be clarified in guidance.

          The Government agrees to recommendation five and has revised the Explanatory Memorandum. The Explanatory Memorandum as tabled in the Senate gives effect to this intention that Standing Members of the Board will not need to be members of the Australian Public Service. In line with the Committee's report, composition of standing members will be considered further through industry consultation on the rules.

          The Government agrees in principle with recommendation six, that the Minister for Cyber Security should consult with the Board before approving the Terms of Reference for each review. Consultation with the Board is built into the legislative framework and the Terms of Reference will be developed by the Board itself, prior to seeking approval from the Minister for Cyber Security.

          The Government agrees with recommendation seven of the Committee's report, and has made amendments to the Cyber Security Bill in the House of Representatives to address this recommendation. The Cyber Security Bill, as introduced in the Senate, clarifies that information obtained by the National Cyber Security Coordinator in relation to a cyber security incident, or acquired by a Commonwealth body or State body from a ransomware payment report, is not admissible against the impacted entity in certain criminal or civil proceedings.

          Concomitantly, these amendments ensure that information obtained by the Cyber Incident Review Board in the performance of its functions is not admissible in evidence against the entity in certain criminal and civil proceedings. The ISA Bill has also been amended in the House of Representatives to address recommendation seven to further clarify the application of the admissibility protections conferred by the limited use obligation.

          Protections afforded to individuals and information under limited use have been further clarified in the Bills, explanatory memorandum and industry guidance, to address recommendation seven.

          These actions ensure Government and industry can work together to communicate with clarity and confidence, making our responses more efficient and based on real-time insights. Cooperation on a national scale is one of Australia's greatest advantages against malicious cyber activity.

          The Government agrees in principle to recommendation eight. The Government agrees any other right, privilege or immunity that a ransomware payment reporting entity has in respect to any proceedings, including legal professional privilege, will not be impacted. The Cyber Security Bill, as introduced in both chambers, provides this legal effect and the Department will ensure that this is clear to entities affected by the regime.

          The Government agrees to recommendation nine, and the Department of Home Affairs will publish additional guidance on the intended interpretation and application of key definitions introduced in the Security of Critical Infrastructure Act 2018 (SOCI Act). This will be part of the comprehensive guidance being developed on the amendments being made under the ERP Bill to assist regulated entities in understanding their obligations. Consistent with previous reforms to the SOCI Act, the Department will continue to take an education-first approach to compliance, reserving compliance and enforcement action to a last resort.

          The Government agrees with recommendation ten of the Committee's report, and has amended the Cyber Security Bill in the House of Representatives. The Cyber Security Bill, as introduced in the Senate, introduces a provision that the Committee may review the operation, effectiveness and implications of the Cyber Security Act as soon as practicable after 1 December 2027.

          The Government agrees to recommendation eleven. The Minister for Home Affairs will initiate an independent review under section 60A of the SOCI Act by no later than 1 November 2025.

          The Government agrees with recommendation twelve, and has amended the ERP Bill in the House of Representatives to amend section 60B of the SOCI Act to extend the Committee's ability to initiate a review into the operation, effectiveness and implications of the SOCI Act from 3 years to 5 years from Royal Assent of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act). The Government acknowledges the importance of conducting a holistic review of the SOCI Act, after the amendments being made by the ERP Bill are implemented. Together, the approach to recommendations eleven and twelve will ensure an independent review can fully assess the operation of the SOCI Act in time to inform the Committee's next review.

          The Government agrees with recommendation thirteen, and has amended the ERP Bill in the House of Representatives to repeal section 60AAA of the SOCI Act, removing the now redundant six-monthly reporting to the Committee relating to consultation undertaken by the Department on the amendments made by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 and the SLACI Act. I thank the Parliamentary Joint Committee on Intelligence and Security (Committee) for its work on this Bill through its inquiry and recommendations.

          I extend my thanks to staff at the Department of Home Affairs for their incredibly hard work developing this Bill. I commend this Bill to the chamber.

          INTELLIGENCE SERVICES AND OTHER LEGISLATION AMENDMENT (CYBER SECURITY) BILL 2024

          This is the second Bill in the Cyber Security Legislative Package and seeks to amend the Intelligence Services Act 2001 to legislate a limited use obligation for the Australian Signals Directorate (ASD), similar to the provisions relating to the National Cyber Security Coordinator under the Cyber Security Bill. A limited use obligation will protect the information voluntarily provided to, or acquired or prepared by, ASD during an impacted entity's engagement in relation to a cyber security incident or vulnerability.

          Australian networks continue to be regularly targeted by opportunistic malicious cyber actors. As outlined in ASD's Annual Cyber Threat Report 2023-2024, ASD responded to over 1,100 incidents from Australian entities. Separately, nearly 87,400 cybercrime reports were received, averaging one every six minutes.

          Together with the other Bills in this Package, this Bill will equip both Government and industry with the awareness and resilience to better protect Australians from cyber security threats, providing a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber security landscape.

          ASD relies on the receipt of timely, detailed technical information from industry and victims of cyber attacks to build a coherent national cyber threat picture, provide advice on cyber security uplift, diagnose the cause and severity of cyber incidents, and assess the information against ASD's intelligence holdings to mitigate harms in the early stages of a cyber incident.

However, both industry feedback and ASD's operational experience indicate a declining willingness from entities to share technical cyber security incident information with ASD in a timely manner, principally due to concerns that information shared with ASD could be co-opted by other parts of Government to inform regulatory action.

A limited use obligation will ensure this information can only be communicated by ASD to others for a permitted cyber security purpose. It is not a safe harbour for industry and will not exempt an organisation from complying with its existing legal and regulatory obligations.

I thank the Parliamentary Joint Committee on Intelligence and Security (Committee) for its work on this Bill through its inquiry and recommendations. The Committee made one recommendation (recommendation seven) in its advisory report that relates to this Bill. As noted in the second reading speech for the Cyber Security Bill, the Government agrees with this recommendation. This Bill has been amended in the House of Representatives to address recommendation seven. As introduced in the Senate, this Bill clarifies the application of the admissibility protections conferred by the limited use obligation.

          With this measure, alongside the establishment and clarification of the role of the National Cyber Security Coordinator, we will ensure Government and industry can work together to communicate with clarity and confidence, making our responses to cyber security incidents more efficient and based on real-time insights. Cooperation on a national scale is one of Australia's greatest advantages against malicious cyber activity.

          I extend my thanks to staff at the Australian Signals Directorate for their work developing this Bill. I commend this Bill to the chamber.

          SECURITY OF CRITICAL INFRASTRUCTURE AND OTHER LEGISLATION AMENDMENT (ENHANCED RESPONSE AND PREVENTION) BILL 2024

          This is the third Bill in the Cyber Security Legislative Package. This Bill seeks to amend the Security of Critical Infrastructure Act 2018 (the SOCI Act) to strengthen existing security obligations on critical infrastructure sectors to address gaps identified following recent major cyber security incidents.

          Australia currently faces heightened geopolitical and cyber threats, which means that our critical infrastructure is increasingly at risk. The risk to our sovereignty, defence, and security has never been more present, especially for the critical infrastructure providing essential services crucial to our way of life.

          Recent incidents illustrate that threats to the operation of Australia's critical infrastructure continue to be significant and far-reaching. From natural hazards through to human-induced threats—all have the potential to significantly disrupt critical infrastructure. Indeed, the Director-General of the Australian Security Intelligence Organisation has stated, "malign foreign powers will consider using sabotage to coerce, disrupt or retaliate during times of escalating geopolitical tensions. Pre-positioning malicious code in Australia's critical infrastructure is the most likely means."

          An attack on a single critical infrastructure entity can quickly create catastrophic cascading consequences across critical infrastructure and Australia's socioeconomic stability, defence and national security.

          This Bill will build upon previous reforms to the SOCI Act to uplift and enhance the security, resilience and agility of critical infrastructure in the face of an increasingly hostile and complex threat and risk landscape.

          The Bill contains six measures in total:

                    I thank the Parliamentary Joint Committee on Intelligence and Security (Committee) for its work on this Bill through its inquiry and recommendations. The Committee made four recommendations (recommendations nine, eleven, twelve and thirteen) in its advisory report that relate to this Bill. As noted in the second reading speech for the Cyber Security Bill, the Government agrees with each of these recommendations. To address recommendations twelve and thirteen, the Government has amended this Bill in the House of Representatives. This Bill, as introduced in the Senate, will amend section 60B of the SOCI Act to extend the Committee's ability to initiate a review into the operation, effectiveness and implications of the SOCI Act from 3 years to 5 years from Royal Assent of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act); and will repeal section 60AAA from the SOCI Act.

                    Together with the other Bills in this Package, this Bill will help to strengthen our responses to the dynamic, cascading consequences of serious incidents that impact our critical infrastructure, and more broadly, the Australian community.

                    I extend my thanks to staff at the Department of Home Affairs for their incredibly hard work developing this Bill. I commend this Bill to the chamber.

James Paterson (Victoria, Liberal Party, Shadow Minister for Cyber Security)

                    I rise to make a contribution on this cybersecurity legislative package: the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. The coalition supports the policy intent of the bills. As cyberthreats continue to evolve and the strategic environment continues to deteriorate, urgent action is required to uplift Australia's national cyber-resilience. As the ASIO director-general, Mike Burgess, said in his most recent annual threat assessment:

                    The most immediate, low cost and potentially high-impact vector for sabotage is cyber. Our critical infrastructure networks are interconnected and interdependent, which increases the vulnerabilities and potential access points.

                    ASIO is aware of one nation state conducting multiple attempts to scan critical infrastructure in Australia and other countries, targeting water, transport and energy networks.

                    The Australian Signals Directorate has also spoken of near constant cyberattacks on our government networks and critical infrastructure. But it is not just government and big corporates that have been impacted. Small businesses and everyday Australians are increasingly falling prey to criminally motivated cyber actors. In its annual cyberthreat report released on Wednesday, ASD highlighted that it received over 87,000 cybercrime reports in the 2023-24 financial year. This averages out to a report every six minutes. The threat report also noted that 11 per cent of the 1,100 cybersecurity incidents ASD responded to in the last financial year related to critical infrastructure, highlighting how these networks are an attractive target because of the sensitive data they hold and the widespread disruption that a cybersecurity incident could cause. Against this backdrop, we must ensure that our laws are fit for purpose to prepare for and respond to the quickly evolving cybersecurity challenges facing Australia. I support the efforts to do so through this legislation.

                    Before I speak to the bills before us, it's worth briefly reflecting on the history of reforms in this space. In government, the Liberal and National parties made tough but necessary decisions to secure our digital sovereignty, to equip our intelligence and security agencies with the appropriate tools and to harden the private sector from cyberattacks. We established the Australian Cyber Security Centre within the Australian Signals Directorate in 2014 to help drive a partnership between industry and government. We released the first ever cybersecurity strategy and appointed the first ever cybersecurity minister in 2016. We appointed the first ever cyber ambassador in 2017.

                    In 2018, we made ASD a statutory agency and legislated the first ever Security of Critical Infrastructure Act. We also led the world by banning Huawei and other high-risk vendors with close connections to the Chinese Communist Party from providing 5G mobile technology in Australia. Many other countries have since followed our lead. In 2020, we updated our Cyber Security Strategy and backed it with $1.67 billion of investment. This stands in stark contrast to the cybersecurity strategy released by the Albanese Labor government last year, which commits only $192 million over four years.

                    In 2021 we legislated a new legal framework for the Australian Federal Police to take the fight to criminals on the dark web, drawing on the assistance of ASD. We significantly enhanced the Security of Critical Infrastructure Act in 2021 and 2022 by expanding the sectors it covered from four to 11, requiring critical-infrastructure providers to implement risk management plans and giving emergency powers to ASD to step in in the event of a catastrophic attack on our most systemically important networks. And we made the largest-ever investment in ASD's history through Project REDSPICE—$10 billion over 10 years to effectively double their size, with 1,900 new personnel and the acquisition of new platforms, technologies and capabilities. The reforms introduced by the package of legislation before the Senate today represent a logical extension of the world-leading approach taken by the former coalition government.

                    The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 contains a number of provisions that extend the powers of the existing SOCI framework, most significantly by expanding government assistance powers to facilitate the use of last-resort directions for managing the consequences of all hazards incidents. I remind the Senate that, in the wake of the Optus and Medibank cyber incidents in 2022, the then Minister for Home Affairs and Minister for Cyber Security, Clare O'Neil, trashed the SOCI Act, saying:

                    … that law was bloody useless, like not worth the ink printed on the paper, when it came to actually using it in a cyber incident. It was poorly drafted.

                    On a separate occasion, she actually praised the SOCI reforms:

                    If you look at the work that was done…on the Security of Critical Infrastructure Act in the last Parliament, when I describe that law to politicians around the world, their mouths are open thinking, "how can we construct something similar in our country?"

                    It's somewhat ironic, then, that the backbone of Labor's now-much-touted cyber legislation is a modest and logical extension of the SOCI reforms introduced by the previous government. Former minister O'Neil's desperation to politicise what should have been bipartisan national security policy is, unfortunately, emblematic of Labor's broader chaotic approach when it comes to national security. But it is good to see that the government has finally seen reason as to the merits of the coalition's world-leading SOCI reforms to the point that it's decided to double down on our approach, and I welcome the SOCI measures included in the legislation before us.

                    I also welcome the limited-use provisions in this legislation, which will provide assurance to entities that the information they disclose to government about cyber incidents will not be used against their interests in the future. We need seamless, time-sensitive sharing of information between government and business when there is a cyberattack. We can't afford for any CISO or their CEO to hesitate to pick up the phone to the ACSC and share what they know.

                    I asked the former director-general of the Australian Signals Directorate, Ms Rachel Noble, about the merits of a limited-use provision at a Senate estimates hearing two years ago. Ms Noble reflected:

                    Speaking purely from ASD's perspective, I think the safe harbour concept is a most excellent idea because, to your point, where there is ambiguity—if I'm dealing with a government, do you hand that information to other government departments or don't you? How can I be sure that that won't occur without my permission and so forth? So from an operational perspective, in that heat of the incident, if you will, when we're still trying to pull people out of the water and into the lifeboats, to have that absolute confidence for the private sector, that at the very least their operational engagement with ASD would be exempted from the inquiry of others, whether they are other government agencies or other people scrutinising the process, like we've seen in class action lawsuits, for example, that is very attractive to us as well.

                    I first publicly called for a legislated limited-use obligation on 22 March 2023. I note that if the Australian government had moved more quickly with this reform it may have gone some way to address the declining willingness of industry to share information with ASD in a timely way, which we have witnessed in the intervening years.

                    The proposed mandatory standards for smart devices in the Cyber Security Bill are welcome and long overdue. I note that the proposal to introduce minimum standards for internet connected devices was first canvassed by the former government in the July 2021 discussion paper stemming from the 2020 Cyber Security Strategy. The need for these reforms has become more acute in recent years as we have learned more about the national security risks of internet connected devices. In this term of parliament, I've conducted successive audits which revealed hundreds of Chinese manufactured cameras, drones and internet connected solar inverters in use across the Commonwealth government on many sites, including many in our Defence and law enforcement agencies. As a result, departments and agencies committed to removing more than 1,000 cameras made by Hikvision and Dahua from Commonwealth sites. Many agencies, including Australian Border Force and the ADF, have grounded their fleet of drones made by DJI. But all these actions came only after I called on the government to address these vulnerabilities and after many of our allies had done so.

                    The government's piecemeal response is not a robust or sustainable approach to addressing issues that are core to our national security, and it is my hope that the provisions in this legislation lead us towards a more consistent and economy-wide approach to managing these risks.

                    I welcome the two subsequent PSPF directions, issued by the Department of Home Affairs in July, which relate to managing the risks of foreign interference in technology assets, but I also note the ironic and deeply concerning revelations that the Minister for Home Affairs and Minister for Cyber Security, Mr Burke, is himself the owner of a Chinese-made, internet connected electric vehicle. This came after the department admitted it was possible for these EVs to listen to the occupants, track the movements of the driver and record people and places, and to transmit all of that data back to the manufacturer. It beggars belief that our Minister for Home Affairs and Minister for Cyber Security is driving around in a car that is a potential listening device for the Chinese Communist Party, and I hope these reforms can be used to protect regular Australians, and the minister himself, from these kinds of risks.

                    Cybersecurity is a shared challenge, and no-one is immune from cyberattacks. That's why it's important that we learn the right lessons from every major cyber incident and apply these lessons across industry and government to make sure we are better equipped next time we face something similar. Two years on from the data breaches suffered by Optus and Medibank, we are still in the dark about the specifics of what led to these incidents, how they were managed and what companies can learn from the incidents to guard against future cyberattacks of a similar nature. This is what prompted me, over a year ago, to call for a mechanism to conduct dispassionate, objective investigations following a significant cyber incident, for the collective benefit of the organisations, who may be able to learn the lessons. This came after the US government announced the establishment of a cyber safety review board in 2021. Had the Australian government acted sooner to establish an equivalent construct here, it may have assisted in post-incident investigations in significant incidents, such as the MediSecure data breach and the CrowdStrike outage, which occurred this year. Nevertheless, I welcome the establishment of a legislated cyber incident review board and I welcome the clarification provided that standing members of the Cyber Incident Review Board do not necessarily need to be members of the Public Service, which will provide flexibility to include representatives external to government if the minister deems it appropriate.

                    In its most recent cyberthreat report, ASD noted 11 per cent of all incidents ASD responded to in 2023-24 included ransomware—a three per cent increase from the year before. In a report released earlier this year, the UK's National Cyber Security Centre assessed that AI will heighten the global ransomware threat and increase the volume and impact of cyberattacks in the next two years by lowering the barrier to entry for novice cybercriminals, hackers for hire and hacktivists. The mandatory reporting requirements for entities who make a ransomware payment is therefore timely. The regime will assist government and industry to get a fuller sense of the scale of the problem so that our cyber defences are tuned appropriately. There are many other worthy reforms in this package of legislation that I do not have time to discuss at length.

While the coalition supports the policy intent of the bills, we do continue to hold significant concerns about the government's rushed process and the limited time for parliamentary scrutiny, which increases the risks of overlooking unintended consequences and drafting errors in the legislation. The former Minister for Home Affairs and Minister for Cyber Security originally announced the development of the most recent Cyber Security Strategy on 8 December 2022. The strategy was released on 22 November 2023, and on 19 December 2023 the department released a consultation paper on legislative reforms arising from the cyber strategy, which informed the current bills. The Department of Home Affairs consulted on a targeted exposure draft of the proposed legislative reform between 4 September and 11 September this year, and the government then introduced the bills on 9 October and referred them to the Parliamentary Joint Committee on Intelligence and Security on the same day, with submissions due by 25 October. This means that stakeholders had only two weeks to make a submission on the bills and that the PJCIS had just a month to consider and report on the bill.

                    Given these reforms have been in train for close to two years, it is inexplicable that the government has seen fit to reduce the time for parliamentary scrutiny in its desperation to pass the legislation before the end of the year. Multiple stakeholders shared these concerns during the PJCIS inquiry. The government has shown disregard for these concerns, and it remains clear that the condensed inquiry timeframe was not sufficient to properly scrutinise what is highly complex and consequential legislation. The intelligence committee report canvasses numerous issues identified throughout the inquiry, which has prompted the government to amend their own legislation in line with some of those recommendations. It stands to reason, though, that a more extensive scrutiny process would reveal even more that warrants further consideration.

                    The coalition has repeatedly cautioned against this approach, and any unintended consequences that arise in the future as a result of this rushed process will lie solely on the government.

                    As I said, the coalition supports the policy intent of this legislative package. In the face of a complex and evolving threat environment, the government needs robust levers to protect Australians from cyberthreats. We will always support sensible changes which ensure our legislation is fit for purpose to tackle the ever-evolving cyberthreats facing Australia, which is why we will be supporting the passage of these bills and the accompanying government amendments.

                    11:50 am

David Shoebridge (NSW, Australian Greens)

                    I rise on behalf of the Greens to speak to this package of bills: the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. I note at the outset that this process has been extraordinarily rushed by the government. There's been a chaotic, end-of-year rush to bring this legislation through, first of all, the somewhat secretive Parliamentary Joint Committee on Intelligence and Security, which, even though it's stacked with government and opposition members, expressed its concerns about the rush with which this legislation was brought to parliament.

                    Indeed, this complex legislation proposes a raft of cybersecurity changes for corporate and non-corporate Australia which we know are going to intersect with a series of other existing statutory obligations. Those obligations under the Corporations Act, the existing SOCI Act, the Australian taxation system and the Telecommunications Act, especially in relation to encryption, as well as obligations under the defence exports regime, mean that this legislation is actually incredibly complex reform which will potentially have ripples across an array of existing regulatory requirements.

                    And what did the government do? It gave the community and stakeholders two weeks to come to terms with the draft legislation and put submissions in. The Law Council of Australia, in their submission to the PJCIS, said:

                    … the Law Council is disappointed that a period of just over two weeks has been afforded between the tabling of the Package and the deadline for written submissions. We emphasise the complex nature of the legislation, which will have wide-reaching impact and consequences in a highly technical field. With respect, the current consultation period does not allow for meaningful and robust consultation with stakeholders to ensure the laws will work as effectively and efficiently as possible.

                    It wasn't just the Law Council. Pretty much every stakeholder that my office has spoken with and those that put in submissions have made these same points. The Cybersecurity Coalition, for example, in their engagement with the PJCIS said that, yes, they wanted to commend the government on its approach to industry consultation, but they reiterated concerns about the lack of time. The Australian Institute of Company Directors expressed their concern with the lack of time. The Australian Information Security Association also expressed their concerns with the lack of time.

                    So what does this legislation propose to do? It proposes to put in mandatory security standards for smart devices, the so-called Internet of Things, and I'll speak to that briefly when I talk about what this bill does and doesn't do. It puts mandatory obligations on certain businesses to report ransomware and cyberextortion requests and a very limited-use obligation that restricts how that cybersecurity information provided to the National Cyber Security Coordinator can be used and disclosed, and, again, I'll talk to the concerns about the lack of safe-harbour provisions in this legislation. It also establishes a cyber incident review board to conduct post-incident reviews into significant cybersecurity incidents, and I'll speak to the lack of independence in that cybersecurity review board as well.

                    Could I deal first of all with the mandatory security standards for smart devices. In this regard, I note that the Greens have circulated a second reading amendment which seeks to add to the motion the following:

                    (a) this scheme will work best if the rules applied to Internet of Things devices are harmonised with similar regulatory obligations in other jurisdictions; and

                    (b) the government has indicated it will consider alignment of schemes following the passage of the bills.

                    It is obviously necessary to put in place protections so that, as the Internet of Things grows—as our fridge talks to our car, talks to the front door, communicates with the phone and then shares that online—we have adequate security measures in place to ensure that, as we just travel about our daily business, we don't find ourselves the subject of some sort of global eavesdropping. And we know that's already happening. We know that's already happening, not so much because of the work of the government but because of the work of organisations like CHOICE and others that have pointed out that, for example, in the context of our motor vehicles, how many of the major brands are recording and transmitting data, including sometimes video and voice data, without our consent, simply as we move around in these vehicles.

                    Perhaps the worst offender is Tesla. Tesla motor vehicles actually record snippets of video and voice without your consent, without your information, as you drive around in Tesla motor vehicles, as well as data about where you go and how you drive, and feed that back to Tesla corporate headquarters in the United States—and feed it back to that champion of human rights, Elon Musk! You would have thought that the opposition would be concerned about that. They don't seem to be concerned about that. We're concerned about that. But it's not just Tesla that's doing a live feed from our motor vehicles back to Elon Musk, who is a danger to democracy, can I point out—absolutely a danger to democracy. It's Korean car brands and it's pretty much every imported Chinese car brand that in one way or another is gathering data about us without our consent, without any protections for us, and feeding it back to heaven knows where.

                    Of course we need security protections, and this legislation proposes that at some point, maybe in the next 12 months, there will be a process under which some rules will be written and maybe we'll get some kinds of security protocols put in place for the Internet of Things. But we don't know what. We don't know what. Industry has been saying there are well-established international standards that should be clearly articulated by the government, and they'll say that's what they're applying. Don't make up your own standard; look across the world and get the best global standards to put in place.

                    I'll just refer again to the PJCIS report, which dealt with this in some detail. At 5.26 in the report, it said this:

                    For example, the Institute for Integrated Economic Research … stated that it 'would be sensible' to adopt international standards, 'with the flexibility to change as the threat changes', but that 'it would be useful to set the one standard and enforce compliance' rather than adopting multiple standards. Similarly, … the Software Alliance … submitted that the government should 'take every effort to avoid a divergent approach from other like-minded countries'. Infoblox submitted that:

                    Aligning with international standards is not only beneficial for the impacted entities to comply but also essential for Australia to maintain global interoperability and consistency.

                    Consumer Electronics Suppliers Australia recommended that 'Australian requirements align with those of major overseas market' to 'minimise the need for bespoke Australian solutions and ensure the future-proofing of regulations against technological advancements'.

                    What are the standards that the government are applying? That's a question we'd like to see the minister answer. What are the standards it is intended will apply? For example, is the government intending to use the United Kingdom's Product Security and Telecommunications Infrastructure Act standards in rule making?

Is there an intent to use those international standards, agreed by much of industry, such as the ETSI EN 303 645 standard? What's the standard that the government's intending—are you just going to make up some sort of local South Pacific standard, which will then see a disconnect between Australian security standards and those in comparable jurisdictions? That, I think, is a question that surely the government will have an answer to today before we pass this rushed legislation. Surely, you know what standard you want to apply to the Internet of Things. But we need to do it rapidly. I don't know about you, Deputy President, but I don't like the idea of my car having a direct conversation with Elon Musk or whoever is monitoring it in Seoul or whoever is monitoring the information feed in Beijing. I'm not much attracted to that concept, and I would have thought the government should be passing legislation to prevent it happening. That is one of the other remarkable failures of this government—in its privacy legislation. This is meant to work coherently with privacy legislation, which is meant to be protecting our data, stopping it being farmed and sold for corporate benefit. But, while we get this rushed legislation through, we've also got a parallel piece of privacy legislation that doesn't even touch upon this. It doesn't do one thing to protect our data. This incoherence from the government on cybersecurity and privacy, failing to understand how these two things connect, is one of the key problems with this government's rushed legislation.

Can I speak briefly to the issues of ransomware and cyber extortion payments and this concept of limited use provision. The purpose, as the Greens understand it, of the limited use protections is to do with whether entities—corporate or individuals—are supplying information to the government about their vulnerabilities, cybervulnerabilities or potentially ransom attacks. Remember this isn't always just one email saying, 'We've got your data; if you don't give us $1 million, we're going to blow your data.' Often these ransomware attacks can happen over months or even over a year or more. The limited use provisions mean that no government entity can use the information that has been supplied by entities that have reported for the purpose of civil proceedings against them. But there's no protection against criminal proceedings. I suppose the question that the government hasn't answered yet is: if you want cooperation from industry—and we absolutely need cooperation from industry—why aren't there safe harbour provisions, which already exist in the United States, which seem to be very effective in the United States in ensuring there is a relationship of trust between industry and government? These limited use provisions will not create that relationship of trust between industry and government. That will stop the flow of information and reports back to government, and that will not make us any safer.

Finally—although there is much more in this legislation that we could speak to—the proposed Cyber Incident Review Board is a modest step forward. Actually reviewing what went wrong, actually reviewing what happened in a cyberincident, and having some part of government responsible for doing that work is useful. But it should not be part of Home Affairs, because Home Affairs may often be the problem. Home Affairs may have failed to identify a problem. The regulation presented by Home Affairs may be part of the reason why a ransomware attack was successful. It may be why information wasn't supplied in a timely fashion. This Cyber Incident Review Board needs to be independent of Home Affairs. Our preferred option would be a standalone statutory entity. In the time we've had available, and given all the stress on our parliamentary drafters, we weren't able to do that and we're still waiting for the amendment to be circulated. That's no criticism of parliamentary drafters; they are absolutely under the pump and they're under-resourced by this government.

                    But we're waiting for the amendment to be circulated that will move the Cyber Incident Review Board from Home Affairs, where there are obvious conflicts of interest, into, at least, the Department of the Prime Minister and Cabinet so there's some functional separation between the review board and the entity primarily responsible for cybersecurity. I'll finish with this. This is rushed legislation that's important, and the rush is part of the problem. I move:

                    That at the end of the motion, add "but the Senate notes that:

                    (a) this scheme will work best if the rules applied to Internet of Things devices are harmonised with similar regulatory obligations in other jurisdictions; and

                    (b) the government has indicated it will consider alignment of schemes following the passage of the bills."

                    Question negatived.

                    12:05 pm

Raff Ciccone (Victoria, Australian Labor Party)

                    I also rise to speak on the Senate's consideration of the Cyber Security Legislative Package 2024. This package aims to protect Australia's cyber infrastructure, which is an essential part of our national security. Our critical infrastructure underpins our country's ability to deliver essential goods and services to all Australians as our reliance on the digital economy continues to develop and grow. As we know, cyber attacks and threats to our critical infrastructure can be highly lucrative for cybercriminals.

                    At the end of October and the start of November, I chaired the Parliamentary Joint Committee on Intelligence and Security inquiry into this very important package. I want to start by thanking the corporate, industry and civil society submitters and government departments who participated in the public hearings. The committee, in its report, made clear that it supports the urgent passage of these three bills under the Cyber Security Legislative Package 2024. I also note that the evidence that was received by the committee from stakeholders was near universally supportive of the package. I am pleased to see the government's acceptance of the recommendations listed in the report, as illustrated by the amendments to the bill that were brought forward before the chamber. This is something that I and members of the committee welcome wholeheartedly. I'm also pleased that the Department of Home Affairs has considered the feedback and is intent on assisting industry to understand their responsibilities under the reforms.

                    The first of the three bills in the package, the Cyber Security Bill 2024, provides a very clear framework for the government to identify and to respond to new and emerging cyber attacks. It will provide additional protections to Australians and businesses and improve the government's threat picture to inform additional protections, current incident response procedures and future policy. The bill will also address existing legislative deficiencies that the government outlined throughout the development of the 2023-2030 Australian Cyber Security Strategy.

                    Let's take ransomware, for instance. The sophistication of ransomware is unprecedented and causes serious problems for businesses right across Australia. It's one of the most pervasive forms of cybercrime. In response to this growing threat, the government's Cyber Security Bill will create mandatory ransomware payment reporting requirements for businesses who are affected by a cyber incident and make ransomware payments. Mandatory reporting of ransomware payments will apply to businesses in Australia that meet an annual turnover threshold. They'll be required to report a ransomware payment to the Department of Home Affairs or to the Australian Signals Directorate within 72 hours of making the payment or becoming aware of the payment. The simple fact is that the current voluntary reporting scheme is underutilised, limiting the government's understanding of the ransomware threat landscape.

                    It will also allow the government to understand the sheer scope ransomware has on the Australian economy and protect Australian businesses to recover as quickly as possible. The reporting obligations aren't about calling out businesses and hurting their reputation. Instead, they'll enable us to determine the threat level and assist Australia's domestic law enforcement to disrupt cybercrime activities both locally and abroad.

Businesses will be protected from regulators and law enforcement, and the department has emphasised the importance of an education-first approach, not an enforcement-led approach, to assist businesses. Ransomware alone costs the Australian economy up to an estimated $3 billion in damages each year.

The bill will also mandate security standards for smart devices that are either internet or network connected. These devices include smart TVs, smartwatches, home assistants, baby monitors, home routers and even consumer energy resources such as rooftop solar systems. Smart devices have become part of our daily lives. Many of us simply can't live without them. Unfortunately, however, many of these devices have poor security features that expose Australians to cyber threats, compromising users' cybersecurity, privacy and online safety. These connectible products will have to meet certain standards, bringing them into line with European standards, for example. Under this measure, smart devices in Australia will have a basic level of cybersecurity. The Australian Cyber Security Centre advises that, by securing smart devices, consumers' information will be protected and will have a reduced risk of being targeted by cybercriminals. Manufacturers and suppliers will also be responsible for compliance and will be required to provide a statement of compliance. Enforcement notices may also be issued if a smart device is not compliant with mandatory standards.

                    Lastly, the bill will also seek to establish a cyber incident review board to conduct reviews into significant cybersecurity incidents that have impacts on the Australian economy, national security or social prosperity. Currently, Australia has no formalised way to conduct post-incident reviews when such incidents occur. Recent cybersecurity incidents, such as the Optus and Medibank data breaches in 2022-23 and the MediSecure data breach in 2024, highlight that industry and government need an avenue to investigate and learn lessons from such incidents and to prepare for contingencies for future attacks. The board won't act as an investigative body that apportions blame to an organisation that is before the post-incident review. Any information that is given voluntarily to the board isn't admissible in criminal or civil proceedings and doesn't impact any existing legal obligations. Instead, the board will enable our country to learn from cybersecurity incidents to weigh up vulnerabilities that led to the attack and the effectiveness of the government and the industry response to the incident. The formation of the board will align Australia with other jurisdictions around the world—including the United States of America, which created its own cyber safety review board in 2022.

                    Meanwhile, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 amends the Security of Critical Infrastructure Act 2018. These reforms aim to improve the security and resilience of critical infrastructure by assisting the government and industry's ability to help prevent, manage and respond to future significant incidents impacting critical infrastructure through the act. Our country is facing increased geopolitical and cyber threats, putting our critical infrastructure at heightened risk. Critical infrastructure provides essential services that we rely on every single day. It's important that we make these reforms and pass them as quickly as possible. It is worth noting, however, that data is not the only target of threat actors. Critical infrastructure organisations are also targets, as they provide essential services to support Australian life and businesses, including our electricity, water, health, transport, logistics and telecommunications networks.

                    Finally, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 amends the Intelligence Services Act 2001 to legislate a limited-use obligation for the Australian Signals Directorate. Limited use is designed to encourage industry to share cybersecurity incident information with ASD, thereby bolstering ASD's ability to perform its cybersecurity functions.

                    The provision will work hand-in-glove with the compulsory reporting obligations to help us understand the scope of the threats.

                    Last week, ASD's Annual cyber threat report 2023-2024 highlighted our rapidly evolving cyber threat landscape, with over 87,000 reports of cybercrime received over the financial year—on average, a report every six minutes. The report also showed that, from last year, the average cost of cybercrime for small businesses rose by eight per cent to $49,600 per report, and for individuals, it rose by 17 per cent to $30,700 per report. We'll hear a lot about these bills before us—and it sounds like we'll probably end up in the committee stage—but our inquiry was certainly efficient and thorough. I also want to make the point that the process itself had a very comprehensive discussion around the issues the opposition and the crossbench have raised today.

                    The comprehensive consultation process—one of which I can only describe as 'gold standard' by the department—made it easy for the committee to discuss the issues that were raised with witnesses that appeared before it. It was fantastic to hear that the department had engaged with many stakeholders, particularly those in industry, for some time about these issues. That is why I mentioned earlier in my speech the fantastic work that was done to consult and iron out some of the issues before these bills were drafted and brought before the parliament today.

It's also important to reiterate that, as a direct result of this consultation process, there was and is broad support for the bills by industry and by many others that put submissions to the committee. In fact, many stakeholders participated in the inquiry. The government's consultation was best practice. Therefore, nothing in these bills was a surprise to them, with much of the content in the package already well known to industry. I also want to thank the government for the release of its 2023-2030 Australian Cyber Security Strategy back in November 2023 and the consultation paper that preceded it.

                    The Albanese government is committed to lifting our country's cyber legislative strategy and doing everything it can to support Australians and small businesses around the country. The Cyber Security Bill and related bills provide an opportunity for this country and for the Senate to strengthen our national cybersecurity defences. The bills will position Australians and our businesses, particularly in the small business community, to better respond and recover from cybersecurity threats and help our nation become a world leader in cybersecurity by 2030 in an evolving threat environment. I commend the bill to the Senate.

                    12:18 pm

Helen Polley (Tasmania, Australian Labor Party)

                    I rise to speak on the Cyber Security Bill and related bills. This issue is of great importance to our country, our citizens and our economy. As chair of the Joint Standing Committee on Law Enforcement and as a member of the Senate Standing Committee on Legal and Constitutional Affairs, I understand the importance of this issue. It's gripping Australia, and it's gripping the world. Governments around the world must act now if we have any chance of getting ahead of the game of crime syndicates, professional hackers, foreign adversaries and fighting against cybercrime.

                    I often relay tips to the public about the importance of personal online safety and tools they can implement to try and keep them safe online. There are simple strategies that can boost your cybersecurity, like updating your device regularly, setting up and performing regular backups, learning how to make a copy of your files so that you don't lose that valuable data, turning on multifaceted authentication, setting secure passphrases, recognising and reporting scams, learning how to identify common cyberattacks and defending yourself against cyberattacks. The simplest way you can protect your devices from cybercrime is to turn them off every day.

                    To get into the practice of doing that, before you get into the shower, turn your mobile phone or your iPad off and, when you get out of the shower, turn it back on. That is a really simple but effective way to help protect yourself.

                    As a government, since coming to office we have been very committed to meaningful reform. That's why I'd like to acknowledge the Minister for Home Affairs and Minister for Cyber Security, the Hon. Tony Burke, and the previous Minister for Home Affairs, now the Minister for Housing and Minister for Homelessness, the Hon. Clare O'Neil, for the work that they've undertaken. Cybersecurity deserves our attention, and this bill, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 form the cybersecurity legislative reform package of the Albanese Labor government.

                    As a government, we are committed to strengthening our national cyberdefences and building cyber-resilience across the Australian economy after some very high-profile cyberattacks and data breaches over the last five to 10 years. This suite of legislative reforms will implement key initiatives under the 2023-2030 Australian Cyber Security Strategy, which Minister O'Neil worked tirelessly on, and I acknowledge her contribution. I also acknowledge the department's contributions and submissions to the inquiry of the Intelligence and Security Joint Committee. They were always informed and completely focused on enhancing our cybersecurity intelligence and infrastructure. I know our security and intelligence organisations, and sometimes we take them for granted, but they are so essential to ensuring our national security and our own personal security, so I want to acknowledge them here today.

                    This is a significant step in achieving the Australian government's vision of becoming a world leader in cybersecurity by 2030. To achieve this vision, Australia needs a clear legislative framework that addresses whole-of-economy cybersecurity issues and positions us to be able to respond to new and emerging threats from wherever they may come. Our country relies on a framework that enables individuals to trust the products that they use every day. We need a framework that enhances our ability to counter ransomware, cyberextortion and end-to-end encryption and to live with cryptocurrency and technological advancements. These are all important things that are part of our world now. We need a framework that enhances protections for victims of cyber incidents and encourages them to engage with government. We need a framework that enables us to learn lessons from significant cybersecurity incidents so that we can be better prepared, because time is of the essence. When a cybercrime has occurred, you have only hours to report that crime to have any hope of being able to track the cybercriminals, which is why we must report these crimes when they occur.

I don't know how many people I've met in the last few months that have actually lost tens of thousands of dollars and been far too trusting. These cybercrimes are real, and they can impact any of us. Sometimes people will say to me, 'You're a high-profile politician, and that's why you're a target.' That's not true, unfortunately. Cybercrime can happen to each and every one of us. So we need a framework that enhances protections for victims of cyber incidents and that, as I said, encourages them to engage with the government. We need to ensure that people understand the importance of reporting these crimes as soon as possible.

                    I know people that have been stung by various scams, and they feel embarrassed.

They really do feel embarrassed and that they should have known better. But the reality is, these criminals are smart; they change the way that they operate all the time. They come from different places as well as from Australia—all these cybercrimes aren't just being perpetrated by people offshore.

                    The Cyber Security Bill provides a framework to build our cybersecurity as a nation in a globalised and technologically advanced world. The first measure under this bill will ensure that Australians can trust their digital products by enabling the government to establish mandatory security standards for smart devices. Australians are prolific users of smart devices—we love our gadgets—but consumers need to be assured that smart devices are still safe for them to use. To date, smart devices have not been subject to mandatory cybersecurity standards or regulations in Australia. Therefore, this bill will bring our country in line with international best practice and also will provide Australians with peace of mind that the smart devices we've come to rely on almost every day will meet our expectations around security.

                    The bill will enhance consumer security by prohibiting the use of universal default passwords on a smart device which create backdoors for potential hackers. The bill addresses the ransomware threat that continues to cause large-scale harm to the Australian economy and national security. Businesses are losing millions of dollars every year because of ransomware. We can stop it in its tracks with mandatory reporting of ransomware payments to learn from these attacks. We must prevent future ransomware crises and equip businesses to be able to bounce back following any incident.

The Cyber Security Bill's third measure seeks to support and assure Australian organisations as they respond to cybersecurity incidents. Close cooperation between government and industry is one of our greatest defences against cybercrime, which is malicious. In the wake of cybersecurity incidences, businesses need to know that they can call on government to quickly get the support that they need. The bill affirms the role of the National Cyber Security Coordinator to coordinate whole-of-government cyber-incident responses effectively. It also seeks to increase trust and engagement between business and government during an incident by limiting the circumstances under which the coordinator can use and share information that has been voluntarily provided by an affected entity. With these measures businesses will have greater comfort to report cyber incidences and gain the assistance they need in order to respond to and recover from cyber incidences.

                    We must remember that cyber crimes can impact businesses and individuals, and it's important that when you have an incident, you report it and reach out and get the support that you need. I thank Minister Burke and Minister O'Neill for their leadership, and I thank those who provided evidence to our committee to investigate this. I recommend the bill to be passed in the Senate today.

                    12:28 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

The cybersecurity legislative package will strengthen our national cyber defences and build cyber resilience across the Australian economy. This suite of legislative reforms will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy, a key milestone towards the Australian government's vision of becoming a world leader in cybersecurity by 2030. There are three bills within this package: the Cyber Security Bill, proposing new legislation to rectify gaps in Australia's existing cybersecurity regulatory frameworks; the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill, to introduce a limited-use provision for the Australian Signals Directorate, similar to the provisions related to the National Cyber Security Coordinator under the Cyber Security Bill; and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, to amend the Security of Critical Infrastructure Act 2018.

                    On 9 October Minister Burke referred the package to the Parliamentary Joint Committee on Intelligence and Security.

                    That committee has now handed down its report and recommended that, subject to implementation of the recommendations in its report, the package be passed by the parliament. The government agrees or agrees in principle to all 13 recommendations in the committee's report and, in line with recommendation 1, proposes the package be passed by the parliament. I thank the committee for its work on these bills through its inquiry and recommendations, and I thank all senators for their contributions to the debate on these important bills. On that basis, I commend the bills to the chamber.

                    Question negatived.

                    Original question agreed to.

                    Bills read a second time.