House debates

Wednesday, 13 September 2017

Bills

Telecommunications and Other Legislation Amendment Bill 2017; Second Reading

5:38 pm

Ed Husic (Chifley, Australian Labor Party, Shadow Parliamentary Secretary to the Shadow Treasurer)

When I heard that the member for Lyons was a candidate in the 2016 federal election, I had known him for quite some time and was very pleased and happy that he was standing as a candidate. He was subsequently elected, and he is doing a great job in his seat. But my faith in him was validated just now, when I had the opportunity to hear him quote from the movie Die Hard 4 in the federal parliament—this is the cherry on top of the cake! I never thought I'd hear that happen in this place. Well done, and kudos to you!

You made a number of very important points, emphasising what a lot of us believe is important with respect to the security of the services that are used and accessed by people online and, increasingly, every day. I think the member for Bass also made an important contribution in this debate. It reinforces in my mind that when it comes to digital economy matters the delegation from Tasmania that sits in the federal parliament today thinks very deeply about this, both in the House and in the other place, and it is to be commended for it.

I think we do not celebrate enough the contribution of the digital economy to the broader Australian economy. We have a number of firms in a wide variety of forms that are making an important contribution to the Australian economy. I note the presence of the member for Robertson, who, in a former life, worked for one of the major telcos in this country—a telco that is making a major contribution not only in this nation, but, importantly, within our region as well, in the form of Telstra. These are all firms that are in one way, shape or form providing jobs, providing commercial value to other firms, and contributing to the economy. More often than not, I think we overlook or take for granted their contribution. I mention this because I was very concerned by the submission that was made by four industry groups representing a lot of these firms as part of the process of considering the legislation that the government's put before the House—the submission of the Ai Group, the Australian Information Industry Association, the Australian Mobile Telecommunications Association, and the Communications Alliance. There were a number of things that were written in that submission that I want to be able to cover today, because I remain deeply concerned. I think it's important that, while we provide a very thorough security framework, we do promote best practice when it comes to cybersecurity. There were some things that were raised in that submission that I was deeply concerned about, and I think we need to set a marker down to keep an eye on them through the implementation process and beyond.

These firms rightly point out that the Australian ICT sector is 100 billion strong. That includes telecommunications carriers, carriage service providers, vendors and intermediaries. In the submission that they made, they raised a number of points. They said that the purpose of the reforms was unclear; that the nature of the compliance requirements was 'onerous', in their words; that there is no established strategy to brief carriage service providers on the threat environment; that there was vague drafting in what was put forward; and that the legislation itself doesn't include, or at least limit, the requirement for carriage service providers to retrofit or remove existing facilities. These are very serious concerns. Bear in mind that it is in the commercial interests of a lot of these companies to take very seriously cybersecurity threats and to be able to demonstrate to their customers that the network they are providing is as secure as it can possibly be. A lot of them recognise the value of it.

There are two groups of people who do not like how seriously a lot of tech firms take cybersecurity and privacy. The two groups are the people who want to cause ill and to be able to exploit vulnerabilities, and the government. The reason: a lot of these phones—for example, the iPhone, of which there's been a new version released today. I met with Apple's head of AI and Siri in the US earlier this year. A lot of people worry that when they talk to their phones—and I don't want to activate my own phone in the process of going through this example!—all of that data is retained on the phone. It cannot be accessed. It is not provided back to the servers at Apple, for example. In the next iteration of their product, none of the facial recognition elements will go back overseas either. They will all be retained on the phone. These firms take the data there very seriously. We've had a debate in this country about how you can access those phones—as was the case in the US, where Apple stood very firm on not allowing government access to phones where there was a serious national security issue that underpinned the request to access those phones. But these firms take it seriously. It's not as though they are blithe or treating the issue of cybersecurity in any sort of lackadaisical manner; they treat it very seriously.

As much as the government is putting a lot of emphasis on these firms to maintain, to ensure that they invest in and to be able to demonstrate to government the security of their tech, what is interesting and what has been raised by this submission is that there is not an equivalent collaborative arrangement or mindset in government to work with these firms. This is a very important criticism that has been extended by the sector towards government. In the submission that was put forward by these four industry associations, they rightly pointed to the collaborative nature of the working relationship between government and industry in cybersecurity in the US. They did a similar sort of thing in pointing out what happens in the UK. In this country it appears to be a one-way street, where the government will dictate what the firms must do, but government will not share any sort of advance knowledge about threats to ensure that the sector can prepare. All the penalty and risk has to be borne by the industry, and there is no commensurate behaviour by government to inform of threats in advance.

I think this is a serious problem, because we all have a stake in improving cybersecurity. We all have a stake in making sure that these services continue to deliver, on top of what the sector is already doing, and this was raised through the committee process. The government recognises it needs to do more, but the test will be, 'Will they share information about threats in a timely way to allow the sector to respond accordingly?' Again, I quote from the submission:

Further, there is no obligation established in the legislation for the Attorney-General's Department to work cooperatively and proactively with Industry in identifying, communicating and responding to threats and attacks …

I think this is a vulnerability, and it needs to be addressed by government. It needs to be able to also ensure that industry is treated as a partner, not as someone that just basically jumps the minute government clicks their fingers. It shouldn't be that way. For example, something I was very concerned about was highlighted in the submission:

… there is no corresponding obligation on Government to justify its actions, take responsibility for any unintended outcomes, bear the costs or deliver a practical and timely threat advice service. Nor is there any guidance or limitation on regulatory creep—

none of that. The government just stonewalls on this. It keeps saying, 'No, we need to do this; there are threats at play, and industry simply needs to respond.' Industry, as I said, takes this seriously, and they should be treated seriously. Government should be better at lifting the general approach to cybersecurity when it comes, in particular, to what we're dealing with here. Again, I quote from their submission:

… the Associations reiterate a preferred approach would be to reconsider the roles and responsibilities of risk assessment through collaborative sharing of information about actual and potential threats, and what tools and techniques are recommended to ensure appropriate action is taken to protect all the components that make up networks (i.e. hardware and software)—

these are not outrageous things to request; they are quite straightforward—

Industry-developed frameworks are likely to be significantly more flexible with regards to the frequent adaptations required to keep up with technological progress and market changes—

another well-made point. The other thing that concerned me was that, if, for example, there is a case where government believes that there needs to be a retrofit of certain systems, the entire onus and cost is shifted onto industry. As I said in my earlier remarks, there's not enough flagging of potential threats to industry and sending a signal to the sector about things they need to do. That's absent. Then, if there is a problem and it requires a huge investment of resources, time and money to retrofit a particular network, for example, that cost could be completely borne by industry, with no regard by government. Government has said, through the course of the inquiry process, that this would be an extreme instance—and I agree; I think it would be extreme—but there needs to be a better assurance about how that cost issue would be managed. Again, in terms of those notification requirements, I go back to the submission:

It appears highly inefficient that C/CSPs are obliged to proactively notify Government of proposed changes to their networks … and proposed risk mitigation strategies while Government is not compelled to equally notify C/CSPs of any potential or real security threats …

The government agrees it needs to work better on that. On the issue of retrofitting, this is still left out there without any real commitment as to what will happen. In fact, I think the government has said no. This is despite the fact that the sector said in its submission:

… a simple assurance in the Explanatory Memorandum and Guidelines that non-compliant systems will not be penalised does not create sufficient certainty for C/CSPs.

… the legislation itself ought to be amended to reflect the intention to not require retrofits except in rare and extremely serious circumstances.

Again, these are important points, but the government has refused to come at least halfway—well, not even halfway; it's basically said it's not going to do it. I am very concerned that, in the rare instance that this occurs, the impact on the sector is significant. The way that the sector concluded their submission was by saying:

… the Associations do not believe that a comprehensive case for TSSR has been made. In its current form, the legislation is too discretionary and vague and is lacking two-way cooperation and information, thereby imposing substantial costs, uncertainty and regulatory risk onto the entities proposed to be regulated. The legislation is an over-reach and an unnecessary imposition …

I make these remarks in this debate so that they are markers, more than anything else. From my consultation with the sector, the industry echoed the remarks of some of my colleagues—that they were very happy with the way the committee process and the hearings went. They believe that the industry were heard. They do still have some concerns. They're very pragmatic. They say, 'Obviously, you're not going to get everything that you want,' but there are some serious issues in there that I think we need to keep tabs on in the longer term.

Throughout the whole debate about metadata—the issue about the costs and the way in which industry would have to respond on data storage and management as a result of that—the government played hardball with the sector for quite some time, even though how much cost would be imposed on them was well documented. Obviously, with the requirement for additional regulation, there will always be a cost. But I think we have to always bear in mind that costs are already put in place by the sector in their pursuit of customers and to be able to demonstrate to those customers that those systems are strong and are able to withstand known threats and potential vulnerabilities. They already invest in that. When government itself refuses to provide detail about potential threats that would allow those industry players to modify their networks accordingly, but then leaves hanging over them the threat that there might be a cost for retrofit or for other required amendments to their network, I think that is pretty unfair to the sector.

So I'll be watching with interest. Obviously, our side has been keen to work with the government on this. We'll work with them on national security issues. But I think those industry concerns should be listened to.
