House debates

Wednesday, 28 March 2018

Bills

Security of Critical Infrastructure Bill 2018; Second Reading

6:33 pm

Anne Aly (Cowan, Australian Labor Party)

As the shadow Attorney-General mentioned in his speech earlier, Labor agrees to support the Security of Critical Infrastructure Bill 2018. We are in full support of this bill, and this bill, once enacted, would do two things. It would establish a register of critical infrastructure assets that will include information about who owns and operates those assets, which must not be made public, as well as allowing the minister to give a direction to a reporting entity, or to an operator of a critical infrastructure asset, to do or refrain from doing a specified act or thing within a certain time frame. That power may be used if the minister is satisfied that there is a risk that it is prejudicial to security that cannot otherwise be mitigated.

This bill takes into account the contemporary environment in which we operate here with the fragmentation of ownership of critical infrastructure. It is, in many respects, a precautionary bill which formalises the effective cooperation between the private sector and the government in the protection of critical infrastructure. It is heartening to see that the recommendations made by the Parliamentary Joint Committee on Intelligence and Security, which tabled its report on the bill in March this year, have been amended and have been passed in the Senate today. I'd like to draw the House's attention to some of those recommendations and, specifically, to those recommendations that were passed earlier in the Senate, and the impact on the cooperation between the private sector and the government in the protection of critical infrastructure.

One of those recommendations was an amendment requiring the relevant minister to provide to the subject entity notice of an adverse security assessment made under the bill as well as the right to seek merits review of such an assessment. Another one of those recommendations was that within the three-month transition period the Department of Home Affairs develop and make available guidelines for entities subject to the bill that enable an entity to determine whether it is a reporting entity, and provide the entity with an understanding of the specific information it is required to report.

Both those recommendations that were passed as amendments are vital in ensuring that the cooperation between private industry and government in the protection of critical infrastructure continues and continues in ways that provide a robust regime for the protection of critical assets that are defined specifically within the bill to cover water, electricity, gas and ports. There are a range of threats to those particular assets, including terrorism and cyberattacks. And we must not forget insider threats, which are threats or attacks carried out by people within an organisation.

I refer to a paper—it's a fairly old paper but still a very relevant one—by the University of Pennsylvania. I recall several years ago being at a conference that brought together academics and practitioners in security. We discussed, at length, cooperation between the private sector and the government in the protection of critical infrastructure—particularly in this contemporary environment where you have the fragmentation of ownership of critical infrastructure assets—and where the responsibility lies, and how the communication between the private sector and the government enhances target hardening and enhances the protection of critical infrastructure.

This paper makes some pretty interesting points and really emphasises the importance of having a very robust framework for private-public coordination in protecting critical infrastructure. In one point, it says:

For many large technological network systems, the challenge of ensuring reliable operations has increased because operations both within and among firms have become increasingly interdependent. Elements of infrastructures in particular have become so interdependent that the destabilization of one is likely to have severe consequences for others.

This points, of course, to the interrelationship between different forms of critical infrastructure, or different assets within critical infrastructure, and the need to protect them all in a way that coordinates communication between the private sector and the government as well as intercommunication in the private sector.

Another point made in this paper is that strategies to protect critical infrastructure are not viable unless they are politically and economically sustainable. That's why I believe this bill creates that political environment, that political sustainability, for this ongoing critical relationship between the government and the private sector in the protection of critical infrastructure.

I also note that the National guidelines for protecting critical infrastructure from terrorism, which were published by the Commonwealth government in 2015, have an attachment that outlines the responsibilities of owners and operators of critical infrastructure and the Australian government in the protection of critical infrastructure. They note that the Australian government has a responsibility to identify national critical infrastructure and develop and maintain a database of national critical infrastructure, which is one of the things that this bill will do, to work closely with state and territory governments and owners/operators to identify critical infrastructure that if disrupted or destroyed could have significant multijurisdictional or national impacts, and to liaise with overseas governments on critical infrastructure protection issues and promote critical infrastructure research as a priority. It states:

Governments expect that owners/operators should:

So at a very practical level the bill will allow for a formalised framework in order to do that.

Finally, I refer to a report from the Counter-Terrorism Committee Executive Directorate of the United Nations Security Council, published in March last year. It's one of their trends reports. I'd recommend this to anyone who's interested in critical infrastructure, which can often be a bit of a dry subject, let's admit it, but it can also be very fascinating as well if you're into that kind of thing. This report makes some very pertinent points, particularly around prevention and preparedness for critical infrastructure. It says:

In order to ensure better preparedness and response, an international network of "PCI focal points" can be appointed by Member States and relevant international, regional and subregional organizations. Policy guidance containing operational aspects, including early-warning systems and information-sharing, could also be developed.

I think this bill puts Australia well on its way to being able to cooperate not just nationally, between private sector and the government, but also internationally on an international network of physical critical infrastructure. What's interesting in this report as well is that the CTED, or Counter-Terrorism Executive Directorate, of the United Nations Security Council also recommends that:

Some States undertake stocktaking exercises to:

1. Determine existing means and capabilities.

2. Centrally compile and store this information.

3. Compare existing capabilities against identified requirements.

4. Outcome of comparison = areas for improvement.

These issues of critical infrastructure protection have been on the radar of international security professionals for several years now, as evidenced in some of the quotations I have taken from these reports. And it's heartening to see that, through bilateral cooperation with Labor through the Parliamentary Joint Committee on Intelligence and Security, we've come up with amendments to this bill to undertake and implement the recommendations made by the PJCIS. It will ensure that this bill is actually quite comprehensive in how it delivers, at a practical level, commitments to ensure continued cooperation between government and the private sector to ensure that our critical infrastructure is effectively protected and targets that would be attractive to those who wish to do us harm are effectively hardened. I would like to see that, three years down the track or a couple of years down the track, once this bill is implemented, the results of this bill and of the amendments made in implementing the recommendations made by the PJCIS help us to improve the regime that we currently have in the protection of our critical infrastructure assets here in Australia.

So I do commend this bill to the House, and Labor does very much support this bill. I would also like to commend the PJCIS and the way in which that committee worked in a bipartisan manner to come up with recommendations that would enhance the bill and ensure that the bill delivers and develops that robustness to the regime, particularly in this contemporary environment, where we are seeing and will continue to see a fragmentation of ownership of critical infrastructure. As a precautionary measure, there can be, in my mind, no more important move to make, as we go forward with further fragmentation of ownership of our critical infrastructure, than to ensure that we have the capabilities and the framework in place to ensure that our critical infrastructure continues to be protected and that we are prepared for any risks to our critical infrastructure.
