Gai Brodtmann (Canberra, Australian Labor Party, Shadow Assistant Minister for Cyber Security and Defence) Share this | Hansard source

Australia's Copyright Act originally dates right back to 1968. It was developed before man set foot on the moon, it was developed during the Vietnam War, it was developed during the Cold War, it was developed before the election of the great Gough Whitlam, it was developed before colour television, before digital, before the internet and before feminism. So, given that it's 50 years old, amendments to it to ensure that it keeps up to date with developments of the 21st century are welcome—amendments, of course, that are developed in close consultation with the stakeholders that are affected, that are inclusive and that respond to the needs of stakeholders.

This bill extends the operation of the safe-harbour scheme set out in the Copyright Act 1968 to a broader range of service providers. The existing safe-harbour scheme protects carriage service providers, in particular internet service providers such as Telstra and Optus, from the civil liability they could otherwise be exposed to for hosting or communicating material that infringes copyright. To be able to rely on a legal safe harbour created by the Copyright Act, the carriage service provider needs to demonstrate that they operate a scheme for removing copyright-infringing material if they are notified of such material by a rights holder.

The bill has broad support across many stakeholder groups and it's consistent with Labor's longstanding position on the issue, as communicated to those stakeholders when we had consultations with them. It's generally supported by rights holders and their peak groups also, because it provides a social good without undermining the commercial interests of content creators or their capacity to negotiate effectively with commercial enterprises for the distribution of their copyright materials. As mentioned, there's been extensive consultation on this bill. There's been consultation through a Senate inquiry, through a series of round tables that were conducted by the Department of Communications and the Arts, and through a range of consultation papers on the issue.

The point of what we are discussing today is the fact that we need to ensure that our legislation keeps up to date with the latest developments—that it keeps up to date with the 21st century. That's particularly the case with regard to copyright. One of my concerns—and I've expressed it many, many times in this parliament and elsewhere at conferences—is that I do not believe the government's work on critical infrastructure, particularly the cybersecurity of critical infrastructure, is keeping up to date with the latest developments. When you look at what's happening overseas, particularly in the US, with the protection and cybersecurity of critical infrastructure, it becomes incredibly stark that the government is not serious about protecting our critical infrastructure. The government really does need to lift its game when it comes to critical infrastructure and the cybersecurity of critical infrastructure in this country.

Australia has eight sectors that are deemed critical infrastructure—that is, eight sectors that are vitally important to Australia's social cohesion, its economic prosperity and its public safety. These are banking and finance, communication, energy, food and grocery, health, transport, water services, and Commonwealth government. If you compare that with what's happening overseas, we are very, very underdone in this area. In the United States, they've identified 16 sectors that are vital to their social cohesion, economic prosperity and public safety. In the United Kingdom, they've identified 13 sectors. In Canada, they've identified 10 sectors. In Singapore, they've identified 11 sectors. The sectors recognised by these nations but not currently included in the framework that governs our critical infrastructure include emergency services, information technology infrastructure, chemicals, manufacturing and, in the case of the US, electoral systems. Again, I've been pressing the government to start seriously thinking about including electoral systems in our critical infrastructure framework. We've seen what's happened overseas. We've seen what happened in the US. We've seen what happened in France. It is vitally important that we start taking this seriously not only in those eight sectors but also in expanding our sectors to include electoral systems.

We are so behind in terms of what's happening internationally on critical infrastructure, and I do believe that the government are not focusing enough attention on this, as I've said many, many times. They're not focusing enough attention on getting those sectors updated and broadened, but they also have this spaghetti junction of infrastructure supporting critical infrastructure and also cybersecurity. We've got the Australian Cyber Security Centre looking after cybersecurity, we've got Home Affairs looking after cybersecurity and we've got a Critical Infrastructure Centre looking after critical infrastructure—but, when they were pressed on whether they could include a closer examination of cybersecurity in the context of critical infrastructure and also whether they could broaden out those critical infrastructure sectors, we were told at a conference last year that they're under-resourced.

So here we are, with a government that talks a good game on cybersecurity and comes up with all these dazzling strategies. There's a lot of activity, but the outcomes are very hard to see, particularly in terms of the consolidation of the management of cybersecurity in this country. It's a complete dog's breakfast. It is all over the place, and the government have not consolidated the management of it; they've actually fractured it by having some of it being managed in Home Affairs, some of it being managed in ACSC and some of it being managed in various other parts of government. Trying to get a sense of who's actually managing what in cybersecurity in Australia in 2018 is a very challenging exercise. This government, I fear, has just allowed cybersecurity to be dictated by the personalities of its ministers: 'Okay, I want a bit of that,' 'I want a bit of that,' and, 'I want a bit of that.' That is why it's spread throughout government agencies.

That makes it very challenging when it comes to crises. We saw that with WannaCry. We saw that with NotPetya. In fact, we just celebrated—or not celebrated but went through—the anniversary of NotPetya, and the anniversary of WannaCry was about a month ago. When WannaCry hit, it was the Mother's Day weekend here. It hit the UK, and we were the next phase in terms of the time zone. And what happened here in Australia? I've taken up this point with the minister who had the responsibility for cybersecurity. In terms of communication, I woke up on Saturday morning and heard on the radio that WannaCry had hit. It had taken out the NHS in the UK. It had taken out companies throughout the world and had a significant impact on those private outfits as well as the NHS, the health system in the UK. And what happened? There was just a deafening silence from the government that Saturday when WannaCry hit. You turn on the radio. You hear about this. You think: 'Okay, what should I do? I'm a small business operating from home. What do I do to protect myself? What do I do to get a sense of what this means for me?'

And there's nothing—just a deafening silence from the government. The cyber czar at the time was doing the occasional tweet and the occasional media interview, but in terms of a consolidated communication, a consolidated message, out to the broader Australian community, no-one knew what was going to happen. We'd seen what happened on EHS. We'd seen what had happened to these big multinationals right throughout the word, and here we are in Australia, hearing all this news, wondering, again, 'If it's my small business or my company, what do I do?' and there was nothing—there was nothing from the government. As I said, the cyber czar, Alastair MacGibbon, was out there doing a bit of a tweet and a few media interviews here in Canberra, but that was about the extent of it. I've made this point repeatedly, but the government is not listening. We have got to improve the way that we communicate about cybersecurity in this country and we also need to improve the mechanisms we have in the event there's a cyber threat right throughout the nation.

At the moment, there is no crisis centre. At the moment, there is no one place to call. There is no one-stop shop for someone like a small business sitting here in Canberra, getting up, hearing that news on the Saturday morning and saying: 'What do I do? Where do I go?' There's nowhere to go. There are about five different sites you can go to. You can spend your morning trawling from one site to another. But even then the information that came out didn't really come out in terms of what people should be doing in terms of patching and backing up. It didn't come out till two days later, because everyone was off celebrating—and of course they would do that—with their mothers on Mother's Day. But this was potentially a crisis. No-one knew how this was going to play out in Australia. And the response by the government was underwhelming in the sense that there was really no response.

And so again I encourage this government, I implore this government to start taking communication about cybersecurity seriously and to consolidate the communication so that a small business sitting in Canberra, on a Saturday morning, has one location, one point of truth to go to in the event that there is a cyber crisis—one point of truth, one message that is clear on telling me what I need to do, and when I need to do it by.

With WannaCry we heard about 18 individuals and companies that were affected here in Australia, but that's just what we know about in terms of the reporting. We don't know how badly this affected Australia. Most of those were small businesses. And where did they go for information on it? They went to about 10 different sites if they knew how to navigate their way around the labyrinth that is the cybersecurity governance that this government has set up.

I go back to the critical infrastructure. I again implore the government to do something and start taking the cybersecurity of critical infrastructure seriously. As I said, we are way underdone in terms of the sectors covered in our framework, way underdone by international standards and also way underdone in terms of the cybersecurity management of that critical infrastructure. In the US each sector actually has a guiding council of experts from industry and from government. Say it's the electricity sector. They've got a guiding council of industry experts, government and peak associations who together work out the cybersecurity standards that need to be applied to the electricity sector. They work it out collectively, they come to an agreement, they look at international standards, they look at national standards and they work out what cybersecurity standards should be applied to, say, the electricity sector. We have none of that here. There's work being done on telecommunications, but that's it. We've still got those seven other sectors. As I said, we need to broaden those sectors as well if we are truly to keep up to date about what is happening internationally. There are 16 in the United States, 13 in the United Kingdom, 10 in Canada and 11 in Singapore. And the US also has it for electoral systems, which we should seriously be considering given what has happened internationally.

In terms of this copyright bill, amendments to ensure that legislation keeps up to date with the technology that is around, and keeps up to date with modern values, mores and developments, are vitally important. This is an iterative amendment. There has been consultation with a range of stakeholders, and we do need to ensure that copyright, particularly, keeps up to date with the latest technology.

But I also implore the government to ensure that its treatment of critical infrastructure keeps up to date with the latest developments. I implore the government to start taking the cybersecurity of critical infrastructure seriously: start broadening out the sectors, start implementing some sort of framework for standards in critical infrastructure and drag the critical infrastructure management of this nation into the 21st century, in keeping with the Five Eyes community and other nations in our region.

See this speech in context