House debates

Wednesday, 16 February 2022

Bills

Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022; Second Reading

5:05 pm

Photo of Katie AllenKatie Allen (Higgins, Liberal Party) Share this | Hansard source

I rise to speak on the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022. Critical infrastructure is:

…those physical facilities, supply chains, information technologies and communication networks which if destroyed, degraded or rendered unavailable for an extended period would significantly impact on the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defence and ensure national security.

Typically, these assets are used in the supply of services critical to us all: communications, defence, food and water, health care and, of course, critical transport sectors. It goes without saying, therefore, that critical infrastructure is pivotal to the functioning and prosperity of every one of our lives and, indeed, the proper functioning of our nation. Any disruption to this critical infrastructure could be devastating to Australian businesses, leading to supply chain and service industry failures affecting us all.

Designed to strengthen critical infrastructure assets, this bill will protect the assets to ensure the continuity of essential services in this country. The potential risks of a disruption to critical infrastructure are significant, with the Australian way of life at risk without adequate protections in place. We could see shortages or destruction of essential medical supplies; supply chain issues for food and water; and the failure of our telecommunications network, so crucial to communication in this country. In addition, our transport and traffic management systems could be disrupted. The finance sector could be shut down, and business and government may be unable to function. These are risks that cyberwarfare and other threats may pose. They may sound apocalyptic, but that's because they are.

Australia is lucky to not have experienced any of these at scale in any significant way just yet. But we cannot be complacent about the very real threats that our dependence on the internet, the cyberworld and data generation pose to the functioning of society. Those threats are very real. For instance, in just the last three years there have been numerous cyberattacks on the federal parliamentary network. Further, malicious actors have conducted cyberattacks on health organisations and medical research facilities. Moreover, logistics businesses transporting groceries and medical supplies have also been subject to attacks attempting to derail these systems. Quite extraordinarily and very concerningly, the Australian Cyber Security Centre handled over 1,600 cyber incidents in the last two years alone, with approximately one-quarter of these incidents affecting entities associated with Australia's critical infrastructure. That's 400 times where Australia's communications, food and water supply or defence systems were under threat of malicious activity.

The immensity of these risks has itself called for action. In line with the recommendations made by the Parliamentary Joint Committee on Intelligence and Security's advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020, the bill before us today aims to address these very real threats to our safety and the prosperity of our nation. This advisory report, alongside over 12 months of industry consultation, has informed the reforms within this bill.

There are two key obligations of this bill which I will outline now. Firstly, critical infrastructure entities must maintain a risk management program whereby any potential material risks for the assets are identified and a concerted effort is made to reasonably mitigate the risks. This program would be then reported to a board, council or governing body of some kind to ensure compliance and effectiveness of the reporting. In doing so, the impact of hazards will be mitigated and the operation of critical infrastructure assets ensured. As the member for McPherson and Minister For Home Affairs noted, this kind of risk management is increasingly important, considering the interrelated nature of our critical infrastructure systems whereby Australia's economy, security and sovereignty are at stake.

Secondly, this bill provides that critical infrastructure systems that are nationally significant would have to be declared as a governing body. Due to this, critical assets will be identified and any interdependencies of assets across key sectors will be noted. This will allow for the potential consequences of the asset's failure to be recognised early and then risk-managed accordingly. Under this bill's reforms, the secretary of home affairs may require the development of cybersecurity incident response plans, cybersecurity exercises to build cyber-preparedness, vulnerability assessments to identify vulnerabilities for remediation, and the provision of systems information to build Australia's situational awareness. These reforms are crucial, as they will not only mitigate the risk of crisis but also improve Australia's ability to respond if just such a crisis does, in fact, arise. There are, of course, other measures within this bill which are being considered as well, and these measures include compilation using feedback received from stakeholders and aiming to improve the efficacy and efficiency of the statutory framework. Some of these measures include amending the classification system of critical infrastructure assets, and clarifying their impacted stakeholders, who have a right of reply to any ministerial decision enforced.

While the government notes the urgency of these reforms, they have been made in a considered fashion, with extensive industry consultation. To find the balance between maximising additional security for the nation and minimising compliance costs is difficult, but I trust that this bill, with so much consultation put forward, has found the right mix. Even post passage of this bill, the government will continue to collaborate closely with relevant industry professionals to ensure that the reforms are not only effective but do not place any excessive regulatory burden on these entities.

This bill is the second step in our plan to strengthen Australia's critical infrastructure in the national interest. This bill comes after extensive consultation with industry and will create a risk-management program, enhanced cybersecurity obligations, the systems of national significance, and updated information-sharing provisions. The obligations do not apply automatically and must be selectively 'switched on' by the minister. This bill has been developed by the Minister for Home Affairs and recognises the supply chain challenges due to the pandemic that the transport and food and grocery sectors are still managing. The best approach to managing our critical infrastructure from attacks is partnership between business and government that leverages expertise and reflects the complex and evolving nature of the threat. These reforms are a key part of the government's Cyber Security Strategy 2020 and help protect the security of essential services that Australians rely on every day and the sovereignty of our nation.

While those on this side are working hard to keep Australia and its critical infrastructure safe, those on the other side are complaining needlessly—in fact, those opposite have come into this debate to complain about us bringing on this important legislation. The protection of our critical infrastructure, however, is not something that can be delayed. Just to outline the progress of this legislation and the consultation engaged in, the key elements of this bill were first introduced in the parliament in December 2020. They were part of the critical infrastructure package that was extensively viewed by the Parliamentary Joint Committee on Intelligence and Security. The bill was split late last year, and the first half passed.

The exposure draft of this bill, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, has been out since the end of last year. The government worked extensively across the summer to consult widely with industry on the further development of this bill, and, in particular, on the risk management plans that formed the main element of this bill. The minister personally hosted nine round tables with the sector to hear their views. The important Parliamentary Joint Committee on Intelligence and Security has received several iterative briefings on this bill, including a briefing just last week on the finalised bill. So it is disingenuous for those opposite to say they haven't had time to consider this bill properly. The bill has been, appropriately, referred to the PJCIS, and the committee will report back before the bill is debated in the Senate. But let's be clear: this is important and urgent legislation. It is national security legislation. If those opposite want to play political games and whinge and complain in this place, it pretty much sums up their approach. It's not about what's in the national interest; it's all about political pointscoring to them.

The importance of this bill cannot be understated in a time of ever-increasing security threats. We can see that the world, post COVID, is becoming more unstable. We hear from the Northern Hemisphere that a great deal of security issues are potentially at foot—most notably, cybersecurity threats. We might feel that the Northern Hemisphere is a long way from here—but the cyberworld has brought the world closer to us. We had the tyranny of distance; we now have the power of proximity. But with that wonderful connection through the internet comes ever-increasing security threats. We must make sure that Australian businesses and governments keep up and stay ahead of these risks.

The Morrison government is committed to ensuring the security of Australia's critical infrastructure. By securing these assets from any shocks, the availability of vital services will be maintained for all Australians. This bill will ensure the prosperity of Australia by ensuring the assets maintaining our way of life are not at risk of any threats—whether that be malicious actors, national disasters or other perils. For that reason, I commend the bill to the House.

Comments

No comments