House debates

Wednesday, 16 February 2022

Bills

Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022; Second Reading

1:05 pm

Photo of Brendan O'ConnorBrendan O'Connor (Gorton, Australian Labor Party, Shadow Minister for Foreign Affairs (House)) Share this | Hansard source

I rise to speak to this bill, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, and in doing so I move:

That all words after "That" be omitted with a view to substituting the following words:

"whilst not declining to give the bill a second reading, the House is of the opinion that, in listing the bill for debate before such time as the Parliamentary Joint Committee on Intelligence and Security can conduct its inquiry and table its report, the Government has broken long-standing convention on national security legislation and substituted a bipartisan approach in the national interest for its own political expediency".

It is seconded by the member for Scullin. The bill we're debating today has its origins in another introduced by the then home affairs minister in December 2020. That bill was referred to the Parliamentary Joint Committee on Intelligence and Security for review, as is customary and proper for national security legislation. The PJCIS critical infrastructure bill review was a significant undertaking throughout 2021, receiving 88 submissions and 66 supplementary submissions and holding public hearings across four days. It's worth reflecting on and emphasising this review, because the bipartisan committee unanimously found that while uplifting the security of Australia's critical infrastructure was an urgent and crucial task it could not recommend passage of the minister's original bill. The committee arrived at this difficult decision because, quite simply, the bipartisan PJCIS unanimously found that the government had not finished its work on the bill and the work that it had done it had not done well enough.

The original bill sought to uplift security and resilience in all critical infrastructure sectors, promising that the government would work in partnership with the responsible entities of critical infrastructure assets to establish a clear, effective, consistent and proportionate approach to the security of critical infrastructure. The government promised that it would ensure these new requirements did not duplicate existing regulatory frameworks. It proposed four major areas of reform: first, to expand the coverage of critical infrastructure from four to 11 sectors; second, to introduce positive security obligations for critical infrastructure assets; third, enhanced cybersecurity obligations for assets deemed to be systems of national significance; and, finally, a provision for a government assistance regime to allow as a last resort emergency powers for government to secure Australia's critical infrastructure.

In principle, these are sound and indeed crucial policy priorities, but the committee found that far from being a clear and effective approach, far from being an exemplar of collaboration, far from avoiding regulatory burden, this bill was an irreconcilable mess and that it simply could not recommend the passage of the bill. I quote from the committee's report:

While the Committee strongly supports the aims of the SOCI Bill, it would need a significant amount of re-drafting to pass in its entirety and respond adequately to many of the concerns expressed to it during this review. This would delay significantly the time-critical elements of the Bill.

So as to not delay urgent provisions that would help secure Australia's critical infrastructure from cyberthreats, the committee, working pragmatically in a bipartisan manner, which is the best way for all committees to operate, in the best interest of the nation, recommended the bill be split.

Accordingly, the time-critical and most urgently needed elements of the critical infrastructure package were passed as the Security Legislation Amendment (Critical Infrastructure) Act 2021, receiving royal assent on 2 December last year. Accordingly, the government accepted the committee's findings that the remaining elements of the original 2020 bill be reintroduced as a separate bill. I quote again from the committee:

The Committee therefore recommends that the remaining elements of the SOCI Bill be amended in consultation with industry, and reintroduced in a subsequent Bill (Bill Two) containing the less urgent measures, such as risk management programs and declarations of Systems of National Significance (with accompanying enhanced cyber security obligations). Bill Two can then proceed at a more manageable pace for government and industry and ensure that the Security of Critical Infrastructure framework that Australia needs generates broad stakeholder consensus.

The Committee believes that the elements in Bill Two, following appropriate consultation and amendment where necessary, are essential because they recognise that industry has its own obligations to secure essential services for their customers and the nation.

The Committee is also recommending that Bill Two be referred to the Committee when it is introduced for further review …

The government has now come back to the opposition with this second bill and it is that which I speak of today.

The government has departed from the intention of the PJCIS bipartisan unanimous recommendations in a significant and deeply concerning way. Indeed, in asking the House to allow passage of a bill on which the committee is yet to report, meaning we cannot consider the committee's recommendations and any resulting amendments, the government is departing from a long-standing convention on national security. Labor have worked constructively and cooperatively on national security legislation. It is what we always do. We seek to find agreement. As I say, it is a committee that is bipartisan in nature and looks to work through outstanding differences to find, where possible, a unanimous position. But the government has ignored convention. It's in breach of what I would say are the national security conventions of this parliament by proceeding with the bill today and seeking passage without the proper review being undertaken by the relevant intelligence committee.

Today, Labor is left with two conclusions. The first is that this government has utterly failed to manage its legislative program effectively, let alone with the probity important national security legislation demands, and is thus cramming this bill into a rapidly diminishing parliamentary calendar, a problem completely of the government's own making.

The second conclusion—and one of gravest concern— is that this government is so desperate to distract from its infighting, incompetence and failure to deliver in response to the pandemic, national security, defence capability and so many areas of public policy it is now stooping to politicise national security. In recent days you may have seen very significant, eminent former and current public servants, heads and former heads of national security agencies, warn the government to not produce the debate and discourse about national security in a partisan manner, because that in itself will undermine our national security. We call upon the government to resist this base political instinct of the Prime Minister to go down his partisan path in the area of national security.

But, unfortunately, the procedure of this bill today is another example of a government willing to discard national security conventions of the parliament in order to politicise national security. That has been censured by no less than eminent independent current and former heads of intelligence agencies. I would say to the government that they really need to rethink this. If there are graver national security concerns, as we agree there are, if the region is less stable than it was some years ago, which the opposition agrees is the case, then it is not fitting for the government, the Prime Minister or any minister to seek to politicise these matters. They must desist in the interests of this nation.

In question time yesterday, the Minister for Home Affairs said that national security is a very serious task and not one that should be risked to those who would not tackle serious issues in a responsible and resolute way. With the actions today, their refusal to allow not just the House but the bipartisan Parliamentary Joint Committee on Intelligence and Security, chaired by a government member, to properly consider this bill, I would contend that the Prime Minister and the Minister for Home Affairs proved that it is they who are irresponsible on the serious task of national security. We call upon the government to not go down this path. It is not in the nation's interests. It might be in the base political interests of the Prime Minister and his personal ambitions, but it is not in the interests of this country. They need to desist in that behaviour.

This government has left to the eleventh hour the important responsibility of ensuring the protection of Australia's critical infrastructure. Let's be clear: Labor has done everything to work constructively and efficiently and expeditiously with regard to this legislation, including in seeking to work with the government to find an efficient time line to pass this bill without in any way compromising on the national security legislation demands, as the Australian people deserve. This is so important precisely because of the complex challenges of this threat environment.

Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can be deliberately or inadvertently compromised, resulting in disruption and consequences across Australia's society, economy, security and, frankly, sovereignty. Relying on post-incident management alone is inadequate to truly ensure the protection of Australian critical infrastructure. Prevention and risk management is essential to truly make an impact on the security and resilience of the Australian critical infrastructure.

The reforms in this bill seek to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of critical infrastructure assets and to improve information exchange between industry and government to build a more comprehensive understanding of the threats. The owners and operators of critical infrastructure assets are best placed to understand and manage the risks associated with their assets. We are told the government will continue to work closely with industry through an enhanced partnership to establish baseline standards and support the uplift of security resilience practices across infrastructure. That is critical for this to be properly undertaken.

The enhanced framework and the intention, of course, is to uplift security and resilience across Australia's critical infrastructure assets. This framework, if properly implemented, when combined with better identification and sharing of threats, will ensure that Australia's critical infrastructure assets are more resilient and secure. So it is a vital reform that needs not only implementation but ownership, and it needs, I dare say, the bipartisan approach of this parliament. The government needs to continue to work with industry in these matters. The rationale for these efforts is that the Commonwealth needs to establish a clear, effective, consistent and proportionate approach to ensuring these matters are resolved.

What we would call upon the government to do is this: enshrine, as has always been the case, the pre-eminence of the committee in reviewing the provisions of this bill that should be considered by the committee before the determination and enactment of this legislation. That is what is needed today. The government needs to return to the conventions of national security in the parliament, because to rid itself of the normal conventions of considering national security legislation will, in fact, render this bill, if not ineffective, certainly imperfect as a result of not being properly considered in that very significant parliamentary committee.

In 2019, the Prime Minister called a press conference here at Parliament House. Of course, he had the media in front of him, and he had accompanying him the Minister for Home Affairs, now the defence minister. He told Australia that we were under attack, and he said that Australian organisations and Australia's critical infrastructure, including all levels of government, were subject to sophisticated, malicious cyberattacks. Well, that is the case. In fact, the opposition has been warning the government for some time now about the deficiencies in our ability to manage those attacks and indeed, where required, respond to those attacks. We've been underdone in this area of national security, and we've been calling on the government to actually focus on these issues. The threat of which the Prime Minister spoke is very real, and to that extent we, of course, agree with the government. It is a threat that demands an equally sophisticated response. Instead, in 2019 Australia just got another announcement and photo opportunity by the Prime Minister. But, of course, it's taken well over two years for the follow-up.

As I said earlier in this contribution to this debate, the problems of this bill, the problems that we find ourselves in in the dying days of this parliament and the fact that we are dealing with such significant legislation so much later than the announcement by the Prime Minister are a testament to the laziness and incompetence of the government. Foreshadowing an emergency, effectively, as the Prime Minister did in 2019 and having us debating this matter now in early 2022 really does speak to the incompetence and lethargy of this government. More should have been done earlier. In that time, the government has ignored urgent advice to do even the barest minimum to uplift Australian cybersecurity, such as by introducing a mandatory ransomware payment scheme. Instead, it left this to Labor to introduce, before finally adopting our call for a national ransomware strategy.

In the time since, of course, we have continued to see the Prime Minister talk about these matters but not deliver, and that is not good enough. There's no point in the government rhetorically talking about national security. You see it with the defence minister each and every day. He talks about a potential change to our region and the stability in our region, but he doesn't deliver the assets that are required for our Australian Defence personnel. It's very similar to what we're seeing here now. Cybersecurity was identified as a major threat many years ago, yet the government has been asleep at the wheel, even though it likes to boast that it has a focus on national security. There is no evidence to suggest that, whether it's failed Defence contracts with massive blowouts or massive delays or whether it's this legislation here, where so many stakeholders—so many sectors of our economy, the federal opposition and national security experts—have been calling on the government to respond to these matters. The government leaves it to the last minute and then decides to abrogate its responsibility to ensure that the parliamentary committee responsible for intelligence and security be involved in the final review. It says everything about the failure and the yawning gap between announcement and so-called delivery by this government. We say to the government: we support a proper response to cybersecurity. We support the provisions of that piece of legislation that was enacted recently, and we also want to see this area enacted. But we say this to the government: stick with the convention on national security and allow the bipartisan parliamentary committee that deals with these matters to consider the provisions of this bill. By doing that, we would obviously be able to join the government to support legislation arising from that review by the parliamentary committee in question.

But, to do otherwise, to disregard the review by the committee and to break with convention on national security, is the exact opposite of what a responsible government would do in these circumstances. With that, I move the amendment in my name and call on the government to do better in this area of significant public policy:

That all words after "That" be omitted with a view to substituting the following words:

"whilst not declining to give the bill a second reading, the House is of the opinion that, in listing the bill for debate before such time as the Parliamentary Joint Committee on Intelligence and Security can conduct its inquiry and table its report, the Government has broken long-standing convention on national security legislation and substituted a bipartisan approach in the national interest for its own political expediency".

Comments

No comments