House debates

Monday, 18 June 2018

Adjournment

National Security

7:30 pm

Gai Brodtmann (Canberra, Australian Labor Party, Shadow Assistant Minister for Cyber Security and Defence)

The Australian Cyber Security Centre 2017 threat report noted that CERT Australia responded to 734 incidents affecting private-sector systems of national critical infrastructure within the 2016-17 financial year. This equates to a significant cyberincident occurring on these networks more than twice a day. In October 2017, the US-CERT released a report that stated:

Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims' networks.

According to the Australian Security Intelligence Organisation 2017 annual report, Australia continues to be a target of espionage through cybermeans. The cyberthreat is persistent, it's sophisticated and it is not limited by geography. The report also notes that the clandestine acquisition of intellectual property, science and technology and commercially sensitive information is increasing. This highlights the need for a greater focus on the security of the cybersystems underpinning our critical infrastructure.

If we are to effectively safeguard our critical infrastructure, we need to think about more than the issue of who owns what and the issue of physical assets such as ports, poles and wires. We need to think beyond just the protection of critical infrastructure from a physical perspective and start thinking about the protection of critical infrastructure from a cybersecurity perspective. As more and more essential services are managed electronically, interdependence between the physical systems and cybernetworks needs to be clearly understood to ensure that services continue to be provided and our national interest continues to be protected. We also need to broaden our thinking on what is classified as critical infrastructure.

The Trusted Information Sharing Network, Australia's primary national engagement mechanism for business-government information sharing and resilience-building initiatives on critical infrastructure resilience, describes critical infrastructure as the physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security. It states that each of these critical infrastructure sectors are vital to Australia's social cohesion, economic prosperity and public safety.

Why did the government's recent Security of Critical Infrastructure Act 2018 only address four sectors as being at the highest risk? We actually have eight critical infrastructure sectors in this country. These are the sectors that have been deemed as vital to Australia's social cohesion, economic prosperity and public safety. We have eight, so why did the act only include four sectors that are deemed as highest risk? I'll read out our eight. They are banking and finance, communication, energy, food and grocery, health, transport, water services and Commonwealth government. Each of these identified critical infrastructure sectors have experienced some form of cyberthreat in the past 12 months. It is great that we have eight—though, unfortunately, all eight weren't included in the government's critical infrastructure act—but, compared to other nations, we are very, very underdone. Eight is a conservative number. The United States critical infrastructure security and resilience strategy identifies 16 sectors, the United Kingdom identifies 13 sectors, Canada identifies 10 sectors and Singapore identifies 11 sectors. The sectors that are recognised by these nations include emergency services, information technology, infrastructure, chemicals, manufacturing and electoral systems. At the very least, electoral systems in Australia should be treated as critical infrastructure, particularly given what we've seen in the US and France.

We have got to start taking this seriously. We have got to start taking our critical infrastructure seriously. It's not enough only to protect the physical safety of our critical infrastructure; to partially list those services and facilities that are vital to our cohesion, economic prosperity or public safety; to ignore international cybersecurity standards; or to pretend that threats end where the supply chain starts. There is so much more to do in this space. I just wish the government were listening.