Karen Andrews (McPherson, Liberal Party, Shadow Minister for Home Affairs) Share this | Link to this | Hansard source

I move:

That this House:

(1) notes that the:

(a) Optus and Medibank data-breaches highlight the threats faced by Australians and Australian businesses from cyber-criminals;

(b) previous Government passed significant legislation to help protect Australians and our critical infrastructure from cyber-criminals; and

(c) Government's lacklustre response to the data breaches does nothing to allay the concerns and fears of Australians who may have been impacted by these cyber-attacks; and

(2) calls on the Government to support the passage of the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022, which would help law enforcement disrupt and deter cyber-criminals who engage in ransomware and cyber-extortion activities targeting Australians and Australian businesses.

I move this motion on behalf of all Australians who have been impacted by, and who remain unsure and worried about the extent of very serious cyberbreaches that have occurred in recent months—particularly, and notably, at both Optus and Medibank.

The silence from the government has been deafening on these breaches. The recent sobering annual threat assessment from the Australian Cyber Security Centre has documented our deteriorating cyber environment and has recognised cyberspace as a leading domain for warfare and crime, including extortion, espionage and fraud. The ACSC's third Annual cyber threat report revealed that it received over 76,000 cybercrime reports last financial year—a 13 per cent increase from the year before. That means the agency is receiving a report every seven minutes compared to one every eight minutes the year before.

In government, the coalition recognised the threat and took decisive action to harden our defences. We invested a record $1.6 billion to strengthen Australia's cybersecurity defences and meet emerging challenges in order to keep Australians safe. We boosted online safety with $125 million and a range of measures to keep Australians safe online, including the Online Safety Act 2021. We created new capability to identify and block SMS scams at their source. We gave police the powers they needed to police the dark web by passing groundbreaking new laws that allow law enforcement to intercept and disrupt organised criminals, paedophiles and drug pushers on the dark web and to shut down their evil trade. We introduced world-leading legislation to harden the defences of our critical infrastructure and systems of national significance, to ensure the community was better protected against serious cybersecurity incidents. We introduced the ransomware bill, referenced in this motion, which we re-introduced into this parliament and which we call on the government to support. It would create tougher penalties for cybercriminals.

And, importantly, we funded project REDSPICE in the March budget to meet the ongoing challenges we face as a nation. It's critical that project REDSPICE is delivered in full. REDSPICE is the single most significant investment to transform the Australian Signals Directorate's offensive and defensive capabilities. That's why last week I joined with my colleagues the shadow minister for defence and the shadow minister for cyber security to call on the Albanese government to guarantee future funding for offensive and defensive cybercapabilities.

The Albanese government should also support the swift passage of the coalition's ransomware bill, which increases penalties for a range of cybercrimes to give law enforcement, working in conjunction with our intelligence agencies, another tool to pursue cybercriminals. Our bill, which we first introduced earlier this year, would introduce a new standalone offence for all forms of cyberextortion so that cybercriminals who use ransomware face an increased maximum penalty of ten years imprisonment. It also introduced a new aggravated offence for cybercriminals seeking to target critical infrastructure, recognising the significant impact on assets that deliver essential services, with a maximum penalty of 25 years imprisonment. And it ensures that law enforcement can monitor and free the ill-gotten gains of cybercriminals by extending current powers that cover financial institutions to digital currency exchanges.

Mr Speaker, we don't pretend that this bill is a silver bullet, because no such thing exists, but it will present a new deterrent to these cybercriminals, and it is an important part of safeguarding Australians. Labor's absence on ransomware legislation is truly baffling, particularly when an alternative bill has been presented into this House. We on this side of the chamber remain very committed to ensuring that everything that can possibly be done is done to protect Australians. We are also concerned to make sure that Australians are given the information that they need, firstly to be able to protect themselves, but, when they have been the subject of a significant data breach or ransomware attack or any are cybersecurity incident, they are getting the information they need to protect, as much as possible, their data.

Louise Miller-Frost (Boothby, Australian Labor Party) Share this | Link to this | Hansard source

I thank the member for raising this important and timely issue of cybersecurity. It is clear that the recent spate of cybersecurity breaches has had a significant impact on a large number of Australians. Whether they were directly affected or not, the breaches have had an impact on their sense of personal security and on their ability to have confidence in the digital systems that we increasingly use to run and coordinate our lives. Many Australians have had some of their most sensitive financial or health data accessed by criminals, and, anecdotally, particularly since the Optus and Medibank data hacks, people in Boothby have been at pains to impress upon me the increase in spam messages, phone calls and unwanted electronic communications that they have received. At a time when, increasingly, we conduct our lives with government departments, agencies and service providers—and even with retail—online and via text message, these scams directly mimic those interactions and undermine our confidence in the systems.

I'm proud to stand here as a member of the government that is working tirelessly to respond to this enormous challenge. Our data is, potentially, held by many, many companies and agencies, including in the private, not-for-profit and government sectors. We now know that a data security breach is reported in Australia every seven minutes. While not all are as significant as the Optus or Medibank hacks, which impacted potentially millions of Australians, each breach is a serious invasion of privacy. It was reported this morning that 9.7 million current and former Medibank customers have had their personal data included in this latest hack. Even if there is no financial loss, these data breaches cause major disruption and can be extremely unsettling. The inconvenience of having to have all of your ID and financial cards reissued has been a challenge for many of our citizens.

The area of cybersecurity is also a constantly evolving and mutating area of criminal activity, and that is why this government is putting so much focus and expertise into tracking down those criminals who seek to do harm to law-abiding Australian citizens. The Albanese Labor government is managing the consequences of cyber breaches by coordinating government responses and bringing together efforts of multiple government and law enforcement agencies. Just as critically, we are ensuring Australians have the information and tools they need to be protected from harm. The member's characterisation of the government's response to recent high-profile data breaches is disingenuous at best. The Minister for Home Affairs, Clare O'Neil, has led the coordination of multiple federal, state and territory agencies and departments to support a rapid, focused response. To respond to the Medibank incident, the Albanese government activated the National Coordination Mechanism to ensure that all possible support is being provided both to Medibank and to those Australians affected.

The National Coordination Mechanism brings together agencies of the Australian government, state and territory, as well as industry and private sector stakeholders. The Australian Cyber Security Centre has been providing technical advice and assistance. The Australian Federal Police are leading the criminal investigation. The Department of Home Affairs has been supporting Services Australia and the department of health to work with Medibank to confirm what information has been exposed and to put protections in place. Services Australia have put in place proactive mitigation measures focusing on minimising exposure of customer records and protecting the agency's claims infrastructure.

The recent cyber incidents have highlighted the previous government's failings to create effective incident coordination and response mechanisms or fit-for-purpose legal powers to manage the consequences. This is, sadly, no surprise, given that the former government abolished the dedicated role for cybersecurity in the ministry, just when Australia most needed to be getting ahead of these cybercriminals.

Cybersecurity is a serious challenge for any government, and this government is determined to keep Australians safe online. It's a serious area of public policy, so it's unsurprising that those opposite can muster little more than a feeble critique. They've never really been in the business of solving problems for the Australian people. It is, however, good that those opposite now realise how urgent this is, as their previous actions were—as with so many things—too little too late.

Andrew Wallace (Fisher, Liberal National Party) Share this | Link to this | Hansard source

I rise to speak on this motion and to express my concern that the bill I seconded just a few weeks ago has been stonewalled by this Labor government. While Labor dithers and delays on cybersecurity, those who would do us harm continue to maliciously attack our small and family businesses and our critical infrastructure. This is the trend that, unfortunately, we are seeing more and more of. According to the ACSC's report released just last week, we've seen 76,000 cyberattacks over the last financial year. That equates to an attack every seven minutes. But those are just the reported attacks. How many unreported attacks are going on in this country? As the ACSC has noted, cyberspace is becoming a battleground, and we're seeing that most notably, of course, in Ukraine. It's not just cybercriminals, however, who are seeking to do Australians harm. Many attacks are being perpetrated by organisations within foreign governments designed to disrupt our very way of life and cause civil disharmony.

The bill that I seconded just a few short weeks ago, introduced by the member for McPherson, the shadow home affairs minister, was based on legislation we introduced when we were in government earlier this year. It would specifically reform criminal law and secure tougher penalties for all forms of cyberextortion in the event of the exact cybersecurity issues that we've been seeing in recent months—particularly in recent months in Australia. It forms part of the Ransomware Action Plan that the previous coalition government launched last year under the guidance of the then Minister for Home Affairs. It's a practical solution to an issue which costs as much as US$20 billion each year, and the number of those affected is only growing: Optus, Medibank, MyDeal, UnitingCare Queensland and Toll Holdings Ltd. These are enormous companies in Australia which hold very, very sensitive data on probably just about every Australian. Australians expect that their data will be protected. Australians expect that their government would take action to disrupt, deter and punish those involved in malicious cybercrimes such as these ransomware attacks. The opposition has offered good legislation to this government, free to take, free to implement and free to protect Australians' information. Instead, they seek to play politics by blocking sensible bills put forward by this opposition. And it is Australians and their businesses who are left to wear the consequences of serious data breaches.

So what is Labor going to do about this? It is essential that Labor outline what they are going to do about cybersecurity and data protection in our country. This is not a question of just hosting another summit or another talkfest; what are they going to do to get down to work and fix this problem? That is what Australians expect their governments to do; they expect them to work. Will Australians see the ransomware bill across the finish line in a show of bipartisanship on security? Will they consider the other measures which we brought to the table to protect Australians and their interests? Will they retain and deliver in full the record funding of almost $10 billion that we, when we were in government, made to implement Project REDSPICE, to strengthen our offensive and defensive cybercapabilities through the Australian Signals Directorate? It is absolutely imperative that we as a nation strengthen our ability to attack these sources that are seeking to attack us. It's not just a question of defensive measures; we have to increase and enable much better offensive mechanisms.

Lastly, I want to comment that there's no point in just putting investment into ambulances. We have to try and prevent things as well, which is what we're trying to do. I want to give a big shoutout to IDCARE, an organisation in my electorate which was funded by us when we were in government. If you have had your identity stolen or put at risk, contact IDCARE—do a Google search for IDCARE—and they will help you.

Steve Georganas (Adelaide, Australian Labor Party) Share this | Link to this | Hansard source

Australians have been rocked by two of the biggest data breaches and cybercrimes our country has seen, that is, Optus and Medibank, in the last few weeks. They happened so quickly and in such close succession that it has left people feeling even more vulnerable than before. Firstly, to the millions of Australians who have been affected by these data breaches: I express my sympathies and can understand the angst that you're feeling. It has been a difficult and worrying time for everyone. But I would also like to assure you that this government is doing everything to ensure that your personal information is better protected. This is more important than ever before. Just last week, the Australian Cyber Security Centre's Annual threat report, as we heard from the member for Fisher, found that a cybercrime is being reported every seven minutes in Australia. The report also showed an increase of 13 per cent in cybercrime in the previous year—and that was even before the Optus and Medibank issues occurred.

This is a very serious problem, one that exists in part because of inaction of the previous government over the past decade. Our existing privacy laws were left hopelessly outdated by the former government and they are not strong enough to ensure that our companies adequately protect the private information of Australians. If this can happen to Optus and to Medibank, two of the biggest company organisations in Australia, imagine what could happen to our smaller firms, our NGOs and smaller companies that maybe don't have the same resources that these two big companies have.

In comparison to the former government, this Albanese Labor government has reacted quickly, resolutely and with force to the recent attacks. We have wasted absolutely no time introducing legislation that will significantly increase penalties for these serious or repeated data breaches. Currently the maximum fine is $2.2 million. Let's face it: that is a pittance for some of these big companies. It really is not a deterrent; $2.2 million is peanuts. We need penalties that ensure that corporations storing Australians' data feel the full weight of responsibility and obligation to look after it properly. It is their responsibility to look after it properly, and Australians deserve nothing less. Therefore, the penalties we're proposing will be up to $50 million or three times the turnover for the relevant period. That could mean, for a large corporation, fines in the orders of hundreds of millions of dollars. We need a deterrent. Such fines are much harder to ignore and will act as a significant incentive for companies to take their data-protection obligations extremely seriously.

This bill I'm talking about will also give the Information Commissioner additional powers to make companies comply with their obligations to protect our data. As I said, when they store our data, our personal information, they have an absolute responsibility to ensure that it's stored properly. The bill will equip the Australian Information Commissioner and the Australian Communications and Media Authority to have greater information-sharing powers. But our efforts won't stop there because this is a serious problem. In addition to the legislation, the Albanese Labor government is undertaking a comprehensive review of the Privacy Act. This review is expected to be completed this year and will contain a raft of recommendations for further reform.

Australians can have faith in this government's commitment to ensuring that their data and personal information are protected. That is the starting point: their information must be protected. While there is no doubt that the world has changed, there is also no doubt that governments and businesses must adapt to this new threat—and it is a threat. One attack every seven minutes is a serious threat. It's not just Optus and Medibank; many organisations have been attacked by cyberthreats et cetera. This is precisely why this government is putting legislation in place to protect Australians' private details. It's also precisely what the previous government failed to do. Unlike them, we understand that, when Australians hand over their personal information, they have a right to expect it will be protected.

Andrew Hastie (Canning, Liberal Party, Shadow Minister for Defence) Share this | Link to this | Hansard source

I've often said that the cyberdomain is the new international battleground. We've always thought about war in terms of air, sea and land, but if you own a smartphone and you're connected, you're on the battlefield, whether you realise it or not. This reality struck hard in September when Optus was the subject of a major cyberattack, affecting around 10 million Australians. Contact details and passport, drivers licence and Medicare numbers were compromised and hung over the head of Australians by cybercriminals. According to the Minister for Cyber Security, 2.8 million Australians had a significant amount of data taken—a serious breach—yet the minister saw it as more appropriate to tweet about the AFL grand final before publicly addressing the Optus attack.

Last month Medibank fell victim to a cyberattack where 3.9 million customers were affected. After a slow and confused response to the Optus incident, it took the minister a week to publicly respond to the Medibank hack, delaying government engagement. In a speech to parliament, the minister referred to the Medibank hack as 'an urgent wake-up call for Australia'. Yes, but it should not have been an urgent wake-up call for the government. When Australians hand over their personal data, they have a right to expect it will be protected. The annual cyberthreat report released by the Australian Cyber Security Centre last week concedes cyber incidents are growing in severity. In 2021-22 over 76,000 cybercrime reports were made, an increase of nearly 13 per cent from the previous year. That means one cybercrime report is being made approximately every seven minutes. The ACSC also reported an average of 69 calls to the cybersecurity hotline every day, an increase of 15 per cent.

These are alarming figures, yet while cybercrime is on the rise, our government is asleep at the wheel. Since the Optus attack, there has been no legislative response from the Albanese government. Instead, all we have seen the government do is host a virtual international counter-ransomware task force. Labour must ensure that there are stronger penalties in place for cybercriminals seeking to use ransomware. A private members' bill recently introduced by the opposition, based on legislation introduced by the former coalition government, would specifically reform criminal law and secure tougher penalties for all forms of cyber-extortion in the event of the exact cybersecurity issues we've been seeing. Disappointingly, in the week after we introduced the bill, Labor members on the Selection of Bills Committee blocked it from progressing for further evaluation, despite failing to provide any of their own legislation to deter cybercriminals.

While Labor stalls on legislation that the opposition is handing to them on a platter, Australians are continuing to fall victim to data breaches. I ask the government: what are they waiting for? The proof that the cyber domain is getting more dangerous is right in front of them in the ACSC's report, signed off by the Deputy Prime Minister. When will Australians stop having to pay the price for this government's inaction? In comparison, the former coalition government passed significant legislation to help protect Australians and our critical infrastructure. In November 2021, based on recommendations from the Parliamentary Joint Committee on Intelligence and Security, we passed important amendments to Australia's national security legislation to better safeguard our community and economy from cybersecurity threats. Earlier this year, we launched the National Plan to Combat Cybercrime and opened a new cybercrime centre led by the Australian Federal Police. In March, the coalition government launched the most significant single investment in the Australian Signals Directorate's 75 years—REDSPICE, a $9.9 billion project to respond to the deteriorating strategic circumstances in our region. Last week I joined my colleagues the shadow minister for cyber security and the shadow minister for home affairs in calling on the government to guarantee that project REDSPICE, funded in the March budget, will be delivered in full.

We need to see Labor commit to investing in offensive and defensive cybercapabilities, work with industry to protect Australia from the escalating cyber threat and expedite the passage of new ransomware bills. The Australian people simply cannot afford any more delays, confusion or uncertainty from the Albanese government. This government's absence on ransomware legislation is harming Australians by the day, particularly when this bill has now been presented and Labor's only response to this issue is a task force. That's why I'm calling the Labor to support the swift passage of the coalition's bill, which increases penalties for a range of cybercrimes in order to give law enforcement, working in conjunction with our intelligence agencies, another tool to pursue cybercriminals. This bill is not a silver bullet, but it is a step in the right direction towards further safeguarding our digital future. It must be supported by a broad range of legislative, policy and operational reforms. The coalition stands ready to support measures to bolster Australia's defences to the ongoing cyber threat, and the passage of this bill would be a helpful start.

Peter Khalil (Wills, Australian Labor Party) Share this | Link to this | Hansard source

Australians have every right to be concerned about the Optus and Medibank data breaches, which have exposed the sensitive information of thousands of people and businesses. Of course, they rightly expect the Australian government to do everything it can to respond to such cyberattacks. But I have to tell you, this motion is simply absurd. For those on the other side to come in here and make such a brazen, politicised attempt to pull the wool over the Australian people's eyes is just astounding. Previous speakers have claimed that the Morrison government passed significant legislation to protect Australians from cybercriminals. Really? Then how do they explain these breaches? Why did their significant legislation fail to protect Australians and critical infrastructure?

I know why it failed. The former minister for home affairs—the same person who moved this motion—knows why it failed. When the breaches occurred, she along with Opposition Leader Peter Dutton led a conga line of shadow ministers and all the political puppet-show opposition speakers on this motion who have been seeking to ascribe blame to the new government and the minister while avoiding any responsibility. It was the member for McPherson, when she was home affairs minister, who switched on the cyber incident and critical infrastructure register reporting obligations for the critical infrastructure sectors on 8 April 2022. So far so good, but here's the kicker: it was her and the Morrison government that decided to leave out the telco sector. They left out telecommunications. That meant not only did they leave the door unlocked in this very dangerous cybersecurity neighbourhood when there is a rise of cyberattacks and cybercriminals, they left the door wide open, they left the backdoor open, they left the windows open.

The former government told the intelligence and security committee they would turn their mind to it if their existing obligations under the telco act were assessed as being unsuitable. But rather than proactively assessing the suitability of obligations on telcos, in classic form, of this opposition when they were in government, they kicked it into the long grass. So when the Optus breach happened response powers could not deployed to support Optus to respond to the incident. It was not just the former Minister for Home Affairs who was responsible, despite her brazen attempt through this motion to absolve herself of responsibility, the former Minister for Communications Paul Fletcher did not switch on the obligations for the telecommunications sector under the SOCI Act either. He should've been well informed—

Mike Freelander (Macarthur, Australian Labor Party) Share this | Link to this | Hansard source

Order! Mr Hastie, on a point of order.

Andrew Hastie (Canning, Liberal Party, Shadow Minister for Defence) Share this | Link to this | Hansard source

I'd ask the member to refer to members by their correct titles, please. That's twice he's done it.

Mike Freelander (Macarthur, Australian Labor Party) Share this | Link to this | Hansard source

( ): The member is correct. I remind the member for Wills.

Peter Khalil (Wills, Australian Labor Party) Share this | Link to this | Hansard source

I'll do so going forward. He should've been well informed. He was an Optus executive. It's an absolute disgrace that they would come in here today and pretend that this failure is anything but one of their own making.

It was the Albanese Labor government that actually applied the cyberincident and critical infrastructure register reporting to the telecommunications sector after the election—straight after the election! We addressed the gap in the application of the SOCI obligations for telcos. Not only that, after the former coalition government abolished the role entirely, we established a cabinet level Minister for Cyber Security. She's been working hard, working with the agencies to actually address these problems to enhance coordination across government on cyberpolicy, cyberstrategy and cyber-response mechanisms. Thank goodness we did, because from the outset Minister O'Neil has been leading a dedicated team who have been working around the clock to protect Australians. We've had the toughest and smartest people in Australia and in the government working tirelessly to respond. That includes the excellent team at the Australian Signals Directorate, who are continuously updating the minister on active cyberincidents. They deserve our thanks, not the former government who made their job even harder.

Significant support is also being provided by the Australian Federal Police and the Department of Home Affairs to the Medibank and Optus incidents. And, of course, the AFP is leading a criminal investigation to hunt down and prosecute the attackers. Home Affairs has led the coordination of multiple federal, state and territory agencies and departments to support the response and put protections in place. To all of those dedicated public servants, I say thank you. Beyond the politicisation of this motion, they are doing a great job and they should be thanked. Unlike those on the other side of the House, they're not trying to escape blame or point the finger at others. They're taking responsibility and doing what needs to be done. I want them all to know that the Albanese government is right on their side, and all Australians, in protecting them from these attacks.

We're cracking down on hackers. We're making it clear with major increased penalties that companies have an obligation to protect consumer data. It's the Albanese Labor government that is actually putting all of these things in place to protect Australians.

Russell Broadbent (Monash, Liberal Party) Share this | Link to this | Hansard source

There's a lot of blame being thrown around this morning during this debate, which surprises me, but it probably shouldn't surprise me with the length of time that I have served here. In the book, The Girl with the Dragon Tattoo, which I recommend everybody read—written so many years ago—it describes exactly what we're going through at the moment. Our heroine uses her considerable skills in the cyber space to bring down her enemy either in information or in financial movements across the country, across the world. We are now living in that space. It's been coming for 20 years. I don't think Optus or Medibank enjoyed being hacked.

There's a sort of personal arrangement in this for me too. There's a building company—not a large company but not a small company—building homes, residences, trading really well, with a fantastic product. I asked a friend of the owner, 'What happened to the business? How did it go broke, when it was such a good business?' He said, 'To tell you the truth, it started with a ransomware attack on the company that cost the company $1 million to fix.' Now, if it had only involved that, the company could have survived easily, except that there were other forces that then came in. They included COVID and the mandates that were put in by the Victorian government that didn't allow their workforce to move, and their workforce was one that moved from site to site, wherever they were building homes. Because they were unable to move, they then—but that's a whole other story. Anyway, there were other problems with it. But it began with a ransomware attack on the company, which cost them $1 million to fix.

That means it's not just about the Medibanks and the big organisations. We are under threat as individuals. That was a family owned company. They have lost everything. They've lost their homes. They've lost their offices. They've lost everything. I hope and pray they will start again. But this is what happens, living in this cyberspace as we do today.

A member of the family was about to make a payment on the building of a residence. For some reason, he felt uncomfortable. It was $35,000. He was just about to, bang, press the button. He rang the builder and he said, 'Mate, it's got your name,' and everything was there, exactly the same as the last one that he paid. But, actually, he had been hacked, and, had he pressed the button, $35,000 would have gone straight into an account somewhere in Australia and then straight overseas within minutes. That's where we're up to now.

This is a war, but it comes down to the individual level as well. Members of parliament must get at least one call a week from people that are being scammed, or someone's trying scam them—all the time. So as a nation we have to be really on our guard. I believe the previous government did the best they could.

Optus and Medibank didn't want to go through the process they went through. They believed that they had armour in place so they couldn't be hacked. But somebody smarter than the person who was doing the protection was able to bypass the protection they had in place. That's what we're facing every day. So it's a whole-of-government exercise—and whole of community and whole of business. Sorry, but, to me, whacking a $1 million penalty on me is not going to make me do any better to protect my business than I would otherwise do. I will do everything to protect my business, my family and my activity. And every company is like that. I step into this space and say we've got to work together as a nation, as a people, as best we can, and we charge this government with that responsibility on behalf of the people of Australia. The greatest holder of information is the federal government of Australia, so we need to be looking at making sure our data can't be breached so that we can survive into the future.

Sally Sitou (Reid, Australian Labor Party) Share this | Link to this | Hansard source

I would like to match the member for Monash's fictional reference with one of my own. I remember watching Sandra Bullock's movie The Net, a cybersecurity movie about the internet and identity theft. The movie came out in 1995 and felt like Hollywood at its story-telling best. It was long before social media, smartphones and apps, so it seemed unbelievable at the time. How could people steal your identity and conduct surveillance on you via your computer? As Sandra Bullock's character tries to explain her predicament to a sceptical lawyer, she says: 'Our whole world is sitting there on a computer. It's in the computer, everything: your DMV records, your social security, your credit cards, your medical records. It's all right there. Everyone is stored in there. It's like this little electronic shadow on each and every one of us, just begging for someone to screw with, and you know what? They've done it to me, and you know what? They're gonna do it to you.' The movie was prescient for its time because all those concerns dreamed up by scriptwriters more than two decades ago have now come to pass. In 1995, Hollywood was able to imagine just how vulnerable we would be to cyberattacks and data breaches.

Unfortunately for us, the previous government failed to show any of that foresight. They failed to create an effective incident coordination and response mechanism or set up the legislative tools to manage the consequences of data breaches. They failed to even acknowledge the significance of this threat, and we know this because they abolished the dedicated role of cybersecurity in the ministry. Those failures are made even more stark given how much of our lives has now moved online. I had to hand over my personal information to read the news, to purchase shoes and even to pay for my son's school lunches. When so much of our lives is online, more than ever, consumers need protection from fraudulent behaviour and privacy and data breaches. They need a government to be on their side to make sure that businesses have the right tools and incentives to protect our data. The Optus and Medibank data breaches demonstrated that neither were in place when we came into government. The sensitive financial identity and health data of millions of Australians has now been exposed and the potential losses these Australians face are immeasurable.

It's this government that recognises the immense harm individuals could face from cybersecurity attacks. That's why, from the very beginning of the Optus and Medibank incidents, we have had the smartest experts from the Australian government working on a response. We have put the full weight of the Australian government into finding the attackers, coordinating government responses and keeping Australians informed so they can protect themselves. The Australian Signals Directorate's Australian Cyber Security Centre, the Australian Federal Police and the Department of Home Affairs are providing significant support to help investigate these breaches. I want to thank all these men and women who are working tirelessly to help protect Australians for their professionalism. It's the Labor government that has begun the important work of protecting the personal information of Australians. We've closed the gap that the previous government left in the Security of Critical Infrastructure Act by switching on the cyber incident reporting and critical infrastructure register for the telecommunications sector.

We've appointed Australia's first dedicated Minister for Cyber Security to the cabinet, which will allow for better coordination across the government on cyberpolicy, strategy and response mechanisms. We have brought in legislation to beef up penalties for organisations that fail to protect the personal information of customers from hackers, increasing the maximum fine for serious breaches from $2.2 million to at least $50 million and giving companies an incentive to put the work and resources into protecting customer data. We've done that because Australians have a right to expect that their personal information will be protected. We are developing our new cybersecurity strategy for Australia to equip us with the tools to prevent, detect and manage the impact and consequences of cyber incidents. We need a response that will meet the challenges of our time, and this is a government that is getting on with doing that.

Mike Freelander (Macarthur, Australian Labor Party) Share this | Link to this | Hansard source

The time allocated for this debate has expired. The debate is adjourned and the resumption of the debate will be made an order of the day for the next sitting.