David Van (Victoria, Liberal Party) Share this | Hansard source

These assistance powers are necessary due to the current threats that we face and the expectation from the community that when Australia's interests are under threat the government will use its technical expertise to ensure essential services remain functioning. It is the government's ultimate responsibility to protect the availability of Australia's critical infrastructure, and it's crucial that the government has last-resort powers to respond to the incidents or to mitigate the impact of attacks.

While the government recognises that the industry should be the ones to respond to the vast majority of attacks and cybersecurity incidents, there will be times when their skills and powers will not be enough. As a last resort, government assistance will enable the government to step in and protect critical infrastructure when industry is unable to. These last-resort powers may be exercised only when: a cybersecurity incident has occurred, is occurring or is imminent; the incident has, is having or is likely to have, a relevant impact on a critical infrastructure asset; there is material risk that the incident has seriously prejudiced or is likely to seriously prejudice the stability of Australia, its people, the defence of Australia or national security; or when no existing regulatory mechanism can be used to address the cyberattack.

The government assistance powers are subject to ministerial authorisation powers, and include the ability for the secretary of the Department of Home Affairs to give directions to a specified entity for the purposes of gathering information to determine if a further power should be exercised. The secretary will also be able to provide directions to a specified entity, requiring the entity to do one or more things in response to the incident, or make a request to the authorised agency to provide specified assistance and cooperation to respond.

While these powers are significant, they are proportionate to the threat landscape that we face and are clearly defined and confined with a range of safeguards in place to ensure that they are used appropriately and only in the most serious circumstances. These safeguards include: the need for powers to be exercised only when no existing regulatory mechanism can be used to address the cyberattack; mandatory consultation with the relevant entity, except where consultation will frustrate the effectiveness of directions or requests; the intervention power is to be authorised only once the Minister for Home Affairs has sought agreement from the Prime Minister and the Minister for Defence; mandatory notification to the Parliamentary Joint Committee on Intelligence and Security as soon as practicable of the authorisation, circumstances, actions, status and parties involved in each measure; Inspector-General of Intelligence and Security oversight of intelligence agencies' functions; that the Commonwealth Ombudsman can investigate complaints made about actions of government agencies and the exercising of the government assistance measures; and annual reporting to parliament on the use of these powers to ensure the transparency and accountability to parliament and the Australian public.

The Parliamentary Joint Committee on Intelligence and Security has backed the passage of these urgent reforms. The complex and persistent nature of these threats that our critical infrastructure faces means we cannot sit and wait for a serious incident to occur before we act. The Morrison government is committed to protecting our national interest and ensuring that threats to our national security are mitigated so that our communities remain safe and our society continues to function. This bill is an important step in protecting our critical infrastructure from cybersecurity threats, making it essential that the bill be passed. I commend the bill to the Senate.