Eric Abetz (Tasmania, Liberal Party) Share this | Hansard source

A little while ago I called for a national summit on cybersecurity to bring together the best and brightest from the private sector, the public sector and academia to work together to provide the most focused protection possible for all of us against cyberattacks. I made that call because in the most recent Australian Cyber Security Centre's annual cyber threat report we received an overview of the cyberthreats affecting Australia, and it impacts all of us. In the 2020-21 financial year the ACSC received over 67,500 cybercrime reports, an average of one every eight minutes, representing an increase of nearly 13 per cent from the previous financial year. Cybercrime reports submitted record a total self-reported financial losses of more than $33 billion. Ransom demands by cybercriminals range from thousands to millions of dollars. Almost 500 ransomware related cybercrime reports were received via the ReportCyber website, an increase of nearly 15 per cent compared to the previous financial year.

Cybercriminals are moving away from the low-level ransomware operations towards extracting hefty ransoms from large or high-profile organisations. To increase the likelihood of ransoms being paid cybercriminals are encrypting networks and also exfiltrating data then threatening to publish stolen information on the internet.

This is just a bit of an insight as to the cyberthreat that confronts us as a nation. In short, we have a problem. These attacks are by organised crime and state players who seek to do us harm, serious harm. So in this ugly and threatening environment there is an absolute imperative for the Security Legislation Amendment (Critical Infrastructure) Bill 2021.

This government is committed to protecting our critical infrastructure to secure the essential services all of us rely on—everything from electricity and water to health care and groceries. The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty. The amendments to the legislation will ensure the government is well placed to assist entities responsible for providing critical infrastructure assets to respond to serious cyberattacks as the first step in strengthening of Australia's critical infrastructure security.

The reforms outlined in the amended bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure in three ways: firstly, by expanding the definition of 'critical infrastructure' to include energy, communications, financial services, defence industry, higher education and research, data storage or processing, food and grocery, health care and medical, space technology, transport, and water and sewerage sectors; secondly, by introducing a cyberincident reporting regime for critical infrastructure assets; and, thirdly, by making government assistance available to industry as a last resort. Subject to appropriate limitations, government will be able to provide assistance immediately prior, during or following a significant cybersecurity incident to ensure the continued provision of essential services.

Recent cyberattacks and security threats to Australian critical infrastructure make these reforms critically important to deliver and respond to the recommendations from the Parliamentary Joint Committee on Intelligence and Security to bring forward these elements as a priority. For the record, with Senator McAllister and others that have spoken on this bill, I serve on the Parliamentary Joint Committee on Intelligence and Security. I commend my colleagues on the way that we have been able to deal with these matters in a bipartisan way, putting forward suggestions to the government, which thankfully have been adopted, because our first concern and proper concern is the security of our fellow Australians and, in relation to this legislation, ensuring that our essential or critical infrastructure is protected as much as it possibly can be.

Importantly, the legislation will enable the government to provide emergency assistance or directions immediately before, during or after a significant cybersecurity incident, to mitigate and restore essential services. The community can be assured that any government powers will be subject to strong legislated safeguards and oversight mechanisms under very specific circumstances. It's one of those things, in debating and considering legislation of this kind, that, instinctively, I don't like this government involvement, but what I dislike even more are the threats of cyberattacks and seeing them play out elsewhere.

Attacks on our critical infrastructure require a joint response, involving government, business and individuals, reflecting the interrelated nature of the threat. The government is already working in partnership with critical infrastructure entities to codesign sector-specific requirements to manage and respond to the risks. The Australian government will continue to work with those entities that are responsible to ensure the second phase of reforms is implemented in a manner that secures appropriate outcomes without imposing unnecessary or disproportionate regulatory burdens. That's where further discussions are now taking place, and the view of the committee was that those matters had not been fully discussed and socialised with the sector. I look forward to the outcome of those discussions.

Why are these reforms necessary? While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune. As a government, we are seeking to be proactive as opposed to responding to an incident. International cyberincidents, such as the ransomware attack on the US company Colonial Pipeline, affected the distribution of fuel to customers on the east coast of the United States. This demonstrates the potential for attacks to cause devastating harm. Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years we have seen cyberattacks on federal parliamentary networks, logistics, the medical sector and universities, just to mention a few. Internationally, we have seen disruptive cyberattacks on critical infrastructure, including water services and airports. Australia will not be, and is not, immune to those attempted attacks.

Throughout 2019 and during 2020 Australia's critical infrastructure sectors were regularly targeted by malicious cyberactors seeking to exploit both victims and the crisis of COVID for profit, with a total disregard for the community and the essential services upon which it relies. For example, during that period, multiple regional hospitals were the victims of a cyberattack. As a result, some health services to large regional communities, including surgeries, were disrupted. This has happened here. A major national food wholesaler was the victim of a cyberattack which affected their systems and temporarily disrupted their ability to provide food to our fellow Australians at a time of unprecedented pressure on the food and grocery sector. A water provider had its control system encrypted by ransomware, which, had the system not been restored quickly enough from backups, could have disrupted the supply of potable water to a regional population hub, as well as having the potential to impact on the economy, given the reliance of primary industry on this water supply. And on 19 June 2020, the Prime Minister advised that the Australian government was aware that Australia's critical infrastructure was being targeted by a sophisticated state based actor.

The situation is clear, unfortunately, that there are elements within the wider world community—both criminal actors and state based actors—that would seek to compromise the delivery of essential services to the Australian people, and that is why this bill which seeks to protect the critical infrastructure of our nation is so important. This government has been proactive in this space. Whilst more work needs to be done on other elements of the initial bill, that which is being put to the parliament in this legislation and which the Senate is being asked to pass is, on any assessment, vital. It's important. It's considered. The support of the Australian Labor Party, in that regard, is to be commended. The other aspect of the bill that needs to be considered is the incident reporting regime. Reporting cybersecurity incidents to the Australian Cyber Security Centre through the portal will help inform the government and us, as a nation and as a people, as to how to respond to these elements.

The approach taken by the Parliamentary Joint Committee on Intelligence and Security has been, to date, always a reasoned and considered approach where we seek to put political differences aside as much as possible with a sharp focus on the security of our nation and ensuring the very best outcome. So, when we are confronted with criminal elements and state actors—and these state actors, I would suggest, are dealing in a criminal manner as well—that are seeking to impact our very way of life and the provision of essential services to our fellow Australians, it is right and proper for the government to seek to legislate in this space to provide security and support to ensure that our fellow Australians are protected as much as they possibly can be.

The provision of ongoing oversight by the committee, I think, is important as well. The government has agreed to that, and that provides a bipartisan flavour to the oversight, because these powers that are given to government and government authorities are from time to time overused, if not abused, because there is a particular focus on one particular issue, and then you've got to balance those up with the other considerations which we, in a liberal democratic society, treasure and seek to protect. Getting that balance right is vitally important, and that is why having the oversight, along with the committee, is something which I am pleased the government is willing to do.

I commend the bill to the Senate. This is about protecting our fellow Australians in the best possible manner against those that seek to do us harm. I trust that this legislation will be able to be passed before we break.