Senate debates

Monday, 22 November 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2021; Second Reading

6:08 pm

Tony Sheldon (NSW, Australian Labor Party)

I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. The pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, is considerable in scope and impact, and is increasing at an unprecedented rate. Australia is facing an increasing cybersecurity threat to essential services, businesses and all levels of government. In the past few years, cyberattacks have struck federal parliamentary networks, the health and food sectors, media, universities and transport operators. You may recall that, only three months ago, the transport giant Toll Group in Australia faced a series of attacks on its operations which had a very detrimental effect on the performance of its business. Internationally, cyberattacks have disrupted critical sectors including water and fuel supplies in the United States.

It's important that Australia's critical infrastructure is protected from cyberattack, but the government's first attempt at legislating such protection was chaotic, uncoordinated and could not be supported, even by the government members of the Parliamentary Joint Committee on Intelligence and Security, to the credit of those senators.

The original bill expanded the definition of critical infrastructure coverage from four sectors (electricity, gas, water and ports) to 11 systems of national significance: communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, water and sewage. The original bill introduced additional reporting requirements for cyberincidents affecting critical infrastructure assets. The original bill introduced new government assistance measures to relevant entities for critical infrastructure sector assets in response to significant attacks, including cyberattacks. It introduced additional positive security obligations for critical infrastructure assets, including a risk management program to be delivered through sector-specific requirements.

As the PJCIS report noted, threats to critical infrastructure are often complex and serious and demand a swift and comprehensive response. The PJCIS also found that the government's attempt to introduce both the new government assistance measures and the new positive security obligations for sector-specific requirements in the one bill, given the complexity of the latter, may have ended up achieving neither. With limited opportunity to pass legislation this year, the PJCIS recommended that the government prioritise the most urgent aspects of the bill in bill 1, namely the expansion of the sectors deemed to be systems of national significance, the additional reporting requirements for cyber incidents and the new government assistance measures.

The committee recommended that the positive security obligations and sector-specific requirements be deferred to bill 2, following additional consultation with industry. The committee also recommended that bill 2, when introduced, be referred to the PJCIS again for another inquiry. That's certainly appropriate.

The PJCIS inquiry received around 100 submissions and held multiple public hearings featuring dozens of expert and industry appearances. Most, if not all, companies, industry bodies, trade unions and critical infrastructure asset owners and operators expressed some form of reservation with the bill. It consulted on the unknown or unquantified regulatory impact or the contemporaneous rules development that has occurred in parallel with the committee's review.

Key concerns heard by the committee included that the significant detail left to be resolved by sector-specific rules in delegated legislation instead of in the primary legislation meant that neither the parliament nor the affected entities could know the full impact, impost and cost of the legislation. There was concern that the notification time frames for advising the relevant authority of any critical or other cybersecurity incident within 12 and 72 hours respectively were too short and inconsistent with existing guidelines. Many companies were concerned that they would be directed to do actions that would, intentionally or otherwise, compromise their ICT systems. Sophisticated technology companies particularly and those with global operations were concerned that the ASD could not understand and would, therefore, cause harm to their systems. Across all sectors, the committee heard about growing regulatory complexity and duplication causing confusion in compliance costs, particularly in relation to sector-specific recommendations. Unions raised that potential positive security obligations could include expanded personal security checks.

Many stakeholders felt that the consultation process with the department was poorly promoted, that the process was too rapid and that their input, concerns and feedback were not acknowledged or addressed. Considering the significance and complexity of the consistent issues raised by the bill, a lack of tangible suggestions to address these by the government and the department, and the depth of disagreement between stakeholders and the department, the committee felt any attempt to resolve these concerns with a single bill would unduly delay its time-critical elements.

Instead, the bill by the government being discussed here only introduces the most pressing elements of an enhanced cybersecurity framework: an expanded definition of 'critical infrastructure assets' to include assets across the 11 sectors I've just mentioned; government assistance to relevant entities for critical infrastructure sector assets in response to significant cyberattacks; mandatory notification requirements of a cybersecurity incident by an entity to a relevant Commonwealth body, to allow for the written report to be made within 84 hours instead of 48 hours of an oral report being made, and to empower a relevant Commonwealth body to exempt an entity from the requirement to provide a written report; PJCIS oversight arrangements whereby the secretary is required to give a written report to the PJCIS as soon as practicable after a government assistance measure is directed or requested, detailing the circumstances, actions, status and parties involved relevant to any cybersecurity incident; the PJCIS review of the operation, effectiveness and implications of the security of the critical infrastructure legislative framework in the act, to begin not less than three years from when the bill receives royal assent; reporting obligations, including the draft rules relating to the mandatory reporting obligations, being provided directly to any entities that would reasonably be impacted by the draft rules; and the minister having to formally respond to any submissions made by responsible entities. There's a definition of 'significant impact': a cybersecurity incident will have a significant impact if the incident has materially disrupted the availability of essential goods and services provided using the asset or if any of the circumstances specified in the rules exist in relation to the incident.

In relation to ministerial authorisation, under new section 35AD consultation is required to inform relevant entities in writing and invite those entities to make a submission within 24 hours of receiving the draft authorisation. A person is not entitled to cause access, modification or impairment of computer data or a computer program and if a person, including employees or agents of a responsible entity, exceeds their authority then that would amount to such unauthorised access, modification or impairment for the purposes of the act.

The government has accepted the committee's conclusion that significant engagement, consultation and work are required to achieve workable, positive and enhanced cybersecurity obligations and sector-specific rules and will defer those aspects to the forthcoming bill 2 expected in 2022. The committee also made two recommendations relating to democratic institutions and elections: that the government review the risks to democratic institutions, particularly from foreign-originated cyberthreats, with a view to developing the most appropriate mechanism to protect them at federal, state and local levels; and that the government review the processes and protocols for classified briefings for the opposition during caretaker periods in response to serious cyberincidents and consider the best-practice principles for any public announcement about those incidents. The government has not yet responded to these recommendations. While they're important recommendations they're not directly relevant to bill 1.

In a dynamic and changing cyberthreat environment it is crucial that Australia's technical authority, the Australian Signals Directorate, is empowered to assist entities in responding to significant cybersecurity incidents to secure critical infrastructure assets. These are last-resort powers, and affected entities will undoubtedly retain their reservations. In supporting the legislation, Labor is relying on the intention stated in the bill, and given by department and agency heads, that these powers will only be used as a last resort. With this in mind, it is very important to emphasise that the PJCIS will be notified and briefed each time the government enacts this power and that it will conduct a full review of legislation when additional critical infrastructure reforms are introduced by the government.

In evidence provided to the committee, witnesses overwhelmingly indicated their willingness to cooperate with ASD. Government assistance powers would only be needed in the event that an affected entity is unwilling or unable to respond appropriately. Thus these measures should only be needed rarely, if ever. In the instance that there is disagreement between an entity and ASD on the best course of action, this bill incorporates the committee's recommendation to include safeguards that require the minister to consider multiple impacts and current responses.

The government has conceded that more work needs to be done in communicating, consulting on and responding to concerns regarding its proposed positive security obligations for critical infrastructure sectors. These are important initiatives, and they need to be done properly.

As I mentioned before in regard to the Toll Group incident, the critical effect on businesses of any bill in this area needs to be fully considered. One thing was raised very clearly by some of the other industry bodies:

The Australian Investment Council said the new laws—

as they were first drafted—

were a threat to Australia's economic recovery from the COVID-19 pandemic as they had the potential to impede the ability of Australian businesses to access vitally important foreign funding.

…   …   …

The Business Council of Australia said the new laws—

as they were first proposed—

would jeopardise Australia's economic prosperity and discourage foreign investment. It said the new powers would affect users in jurisdictions outside of Australia, and it is not clear how they will interact with requirements under relevant US and European laws, such as privacy statutes.

These are critical questions that were raised by the business community but also by the trade union movement. The Secretary of the Australian Council of Trade Unions, Ms McManus, said:

Potentially forcing food and distribution centre workers, apprentice electricians and nurses—the workers who have carried us through the pandemic—to comply with lengthy security checks is a massive drain on the economy and an assault on the right to privacy that every Australian should be able to enjoy …

She went on to say:

The elements of this bill which could place additional requirements on ordinary working people will do nothing to strengthen national security and will only create problems for working people, for the agencies asked to enforce it, and for the Australian economy. They should be removed from the bill.

Of course, we now see the bill broken up into bill 1 and bill 2, which is critically important to get speedy action on those matters which have broader support in the Senate:

In its submission to the inquiry, Qantas said the financial implications of implementing the reforms may create a significant financial burden for some businesses including its own.

Again, those impacts need to be considered in any proposition of the bill.

In my last 20 seconds, I wanted to raise one thing that is always important for national security and that this government has failed to do: we have thousands of overseas seafarers coming in without appropriate security checks. It's about time the government stepped in to do something there as well.
